Tag: management

11 Nov 2015

FFIEC Updates (and Greatly Expands) the Management Handbook

This latest update to the IT Examination Handbook series comes 11 years after the original version.  And although IT has changed significantly in the past 11 years, the requirement that financial institutions properly manage the risks of IT has not changed.  This new Handbook contains many changes that will introduce new requirements and new expectations from regulators.  Some of these changes are subtle, others are more significant.  Here is my first take on just a few differences between the original and the new Handbook:

Cybersecurity

  • The original Handbook contained only a single reference to “cyber”.  The revised Handbook contains 53 references.

IT Management

  • The Board and a steering committee are still responsible for overall IT management, but the guidance now introduces a new obligation for the Board, requiring that they provide a “credible challenge” to management.  Specifically, this means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”.  Simply put, no more “rubber stamps”.  The Board is expected to actually govern, and that means they need access to accurate, timely and relevant information.

The IT Management Structure has changed.  The 2004 Handbook listed the following structure:

  • Board of Directors / Steering Committee
  • Chief Information Officer / Chief Technology Officer
  • IT Line Management
  • Business Unit Management

The updated guidance is a bit more granular, and recommends the following structure (the new entries are Executive Management and Chief Information Security Officer):

  • Board of Directors / Steering Committee
  • Executive Management
  • Chief Information Officer or Chief Technology Officer
  • Chief Information Security Officer
  • IT Line Management
  • Business Unit Management

“Risk Appetite”

  • The FFIEC Cybersecurity Assessment Tool introduced this new term (addressed here), and the Management Handbook makes an additional 11 references.  Institutions should understand this relatively new (for IT anyway) concept and incorporate it into their strategic planning process.

Managing Technology Service Providers

  • The 2004 guidance contained a separate section on best practices in this area.  The new guidance has removed the section, incorporating references to vendor management best practices throughout the document.  This reflects the reality of the prevalence and importance of outsourcing in today’s financial institutions.

Examination Procedures (Appendix A)

  • The 2004 Handbook had 8 pages containing 9 examination objectives.  The new guidance is almost completely re-written, and has 15 pages containing 13 objectives.  Several of these new objectives deal with internal governance and oversight, and a couple address the enterprise-wide nature of IT management.  All areas have been greatly expanded.  For example, the objective dealing with IT controls and risk mitigation (Objective 12) consists of 18 separate examination elements with 53 discrete items that examiners must check.


In summary, the updated Handbook represents a significant evolution in both the breadth and depth of IT management requirements.  It will set the standard for IT management best practices for both examiners and institutions for some time to come, and should be required reading for all Board members, CEOs, CIOs, ISOs, and network administrators.

07 Jan 2014

A Look Back at 2013…and a Look Ahead – Part 1 (charts edition)

One thing that’s clear from the examination feedback I’ve received from financial institutions in 2013 is that examiners are spending less time in their safety & soundness examinations on the CAMELS “C”, “A”, & “L” (capital, asset quality and liquidity) issues, and more time on the “M” & “E” (management and earnings) issues.  (There was some additional guidance released on the “S” issue by the FDIC in October, but so far we haven’t seen “sensitivity to interest rates” become a big deal for examiners.)

I’ve taken a deep dive into the 2013 FDIC financial institution data, and the following charts explain why I believe the trend towards less C, A & L, and more M & E scrutiny will continue.  The first chart is a count of total failed institutions per year since 2007:

So 2013 saw a return to pre-crisis levels of bank failures, which, while still somewhat high by historical standards, definitely reduced the pressure somewhat.  In the next graph I plot the number of “problem banks” (defined here) over the same period, which should give us some indication of the overall health of the banking industry:

As you can see, problem banks are not quite at pre-crisis levels but do show a definite downward correlation with bank failures, and I believe we’ll see that trend continue.

This next chart depicts average net operating income (left scale) against total count of unprofitable institutions (right scale):

As you can see, both indicators are trending in the right direction, which should indicate a continued de-emphasis on C, A & L in future examinations…and increased earnings pressure.  Notably however, smaller institutions are likely to face more earnings scrutiny than larger institutions, because although they did not experience the same level of losses early on as larger institutions, they are also taking longer to return to profitability:

So how will all of this impact institutions going forward?  If you’ve had a federal examination in the last 6-9 months you’ve probably already heard some variation of the following from your examiner: “Great, your problem assets are under control, now why aren’t you profitable (or more profitable)?”  (Of course at this point you might be tempted to mention things like increased deposit insurance assessments, reduced fee income, and increased regulatory burden, but you know it won’t matter…)  So certainly the increased focus on “E” will continue, but because the number of institutions still losing money is inversely proportional to size, the smaller you are the more “E” scrutiny you’re likely to get.

However, regardless of asset quality or earnings, I believe that “M” will increasingly take center stage in 2014, because at the end of every banking crisis since 1980 there has been a post-mortem analysis of the causes and the regulatory gaps that should be addressed going forward.  And that always leads back to “M”, because ultimately regulators believe that all problems facing financial institutions should have been foreseen and avoided by competent management taking a more active role in the affairs of the institution.  More on that, and how to prepare for it, in a future post.

19 Dec 2011

2012 Compliance Trends, Part 3 – Management

I’ve written about the importance of this before, and from many different angles, but I want to recap and explain why I think management (both IT and enterprise) will be an area of increased regulatory focus in the year ahead.  To recap my criteria for inclusion in the “2012 Trends” list, it must have a basis in:

  1. Recent audit and examination experience,
  2. Regulatory changes, and/or
  3. Recent events.

Management, or, as it is sometimes referred to, governance, is defined by the FFIEC in the IT Examination Management Handbook as:

“…an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”

And…

“Due to the reliance on technology, effective IT management practices play an integral role in achieving many goals related to corporate governance.”

So regulators have always considered IT management critical, and most institutions address that obligation by assigning responsibility for day-to-day management of IT to a committee, such as a technology or IT Committee.  In recent examinations we have seen regulators ask specifically to see committee minutes, looking for things such as discussion of vendors before they are approved, and discussion of new technology before it is implemented.  They want to know that the institution considered the strategic value of the vendor and the new technology prior to approval.  Was the decision to approve consistent with (in alignment with) the overall goals and objectives of the strategic plan?  Can you document that?

Effective management of IT has significance way beyond just IT and strategic alignment though, after all…

“…IT management is an essential component of effective corporate governance and operational risk management.”

An institution that fails to demonstrate that it can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide.  I further explained this here, and examiners agree.  Consider this…the two most often repeated statements in FDIC enforcement orders this year are for the institution to “have and retain qualified management”, and for the Board of Directors to “increase its participation in the affairs of the Bank”.

For all these reasons I believe the CAMELS “M” will be in the minds of examiners.  So how can you prepare?  In a word, reporting.  Take a look at the following illustration:

Once the overall strategy has been communicated top-down (left side), reporting (right side) will document that the strategy has been successfully incorporated into the policies and procedures of the organization, and (most importantly) that day-to-day practices abide by those policies and procedures.  Implementing an internal self-assessment program can be a very effective way of both communicating strategy and documenting compliance.  Use automated controls and monitoring (like this for example), and employ outside expertise whenever possible.