Tag: Examination

12 Jul 2016

FDIC Updates IT Examination Procedures

Starting immediately, all FDIC-examined institutions will be subjected to new IT examination procedures, the first major overhaul since December 2007.  The new format is dubbed the InTREx program (Information Technology Risk Examination), and is designed to be a bit simpler in the pre-examination phase.  In fact, the InTREx has only 26 questions vs. 59 for the 12/07 version.  But what the new version gives up in the pre-exam phase, it more than makes up for in the actual on-site examination portion.  I believe most institutions should prepare for a much more thorough (i.e. time-consuming) examination experience going forward.

The InTREx is based on the URSIT methodology (Uniform Rating System for Information Technology), which dates back to 1999.  URSIT consists of four main components used to assess the overall performance of IT management within an organization: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS).  Additionally, InTREx adds an Expanded Analysis section for both Management and Support and Delivery.

First, the similarities:  Both the old and new model share a pre-exam and an on-site phase.  The pre-exam phase consists of the questionnaire, which is designed to help the examiner “scope” the examination (see #2 below), and determine exactly what documentation they will require from you (some of which they will request ahead of time, some will be requested on-site).

Once on-site the differences between the old and new are more apparent.  The new exam procedures require examiners to “review” (47 instances) and “evaluate” (54 instances) your documentation, and “determine” (30 instances) whether it is sufficient to prove that you’re doing what you say you will do.  The examiner uses the “Core Analysis Procedures” to assess each “Decision Factor” as either Strong, Satisfactory, Less than satisfactory, Deficient, or Critically deficient.  Examiners will then assign a 1 – 5 rating score to each AMDS component, and then assign an overall composite score.  All component ratings and scores, along with examination findings and recommendations, will appear in the final report.

Here is how the pre-exam and on-site phases break down in terms of type and volume of information requested:

  • The pre-exam phase is divided into 6 sections, with a total of 26 questions (most of which have an “If Yes…” portion, very similar to the 12/07 version):

| Section | # Questions |
| --- | --- |
| Core Processing | 4 |
| Network | 6 |
| Online Banking | 4 |
| Development and Programming | 1 |
| Software and Services | 2 |
| Other | 9 |

  • The on-site exam phase is where the new examiner procedures are defined, and is divided into the AMDS sections, plus the 2 Expanded Analysis sections.  Each of the AMDS sections has a Core Analysis Decision Factors sub-section and a Core Analysis Procedures sub-section:

| Exam Procedures Components | Core Analysis Decision Factors | Core Analysis Procedures |
| --- | --- | --- |
| Audit | 10 | 8 |
| Management | 8 | 16 |
| Development and Acquisition | 6 | 9 |
| Support and Delivery | 8 | 26 |
| Management: Expanded Analysis | 6 | 7 |
| Support and Delivery: Expanded Analysis | 7 | 8 |
| GLBA Information Security Standards* | 1* | 0 |
| Cybersecurity* | 1* | 0 |

* These components are not assessed separately, but are scattered throughout the program.

OBSERVATIONS:
  1. This is a much more granular process, requiring a deeper analysis by the examiner, which in turn puts a greater burden on the bank.  Proper documentation will often make the difference between a “satisfactory” and a “less than satisfactory” assessment.  If you prepared for previous exams by not just answering “Yes” or “No” to the pre-exam questions, but identifying all supporting documentation whether or not it was asked for, you should be fine with the InTREx.  If you were used to answering “Yes” or “No” with little or no examiner follow-up, download the InTREx now and focus on all the items in the Core Analysis Procedures sections.  Pay particular attention to the 34 “Control Test” items marked with the FDIC Control Test icon, and make sure you can get your hands on those items.  Again, being able to provide the documentation may make all the difference in your final exam score.
  2. The pre-exam portion of the questionnaire should (in theory) allow the exam to scale to the size and complexity of the institution.  We’ll have to wait and see if that actually occurs, but let’s hope so.  We’ve heard from far too many smaller institutions that said they felt their examiner treated them as if they were much larger.
  3. There is quite a bit of overlap between the elements in the InTREx and the Declarative Statements in the Cybersecurity Assessment Tool.  That should mean that actions taken to strengthen your cybersecurity control maturity will also strengthen your overall IT controls.  Also, cybersecurity elements are now permanently baked-in to the IT examination process, not a separate assessment.  This is consistent with what I’ve been saying all along, that cybersecurity is simply a subset of information security.  However, as with the Control Tests, you should make sure you have documentation available for all items marked with the FDIC Cyber icon.
  4. Hopefully, one potentially positive outcome from all this will be a more consistent examination experience.  Inconsistent examination results have been a source of concern for many institutions recently.  This new process should address that by removing some of the subjectivity that results when different examiners interpret the same guidance differently, and also by clarifying precisely what resources they need to “review” and “evaluate” in order to “determine” the level of compliance achieved.
  5. It is uncertain how quickly the new format will be adopted by regulators, but I’m guessing it will be pretty quickly.  Since they will send the questionnaire 90 days prior to your scheduled exam, we should expect the new methodology to be implemented for exams conducted in Q4 2016 at the soonest.
  6. It’s also unclear whether the other (non-FDIC) regulators will adopt this format. However, the FDIC insures the funds in all banks and has supervisory authority at all insured institutions (including those for which it is not the primary federal supervisor), so a single standard would make sense.  In any case, even non-FDIC institutions would be wise to familiarize themselves with this guidance.

