Category: Reading Between the Lines

14 Sep 2021

FFIEC Replaces, and Expands, the Operations Handbook

Architecture, Infrastructure, and Operations (AIO)

Back in June of this year the FFIEC released an update to the 2004 Operations Handbook called Architecture, Infrastructure, and Operations (AIO). As the lengthier name implies, this was not simply an update; it also greatly expanded the scope of operations to include architecture and infrastructure principles and practices. This reflects the tight integration between and among the various separate but related functions that comprise the IT environment, and the recognition that inadequate coordination and oversight of these components may result in various risks, including credit, liquidity, operational, compliance, and reputation risk. Similar to the BCMP Handbook back in 2019, it encourages financial institutions to take an enterprise-wide, process-based approach.

Another similarity between this IT Handbook and the others released in the past couple of years is the use of the term “entities” instead of “institutions” to describe the intended audience. “Entities” include depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers. (Emphasis added.) Using the “entities” terminology effectively eliminates the distinction between the expectations for an institution and those of the key third parties that provide the interdependencies necessary for the delivery of an institution’s products and services. And this provides perhaps the most important take-away from this Handbook for the vast majority of institutions that outsource core and technology services: architecture and infrastructure (and to a lesser degree, operations) are largely the responsibility of your provider. Indeed, the Handbook seems to recognize this, making no fewer than 70 references to the importance of understanding the “complexity” of the entity as specific principles and practices are considered. This applies to the entity and the examiner alike, and hopefully will translate into a better examination experience for smaller, less complex (and largely outsourced) community financial institutions as examiners adjust their scope and objectives accordingly. (Of course, it’s important to understand that the AIO burden does not necessarily decrease in these outsourced scenarios; it simply shifts to third-party oversight!)

Another similarity between recent Handbooks is the claim that the “…booklet does not impose requirements on entities. Instead, this booklet describes principles and practices that examiners review to assess an entity’s AIO functions.” We’ve always found this statement to be somewhat contradictory, as anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement. Nonetheless, this statement (along with the aforementioned entity “complexity”) may provide just enough leeway for honest differences of opinion over how (and whether) specific principles and practices are implemented within your institution. In fact, this could prove to be very useful as a “push-back” if an auditor or examiner tries to use the booklet to rationalize the implementation of a specific practice.

All that said, here are a few actionable observations from the booklet:

  • The importance of a strategic planning process to assure that the IT strategic plan aligns with the overall enterprise-wide strategic plans. Make sure your project planning includes a way to link one or more specific enterprise goals and objectives to every IT initiative.
  • The importance of IT asset management (ITAM). Specifically, “Management should have a comprehensive inventory of its electronic (or digital) and physical information assets to adequately safeguard them against reasonably foreseeable threats.” Simply put, you can’t secure it if you don’t know you have it.
  • The importance of oversight of third-party service providers. This goes without saying, but especially for smaller institutions where system architecture and infrastructure are outsourced. Expect significantly increased scrutiny in this area. (A case in point, we’re keeping an eye on this.)
  • The importance of accurately depicting the interconnectivity between entity assets and third-parties by creating and maintaining up-to-date network, data flow, and business process flow diagrams.
  • The importance of building resilience into your AIO components and functions by proactively anticipating the impact of a disruptive event in the design, implementation, and operation of your IT systems and processes.
  • The importance of an internal control self-assessment process for management and work teams to monitor and continuously improve the effectiveness of IT operations controls.

It would be prudent to review the entire operational controls section of the booklet, as many of these apply regardless of whether you have a dedicated data center, or only a server room or closet.

In summary, we’ll have to see how (and how quickly) the new expectations will be integrated into the existing IT examination work program, but we think it’s safe to assume the items above will certainly be among the areas of increased focus. As always, Appendix A contains the Examination Procedures and can be a valuable pre-exam resource. (This 11-year-old post is still relevant!) It also bears repeating that even if you outsource the “A” and “I” components, the day-to-day “O” elements* are still largely your responsibility, as are Board and management committee reporting.

* IT operations include the tactical management of technology assets and daily delivery of services to capture, transmit, process, and store transactions and information that support the entity’s overall business processes.

20 Oct 2020

Compliance Quick Bites – Tests vs. Exercises, and the Resiliency Factor

One of several changes implemented in the 2019 FFIEC BCM Examination Handbook is a subtle but important differentiation between a BCMP “test” and an “exercise”. I discussed some of the more material changes here, but we’re starting to see examiner scrutiny into not just whether, but exactly what and how, you’re testing.

