The Exam Tide Is Changing: Just When You Thought Examinations Might Get Easier, Regulators Are Shifting Their Sights to Technology Risk Management

[ILLUSTRATION OMITTED] To judge from recent comments from bankers, expectations with regard to technology exams are beginning to take on a new intensity. Resources that were dedicated previously to the review of credit and liquidity issues are now starting to be redirected toward technology exams as economic conditions moderate. No one can deny that poor risk management was one of the major contributors to the financial crisis that the industry is currently exiting. The question is: Does risk management only relate to derivatives, subprime mortgages, and commercial real estate concentrations? Definitely not! Managing risk has taken on new meaning. It's scope has broadened and everyone in the industry should be concerned how it applies to IT, given the extensive and increasing reliance on technology in banks today. No longer can executives remain at arm's length when it comes to making technology business decisions. The regulators are forcing the issue. The Federal Financial Institutions Examination Council, in its updated examination handbooks, is asking specific questions about the participation of executive management and the board of directors in the technology planning and decision process. An example of this can be found in the new Retail Payment Systems Information Technology Examination Handbook. Issued Feb. 25, 2010, its examination procedures contain the following points: * Obtain and review the financial institution's strategic plan for the implementation of Remote Deposit Capture (p. 60); * Review board minutes involving the discussion and approval of RDC implementation. Note date of approval (p. 60). Examiners are asking for this, and more, now. Banks will continue to see more of this theme as the FFIEC handbook update process continues. The issue has to do with the virtual banking presence that technology has enabled. Simply stated, electronics not only improves service and product offerings, but has brought the concept of an all-electronic financial institution--internally and externally--closer to reality. Commerce and banking are increasingly mobile, and remote, with relationships moving from the bank lobby to the desktop of the commercial customer, the laptop of the consumer, and even the hip, where most cell phones reside until needed. Electronics is altering the traditional customer relationship--formerly known as, "drop by the branch and get to know us"--with a rapidly emerging social networking presence. And while the basis of banking relationships is changing, bank risk management practices have remained traditional in large measure. They have not kept up with an understanding of what the real risks are to the institution and how to manage them. Let's face it, most bankers were hoping to retire before they had to change, but technology, and regulators' new focus on risk, changed all that. Batch reports vs. real-time use The FFIEC's eleven IT exam handbooks range from Audit to Wholesale Payment Systems. Most of them have not been updated since 2003 and 2004, with several exceptions: The Information Security handbook in 2006, The Business Continuation Planning Handbook in 2008, the Retail Payment System handbook referenced earlier, and the BSA/AML Handbook updated this April. …