Tag: FDIC

10 Jul 2014

Cybersecurity – Part 1

Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway it promises to be a regulatory focus for the foreseeable future.  But exactly what are they expecting from you, and how does that differ from what you may be doing already?  More importantly, how should you demonstrate that you are cybersecurity compliant?

First of all it’s important to understand that, at least initially, regulators will be gathering data only.  They may offer verbal feedback, but don’t expect any written examination findings or recommendations at this time.  What they will be doing is assessing the overall posture of cybersecurity.  It would appear that the regulators are following the NIST cybersecurity framework that came out earlier this year in response to the Presidential Executive Order that came out in February of 2013.  The NIST framework provides a common mechanism for organizations to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state; and
  5. Communicate among internal and external stakeholders about cybersecurity risk.

It would appear that financial regulators are currently on step 1: gathering information in order to describe the current state of cybersecurity across the financial industry.  Of course once the current state has been established, I expect that the “target state” for cybersecurity (step #2) will involve additional regulatory expectations.

So what do you need to do now?  Well, if you’ve kept your information security, business continuity, and vendor management policies and procedures up-to-date, probably not much.  Cybersecurity is simply a subset of each of those existing policies.  In most cases, ‘cyber’ refers to either the source or nature of the attack or the vulnerability.  Your InfoSec policies (including incident response) should already address this, and so should your business continuity plan.  In other words, you should already have procedures in place to secure customer and confidential data and recover critical business processes regardless of the source or nature of the threat.  Your policies should all be impact-based, not threat-based.

Your risk assessments, however, may need to be adjusted if they don’t specifically account for cyber threats.  For example, critical vendors should be assessed for their exposure to, and protection from, cyber threats…with your controls adjusted accordingly (i.e. audit reports, PEN tests, etc.).  Your BCP risk assessment should account for the impact and probability of cyber threats, as well as traditional fraud, theft and blackmail.  All that said, regulators will likely be looking for specific references to ‘cyber’, so it won’t hurt to make sure your policies include the term as well.

For me, the biggest takeaway from the flurry of cybersecurity activity (the 2013 Presidential Directive, the 2013 FFIEC working group, the 2014 NIST Cybersecurity Framework, the recent FFIEC statements on ATM Hacking and Heartbleed and DDoS attacks, as well as the recent FDIC C-level cybersecurity webinar) is this: for the vast majority of outsourced financial institutions, cybersecurity readiness means (A) managing your vendors, and (B) having a proven plan in place to detect and recover if a cyber-attack occurs.

According to the FDIC, here are the required elements of a cybersecurity risk management program …notice the last two:

  • Governance – risk management and oversight
  • Threat intelligence and collaboration – Internal & External Resources
  • Third-party service provider and vendor risk management
  • Incident response and resilience

I’ve covered vendor management and incident response before.  In Part 2 I’ll break down each of the four elements in greater detail, and tell you what you’ll need to do to demonstrate compliance.

09 Apr 2014

FDIC Re-issues Service Provider Guidance

Originally released in 2001, the FDIC recently re-issued 3 publications related to managing outsourced relationships:

  • Effective Practices for Selecting a Service Provider
  • Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements
  • Techniques for Managing Multiple Service Providers

What struck me about this re-release is the fact that they were released without modification of any kind, which suggests not only that expectations have changed very little over the past 12 years, but also (and more significantly) that regulators expect that you are already adhering to them.  But are you?

First of all, this guidance (and indeed the guidance released last year by the OCC and the Federal Reserve) makes it clear that there is no meaningful distinction between service provider, vendor, subcontractor, and outsourcer…they are all the same as far as regulatory expectations are concerned.

So just in case the realities of your vendor management activities have fallen short of those expectations, here are just a few things regulators expect:

  • The vendor management process actually starts before the vendor becomes a vendor; indeed it begins even prior to identifying prospective vendors.  It actually starts when management identifies the need for outsourcing, and identifies how outsourcing will support the institution’s objectives and strategic plans.
  • Even when only one provider has been identified, you must still evaluate their expertise, technical controls, financial condition and management.
  • Although not a strict requirement, an RFP, RFQ and/or RFI can greatly contribute to the selection process by making sure the deliverables match your expectations.
  • If an RFP was used to solicit proposals, those documents can be incorporated into the contract.
  • The contract remains the single most important vendor management control, and regulators believe the Service Level Agreement (SLA) is a key component in structuring a successful outsourcing contract.

One final thought on this re-release: between this, the OCC and Federal Reserve issuing updated guidance on outsourcing late last year, and the fact that almost all of the recent updates to the FFIEC IT Examination Handbooks dealt either directly or indirectly with vendor management, I believe more strongly than ever that this will be a regulator hot-button in the immediate (and foreseeable) future.