According to the Handbook:

  • “An exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures.”
  • “A test is a type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment.”

Essentially, “…the distinction between the two is that exercises address people, processes, and systems whereas tests address specific aspects of a system.” Simply put, think of an exercise as a scenario-based simulation of your written process recovery procedures (a table-top exercise, for example), and a test as validation of the interdependencies of those processes, such as data restoration or circuit fail-over.

The new guidance makes it clear that you must have a comprehensive program that includes both exercises and tests, and that the primary objective should be to validate the effectiveness of your entire business continuity program. In the past, most FIs have conducted an annual table-top or structured walk-through test, and that was enough to validate their plan. It now seems that this new differentiation requires multiple methods of validating your recovery capabilities. Given the close integration between the various internal and external interdependencies of your recovery procedures, this makes perfect sense.

An additional consideration in preparing for future testing is the increased focus on resiliency, defined as any proactive measures you’ve already implemented to mitigate disruptive events and enhance your recovery capabilities. The term “resiliency” is used 126 times in the new Handbook, and you can bet that examiners will be looking for you to validate your ability to withstand as well as recover in your testing exercises. Resilience measures can include fire suppression, auxiliary power, server virtualization and replication, hot-site facilities, alternate providers, succession planning, etc.

One way of incorporating resilience capabilities into future testing is to evaluate the impact of a disruptive event after consideration of your internal and external process interdependencies and accounting for any existing resilience measures. For example, let’s say your lending operations require 3 external providers and 6 internal assets, including IT infrastructure, scanned documents, paper documents, and key employees. List any resilience capabilities you already have in place, such as recovery testing results from your third-parties, data replication and restoration, and cross-training for key employees, then evaluate what the true impact of the disruptive event would be in that context.

In summary, conducting both testing and exercises gives all stakeholders a high level of assurance that you’ve thoroughly identified and evaluated all internal and external process interdependencies, built resilience into each component, and can successfully restore critical business functions within recovery time objectives.

05 Aug 2020

Reading Between the Lines: The Interagency Examiner Guidance for Assessing Safety and Soundness During COVID-19

On June 23, 2020, the FDIC posted “The Interagency Examiner Guidance for Assessing Safety and Soundness Considering the Effect of the COVID-19 Pandemic on Institutions” (FIL-64-2020).

This statement is only one of several interagency statements issued since the start of the Covid-19 Pandemic outlining supervisory principles examiners will use to guide their safety and soundness examinations in the context of this event. Simply put, this statement makes it clear that regulators expect financial institutions to take prudent actions and make reasonable accommodations to address the impact of the event on their customers (and by extension, on themselves).

The focus of this post is on what may be less clear, because ambiguity opens the door to interpretation, and differences of opinion between management and regulators are where the most contentious examination findings occur. We’re going to look at a few passages that caught my eye, and discuss how to interpret them and what specific action to take. We’ll focus on the Management section starting on page 9. The first few sentences state that:

Examiners should evaluate the extent to which management factors the results of these efforts into its longer-term business strategy. Strategies could evolve throughout the local and national recovery. Institutions may be compelled to reconsider branching, mergers, or other expansions.

Interpretation and actions to be taken

This one is pretty straightforward. When the dust settles from this event, examiners will be asking to see specific changes you’ve made to your strategic planning based on the lessons learned. Not whether you’ve made adjustments to strategy, but what you’ve done to respond. Even if no material changes are forthcoming, make sure the Board and senior management meeting minutes reflect your thinking.

The next passage we’ll try to read between the lines of comes right after the previous one:

When rating an institution’s management, examiners will distinguish between problems caused by the institution’s management and those caused by external factors beyond management’s control.

Interpretation and actions to be taken

This relatively short sentence is much trickier to decode because it depends on the definition of “…external factors beyond management’s control.” Does “beyond control” mean beyond the capacity of management to anticipate? Virtually all natural disasters (and most man-made disasters and cyber events) are beyond management’s control, but that doesn’t mean the event should not be foreseen and assessed for probability and impact. In fact, the most recent FFIEC BCM Booklet makes no reference to risks beyond management’s control, instead using the term “reasonably foreseeable events” (including low-probability, high-impact events, like a pandemic) to describe the scope of events expected to be foreseen and risk-assessed by management. How should we reconcile the two concepts: “external factors beyond management’s control” and “reasonably foreseeable/anticipated risks”? Again, most threats facing financial institutions today are both beyond management’s control and reasonably foreseeable. Understanding how to approach this issue is more than an academic exercise: the Management component of your CAMELS rating may be affected by it.