Shoot me an email if and when you get the new InTREx, and let me know your experiences with it.  I’ll update the post periodically.

04 Mar 2016

FDIC Expands Criteria for 18 Month Exam Cycle

The FDIC released FIL-17-2016 today, which will increase the examination cycle for community banks meeting certain criteria from 12 months to 18 months, thereby potentially decreasing the frequency of one of the most intrusive events in the banker’s life.

The criteria are as follows:

  • Must be less than $1 B in assets
  • Must have a CAMELS composite rating of “1” or “2”
  • Must be well-capitalized
  • Must be well-managed
  • Must not have undergone any change in control during the previous 12 months
  • Must not be under an enforcement order or proceeding.

The 18 month examination cycle was previously not available to any community bank smaller than $500 million in assets, but now any bank smaller than $1 B will qualify, provided they meet the other criteria.

This is good news for already overly-burdened and otherwise healthy institutions, but what concerns me is the definition of “well-managed”. All of the other criteria are objective, and pretty easy to define and establish. But how will the regulators define well-managed? For example, if the institution had a single, non-material, repeat finding in their last exam, could that reflect poorly on management? After all, responsiveness to recommendations from auditors and supervisory authorities is one of the elements that make up the CAMELS management component.

And is it even possible for an institution to rate a composite score of “1” or “2” if it is not well-managed? Here is an extract from the FDIC Uniform Financial Institutions Rating System (UFIRS) relating to management:

  • Composite 2: Only moderate weaknesses are present and are well within the board of directors’ and management’s capabilities and willingness to correct.
  • Composite 3: Management may lack the ability or willingness to effectively address weaknesses within appropriate time frames.



Based on this I think it’s highly unlikely that a bank could score a “2” and be poorly managed.

Anyway, time will tell how examiners define well-managed, but this is certainly a step in the right direction and should bring much needed relief to many institutions.

20 Aug 2013

Ask the Guru: Vendor vs. Service Provider

Hey Guru
I recently had an FDIC examiner tell me that we needed to make a better distinction between a vendor and a service provider.  His point seemed to be that by lumping them together in our vendor management program we were “over-analyzing” them.  He suggested that we should be focused instead only on those few key providers that pose the greatest risk of identity theft.  Our approach has always been to assess each and every vendor.  Is this a new approach?


I don’t think so, although I think I know where the examiner is coming from on the vendor vs. service provider distinction.  First of all, let’s understand what is meant by a “service provider”.  The traditional definition of a service provider was one who provided services subject to the Bank Service Company Act (BSCA), which dates back to 1962.  As defined in Section 3 of the Act, these services include:

“…check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.”

But lately the definition has expanded way beyond the BSCA, and today almost anything you can outsource can conceivably be provided by a “service provider”.  In fact, according to the FDIC, the products and services provided can vary widely:

“…core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers.”

