Monday, January 7, 2013

Improve your FFIEC Exam Scores


The Office of the Comptroller of the Currency (OCC) takes a risk-based approach to bank operations. As a bank’s deposits go up, so does the risk associated with its operations. No one wants a bad score on their annual OCC exam, and there are definite ways to avoid one. After all, the purpose of these exams is to protect consumers and consumers’ assets.

When I prepared for my first OTS exam (OTS responsibilities have since rolled into the OCC), I went to the FFIEC website to go over the IT booklet. I had actually worked on a remediation project prior to managing an OTS audit, so I was familiar with the weight these scores carry. If you’re not familiar with the individual scoring process, the scale is 1-5, with 1 being the best and 5 the worst.

The exam covers the following areas:
·         Capital Adequacy
·         Asset Quality
·         Management Competence
·         Earnings
·         Liquidity Risk
·         Composite

I am not a banker, nor am I an OCC employee. I am a technologist who has been responsible for the areas of Operations, Business Continuity Planning, Management, Outsourcing Technology Services and Information Security (OTS wording), which fall under Management Competence and Composite. These are the areas I can provide expertise in.
To start, you should review your last report with a focus on:
·         Where do you need the biggest improvement?
·         What can YOU have an impact on?
·         Be aware of the bank’s asset balances and what they mean to the OCC. If your bank is in growth mode, the last thing you want is for your areas of responsibility to be the reason the OCC disapproves an expansion.

The OCC relies on several standards-setting organizations for its guidelines, so if you are focused on best practices, the chances are good you’re on the right path. You may just need some formalization.

What were the documented Management Responses in the last report? Pay close attention to the management responses. Regulators do not like repeat items that have had no or insignificant progress made toward resolving open issues.

Next, download, or designate someone to download, the FFIEC IT handbook. The guidelines provide an excellent source for what policies and procedures you should have in place, as well as where financial institutions should be focusing their security resources. A few things to keep in mind: regulators prefer to see formal plans with commitment dates and approvals from executives to meet those dates. I really suggest you designate a specific person to oversee the remediation focus. This person should know who the assigned go-to person is for each of the areas of responsibility documented in the handbook.

To further the progress,
·         Create a matrix that includes each line item, the potential cost, required effort and resources required. Also, include the potential risk of NOT remediating the item. The bank may choose to accept or transfer the risk associated with the line item versus attempting to remediate.
·         Get executive acceptance and sign-off.

To get ahead of a potentially poor audit score, review your policies and procedures, Service Level Agreements and Operating Level Agreements. At a minimum, you need to have:
·         Employee acceptable use policy for technology systems and devices
·         Documented existence, adherence and review of technology policies and procedures
o   Change Control policy
o   Incident response
o   Privileged Account use
o   Patch Management process
o   Data access report reviews
§  Focus on your key control points
§  Are there designated Information Owners who review data access?
o   Exception review procedure
o   System Availability Reports
§  Problem Management Action statements and reviews
o   Software Architectural framework
o   Standard architectural review documentation
§  Are security and risk protocols a regular part of the architectural process? If not, this should be a high priority.
§  Have standards been implemented to reduce human error and silo’d decision-making? If not, this should be a high priority.
·         Technology Risk educational program for both business and IT employees
·         Documented reviews of roles and responsibilities
·         Reports for new hires and terminations
·         Secured system access reviews
·         Have you had an outside firm perform a Penetration Test? There are multiple layers to pen testing, but it really is the best way to ascertain whether you have any open holes that need to be plugged.
·         There need to be documented and tested business continuity plans, and there need to be two types: 1) Business Continuity, 2) Disaster Recovery. While the business is responsible for collaborating with IT through these tests, it has to be the IT team that drives these areas. While the business may know what to restore, the IT team knows the “how”.
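The new-hire/termination reports, the secured system access reviews and the designated Information Owners in the list above are all answered by the same evidence: a periodic reconciliation of the HR roster against each system's account export. The script below is an added example, not code from the original post; the record layouts, the review date and the roster and account data are constructed for illustration. It produces the findings an examiner typically asks about (terminated employees whose accounts are still active, active employees with no account anywhere, privileged accounts with no named owner, and accounts that map to no employee and therefore need an owner's attestation).

```python
"""Access-review reconciliation: HR roster vs. system account exports.

Added example with constructed data. The field names (emp_id, status,
privileged, owner, ...) are assumptions about what an HR feed and a
system's account export would carry, not any particular product's format.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

REVIEW_DATE = date(2013, 1, 7)  # constructed date of this review cycle

# Constructed HR roster (one row per employee).
HR_ROSTER = [
    {"emp_id": "E100", "name": "A. Teller", "status": "active", "hired": "2012-03-01", "terminated": None},
    {"emp_id": "E101", "name": "B. Lender", "status": "terminated", "hired": "2010-05-15", "terminated": "2012-12-14"},
    {"emp_id": "E102", "name": "C. Newhire", "status": "active", "hired": "2012-12-31", "terminated": None},
    {"emp_id": "E103", "name": "D. Admin", "status": "active", "hired": "2009-01-10", "terminated": None},
]

# Constructed account exports from two systems ("core" banking app, "ad" directory).
ACCOUNTS = [
    {"system": "core", "user": "ateller", "emp_id": "E100", "privileged": False, "owner": "Deposit Ops"},
    {"system": "core", "user": "blender", "emp_id": "E101", "privileged": False, "owner": "Lending"},
    {"system": "ad", "user": "blender", "emp_id": "E101", "privileged": False, "owner": "IT"},
    {"system": "ad", "user": "dadmin", "emp_id": "E103", "privileged": True, "owner": None},
    {"system": "core", "user": "svc_batch", "emp_id": None, "privileged": True, "owner": "Core Ops"},
]


@dataclass
class Finding:
    category: str
    system: str
    user: str
    emp_id: Optional[str]
    detail: str


def reconcile(roster: List[Dict], accounts: List[Dict], review_date: date = REVIEW_DATE) -> List[Finding]:
    """Return every control exception the review should put in front of an Information Owner."""
    by_emp = {r["emp_id"]: r for r in roster}
    emps_with_access = {a["emp_id"] for a in accounts if a["emp_id"]}
    findings: List[Finding] = []

    for a in accounts:
        emp_id = a["emp_id"]
        if emp_id is None:
            # Service or shared account: someone must attest it is still needed.
            findings.append(Finding("unmapped_account", a["system"], a["user"], None,
                                    "no employee mapping; information owner must attest"))
        elif emp_id not in by_emp:
            # Account references an employee HR has never heard of.
            findings.append(Finding("unknown_employee", a["system"], a["user"], emp_id,
                                    "employee id not present in HR roster"))
        elif by_emp[emp_id]["status"] == "terminated":
            term = date.fromisoformat(by_emp[emp_id]["terminated"])
            days = (review_date - term).days
            findings.append(Finding("terminated_with_access", a["system"], a["user"], emp_id,
                                    f"terminated {term.isoformat()}, access still active {days} days later"))
        if a["privileged"] and not a["owner"]:
            # Privileged account use policy requires a named owner for every such account.
            findings.append(Finding("privileged_without_owner", a["system"], a["user"], emp_id,
                                    "privileged account has no designated owner"))

    for emp_id, emp in by_emp.items():
        if emp["status"] == "active" and emp_id not in emps_with_access:
            # Provisioning gap: usually a new hire whose access request never completed.
            findings.append(Finding("active_employee_without_access", "-", "-", emp_id,
                                    f"hired {emp['hired']}, no account on any reviewed system"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per category, the numbers that go on the review sign-off sheet."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, ACCOUNTS)
    for f in results:
        print(f"{f.category:32} {f.system:5} {f.user:10} {f.emp_id or '-':5} {f.detail}")
    print(summarize(results))
```

The "days since termination" figure matters more than the raw count: a regulator reading the report wants to see that the termination-to-deprovisioning gap is measured, trending down and tied to an owner's sign-off, not just that a list exists.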

If you can create a Risk Management framework or program in your bank, you can turn your 3’s into 2’s and perhaps even a 1. The unspoken benefit of a Risk Management program is an awareness of potential risks that sits in the back of every employee’s mind and, hopefully, deters risky behavior before it becomes a security incident.
