Hey Guru! Management is asking why we have to complete the FFIEC Cybersecurity Assessment Tool when it is voluntary. They feel it is too much work if it is not mandatory. I think it is still needed even though it is voluntary. Is there any documentation as to why it is still necessary for OCC […]
Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments
(NOTE: Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.) In this edition: The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC […]
FDIC Re-issues Service Provider Guidance
Originally released in 2001, the FDIC recently re-issued 3 publications related to managing outsourced relationships: Effective Practices for Selecting a Service Provider Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements Techniques for Managing Multiple Service Providers What struck me about this re-release, and the fact that they were released without modification of any […]
The OCC Sets a New Standard for Vendor Management…
…but will it become the new standard for institutions with other regulators? UPDATE – The answer is yes, at least for the Federal Reserve. Readers of this blog know that I’ve been predicting an increase in vendor management program scrutiny since early 2010. And although the FFIEC has been very active in this area, issuing […]
“Operational Risk Increasing”
In a recent speech to the Exchequer Club1, Thomas J. Curry, the new head of the OCC, stated that although asset quality has improved, charge-off rates have fallen, and capital now stands at its highest level in a decade, another type of risk is gaining increasing prominence; Operational Risk. “Some of our most seasoned supervisors, […]
Material Loss Reviews: Does responsibility = liability?
I asked in my previous post whether or not the regulators should share any of the blame when institutions fail, and if so, should they shoulder any of the liability? The thought occurred to me as I was reviewing some recent Material Loss Reviews. A Material Loss Review (MLR) is a post-mortum written by the […]
Dodd-Frank and agency consolidation
Although the specific requirements and burdens of the almost 250 regulations and more than 2000 pages in the Dodd-Frank Act are yet to…
FDIC can now step in regardless of primary regulator (part 2)
Further to the previous post, the memorandum requires the FDIC opinion to prevail in the event that an institutions’ PFR (primary federal regulator) CAMELS rating differs from the FDIC: If the FDIC’s CAMELS ratings for an institution differ from a PFR’s assigned ratings, the FDIC is required to provide the PFR with an explanation of […]
FDIC can now step in regardless of primary regulator (part 1)
According to a memorandum of understanding just signed by all the primary federal regulators (FDIC, OTS, OCC and Fed), the FDIC now has the authority to step in whenever they feel the DIF (deposit insurance fund) is in jeopardy. Although this is primarily targeted at larger (>$10b) institutions, it also applies to smaller (<$10b) institutions as well, and applies to ANY threat to the DIF, not just under-capitalization (i.e. any safety and soundness concerns)…