Understanding the Compliance Playbook: A Critical Step for Successful Bank IT Examinations

Perhaps no other industry in the United States faces the consistently high level of regulatory oversight that banks do. As a result, financial institution management must commit more and more time to addressing these strict regulations. Compliance, however, is far from the only thing bankers must consider. From keeping bank operations running smoothly, to accommodating shareholder concerns, to driving customer satisfaction, bankers have a complex job. Community banks in particular can struggle to meet an ever-increasing regulatory burden. In some cases these institutions are the sole source of credit and liquidity in their communities, so bankers naturally gravitate toward helping the customer before digesting the latest regulatory release, and often feel forced to choose between spending their attention and resources on compliance and serving their community. To strike this balance, success with regulators has to be a priority: if the regulators have significant concerns about the health of the institution, they may not allow it to serve its community for long.

Last month, Safe Systems hosted its 2016 NetConnect Customer Success Summit in Athens, Ga. Seventy-three financial institutions from around the country gathered to exchange ideas and learn about key issues and trends affecting the banking industry today. During the conference, Safe Systems’ Vice President of Compliance Services, Tom Hinkel, held a session in which he highlighted many of the compliance challenges banks face today and offered advice on how to manage this stressful and complex function. It is important not only to understand how compliance has changed (and continues to change), but also to know what to expect when an examiner arrives at the bank.

Here are a few key points from the presentation to help your bank meet examiner expectations and achieve success:

Stay Up to Date on Compliance Changes and Key Areas of Focus for Examiners

Compliance regulations are not what they were 10 years ago. With the emergence of the FFIEC Cybersecurity Assessment Tool (CAT) and the FDIC's new InTREx program, banks must develop a deep understanding of what examiners are looking for and prepare accordingly. In the last two years there have been several major updates, including the FFIEC Business Continuity Planning (BCP) and Management booklets; the FDIC InTREx examination procedures; and, most recently, the Information Security booklet of the FFIEC IT Examination Handbook, released in early September 2016 (replacing the 2006 booklet). One way to see what changed between the old and new guidance is to compare how often particular terms appear in each version. In the FFIEC’s latest booklet, a few key terms stand out as areas of focus for 2016 and beyond:

  • 2006 handbook contained zero references to “cyber”
  • 2016 handbook contains 26 references to “cyber”
  • 2006 handbook contained 28 references to “third-party(s)”
  • 2016 handbook contains 120 references to “third-party(s)”
  • 2006 handbook contained zero references to “inherent risk”
  • 2016 handbook contains 5 references to “inherent risk”
  • 2006 handbook contained 4 references to “residual risk”
  • 2016 handbook contains zero references to “residual risk”

Based on this comparison of the 2016 handbook with its predecessor from a decade earlier, it is clear that cybersecurity and inherent risk have emerged as more important areas of focus for examiners, and that there is much greater emphasis on managing third-party relationships. Word counts are a crude proxy, of course: the disappearance of “residual risk” does not mean examiners have stopped caring about it. Rather, the new guidance, like the CAT, frames the discussion around an institution's inherent risk and the controls that mitigate it, so banks should expect to be asked how they have assessed inherent risk before being asked about what remains.
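As an added illustration of the term-frequency comparison described above (this is example code, not something from the presentation or from Safe Systems), the following script counts a handful of terms in two documents and reports how the counts changed. The two passages embedded in it are constructed samples, not text from the 2006 or 2016 FFIEC booklets; to reproduce the numbers above you would first extract the plain text from each PDF (for example with `pdftotext`) and pass those strings in instead.

```python
import re
from collections import Counter

# Constructed sample passages. These are NOT the text of the 2006 or 2016
# FFIEC booklets; they exist only so the script runs offline.
OLD_DOC = """
Management should identify residual risk after controls are applied.
Third-party service providers must be reviewed. Third parties may process data.
Residual risk is reported to the board.
"""

NEW_DOC = """
The institution's cyber risk appetite is set by the board. Cybersecurity
controls address inherent risk. Third-party relationships, including
third parties that host systems, require ongoing monitoring of inherent risk.
Cyber incidents must be reported.
"""

# Each term maps to a regular expression. \b anchors the match to a word
# boundary. The "cyber" pattern deliberately has no trailing \b so that
# "cybersecurity" and "cyber incident" both count, mirroring a stem search;
# the "third-party" pattern tolerates a hyphen or a space and the plural.
TERMS = {
    "cyber": r"\bcyber",
    "third-party(s)": r"\bthird[- ]part(?:y|ies)\b",
    "inherent risk": r"\binherent risk\b",
    "residual risk": r"\bresidual risk\b",
}


def count_terms(text, terms=TERMS):
    """Return a Counter of non-overlapping, case-insensitive matches per term."""
    counts = Counter()
    for name, pattern in terms.items():
        counts[name] = len(re.findall(pattern, text, flags=re.IGNORECASE))
    return counts


def compare(old_text, new_text, terms=TERMS):
    """Return {term: (old_count, new_count, change)} for every term."""
    old, new = count_terms(old_text, terms), count_terms(new_text, terms)
    return {name: (old[name], new[name], new[name] - old[name]) for name in terms}


if __name__ == "__main__":
    for name, (old_n, new_n, delta) in compare(OLD_DOC, NEW_DOC).items():
        print(f"{name:16} old={old_n:3} new={new_n:3} change={delta:+d}")
```

Two details matter when you do this against real guidance. Searching for the stem “cyber” rather than the whole word is what lets “cybersecurity” count, but it also picks up “cybercrime” and similar compounds, so look at the matches before quoting a number. And because the comparison is case-insensitive and ignores document structure, a term that appears 26 times in a glossary or table of contents looks the same as one used 26 times in examination procedures; the counts tell you where to read, not what the guidance says.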

Be Familiar with Exam Factors and Procedures and Prepare In Advance

Success with examiners depends primarily on how well a bank understands the exam structure and which factors weigh most heavily in the result. The examiner will ask about core processing, network management, online banking, development, programming, software, and more. For FDIC-supervised institutions examined under the new InTREx format, the examiner first asks 26 specific questions about the bank's IT profile; the answers determine how deeply the examiner will dig into the four rated areas: audit, management, development and acquisition, and support and delivery. The examiner gathers and assesses these preliminary review items before the full examination begins.

Next comes an on-site visit, during which the examiner uses very specific Core Analysis Procedures to examine your IT risk management and Core Analysis Decision Factors to draw conclusions. Each decision factor is graded on a scale of “strong,” “satisfactory,” “less than satisfactory,” “deficient,” or “critically deficient.” At the end of the examination, all of these components are rolled into your overall composite rating. Because the procedures and decision factors are so detailed, there is little room for procedural variation on the part of the examiner. The benefit of knowing the factors and procedures in advance is that you know what to expect and can prepare properly: walk through each decision factor before the exam, decide what evidence you would show for it, and fix the gaps you find yourself rather than waiting for the examiner to find them.


It is also worth noting that everyone, including non-FDIC-supervised institutions, should now be paying close attention to the FDIC's new examination procedures. Because the FDIC insures deposits, it retains the right to examine your institution regardless of who your primary regulator is. Understanding the areas examiners are focusing on lets banks narrow their preparation to the critical areas that may need more attention.

Responding to an IT audit or exam is a headache at best, and potentially much worse if you are not well prepared. Safe Systems has a proven track record of serving as a trusted resource and technology advisor to financial institutions, leading to improved IT audit and examination ratings. When it comes to compliance, bankers who invest proactively in understanding the regulations that govern their institutions are well positioned to respond when the examiner comes calling.