Exam tide shifts to tech risk management (June 2010)
The exam tide is changing
Just when you thought examinations might get easier, regulators are shifting their sights to technology risk management
By Dan Fisher
To judge from recent comments from bankers, expectations with regard to technology exams are beginning to take on a new intensity.
Resources that were dedicated previously to the review of credit and liquidity issues are now starting to be redirected toward technology exams as economic conditions moderate.
No one can deny that poor risk management was one of the major contributors to the financial crisis that the industry is currently exiting. The question is: Does risk management only relate to derivatives, subprime mortgages, and commercial real estate concentrations? Definitely not!
Managing risk has taken on new meaning. Its scope has broadened, and everyone in the industry should be concerned with how it applies to IT, given the extensive and increasing reliance on technology in banks today.
No longer can executives remain at arm’s length when it comes to making technology business decisions. The regulators are forcing the issue. The Federal Financial Institutions Examination Council, in its updated examination handbooks, is asking specific questions about the participation of executive management and the board of directors in the technology planning and decision process. An example of this can be found in the new Retail Payment Systems Information Technology Examination Handbook. Issued Feb. 25, 2010, its examination procedures contain the following points:
• Obtain and review the financial institution’s strategic plan for the implementation of Remote Deposit Capture (p. 60);
• Review board minutes involving the discussion and approval of RDC implementation. Note date of approval (p. 60).
Examiners are asking for this, and more, now. Banks will continue to see more of this theme as the FFIEC handbook update process continues.
The issue has to do with the virtual banking presence that technology has enabled. Simply stated, electronics not only improves service and product offerings, but has brought the concept of an all-electronic financial institution, internally and externally, closer to reality. Commerce and banking are increasingly mobile and remote, with relationships moving from the bank lobby to the desktop of the commercial customer, the laptop of the consumer, and even the hip, where most cell phones reside until needed.
Electronics is altering the traditional customer relationship, formerly known as "drop by the branch and get to know us," with a rapidly emerging social networking presence. And while the basis of banking relationships is changing, bank risk management practices have in large measure remained traditional. They have not kept up with an understanding of what the real risks to the institution are and how to manage them. Let's face it, most bankers were hoping to retire before they had to change, but technology, and regulators' new focus on risk, changed all that.
Batch reports vs. real-time use
The FFIEC's eleven IT exam handbooks range from Audit to Wholesale Payment Systems. Most of them have not been updated since 2003 and 2004, with several exceptions: the Information Security handbook in 2006, the Business Continuity Planning handbook in 2008, the Retail Payment Systems handbook referenced earlier, and the BSA/AML examination manual updated this April.
Six years is a long time in the technology world, even for a desktop computer, let alone for broader technology trends and how they affect the enterprise. Looking back on even just the last four years, a great deal has changed with regard to technology. In the context of technology trends, the handbooks are clearly behind except for the most recent updates. More importantly, the use of technology in banking continues to move into spaces that few anticipated, which means traditional approaches to risk management no longer fit and are less effective.
In an electronic, real-time world, for example, using month-end reports to review customer activity is not consistent with the behavior of technology-savvy customers, particularly when a financial institution provides current-day availability through internet products. The customer can be in and out several times during the banking day.
The assessment is a simple one: if your organization has increased the use of technology both internally and externally over the last four to six years without materially changing your risk management and monitoring programs, your risk is increasing at an alarming rate. A lot can happen during the day and institutions need to establish mechanisms that can monitor and intervene in the midst of a rapidly changing set of circumstances, and in a context that is consistent with the technology installed.
Batch reports that summarize real-time activity are a problem, to say the least.
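The contrast drawn above, in code: the same day of online-banking activity is fed once to a month-end style aggregation and once to an intraday monitor that evaluates each event as it arrives and can place a hold before the next transfer goes out. This is an added illustration, not code from the article, the FFIEC handbooks, or any institution. The events, the thresholds (a 10-minute window, more than three outbound transfers, more than $5,000 outbound in the window) and the actions ("challenge", "hold", "blocked") are all assumptions chosen for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int         # seconds since midnight, in arrival order
    kind: str       # "login", "deposit" or "transfer_out"
    amount: float   # 0.0 for logins
    src_ip: str


# Constructed sample: one customer's online-banking day. Made-up events,
# not data from the article or from any institution.
EVENTS = [
    Event(9 * 3600 + 2 * 60, "login", 0.0, "203.0.113.10"),
    Event(9 * 3600 + 5 * 60, "deposit", 2500.0, "203.0.113.10"),
    Event(13 * 3600 + 40 * 60, "login", 0.0, "198.51.100.7"),
    Event(13 * 3600 + 41 * 60, "transfer_out", 1900.0, "198.51.100.7"),
    Event(13 * 3600 + 43 * 60, "transfer_out", 1900.0, "198.51.100.7"),
    Event(13 * 3600 + 46 * 60, "transfer_out", 1900.0, "198.51.100.7"),
    Event(13 * 3600 + 48 * 60, "transfer_out", 1900.0, "198.51.100.7"),
]


def month_end_summary(events):
    """The batch view: totals only, with no notion of sequence or timing."""
    deposits = sum(e.amount for e in events if e.kind == "deposit")
    outbound = sum(e.amount for e in events if e.kind == "transfer_out")
    return {
        "logins": sum(1 for e in events if e.kind == "login"),
        "deposits": deposits,
        "outbound": outbound,
        "net": deposits - outbound,
    }


class IntradayMonitor:
    """Evaluates each event as it arrives and can intervene on the spot.

    Thresholds are illustrative assumptions, not values from any handbook.
    """

    def __init__(self, window_s=600, max_transfers=3, max_outbound=5000.0):
        self.window_s = window_s
        self.max_transfers = max_transfers
        self.max_outbound = max_outbound
        self.recent = deque()      # (ts, amount) of outbound transfers in the window
        self.known_ips = set()
        self.held = False
        self.alerts = []           # (ts, rule, detail)

    def _trim(self, now):
        # Drop transfers that have aged out of the sliding window.
        while self.recent and now - self.recent[0][0] > self.window_s:
            self.recent.popleft()

    def observe(self, ev):
        """Return the action taken for this event: allow, challenge, hold or blocked."""
        if ev.kind == "login":
            if self.known_ips and ev.src_ip not in self.known_ips:
                self.alerts.append((ev.ts, "new_ip", ev.src_ip))
                self.known_ips.add(ev.src_ip)
                return "challenge"     # e.g. step-up authentication
            self.known_ips.add(ev.src_ip)
            return "allow"

        if ev.kind != "transfer_out":
            return "allow"

        if self.held:
            return "blocked"           # account already on hold today

        self._trim(ev.ts)
        self.recent.append((ev.ts, ev.amount))
        count = len(self.recent)
        total = sum(a for _, a in self.recent)
        if count > self.max_transfers:
            self.alerts.append((ev.ts, "velocity", count))
            self.held = True
        if total > self.max_outbound:
            self.alerts.append((ev.ts, "amount", total))
            self.held = True
        return "hold" if self.held else "allow"


def run_intraday(events, **thresholds):
    """Replay events through a fresh monitor; return per-event actions and alerts."""
    mon = IntradayMonitor(**thresholds)
    actions = [mon.observe(e) for e in events]
    return actions, mon.alerts


if __name__ == "__main__":
    print("month-end:", month_end_summary(EVENTS))
    actions, alerts = run_intraday(EVENTS)
    for e, a in zip(EVENTS, actions):
        print(f"{e.ts // 3600:02d}:{(e.ts % 3600) // 60:02d} {e.kind:<13} {e.amount:8.2f} -> {a}")
    print("alerts:", alerts)
```

The month-end view reduces the day to a net figure of -5,100 with two logins, which nothing in a batch report would flag. The intraday monitor sees the afternoon login from an address the customer has not used, challenges it, and then places the account on hold at the third outbound transfer, when the ten-minute total passes the threshold, so the fourth transfer never leaves. Thresholds and actions are deliberately simple; the point is that intervention is only possible when the monitoring cadence matches the cadence of the channel.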
Updated handbooks send clear signals
It is important to note that the two most recently updated FFIEC handbooks have a lot in common when it comes to technology. The expected attention that an organization needs to spend on the details associated with due diligence, management understanding, and engagement in the decision-making process is substantial. In addition, a specific and well-defined objective pertaining to the implementation of the product or service, and the clear expectation with regard to a comprehensive and effective risk management program reaches right into the board room.
The examination procedures of each updated handbook contain specific review criteria that determine whether the organization has identified both the applicable risk factors for the activity and the risk mitigation steps that can be employed, and whether it has actually assessed the risks. These risk elements figure prominently in both handbooks and clearly signal what the updates of the other manuals will contain.
Moving forward, every member of the management team, from the CEO to a supervisor, should expect significantly increased IT exam intensity. Technology decisions can no longer be a perfunctory rubber-stamp process.
Make no mistake about it, the FFIEC expectations are clear with regard to the executive team and the board: Become engaged, make a plan, understand the risks and benefits of the technology, make an informed decision, and document your decision. Nothing less will suffice.
The electronic version of this article available at: http://www.nxtbook.com/nxtbooks/sb/ababj0610/index.php?startid=22
TechTopics Plus