Continuing in the same section:

“…management of an institution with problems largely related to the pandemic may warrant a more favorable rating than management of an institution operating with problems stemming from weak risk management practices that are, or should have been, substantially within the institution’s control.”

Interpretation and actions to be taken

To me this was the most difficult to interpret. Hypothetically, let’s say you’ve encountered credit quality issues largely related to the effects of the Covid-19 Pandemic. No downgrade, because it’s outside your control and not a sign of weak management practices. Just retroactively adjust your loan loss reserves and move on. Now, substitute “pandemic” with “major storm”. Let’s say you’ve experienced significant operational problems largely related to the storm. Also outside your control, but regulators will probably take the position that operational issues arising from a natural disaster should have been reasonably foreseen, and your failure to anticipate that is a sign of weak management practices. In this case your Management component will likely take a hit. Both a pandemic and severe weather are very likely addressed in your BCM plan, but the impact of one may be forgivable, while the other is attributed to weak management?

What we think the regulators are saying here is that it’s not the specific event, or the problems arising from that event, or even whether or not management foresaw the problems in advance, that regulators really care about. It’s management’s response to the event, whether or not it was within their control, whether or not it was foreseen. That is the core of the issue: how management improvises, adapts, and overcomes.

This brings us back to the beginning and the first “actions to be taken”. This has been an unprecedented event in both scale and scope, and we believe that when the dust settles, examiners will be asking to see your specific adaptations to procedures and processes to ensure continued delivery of financial services. This will include your ability to assess and implement additional controls (including cyber) to “…manage heightened risks related to the adjusted operating environment.”

One last sentence to decipher, and this one may be the easiest to understand:

“…examiners will consider the impacts on the control environment from instances of imprudent cost cutting, insufficient staffing, or delays in implementing needed updates in their assessment of the institution.”

Interpretation and actions to be taken

Self-explanatory. Examiners will take a dim view of cost-cutting even if you can use the Pandemic to rationalize it. Don’t sacrifice your control environment on the altar of saving money. Additionally, this is not the time to cancel or delay projects; stay on track with your initiatives, but make any necessary strategic adjustments resulting from the lessons learned, including new technology and staffing considerations.

In summary, we believe that when all the direct and indirect impact from this event is calculated, it will prove to be no less significant than a major natural disaster or even a recession. The regulators are giving every indication that they think so too, and plan to treat it that way.

30 Mar 2020

Reading Between the Lines: Recent Regulatory News

March 30, 2020 – Federal Reserve Statement on Supervisory Activities

Where did it come from, and where can I find it?

Who needs to know about it?

  • All financial institutions supervised by the Federal Reserve

Why was it Issued?

  • To address adjustments in its supervisory approach in light of COVID-19

What does it say?

  • Financial institutions are encouraged to work with customers impacted by COVID-19
  • The Fed will not criticize you for prudent actions taken to accommodate impacted customers
  • The Fed will shift its focus from regular exams, to monitoring your efforts to address the internal and external impact of this issue
  • The Fed is also providing an additional 90 days to remediate any existing supervisory findings

What did it NOT say (but the Guru wants you to know)?

  • The exception to this de-emphasis on regular examination activity is any matter they feel is either urgent or negatively impacts safety and soundness. If you have any outstanding supervisory matters that might fall into those categories (MRAs, formal or informal enforcement actions), the Guru believes you should stay on your committed timetable for completion of those matters. The timetable for completion was agreed to by your institution and the Federal Reserve based on an assessment of the severity of the findings. Taking additional time to resolve them could conceivably be perceived as having a negative impact on your safety and soundness.
  • Any actions taken to accommodate customers who may be unable to meet their contractual obligations will necessarily result in a higher risk exposure for your institution. Essentially the Federal Reserve is asking you to temporarily increase your credit risk appetite. Document that with the Board, and don’t forget to roll it back to pre-pandemic levels when this is over.
  • Although there may temporarily be less scrutiny on routine regulatory matters, try not to allow yourself to get too far behind in the day-to-day management of IT and vendor management.