Is the FDIC’s IT Exam Effective?

Community banks may be in for a surprise the next time their information technology and cybersecurity systems are examined by the Federal Deposit Insurance Corp.

The agency is undertaking a number of changes to the exam it uses to assess IT systems and controls at supervised banks, after a report from the agency’s Office of the Inspector General in January found weaknesses that could miss or underestimate risk at examined institutions. Advisors and the OIG have warned that FDIC-examined banks might need better protections beyond what the FDIC’s IT exam requires.

“Until the FDIC addresses these weaknesses, there is a risk that IT and cyber risks at banks will not be identified or adequately mitigated or addressed. As a result, financial institutions may be more susceptible to [cyberattacks] and threats,” the OIG wrote.

FDIC’s IT exam, called the IT Risk Examination or InTREx, was implemented in 2016 and updated in 2019. The ratings a bank receives on this exam feed into the management component of the CAMELS rating, which stands for capital, asset quality, management, earnings, liquidity and sensitivity to market risk. The CAMELS rating carries a number of implications for banks, including determining their deposit insurance assessment.

The FDIC’s OIG found that the InTREx program is outdated: It doesn’t reflect current or updated federal guidance and frameworks in three of the exam’s four core modules. For example, InTREx was developed using a cybersecurity framework from the National Institute of Standards and Technology (NIST) that came out in 2014. That framework was updated in 2018, but those changes aren’t reflected in the program, according to the OIG.

“The evolving nature of IT and cyber risks underscores the need for timely updates to examination procedures for the InTREx program. Without an effective process to update the InTREx program, the FDIC cannot ensure that its examiners are applying current IT guidance to assess all significant risks,” the OIG wrote. “The lack of an effective process also increases the potential that banks may be operating in IT environments with unidentified and unmanaged risks.”

The OIG also audited a sample of exam findings and found instances where examiners didn’t complete the InTREx exam procedures and decision factors required to support their findings and subsequent ratings. The office wrote that these shortcomings indicate that examiners may not be making accurate assessments of bank IT risks, or that banks may not be receiving accurate or fully documented exam findings or composite ratings.

Small banks that use their exam findings to direct IT investments may be surprised if the FDIC updates the exam. They can’t rely on the exam to be the only “trustworthy rudder” that guides their programs, says Joshua Sitta, CIO and founder of cybersecurity firm Sittadel. And an updated InTREx program could lead to examiner findings that could adversely impact a bank’s management score in their CAMELS rating.

“If you feel like your bank is operating within your risk appetite and you’re using the InTREX score to evaluate that, you’re running a bank [with risk] that is much higher than your risk appetite,” he says.  

The OIG audit contains 19 recommendations for the FDIC, including updating the program, ensuring examiners follow the procedures as intended and reviewing and applying new threat information regularly. The FDIC concurred with the majority of the OIG’s recommendations and proposed corrective action that should be completed by the end of the year. However, the OIG determined that on five recommendations, the FDIC’s proposed actions didn’t satisfy the recommendations. The FDIC didn’t return requests for comment for this article. 

The OIG’s report led audit and consulting firm Plante Moran to issue guidance this spring that encouraged banks to be proactive in testing for cybersecurity threats and to keep up with the changing IT landscape.

But that can even create challenges during InTREx exams. Colin Taggart, a principal at Plante Moran who provides cybersecurity consulting and authored the spring client notice, has heard of “pain points” from bank clients whose systems are more robust, modern or updated in certain areas beyond the scope of InTREx, but who receive feedback based on the older exam materials.

That tension also came up in banker feedback to the FDIC’s ombudsman, according to the 2022 annual report: “Some bankers reported that examiners did not sufficiently understand the processes, risks, and controls related to their bank’s technology programs. In the bankers’ opinions, this led to unwarranted criticisms and inappropriate supervisory recommendations,” the ombudsman wrote.

Cybersecurity is a perennial focus of risks for banks, with 83% of respondents to Bank Director’s 2023 Risk Survey saying their cybersecurity risk concerns increased somewhat or significantly year-over-year. Almost 90% say their bank had conducted a cybersecurity assessment in the past 12 months; the median budget for cybersecurity in 2023 was $250,000.

This focus on cybersecurity underlines that banks are responsible for making sure they have safe and sound practices. Taggart and Sitta both recommend that FDIC-examined banks work with third parties to assess their IT frameworks and cybersecurity. Taggart recommends banks pay special attention to systems that have undergone changes in the last 5 to 7 years, including digital channels, wireless networks and policies around employees using personal devices for work, among others.

Banks should also consider incorporating guidance from organizations like the Federal Financial Institutions Examination Council and NIST that has been updated in the years since InTREx was created. Several resources that the OIG, Taggart and Sitta reference include:

What to Know About Cannabis Banking in 2022

The cannabis industry is growing exponentially, and nationwide sales are estimated to exceed $30 billion in 2022.

This growth comes with extraordinary opportunities for banks to offer services to the still largely unbanked and underbanked cannabis industry. Board members and C-suite executives cannot afford to ignore the potential impact of cannabis on their bank in 2022, whether they are banking it or not. Here are some trends that the industry should be on the lookout for.

More states will legalize marijuana in 2022
The website Ballotpedia is tracking over a dozen proposed marijuana legalization initiatives as of September. These include attempts to legalize marijuana for medical purposes in Wyoming, Idaho and Mississippi, medical and adult uses in Nebraska and adult recreational uses in Arkansas and Ohio. Any kind of legalization in Nebraska would be significant; it is currently the only state with no loosened legal restrictions on marijuana possession or use. Banks located in states without a legal marijuana program, adult or medical, may see that change by the end of 2022 and need to start planning now for how this could affect their bank.

Marijuana licensing and sales will begin in states that legalized or expanded their programs in 2021.
Marijuana-related business (MRB) licensing and sales don’t begin the day after it’s legalized. A governor’s signature is just the first step. Legalization requires months of work by a newly appointed marijuana regulatory authority to develop the actual regulations — the infrastructure — that make licensing and sales possible. Expect 2022 to finally see sales in states that legalized marijuana in 2021.

There’s no guarantee that any federal marijuana legislation will pass in 2022.
There are currently two major proposed bills that would loosen federal policy towards marijuana: the Secure and Fair Enforcement Banking Act (SAFE Banking Act) and the Cannabis Administration and Opportunity Act (CAO Act).

The most attractive to banks is the SAFE Banking Act, which would ensure federal regulators could not take adverse action against banks that provide services to state-legal MRBs. It would also require the Federal Financial Institutions Examination Council to establish uniform exam guidelines for evaluating marijuana banking programs. This legislation passed the House of Representatives by a comfortable margin in 2020 and again in 2021, but has yet to make it to the Senate floor for a vote.

Senate leadership has made it clear that passage of the CAO Act is their priority, with Sen. Cory Booker (D-NJ) going so far as to say, “I will lay myself down to do everything I can to stop an easy banking bill […] as opposed to focusing on the restorative justice aspects.” There’s been another attempt in the House to push through the SAFE Banking Act as an amendment to the National Defense Authorization Act but there’s no guarantee this will be included in the final version of the bill. As a result, banks shouldn’t count on the SAFE Banking Act passing in 2022, with Senate leadership focused on the CAO Act.

In 2022, cannabis banking will move from “nice to have” to “unavoidable.”
Something new we’ve seen this year is that an increasing number of institutions are building cannabis banking programs because they risk losing high-worth customers if they don’t. For instance, a bank in the Midwest was approached by a member of a prominent farming family that had decided to start growing marijuana. They were upfront about their plans and made it clear that, despite a multi-generational relationship with the bank, they were prepared to go elsewhere if necessary.

We saw something similar in the South: a major customer decided to pivot from growing flowers in their greenhouses to marijuana, and the bank decided to release their marijuana restrictions only after they lost a good part of their customer’s business to a cannabis-friendly competing financial institution. Banks risk losing valuable customers in 2022 if they do not establish cannabis banking programs.

Due to a combination of widespread destigmatization, a steady march of state-by-state legalization and the immense business opportunity of this industry, an increasing number of banks are building lines of business to benefit from this market — or at the least, avoid losing customers to it.

To learn more about what this industry will look like in 2022, and the financial modeling and risk assessment behind successful programs, click HERE.

Risk, Business Continuity Planning: Trends and Lessons from Covid-19

The Covid-19 pandemic has introduced unprecedented strains to the economy, enhancing concerns about credit risk and pressuring lenders’ ability to serve their borrowers.

Cybersecurity and other risk environments have also evolved, following government-mandated work from home models. These shifts are prompting bank leaders to evaluate their business continuity plans and pandemic planning initiatives to ensure they’re putting safety and efficiency first.

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, was conducted in January before the U.S. economy felt the full effect of the coronavirus. Yet, insights derived from this annual survey of bank executives and board members help paint a picture of how the industry will move forward in a challenging operating environment.

Credit Risk
Most community banks have issued loans through the Paycheck Protection Program (PPP), the Small Business Administration loan program created under the Coronavirus Aid, Relief and Economic Security (CARES) Act passed in late March. These loans, which may be forgiven if borrowers meet specified conditions, allowed small businesses to retain staff, pay rent and cover identified operating expenses.

However, it’s likely that businesses will seek additional credit sources as the economy restarts. The lapse in business revenue generation will pose significant underwriting challenges for banks.

More than half of respondents in the 2020 Risk Survey revealed enhanced concerns around credit risk over the past year, while 67% believed that competing banks and credit unions had eased underwriting standards.

While there’s no way to determine what the future holds, near-term lending decisions will likely occur amid an uncertain economic recovery. There are some important questions institutions should consider when determining their lending approach:

  • How will our organization evaluate lending to businesses that have been closed due to the coronavirus?
  • Should a pandemic-related operational gap be treated as an anomaly, or should lenders consider this as they underwrite commercial loans?
  • What other factors should be considered in the current environment?
  • How much bank capital are we willing to put at risk?

Cybersecurity
Directors and executives who responded to the survey consistently indicate that cybersecurity is a key risk concern. In this year’s survey, 77% revealed their bank had placed significant emphasis on increasing cybersecurity and data privacy in the wake of cyberattacks targeting financial institutions, such as Capital One Financial Corp.

With more bank staff working remotely, cyber risks are even greater now. Employees are also emotionally taxed with concerns about their health, family and jobs, increasing the risk for errors and oversights. Unfortunately, the COVID-19 pandemic presents cybercriminals with a ripe opportunity to prey on individuals.

Business Continuity
In the survey, respondents whose bank had weathered a natural disaster within the last two years were asked if they were satisfied with their institution’s business continuity plan. The majority, or 79%, indicated they were.

However, the Covid-19 pandemic isn’t a typical natural disaster. Although buildings haven’t been destroyed, companies are still experiencing significant disruption to their normal operations — if they’re able to operate at all.

These circumstances, coupled with expanding technology and bank operations increasingly moving to the cloud, will likely lead to further changes in business continuity planning.

Remain Flexible
In an interagency statement released a week before the World Health Organization declared the Covid-19 outbreak a pandemic, federal regulators reminded depository institutions of their duty to “periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.”

The Federal Financial Institutions Examination Council also updated its pandemic guidance, noting the need for a preventative program and documented strategy to continue critical operations throughout a pandemic.

Since that time, banks have encouraged customers to broadly adopt digital platforms and, when necessary, serve customers in person through drive-through lines or by appointment to reduce face-to-face contact. Bank employees wear masks and gloves, branches are cleaned frequently and, where possible, staff work remotely.

Gain Insights
The pandemic is a real-world tabletop exercise that can provide important takeaways about the effectiveness of an organization’s business continuity plan. It’s important for organizations to take advantage of this opportunity.

For example, there could be another wave of Covid-19 later this year; alternately, it could be years before we see an event similar to what we’re experiencing. Either way, your bank must consider the potential consequences of each outcome and have a plan ready. Reviewing your organization’s business continuity plans and initiatives can help reveal opportunities to move forward with confidence, despite challenging operating environments.

Coronavirus Strategies, Considerations for Banks

Over the past two weeks, we have received numerous inquiries from financial institutions on what actions should be taken or considered to address the COVID-19 (new coronavirus) pandemic. While the current situation is evolving each day, we have engaged in numerous discussions with banks on various strategies and considerations that are being reviewed or implemented during this uncertain time.

Business Continuity Plan

Every financial institution should have implemented pandemic planning contingencies contained in its business continuity plan. In response to the burgeoning public health crisis, the Federal Financial Institutions Examination Council issued revised guidance on March 6 on how to address pandemic planning in a bank’s business continuity plans. The revision updates previous guidance issued in response to the avian flu pandemic of 2007.

Although there are no substantive updates contained in the revised Pandemic Planning Guidance, the FFIEC’s update reiterates and emphasizes the importance of maintaining a pandemic response plan that includes strategies to minimize disruptions and recover from a pandemic wave. The updated guidance states that banks should consider minimizing staff contact, encouraging employees to telecommute and redirecting customers from branch to electronic banking services. We anticipate that regulators will review an institution’s utilization of its business continuity plan at upcoming safety and soundness examinations.

Branch Operations

Based on our discussions, we believe that many banks have taken or plan to take actions related to their branch operations. Below is a summary of various actions that a bank may wish to take regarding its branch operations.

Branches Remain Open, with Caveats. A number of banks have elected to close branch lobbies and direct customers to utilize drive-up facilities, walk-up teller lines and ATMs where possible. In addition, they are also directing customers to their online platforms. Some banks are requesting that customers who require physical or in-person assistance, such as access to a safe deposit box, schedule an appointment with bank employees.

Branch Closures. To the extent a bank may be readying a branch closure strategy, below are federal and state requirements that must be satisfied.

Federal Requirements. On March 13, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve Board issued corresponding guidance addressing COVID-19’s impact on customers and bank operations indicating that they expect bank branch closures, or changes to branch hours. In such an event, they recommend that a bank (i) notify the applicable federal banking regulator as soon as practicable of the closure/change in bank hours, (ii) comply with any notice or filing requirements with applicable state banking regulators and (iii) place a customer notice on the front entrance of the impacted branch describing the reason for the closure and/or change in hours.

State Law Requirements. Closing lobbies and redirecting customers to drive-ups does not generally require a bank to obtain the approval of state banking authorities, but some state banking authorities have requested that banks provide notice of such changes. For example, Illinois-chartered banks seeking to fully close a branch or change branch hours must provide prior notice to the Illinois Department of Financial and Professional Regulation, Division of Banking, and obtain an official proclamation from the IDB under the Illinois Banking Emergencies Act (205 ILCS 610). In addition, the bank must post notice of the temporary closing or change in branch hours and the authorization for such change on the main entrance doors of the applicable branch.

ATM/Cash-On-Hand Strategies. In a push to increase customer traffic to ATMs and minimize direct customer contact, some banks have increased or plan to increase ATM daily allowable cash withdrawal limits. The size of the increase depends on the individual circumstances of the institution. Banks may experience greater cash withdrawal requests from depositors and may wish to keep higher levels of cash in their branch offices.

Regular and Periodic Cleaning of Branches. Each bank we spoke with also indicated that they have implemented enhanced periodic cleaning of their branches and offices. Some banks have indicated that “deep” cleanings are being completed on a weekly basis.

Employee Considerations

Flexible Work-from-Home Arrangements. We have also discussed with institutions the potential for implementing flexible work-from-home or telecommuting arrangements for specific business line employees. Whether or not this is a viable option for a specific institution depends on a number of specific circumstances: whether the bank’s information technology systems can support an increased number of employees utilizing the bank’s server remotely, whether each employee who remotely accesses the bank’s systems can do so in a confidential manner that protects the bank’s data, and whether there are geographic and business-line-specific considerations that prevent working remotely, among others. In any case, a bank should plan to test its IT systems and update policies prior to implementing such arrangements.

Utilization of Split-Staff and Split-Location Strategies. In addition, we’ve discussed split-staff and split-location strategies; a number of banks indicated that they are currently utilizing a split-staff strategy. Under a split-staff strategy, an institution staggers its employees on any given day. For instance, half of the institution’s employees come in on Monday, Wednesday and Friday, and the other half of the employees come in on Tuesday, Thursday and Saturday. The aim is that limiting employee interaction with customers on any given day allows a bank to maintain operations, on a much more limited basis, if only one group of employees is potentially exposed to COVID-19.

In addition, some institutions also indicated that they plan to utilize a split-location strategy, distributing staff across various branches and offices. If one location is potentially exposed to COVID-19, a bank’s operations can continue through its other locations.

Employee Training. Banks have also implemented staff training on how to properly interact with customers during this troubling time. Following guidance from the World Health Organization and Centers for Disease Control and Prevention, banks have implemented new procedures meant to limit physical contact (like prohibiting handshakes) and eliminating or reducing scheduled meetings.

Liquidity and Capital Considerations

During times of uncertainty and financial market volatility, like the financial crisis, banks have often found it difficult to enhance liquidity and raise additional capital when they may need it the most. Based on our discussions, we recommend that financial institutions review their current and near-term liquidity/capital strategies. Below are a few items to consider.

Subordinated Debt and Equity Issuances. Banks may need to weather a prolonged economic slowdown. Bankers agree that reviewing the firm’s capital strategies in uncertain times is a critical consideration to address any potential need to enhance immediate or near-term liquidity or to shore up capital. Other banks may also wish to review various alternatives available to issue debt for additional liquidity, to potentially refinance outstanding debt arrangements at lower rates, or to provide additional capital.

Lines of Credit. As lenders, banks are aware that their borrowers may be considering a draw down on existing lines of credit. Banks may also wish to consider potentially drawing down on their existing lines of credit (such as Federal Home Loan Bank advances or holding company lines of credit) as an effective tool to increase the holding company’s or bank’s liquidity. Before either drawing down any existing line of credit or utilizing the proceeds for any purpose other than increasing cash-on-hand, a bank should carefully review the covenants in the underlying loan agreements.

Securities Portfolio. Reviewing current strategies pertaining to an institution’s securities portfolio is also a consideration for banks. Many banks have built-in gains in their portfolio. Consequently, institutions are reviewing their portfolios to determine whether to realize existing gains to boost liquidity in the short term or maintain their current strategy to assist earnings in the longer term.

Stock Repurchase Programs. Many publicly traded banks have suspended their stock repurchase programs as part of a capital conservation strategy. While no bank has announced plans to cut dividends, now is the time to review contingency plans and consider when such action may be warranted.

Federal Reserve Discount Window. Bankers should also discuss potentially using the Federal Reserve’s short-term emergency loans dispensed through the discount window if necessary. While many institutions consider the discount window a last resort, and using it could signal dire financial straits, senior bank management should revisit their policies and procedures to ensure their institution can access the discount window should circumstances require it.

Importantly, on March 17, the Federal Reserve and eight of the largest financial institutions in the U.S. worked together to provide these large financial institutions access to the discount window. Largely symbolic, the actions are being viewed by banks as an effort to remove the stigma of accessing the discount window. Whether these coordinated efforts will be a success remains to be seen.

Stress Testing of Loans. We anticipate that many institutions will consider the need to begin stress testing their portfolios, and some already are. For some, stress testing may be centered on specific industries and sectors of the loan portfolio that may have been more substantially impacted by COVID-19 (such as hospitality/restaurants, travel, entertainment and companies with supply chains dependent upon China or Europe). For others, the entire loan portfolio may be tested, under the assumption it could be subject to pandemic-related stress.

Review Insurance Policies. Another consideration we’ve discussed with banks is the need to review in-place insurance policies for business disruption coverage to determine if they would cover matters resulting from the COVID-19 pandemic.

Assist Impacted Customers. Consistent with the recent guidance issued by the Fed, FDIC and OCC, banks are considering offering a variety of relief options related to specific product/service lines to customers. Some banks may waive late fees on loan payments or credit cards and others may waive ATM- and deposit-related fees. We expect these relief options will be limited to specific product and service lines, and to a certain period of time.

On March 19, the FDIC issued a set of Frequently Asked Questions for banks impacted by the coronavirus. The FAQs provide insight into how the FDIC, and potentially other federal banking regulators, will view payment accommodations, reporting of delinquent loans, document retention and reporting requirements, troubled debt restructurings, nonaccrual loans and the allowance for loan and lease losses. Banks should review the FAQs in connection with providing any financial assistance to impacted customers.

The items noted above should not be considered definitive or exclusive. A financial institution should carefully consider the above items, among others, and determine how to tailor any proposed changes to its operations in light of the very fluid circumstances surrounding the current COVID-19 pandemic.

Click here to review the March 13 OCC Bulletin 2020-15 (Pandemic Planning: Working With Customers Affected by Coronavirus and Regulatory Assistance).

Click here to review the March 13 FDIC FIL-17-2020 (Regulatory Relief: Working with Customers Affected by the Coronavirus).

Click here to review the March 13 FRB SR 20-4/CA 20-3 (Supervisory Practices Regarding Financial Institutions Affected by Coronavirus).

What Regulators Are Doing About Coronavirus

For the last few weeks, bank regulators have been gearing up their responses and preparations as the U.S. financial industry and broader economy confront the impact of the coronavirus pandemic.

On March 13, President Donald Trump declared a national state of emergency that freed billions in aid as cities and sectors grappled with the pandemic. The announcement capped off a tumultuous week of market freefalls and rallies, the cancelation of major sporting events, closed college campuses and the start of millions of Americans voluntarily and involuntarily quarantining and national social distancing. It remains to be seen how long the outbreak will last and when it will peak, as well as the potential economic fallout on businesses and consumers.

Already, the Federal Open Market Committee has lowered the federal funds rate twice; the most recent was a surprise 100-basis-point decline on March 15, to the range of 0 to 25 basis points. The Fed last lowered interest rates to near zero back in late 2008. The move is intended to support economic activity and labor market conditions, and the benchmark rate will stay low until the Fed is confident the economy has weathered recent events.

Additionally, the Fed announced it would increase its holdings of Treasury securities by at least $500 billion and of agency mortgage-backed securities by at least $200 billion.

Bank executives and directors must now contend with near-zero rates as they work with borrowers to contain the economic implications of the coronavirus.

“The adverse economic effects of a pandemic could be significant, both nationally and internationally,” the Federal Financial Institutions Examination Council wrote in recently updated guidance on how banks can minimize the adverse effects of a pandemic. “Due to their crucial financial and economic role, financial institutions should have plans in place that describe how they will manage through a pandemic event.”

The ongoing events serve as a belated reminder that pandemic preparedness should be considered as part of the board’s periodic review of business continuity planning, according to a March 6 interagency release. These plans should address how a bank anticipates delivering products and services “in a wide range of scenarios and with minimal disruption.”

The FFIEC’s guidance says pandemic preparation in a bank’s business continuity plan should include a preventive program, a documented strategy that is scaled to the stages of an outbreak, a comprehensive framework outlining how it will continue critical operations and a testing and oversight program. The plan should be appropriate for the bank’s size, complexity and business activities.

A group of agencies including prudential bank regulators are encouraging financial institutions to work constructively with customers in communities impacted by the new coronavirus, according to a statement released on March 9. They also pledge to provide “appropriate regulatory assistance to affected institutions,” adding that prudent accommodations that follow “safe and sound lending practices should not be subject to examiner criticism.”

The regulators also acknowledged that banks may face staffing and other challenges associated with operations. The statement says regulators will expedite requests to provide “more convenient availability of services in affected communities” where appropriate, and work with impacted financial institutions for scheduling exams or inspections.

The Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency highlighted more specific ways banks can work with customers in a set of releases dated March 13. Some of the suggested potential accommodations, made in a safe and sound manner and consistent with bank laws, include:

  • waiving ATM, overdraft, early time deposit withdrawal and late credit card or loan fees
  • increasing ATM daily cash withdrawal limits
  • reducing restrictions on cashing out-of-state and non-customer checks
  • increasing card limits for creditworthy borrowers
  • payment accommodations that could include deferring or skipping payments or extending the payment due date to avoid delinquencies and negative reporting if a disruption is related to COVID-19.

The OCC points out that lending accommodations for existing or new customers can help borrowers facing pressured cash flows, improve their ability to service debt and ultimately help the bank collect on the loans. It adds that banks should individually evaluate whether a loan modification would constitute a troubled debt restructuring.

The regulator also acknowledged that some banks with customers impacted by issues related to the coronavirus may experience an increase in delinquent or nonperforming loans, and says it will consider “the unusual circumstances” these banks face when reviewing their financial condition and weighing the supervisory response.

The FDIC specifically encouraged banks to work with borrowers in industries that are “particularly vulnerable to the volatility” stemming from COVID-19 disruption, as well as the small businesses and independent contractors reliant on those industries.

“A financial institution’s prudent efforts to modify the terms on existing loans for affected customers will not be subject to examiner criticism,” the FDIC wrote in its release.

Some of the largest and most dramatic regulatory accommodation related to the new coronavirus has come from the Federal Reserve, given its role in the funding market and its role overseeing large bank holding companies.

The Fed announced on March 12 that it would inject $1.5 trillion into the U.S. market for repurchase agreements over the course of two days. The increased purchases, which serve as short-term loans for banks, were not meant to directly stimulate the economy. Instead, they were done to “address the unusual disruption” in Treasury financing markets from the coronavirus and help ensure it would continue functioning properly.

The Fed also announced several more changes to accommodate banks on March 15. It is now allowing depository institutions to borrow from the discount window for as long as 90 days and is encouraging banks to use its intraday credit. It is explicitly encouraging banks to use their capital and liquidity buffers to lend to customers impacted by the coronavirus and lowered the reserve requirement ratio to 0%, effective at the start of the next reserve maintenance period on March 26.

For more information from the regulators, check out their websites:

FDIC: Coronavirus (COVID-19) Information for Bankers and Consumers
OCC: COVID-19 (Coronavirus)
Federal Reserve Board: Coronavirus Disease 2019 (COVID-19)
Conference of State Bank Supervisors: Information on COVID-19 Coronavirus and State Agency Nonbank Communication/Guidance on Coronavirus/COVID-19

How Risk Culture Drives a Sound Third-Party Risk Management Program


Risk culture plays a role in every conversation and decision within a financial institution, and it is the key determinant of whether a bank performs in a manner consistent with its mission and core values. Risk culture is the set of encouraged, acceptable behaviors, discussions, decisions and attitudes toward taking and managing risk.

Third-party risk management (TPRM) is a fairly new discipline that has evolved over the past few years from legacy processes of vendor or supplier management functions previously used by companies to manage processes or functions outsourced to third parties. A “third-party” now refers to any business arrangement between two organizations.

The interagency regulatory guidance (from the Federal Reserve Board, OCC, FFIEC and CFPB) says a bank cannot outsource the responsibility for managing risk to a third party, especially when additional risks are created. These risks may relate to executing the process or to managing the relationship.

The recent Center for Financial Professionals (CFP) Third Party Risk Management survey “Third Party Risk: A Journey Towards Maturity” underscored the importance of risk culture, given the resourcing dilemma that most organizations face. Getting top-down support and buy-in was an issue raised by respondents in the survey. One respondent stated, “The greatest challenge ahead is to incorporate third party risk management goals into the goals of the first line of defense.” Another respondent stated, “Challenges will be to embed this into the organization, including [the] establishment of roles and responsibilities.” In particular, TPRM teams found it challenging to get buy-in from the first line of defense for the management of cyber risk and concentration risk.

Effective TPRM can only be achieved when there is a risk-centric tone, at the top, middle and bottom, across all layers of the company. Clear lines of authority within a three-lines-of-defense model are critical to achieving the appropriate level of embeddedness, where accountabilities and preferred risk management behaviors are clearly defined and reinforced.

Root cause analyses of third-party incidents and risk events (including near-misses) should be used more fully by organizations to reinforce training and lessons learned related to the duties performed by the third party. Risk event reporting and root cause analysis allow leadership to identify and understand why a third-party incident occurred, identify trends in non-performance of service-level agreements with the third party, and ensure appropriate action is taken to prevent repeat occurrences arising from training, education or communication deficiencies.

Risk culture is paramount to achieving benefits from the value proposition of an effective and sustainable TPRM program, and also satisfies regulators’ use test benchmarks.

Roles and responsibilities must be clearly defined and integrated within a “hub and spoke” model for the second-line TPRM function, the first-line third-party relationship managers and their risk partners. Clearly, there is a need for financial institutions to (1) implement a robust training and communication plan to socialize TPRM program standards, and (2) ensure first-line relationship and business owners have been provided training.

Risk culture mechanisms that facilitate clear, concise communication are fundamental components for a successful TPRM program – empowering all parties to fulfill responsibilities in an efficient, effective fashion. The challenge of managing cultural and personnel change components cannot be underestimated. As a result, the involvement of human resources, as a risk partner, is critical to a successful resource model. With respect to cultural change, a bank should observe and assess behaviors with current third-party arrangements. The levels of professionalism and responsibility exhibited by key stakeholders in existing third-party arrangements may indicate how much TPRM orientation or realignment is required.

Key success factors to build a robust risk culture across TPRM include:

  • Clear roles and responsibilities across the three lines of defense and risk partners within the “hub and spoke” model for risk oversight.
  • Greater consistency of practices with regards to treatment of third parties. Eliminate silos.
  • Increase understanding of TPRM activities and policy requirements across the relationship owners and risk partners.

Indicators of a sound TPRM culture and program include:

  • Tone from the top, middle and bottom – the board and senior management set the core values and expectations for the company around effective TPRM processes from the top down; and front-line business relationship manager behavior is consistent from the bottom-up with those values and expectations. 
  • Accountability and ownership – all stakeholders know and understand core values and expectations, as well as enforcement implications for misconduct. 
  • Credible and effective challenge – logic check for overall TPRM framework elements, whereby (1) decision-makers consider a range of views, (2) practices are tested and (3) open discussion is encouraged.
  • Incentives – rewarding behaviors that support the core values and expectations.

Setting a proper risk culture across the company is indeed the foundation to building a sound TPRM program. In other words, you need to walk before you can run.

Shelter From the Cyber Storm


In 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber intelligence is a significant focus of the organization, alongside natural disasters such as the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Coordinating Council, in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure their customers’ accounts are safe should a cyberattack damage the bank’s data. If a bank is unable to recover from such an attack in a timely manner, the bank’s customers would still be able to access their accounts through another member financial institution. The data is encrypted and remains private, and there is no disruption in service for the customer.

Much like its parent organization, FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale and are determined by the size of the financial institution.

In this interview, Bank Director Director of Research Emily McCormick asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.

BD: The initiative helps member financial institutions store secure customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.
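The extract, format, encrypt and store process Silberstein describes for institutions running their own core processing can be illustrated in code. The following Go program is an added example written for this page; it is not Sheltered Harbor's specification or software, and the `Account` record layout, the `Vault` manifest and the `demo-vault-format-v1` label are assumptions standing in for the real standard format. It seals a constructed extract with AES-256-GCM, records a SHA-256 digest of the ciphertext in the manifest, and shows the restore path a backup institution would run, which refuses corrupt copies, wrong keys and record-count mismatches rather than silently restoring bad data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Account is a hypothetical stand-in for the standard record format the
// interview refers to; the real Sheltered Harbor schema is not reproduced here.
type Account struct {
	AccountID string `json:"account_id"`
	Customer  string `json:"customer"`
	Type      string `json:"type"`
	Balance   int64  `json:"balance_cents"`
}

// Vault is the stored artifact. The SHA-256 digest lets a restoring institution
// confirm the copy is intact before it touches the key; the AES-GCM tag inside
// the ciphertext detects tampering and use of the wrong key.
type Vault struct {
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
	Digest     string `json:"sha256"`
	Records    int    `json:"records"`
}

// vaultLabel is bound to the ciphertext as additional authenticated data so a
// vault sealed under one format version cannot be presented as another.
const vaultLabel = "demo-vault-format-v1" // assumed label, not a real identifier

// canonicalize puts the extract into a deterministic JSON form, sorted by
// account ID, so two extracts of the same data produce the same bytes.
func canonicalize(accounts []Account) ([]byte, error) {
	sorted := append([]Account(nil), accounts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].AccountID < sorted[j].AccountID })
	return json.Marshal(sorted)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal formats, encrypts and digests an extract of customer accounts.
func Seal(key []byte, accounts []Account) (*Vault, error) {
	plain, err := canonicalize(accounts)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per vault
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plain, []byte(vaultLabel))
	sum := sha256.Sum256(ct)
	return &Vault{Nonce: nonce, Ciphertext: ct, Digest: hex.EncodeToString(sum[:]), Records: len(accounts)}, nil
}

// Restore is what a backup institution would run: verify the digest, decrypt
// and authenticate, then check the record count against the manifest.
func Restore(key []byte, v *Vault) ([]Account, error) {
	sum := sha256.Sum256(v.Ciphertext)
	if hex.EncodeToString(sum[:]) != v.Digest {
		return nil, errors.New("digest mismatch: stored copy is corrupt or incomplete")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, v.Nonce, v.Ciphertext, []byte(vaultLabel))
	if err != nil {
		return nil, fmt.Errorf("authentication failed (wrong key or tampered data): %w", err)
	}
	var accounts []Account
	if err := json.Unmarshal(plain, &accounts); err != nil {
		return nil, err
	}
	if len(accounts) != v.Records {
		return nil, fmt.Errorf("record count %d does not match manifest %d", len(accounts), v.Records)
	}
	return accounts, nil
}

func main() {
	key := make([]byte, 32) // in practice this key lives in an HSM or KMS, never beside the vault
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample extract; not real customer data.
	accounts := []Account{
		{AccountID: "1002", Customer: "Sample Customer B", Type: "savings", Balance: 250000},
		{AccountID: "1001", Customer: "Sample Customer A", Type: "checking", Balance: 123456},
	}
	v, err := Seal(key, accounts)
	if err != nil {
		panic(err)
	}
	restored, err := Restore(key, v)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored %d accounts; first is %s\n", len(restored), restored[0].AccountID)
}
```

The digest in the manifest is deliberately separate from the GCM tag: an operator can check a replicated copy for transfer damage without holding the decryption key, which keeps key handling confined to the restore step. The key itself must be stored and escrowed apart from the vault, which is the part of the process a specification like Sheltered Harbor's has to govern and this example does not.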

What CEOs and Directors Need to Know About Their Bank’s Cyber Risks


Cybersecurity is quickly moving to the forefront of pressing concerns for financial institutions and their leaders. Regulators and examiners increasingly are expecting the board of directors and C-suite executives to obtain a greater familiarity with cyber threats and mitigation measures.

In May 2017, for example, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool (CAT), which was developed to help identify an institution’s risks and determine its preparedness. The FFIEC’s instructions for using the assessment explicitly contemplate the involvement of the chief executive officer and the board. Banks aren’t yet required to use CAT, but it’s expected to become mandatory eventually.

The message is clear—executives no longer can afford to take a hands-off approach to cybersecurity. They need to stay informed on critical security issues, and their chief information security officers (CISOs) should play a key role in keeping them up-to-date.

Role of the CISO
The CISO plays an advisory role, helping other C-suite executives make better, risk-informed decisions in the day-to-day execution of the bank’s operations. A CISO also can help design and implement the security strategy a bank deploys to effectively protect itself and its customers from known threats.

To provide the expected advisory services, the CISO must be aware of the current threats (including general threats, industry-specific threats and even institution-specific threats) confronting the bank. In addition to understanding this threat landscape, the CISO needs intimate knowledge of the bank’s ability to mitigate these threats, which includes evaluating the existence and effectiveness of the security program and its controls, and communicating the results to the C-suite.

Armed with measurements of the existence and effectiveness of the security program’s controls, the CISO can provide specific advice to the CEO and other C-suite members about the risks facing the bank and the additional steps that might be necessary.

The CISO regularly should brief executives on the following:

Status of Security Controls
Security controls—composed of people, processes and technology working together to mitigate specific threats—are the bedrock of any cybersecurity program. Executives must understand the status of such controls to know how well the bank is equipped to defend against threats.

Evaluating the status of such controls can be accomplished with dashboards that provide executives with a visual representation of all required security controls and the effectiveness of each. It is important for executives to understand how the effectiveness is measured. Is it a system that just measures the existence of the control, or is some form of measurement or testing done on the control? Historical metrics related to control implementation and effectiveness also are essential to provide perspective and illustrate progress (or lack thereof).

Status of Regulatory Compliance
Banks are subject to a broad and complex web of compliance obligations. Depending on the services they offer, applicable state and local regulations, and the types of information they process, the regulatory burden can differ dramatically among banks. For every financial institution, though, failure to comply can lead to fines, lawsuits and customer loss. The CISO should brief fellow C-suite executives on the bank’s current compliance status with all applicable laws and regulations. He or she also should update executives on how the bank is tracking and proactively preparing for potential regulatory changes.

Upcoming Security Initiatives
The CISO should explain current threats and the areas of risk that need to be addressed through various security initiatives, a measure which might require capital expenditures and approval from executive management. The explanation should cover not only where the security program stands today but also the overall direction going forward. Because this information can affect business initiatives that are not directly related to security, it facilitates risk-informed decision making.

Risk Management
Risk management is an ongoing process conducted by the security team to identify the areas with the highest level of risk based on known threats, weaknesses, controls and assets. In the end, the security team might determine that some identified risks are not sufficiently mitigated or that the residual risks remaining after the controls have been implemented are so considerable that they require new security initiatives. This information is vital for executives, as risks that aren’t adequately addressed must be considered when conducting business operations.

Know What You Know—And What You Don’t
No one, not even regulators and examiners, expects C-suite executives to be experts on cybersecurity issues. These executives should, however, understand their banks’ security posture so they can satisfy regulatory expectations and make better, risk-informed decisions for the overall business.

New Rules for Financial Firms in New York Put New Onus on Boards


New York-based financial services companies are subject to a new rule of law intended to protect consumers from the repercussions of a cyberattack, one that puts boards in a front-and-center role when it comes to the company’s security.

New York this year enacted cybersecurity regulations touted as the first law of their kind in the United States, outlining standards that are sure to resonate beyond the financial businesses—such as banks, insurance companies and other financial services firms—that the law targets.

How Far Does Regulation Go?
Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.

New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.

Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation’s mandates outline the ways in which a company must comply and, in doing so, vastly widen the base of those culpable for a breach and the requirements for a board to pay attention to its potential vulnerability and its cybersecurity planning.

New Duty for Board Members
The idea that board members should make cybersecurity a priority has risen over the years, coming into focus with the Target data breach in 2013 that resulted in members of the board of directors being sued.

In reality, banking regulators have held boards responsible for their banks’ cybersecurity programs for years, as described in the Federal Financial Institutions Examination Council’s IT Examination Handbook.

In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.

This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders on the board must take an active role in security oversight.

For the first time, the new rules say the firm must hire a chief information security officer, or CISO, to oversee policies and ensure that they’re working effectively. The CISO would report at least annually to the board, the DFS says, and according to the regulation, that person can be employed by an affiliate or third-party provider instead of being employed by the company itself.

Many companies already have much of what the new regulation requires built into their processes, but those practices should be tied to the required risk assessments. As the law firm McGuireWoods notes, the new rules require penetration testing at least annually and vulnerability assessments at least quarterly. Among the other new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Services within 72 hours of becoming aware of it.

What Comes Next
Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.

To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.

Bank Regulatory Update: Three Things to Think About for 2017


Significant regulatory changes continued to affect the banking industry in 2016. The industry generally has moved beyond implementing the requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act, but regulatory expectations continue to rise, with increased emphasis on each institution’s ability to respond to and withstand adverse economic conditions. Regulatory supervision, often through oversight from multiple agencies, is becoming more focused on supporting compliance efforts with strong corporate cultures within the institution. Managing regulatory compliance risk for a financial institution has never been more complex.

Looking forward to 2017, regulators are expected to continue to ramp up expectations in several areas. Industry stakeholders undoubtedly will be watching closely as the new administration takes control of the White House. However, regulators are expected to continue to increase their emphasis on three areas: cybersecurity risk, consumer compliance and third-party risk management.

1. Cybersecurity Risk
Cybersecurity is likely to remain a key supervisory focal point for regulators in 2017. Regulatory officials have stressed that cybersecurity vulnerabilities are not just a concern at larger financial institutions: small banks also are at risk. As such, financial institutions of all sizes need to improve their ability to more aptly identify, assess and mitigate risks in light of the increasing volume and sophistication of cyberthreats.

The Federal Financial Institutions Examination Council (FFIEC) agencies have established a comprehensive cybersecurity awareness website that serves as a central repository where financial services companies of all sizes can access valuable cybersecurity tools and resources. The website also houses an FFIEC cybersecurity self-assessment tool to help banks identify their risks and assess their cybersecurity preparedness. The voluntary assessment provides a repeatable and quantifiable process that measures a bank’s cybersecurity preparedness over time.

2. Consumer Compliance
The Consumer Financial Protection Bureau (CFPB)—now a more mature entity—is having a dramatic impact on the supervisory processes around consumer financial products. While the CFPB conducts on-site consumer exams for financial institutions with more than $10 billion in assets, it also has begun to work with regulators in consumer supervisory efforts in smaller banks. The CFPB also has issued a significant number of new and revised consumer regulations that apply to institutions of all sizes. Some of the more onerous requirements center on mortgage lending and truth-in-lending integrated disclosures (TRID).

The CFPB also continues to cast a wide net when it comes to gathering consumer complaints about financial products and services through its consumer complaint database. The latest snapshot shows the database contains information on more than one million complaints about mortgages, student loans, deposit accounts and services, other consumer loans, and credit cards.

CFPB examiners often use complaints received through the database as a channel for reviewing practices and identifying possible violations. This continued pressure has forced financial institutions to ensure their compliance management systems are supported by effective policies, procedures and governance. But keep in mind, it’s even more important now to adequately aggregate, analyze and report customer-level data, so your institution can identify and remediate problems before the regulators come after you, and so you don’t get accused of “abusive” practices under the Dodd-Frank Act.

3. Third-Party Risk Management
As a component of safety and soundness examinations, effective third-party risk management is regarded as an important indicator of a financial institution’s ability to manage its business. As a result, regulatory examinations consistently include an element of third-party risk management, and all of the federal bank regulators have issued some form of guidance related to third-party risk. The Federal Reserve’s (Fed’s) SR 13-19 applies to all financial services companies under Fed supervision. The Fed guidance focuses on outsourced activities that have a substantial impact on a bank’s financial condition or that are critical to ongoing operations for other reasons, such as sensitive customer information, new products or services, or activities that pose material compliance risk.

Guidance from the Office of the Comptroller of the Currency (OCC) on third-party risk (Bulletin 2013-29) generally is more comprehensive than the Fed guidance and requires rigorous oversight and management of third-party relationships that involve critical activities. The OCC bulletin specifically highlights third-party activities outside of traditional vendor relationships.

Outlook
The critical areas discussed here are just a few for which banks need to expect more regulatory scrutiny in 2017. While there are early indicators that some elements of Dodd-Frank and other regulatory requirements could be pared back as the new administration takes control of the White House, the industry will need to closely monitor any changes and adjust compliance efforts accordingly.