Furthermore, in a 2010 interview with BankInfoSecurity, Don Saxinger (Team Lead – IT and Operations Risk at FDIC) said this regarding what constitutes a service provider:

“We are not always so sure ourselves, to be quite honest…but, in general, I would look at it from a banking function perspective. If this is a function of the bank, where somebody is performing some service for you that is a banking function or a decision-making function, including your operations and your technology and you have outsourced it, then yes, that would be a technology service that is (BSCA) reportable.”

Finally, the Federal Reserve defines a service provider as:

“… any party, whether affiliated or not, that is permitted access to a financial institution’s customer information through the provision of services directly to the institution.   For example, a processor that directly obtains, processes, stores, or transmits customer information on an institution’s behalf is its service provider.  Similarly, an attorney, accountant, or consultant who performs services for a financial institution and has access to customer information is a service provider for the institution.”

And in their Guidance on Managing Outsourcing Risk:

“Service providers is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities”

So access to customer information seems to be the common thread, not necessarily the services provided.  Clearly the regulators have an expanded view of a “service provider”, and so should you.  Keep doing what you’re doing.  Run all providers through the same risk-ranking formula, and go from there!

One last thought…don’t get confused by different terms.  According to the FDIC as far back as 2001, other terms synonymous with “service providers” include vendors, subcontractors, external service providers (ESPs) and outsourcers.

09 Oct 2012

FDIC Institutions still getting UIGEA (Reg GG) findings – UPDATE

Update 1 –  12/5/2011 to add examination procedures*. 

Update 2 – 2/13/2012 to emphasize policy requirements.

Update 3 – 10/8/2012 to add specific courses of action if the FI has “actual knowledge” of restricted transactions.

We first saw this trend back in July 2011, and continue to see it, so I’m calling this a definite trend as opposed to an anomaly.  Here is the background:  The Unlawful Internet Gambling Enforcement Act of 2006 (“UIGEA”) prohibits any person, including a business, engaged in the business of betting or wagering from knowingly accepting payments in connection with the participation of another person in unlawful Internet gambling.  As a result, the Agencies (FDIC, OCC, NCUA, Federal Reserve) issued Reg GG, requiring financial institutions to establish policies and procedures “reasonably designed to identify and block, or otherwise prevent or prohibit, restricted (gambling) transactions” with compliance required as of June 1, 2010.

Most institutions have measures built in to their account opening procedures by their core vendor to comply with this Reg, but the recent examination findings seem to address the lack of a specific UIGEA policy.   This would indicate that procedures alone may not be enough to demonstrate compliance anymore (i.e., “we’re doing it even though we don’t say we are” isn’t enough).  So what are you supposed to do?  Make sure you have a specific written UIGEA policy, and that it is designed to address the following:

  • Don’t assume that just because you have no (or a few) commercial customers you aren’t required to have a policy.  The implementation burden is lessened, but a policy is still required.
  • Designate a person responsible for UIGEA compliance (this was a specific finding in one of the recent examinations).
  • Focus on establishing a due diligence process when initiating a commercial customer relationship.
  • Communicate to your commercial customers contractually up front (and periodically throughout the relationship) that restricted transactions are prohibited.  Your policy should state that the commercial customer agrees to not originate or receive restricted transactions throughout the customer relationship.  If the risk warrants, a certification from the customer is recommended.
  • Your due diligence obligations do not end once the account is opened.
  • Specify a specific course of action to be followed in case you have “actual knowledge” that a customer has violated the policy.  For example:
    • Perform an account review
    • Suspend activity on the account
    • Contact the customer
    • Contact legal counsel (if appropriate)
    • Close the account
    • File a SAR, if warranted
    • Contact regulatory authorities
    • Contact law enforcement
    • If cooperating with law enforcement, and so advised by same, continue processing

There are additional regulatory expectations if you actually have customers that are legally allowed to engage in an Internet gambling business, i.e. through U.S. State or Tribal authority.  In fact when I started getting reports of UIGEA policy deficiencies, my first thought was that all the institutions may have had that common denominator…they had customers legally engaging in Internet gambling.  That was not the case, however.  It would appear that this is just the latest regulatory “hot button”.

* Download Full Act, examination procedures in Attachment C

05 Apr 2012

5 “random” facts

Fact 1 – According to the U.S. Bureau of Labor Statistics, the increasing complexity of financial regulations will spur employment growth of financial examiners.  In fact it is expected to experience the third largest growth of all career paths through 2018.