07 Jan 2014

A Look Back at 2013…and a Look Ahead – Part 1 (charts edition)

One thing that’s clear from the examination feedback I’ve received from financial institutions in 2013 is that examiners are spending less time in their safety & soundness examinations on the CAMELS “C”, “A”, & “L” (capital, asset quality and liquidity) issues, and more time on the “M” & “E” (management and earnings) issues.  (There was some additional guidance released on the “S” issue by the FDIC in October, but so far we haven’t seen “sensitivity to interest rates” become a big deal for examiners.)

I’ve taken a deep dive into the 2013 FDIC financial institution data, and the following charts explain why I believe the trend towards less C, A & L, and more M & E scrutiny will continue.  The first chart is a count of total failed institutions per year since 2007:

So 2013 saw a return to pre-crisis levels of bank failures, which, while still somewhat high by historical standards, definitely reduced the pressure somewhat.  In the next graph I plot the number of “problem banks” (defined here) over the same period, which should give us some indication of the overall health of the banking industry:

As you can see, problem banks are not quite at pre-crisis levels but do show a definite downward correlation with bank failures, and I believe we’ll see that trend continue.

This next chart depicts average net operating income (left scale) against total count of unprofitable institutions (right scale):

As you can see, both indicators are trending in the right direction, which should indicate a continued de-emphasis on C, A & L in future examinations…and increased earnings pressure.  Notably however, smaller institutions are likely to face more earnings scrutiny than larger institutions, because although they did not experience the same level of losses early on as larger institutions, they are also taking longer to return to profitability:

So how will all of this impact institutions going forward?  If you’ve had a federal examination in the last 6-9 months you’ve probably already heard some variation of the following from your examiner: “Great, your problem assets are under control, now why aren’t you profitable (or more profitable)?”  (Of course at this point you might be tempted to mention things like increased deposit insurance assessments, reduced fee income, and increased regulatory burden, but you know it won’t matter…)  So certainly the increased focus on “E” will continue, but because the number of institutions still losing money is inversely proportional to size, the smaller you are the more “E” scrutiny you’re likely to get.

However, regardless of asset quality or earnings, I believe that increasingly “M” will begin to take center stage in 2014, because at the end of every banking crisis since 1980 there has been a post-mortem analysis of the causes and the regulatory gaps that should be addressed going forward.  And that always leads back to “M”, because ultimately regulators believe that all problems facing financial institutions should have been foreseen and avoided by competent management taking a more active role in the affairs of the institution.  More on that, and how to prepare for it, in a future post.

20 Aug 2013

Ask the Guru: Vendor vs. Service Provider

Hey Guru
I recently had an FDIC examiner tell me that we needed to make a better distinction between a vendor and a service provider.  His point seemed to be that by lumping them together in our vendor management program we were “over-analyzing” them.  He suggested that we should be focused instead only on those few key providers that pose the greatest risk of identity theft.  Our approach has always been to assess each and every vendor.  Is this a new approach?


I don’t think so, although I think I know where the examiner is coming from on the vendor vs. service provider distinction.  First of all, let’s understand what is meant by a “service provider”.  The traditional definition of a service provider was one who provided services subject to the Bank Service Company Act (BSCA), which dates back to 1962.  As defined in Section 3 of the Act, these services include:

“…check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.”

But lately the definition has expanded way beyond the BSCA, and today almost anything you can outsource can conceivably be provided by a “service provider”.  In fact according to the FDIC, the products and services provided can vary widely:

“…core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers.”

Furthermore, in a 2010 interview with BankInfoSecurity, Don Saxinger (Team Lead – IT and Operations Risk at FDIC) said this regarding what constitutes a service provider:

“We are not always so sure ourselves, to be quite honest…but, in general, I would look at it from a banking function perspective. If this is a function of the bank, where somebody is performing some service for you that is a banking function or a decision-making function, including your operations and your technology and you have outsourced it, then yes, that would be a technology service that is (BSCA) reportable.”

Finally, the Federal Reserve defines a service provider as:

“… any party, whether affiliated or not, that is permitted access to a financial institution’s customer information through the provision of services directly to the institution.   For example, a processor that directly obtains, processes, stores, or transmits customer information on an institution’s behalf is its service provider.  Similarly, an attorney, accountant, or consultant who performs services for a financial institution and has access to customer information is a service provider for the institution.”

And in their Guidance on Managing Outsourcing Risk:

“Service providers is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities”

So access to customer information seems to be the common thread, not necessarily the services provided.  Clearly the regulators have an expanded view of a “service provider”, and so should you.  Keep doing what you’re doing.  Run all providers through the same risk-ranking formula, and go from there!

