The advances in technology over the past several decades have been breathtaking. Particularly so for a “seasoned” lawyer who well remembers the days when copiers were filled with vats of chemicals that had to be frequently replenished only to produce wet copies that had to be hung up to dry and seemed to be printed with disappearing ink. And let us not forget the Dictaphones with their blue celluloid belts that could not be erased, causing the hapless secretary to plod on through your mistakes, only to learn of them after they had been typed. That great invention, White Out, eased their pain somewhat, but one could not paint over whole paragraphs even with this miraculous substance. In those days, bank transactions were all “paper based,” as we now call it, which delighted the auditors and enabled them to stalk miscreants through reams of paper records.
Audit trails are much harder to find these days, when electronic imaging systems are making paper records obsolete. Many of the traditional audit and security controls for paper-based systems may be reduced or absent in electronic document workflow. New controls must be developed and designed into the automated process to ensure that the information in image files cannot be altered, erased, or lost.
Potential problems arising out of the use of electronic imaging systems pale in comparison with the chamber of horrors conjured up by the notion of bank transactions taking wing on the Internet. To quote from an FDIC issuance: “The Internet offers financial institutions a wide array of opportunities to access resources and to deliver information, products, and services. However, the principal benefits of Internet access, namely its global reach and open architecture, also present significant security risks.” The FDIC then goes on to point out the many risks involved and to discuss possible solutions. The regulators also have warned of a number of other potential risks involved in the use of certain technologies, including large-scale integrated software systems and client/server computer systems.
What does all of this have to do with bank directors? A lot, so it would appear from various pronouncements from the bank regulators. Take, for example, the client/server computer systems. According to the Federal Financial Institutions Examination Council (FFIEC), “It is the responsibility of the board of directors of financial institutions to develop and adopt appropriate policies, practices, or procedures covering management’s responsibilities and controls for all areas of client/server computing activities.” FFIEC also has stressed the importance of board oversight of large-scale integrated software systems. Last June, the agencies comprising FFIEC published in the Federal Register a proposed revision of the Uniform Rating System for Data Processing operations, the name of which is to be changed to “Uniform Rating System for Information Technology.” One of the components evaluated is management. Under the proposal, sound management practices are demonstrated through “active oversight by the board of directors and management, competent personnel, sound IT plans, adequate policies and standards, an effective control environment, and risk monitoring.” (Emphasis supplied.)
The OCC has issued a separate bulletin outlining the primary risks related to banks’ use of technology and describing a risk management process for how a bank should manage these risks. Here, again, board involvement is required. The bulletin states: “The OCC will evaluate whether senior management has sufficient knowledge and skills to manage the bank’s use of technology and whether senior management and the board of directors are sufficiently engaged in the planning process to manage the bank’s technology-related risks.”
How many bank boards include members knowledgeable about technology matters? Probably precious few. Traditionally, directors have been chosen from among business and community leaders. Today, there should be at least one director who is wise in the ways of technology. It is not the role of the board to micromanage the bank, but the members need to know enough about the bank’s business and operations to be able to ask the right questions. If no director has any expertise in technology, the board will be ill-equipped to fulfill its responsibilities with respect to technology, as outlined by the bank regulators. The tendency of the typical board member has been to leave technology issues to the bank’s experts. Given the enormous impact technology has on the success or failure of a bank today, directors can no longer afford to doze off when technology issues are on the table.