Fact 2 – According to Rep. Shelley Moore Capito (R-W.Va.), author of H.R. 3461, “The Dodd-Frank Act has added so many new regulations to financial institutions, it has helped boost a 31% projected growth in job opportunities for Compliance Officers.”

Fact 3 – Speaking of H.R. 3461…It is also called the Financial Institution Examination Fairness and Reform Act, and aims to provide “more transparent, timely and fair examinations” by reducing the disconnect between exam results and their regulating agencies.  It now has 154 co-sponsors.

Fact 4 – A related bill (S. 2160) has just been introduced in the Senate.

Fact 5 – The provision in both bills that is getting the greatest push-back from regulators is the one that grants a financial institution the right to appeal an examination finding to an ombudsman at the FFIEC, not the regulator that made the finding.

I’ll let you connect the dots of these “random” facts.

28 Mar 2012

CFPB Examinations Are Coming – UPDATE 2

UPDATE 2 – June 2012:  Memorandum of Understanding issued on CFPB examinations

Examinations are coming, but hopefully they won’t impose too much of an additional burden on you.  At least that is the intent of an MOU that was recently signed between the CFPB and the other Federal regulators (Federal Reserve, NCUA, FDIC and OCC).  The MOU provides for information sharing among and between all agencies in order to minimize unnecessary duplication of examination efforts, and provides guidelines for “Simultaneous and Coordinated Examinations” between the agencies.  So expect additional visitors during future examinations, but if they truly expect to achieve the stated objective to “minimize unnecessary regulatory burden on Covered Institutions” they could start by doing away with CFPB examinations entirely.

UPDATE 1  –  May 2012:  Ramping Up…

Coming soon to your financial institution –

Dear Board of Directors:

Pursuant to the authority of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Consumer Financial Protection Bureau (CFPB) performed a risk-focused examination of your institution.  The examination began on April 1, 2012.  The following report summarizes the findings of our examination.

Any matters of criticism, violations of laws or regulations, and other matters of concern identified within this Examination Report require the Board of Director’s and management’s prompt attention and corrective action….

Although by law the CFPB will only examine large depository institutions (assets greater than $10B) individually, Section 1026 extends coverage to smaller institutions on a sampling basis.  This means all institutions can eventually expect a visit from CFPB examiners (either with or without your primary federal regulator) at some point in the future.  And it is my opinion that the influence of the CFPB will continue to expand to all financial institutions regardless of size.  Consider the following:

  1. The CFPB is now one of the agencies comprising the inter-agency council of the FFIEC (replacing the OTS).  This means that CFPB will have input into all FFIEC guidance going forward.
  2. The head of the CFPB sits on the FDIC Board of Directors.
  3. So far, 19 (Regs. B – P, V, X, Z & DD) out of the total of 39 Regulations have been turned over to CFPB for enforcement.  (I wonder if including Reg E will affect all electronic funds transfers, or only those initiated by non-business customers?  I find it hard to believe that there would be 2 sets of standards.)

So they are coming, but believe it or not there is good news.  Not only are they telling you what they are looking for ahead of time, they are giving you lots of helpful templates to fill out in preparation.  True, the templates are for their examiners, but there is no reason why you can’t use them too.  Particularly helpful is the Consumer Risk Assessment Template which CFPB examiners will use to determine inherent risk, which is then reduced by the appropriate controls to arrive at the overall risk (also called residual risk).  This table represents the summary of the consumer risk assessment process:

Notice that if the inherent risk is high, the residual risk can be no lower than moderate, regardless of the strength of the controls.  I think this is significant because of the potential implications for all risk assessments going forward.  Remember, CFPB now has a seat at the FFIEC (and FDIC) table.

But consider this…could we be looking at a fundamental change in how all risk assessments are conducted, and examined, in the future?  One single standardized risk assessment template for all risks?  Inherent risk levels are pre-defined, and control strength is pre-determined, making residual risk a purely objective calculation.  The complete lack of subjectivity means that all examiners evaluate all institutions against the exact same set of standards.  No exit meeting surprises, no unexpected CAMELS score downgrades, no spending hours and hours preparing for one area of compliance, only to have the examiners focus on something else.

So could the influence of the CFPB be a smoother, more predictable examination experience overall?  Or am I dreaming?