One last thought…don’t get confused by different terms.  According to the FDIC as far back as 2001, other terms synonymous with “service providers” include vendors, subcontractors, external service providers (ESPs) and outsourcers.

25 Feb 2013

Examination Downgrades Correlated with Poor Vendor Management

According to Donald Saxinger (senior examination specialist in FDIC’s Technology Supervision Branch) in a telephone briefing given to the ABA in December of last year, almost half of all CAMELS score downgrades in 2012 were related to poor vendor management.  The briefing was titled “Vendor Management: Unlocking the Value beyond Regulatory Compliance”, and in it Mr. Saxinger noted that in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor.  He went on to say that although poor vendor management may not have been the prime cause, it was frequently cited as a factor in the downgrade.

Mr. Saxinger recommends that banks request, receive, and review not just financials and third-party audits such as SOC reports and validation of disaster recovery capabilities, but also any examination reports on the provider.  Federal examiners have an obligation and a responsibility to monitor financial institution service providers using the same set of standards required of the institutions themselves, and they are doing so with increasing frequency.

In addition, consider that all of the FFIEC regulatory updates and releases issued last year were either directly or indirectly related to vendor management:

  • Changes to the Outsourcing Handbook to add references to cloud computing vendors, and managed security service providers.
  • Updates to the Information Security Handbook to accommodate the recently released Internet Authentication Guidance (with its strong reliance on third-parties).
  • Changes to all Handbooks to accommodate the phase-out of the SAS 70, and replace it with the term “third-party review”.
  • Updated guidance on the URSIT programs for the supervision and scoring of Technology Service Providers.
  • Completely revised and updated Supervision of Technology Service Providers Handbook.

So regulators see inadequate vendor management as a contributing factor in examination downgrades, and virtually all new regulations issued by the FFIEC are related to it as well.  As a service provider to financial institutions we are prepared for, and expecting, added scrutiny.  As a financial institution looking to optimize examination results and stay ahead of the regulators, you should be too.

Here is a link to all vendor management related blog posts.

03 Jan 2013

FDIC Files Record Number of Lawsuits in 2012 – 2015 UPDATE

UPDATE 2: We in fact did see a significant decrease in O&D lawsuits in the past few years:

O&D 2015

UPDATE: Apparently one of the most common requests of the FDIC from bankers is for more technical assistance and training.  The FDIC has responded, and I do not believe it is coincidental that the first set of new videos released is a new series titled “New Director Education Series” aimed at bank Directors.

The numbers are in for 2012, and for the fourth year in a row the FDIC has filed a record number of officer and director lawsuits. According to the Statement Concerning the Responsibilities of Bank Directors and Officers adopted in 1992, the FDIC may sue professionals who they believe played a role in the failure of the institution. These individuals can include officers and directors, attorneys, accountants, appraisers, brokers, or others.

2012 FDIC Lawsuits

The FDIC regulations defining officer and director obligations are explained here, and the key concept to understand is something called the “duties of loyalty and care.”

“The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.”

So how can your officers and directors (and others) demonstrate the “duties of loyalty and care” and avoid liability claims?  The FDIC spells it out, and it isn’t really that difficult:

“The FDIC will not bring civil suits against directors and officers who fulfill their responsibilities, including the duties of loyalty and care, and who make reasonable business judgments on a fully informed basis and after proper deliberation.”

Let’s break that last sentence down a bit.  Officers and directors must demonstrate that they made…

  1. …reasonable business judgments…
  2. …on a fully informed basis, and…
  3. …after proper deliberation.

So working backwards, the key to proper deliberation is that you be fully informed, and that requires accurate, timely and relevant information.  Not just data, but actionable information.

The key then, is that financial institutions must take steps to ensure that officers and directors have the information necessary to carry out their responsibilities, and that the deliberation process is appropriately documented.  I’ve written before (Using Technology to Drive Compliance) about how technology (specifically automation) can enable and/or enhance your compliance efforts.  Technology can help extract useful information from mountains of data, and then present that information in a consistent, easy to understand format.

Management committees like the IT committee and the audit committee can provide both a forum for the exchange of information, and documentation that the exchange took place.  Make sure all functional units are represented in the committee, and designate someone as the Board representative if possible.  Make sure the committee reports to the Board periodically (preferably quarterly, but at least annually), and don’t underestimate the value of having outside expertise on those committees.  Not only can it add a different perspective, it can also help document that you are truly making an effort to be “fully informed” and that you are “properly deliberating”.

Given the right information, in the right format, and the right setting, perhaps we’ll see this trend slow or even reverse itself in 2013!