
22 Feb 2011

Management of IT reflects overall management

(This is an extract from an article written for Bank Technology News.  The full article is here.)

One of the reasons compelling the shift towards increased focus on IT is found in the only non-financial element in the CAMELS ratings: management. Post-mortem reports on the failures of both Washington Mutual and IndyMac placed the blame equally on management for pursuing overly aggressive growth strategies, and on the regulator (OTS) for its inability to effectively identify and assess the risks. The OTS was a regulatory casualty of Dodd-Frank, and I think we can expect (and rightly so) increased focus on all governance issues going forward. But how does that translate into increased IT focus?

There are twelve factors that go into the CAMELS management rating component, and one of them is a measure of how well the institution manages its information systems. In addition to that, the FFIEC makes it clear in its IT Examination Handbook on Management that

“…effective IT management practices play an integral role in achieving many goals related to corporate governance. The ability to manage technology effectively in isolation no longer exists. Institutions should integrate IT management into the strategic planning function of each line of business within the institution.”

And regarding the relationship between IT and strategic planning:

“…an institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success.”

Clearly IT is so pervasive throughout financial institutions that no enterprise-wide assessment of management and governance is complete without a thorough review of IT. It also stands to reason that an institution that cannot demonstrate that it can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide.

Bottom line…more scrutiny of management equals more scrutiny of IT, and deficiencies in IT can lead to lower CAMELS scores. Solution? Implement a formal IT management process built around a dedicated committee. Use a standardized agenda, assigning follow-up items to responsible parties with specific time-frames for resolution. Involve ALL functional units in the committee, and regularly report status updates to the Board.

Then take this same model and apply it to the rest of the organization!

31 Jan 2011

OTS Using New IT Examination Questionnaire

I’m not sure if this is being used across the board for all OTS exams, or just regionally, but the new pre-examination form (officially called PERK, or Preliminary Examination Response Kit) is significantly more comprehensive than before. It’s 10 pages in length, and has the following 11 categories:

  • Audit (11 questions)
  • Management (8 questions)
  • Development & Acquisition (14 questions)
  • Outsourcing (7 questions)
  • Operations (8 questions)
  • Business Continuity Planning (6 questions)
  • Information Security (20 questions)
  • EBanking (12 questions)
  • Remote Deposit Capture (20 questions)
  • Wholesale Payment Systems (8 questions)
  • Retail Payment Systems (14 questions)

If these categories look familiar, they should…they are the 12 FFIEC IT Examination Handbooks, plus RDC (less Supervision of Technology Service Providers). All the OTS has done is take the Handbooks and extract a few questions from Appendix A (Examination Procedures) of each one.

The institution that received this new exam questionnaire format is about $1B in size, and it could be that it’s only being used for larger institutions. But given that I had previously predicted an overall increase in the level of IT scrutiny, it may also be the start of a trend.

What OTS institutions can do in the meantime is become familiar with the Tier I Examination Procedures in the back of all of the IT Examination Handbooks. Prepare by using them as your own pre-exam checklist (see this). Are you seeing more detailed examination questionnaires? Let me know!

23 Oct 2010

Dodd-Frank and agency consolidation

Although the specific requirements and burdens of the almost 250 regulations and more than 2000 pages in the Dodd-Frank Act are yet to be clearly defined, one of the major provisions of immediate interest to financial institutions is the elimination of the Office of Thrift Supervision (OTS). The OTS operations will be merged into the Office of the Comptroller of the Currency (OCC), which will have an immediate impact on thrift-chartered banks as they adapt to the safety and soundness compliance requirements of the OCC. Specifically, the OTS regulatory responsibilities will be spread among other regulators: the Federal Reserve will regulate savings and loan holding companies, the OCC will regulate federal savings associations, and the FDIC will regulate state savings associations.

I believe that this consolidation, in combination with the memorandum signed between the FDIC and the other primary federal regulators, will lead to increased safety and soundness scrutiny across the board. All financial institutions, particularly those regulated by the OTS, are strongly encouraged to monitor regulatory activity closely over the next several months and take a proactive approach to pre-empt surprises during regulatory safety and soundness examinations.

09 Aug 2010

FDIC can now step in regardless of primary regulator (part 2)

Further to the previous post, the memorandum requires the FDIC opinion to prevail in the event that an institution’s PFR (primary federal regulator) CAMELS rating differs from the FDIC’s:

If the FDIC’s CAMELS ratings for an institution differ from a PFR’s assigned ratings, the FDIC is required to provide the PFR with an explanation of the basis for the FDIC’s position. In the event of a disagreement, the matter must be referred to the FDIC Director of the Division of Supervision and Consumer Protection (Director), or other designee, and the appropriate supervision official of the PFR. Any decision by the FDIC to use an assigned rating different than the PFR’s rating must be made by the Director (or other designee), after consultation with the Chairman of the FDIC.

Again, the best advice is to adopt the FDIC interpretation of FFIEC regulations, regardless of your PFR.

13 Jul 2010

FDIC can now step in regardless of primary regulator (part 1)

According to a memorandum of understanding just signed by all the primary federal regulators (FDIC, OTS, OCC and Fed), the FDIC now has the authority to step in whenever it feels the DIF (deposit insurance fund) is in jeopardy. Although this is primarily targeted at larger (>$10b) institutions, it also applies to smaller (<$10b) institutions, and to ANY threat to the DIF, not just under-capitalization (i.e. any safety and soundness concern).

There are several potential implications of this, but I think the primary one is that since the opinion of the FDIC examiner will prevail, all other primary regulators will follow its lead when it comes to interpretation of FFIEC guidance. We all know that certain regulators (FDIC) are more stringent than others (OTS, OCC) when it comes to both the interpretation of federal guidance and the way that is reflected in examination procedures.

Compliance officers would be well advised to be proactive by following FDIC examination procedures regardless of their primary regulator.

09 Jul 2010

DR/BCP Scrutiny – UPDATED

Auditors (and some FDIC examiners) are scrutinizing disaster recovery plans more closely, specifically looking to verify that the plan structure adheres to FFIEC guidance. We’ve definitely seen this regarding the Business Impact Analysis and the Risk Assessment, the first 2 phases specified by the guidance.

FFIEC DR Cycle

UPDATE: At least one regulator (OTS) is demanding that all Recovery Time Objectives (RTOs) be based on a methodical analysis of the tolerance for downtime for each process, and NOT simply a subjective value.