Anticipating 2024: Analyzing Examination IT Trends in Banking from 2023 and Their Implications for the Future

February 8, 2024

IT Banking Examinations

Alejandro Mijares
Founder and Chief Executive Officer, Mijares Consulting

Executive Summary

This analysis explores the major regulatory examination trends seen among our banking clients in 2023 and their potential impact on the industry in 2024 and beyond. It reflects on past developments and offers a strategic roadmap for navigating future changes in the ever-evolving banking sector. Key points include:

  • As banks move into 2024, they should prepare for stricter regulatory expectations around API governance, necessitating comprehensive risk assessment frameworks and control effectiveness evaluation.
  • Increased scrutiny of AI-based BSA/AML systems (i.e., transaction monitoring systems) by regulators has emphasized the need for these models to be transparent, explainable, and unbiased, while effectively identifying and mitigating risks associated with money laundering and terrorist financing.
  • The introduction of the OCC’s new Cybersecurity Supervision Work Program and the FDIC’s updated Information Technology Risk Examination procedures in 2023 indicates a more structured approach to cybersecurity and IT risk management. Similarly, the FFIEC’s updated guidance on third-party relationships emphasizes the importance of enhanced vendor risk management practices.

Introduction

As we advance into 2024, the banking sector continues to navigate a complex regulatory landscape shaped by significant developments in 2023. These changes, driven by technological advancements and evolving cyber threats, have prompted regulatory bodies to adapt and refine their approaches. This article considers significant regulatory examination trends from 2023, including API Risk Assessment, BSA/AML Artificial Intelligence (AI) system model validation, OCC’s new Cybersecurity Supervision Work Program (CSW), FFIEC guidance on third-party relationships, and updates to the FDIC’s InTREx procedures.

Understanding these trends is crucial for banks, credit unions, and other financial institutions to stay compliant and competitive in the dynamic financial landscape. This analysis is not just a reflection on the past but a strategic guide for future readiness in an industry where change is the only constant.

Regulatory examination trends from 2023

API Risk Assessment

In 2023, we witnessed a heightened focus on API (Application Programming Interface) Risk Assessment. As banks increasingly integrate APIs for enhanced customer experiences and operational efficiency, the associated risks have come under regulatory scrutiny. This trend will likely continue into 2024 and underscores the need for robust API management strategies encompassing security, data privacy, and operational integrity. Banks should anticipate stricter regulatory expectations around API governance, necessitating comprehensive risk assessment frameworks and evaluation of control design and effectiveness.

Our team has performed API risk assessments following the Federal Financial Institutions Examination Council (FFIEC) guidelines, National Institute of Standards and Technology (NIST) standards, and the Open Worldwide Application Security Project (OWASP) Top 10 API Security Risks – 2023, along with Gartner and SANS Institute best practices, augmented by our professional judgment. These risk assessments have yielded insightful observations, for example:

  • A common security strategy for internally developed APIs is hosting them on the same servers as the applications they serve, typically using NetNamedPipeBinding (a WCF binding for same-machine communication over named pipes) for API-to-application binding. While this method offers efficiencies, it also presents unique risk factors that require careful consideration.
  • Incorporating static code analysis and penetration testing into the development process of these APIs is crucial for early identification and remediation of potential vulnerabilities.
  • Expanding the API inventory to encompass more detailed information, including associated data and metadata, will provide a deeper understanding of data flows and dependencies, enhancing risk management capabilities.
  • Implementing consistent rate-limiting protection across the entire API environment is essential for safeguarding against denial-of-service (DoS) and similar abuse. This measure ensures that APIs can handle expected traffic while preventing potential misuse.
  • Developing specialized training programs for staff ensures the team is adequately prepared to secure APIs effectively, addressing both technical challenges and human factors.
  • Conducting comprehensive testing of the authorization mechanisms within the API environment is critical. This step will ensure robust and effective access controls, preventing unauthorized access and ensuring compliance with regulatory standards.

BSA/AML AI System Validation

The use of Artificial Intelligence (AI) in Bank Secrecy Act/Anti-Money Laundering (BSA/AML) systems has been a game-changer for financial institutions, since AI can help detect suspicious activity more accurately and efficiently than traditional methods. However, regulators are also aware of the potential risks associated with AI. In 2023, we saw increased scrutiny of AI-based BSA/AML systems, with regulators requiring banks to validate these AI-driven systems thoroughly. This trend reflects the need to ensure that AI models are transparent, explainable, and free from biases, while effectively identifying and mitigating money laundering and terrorist financing risks. In the coming year, banks should expect continued regulatory focus on the responsible and compliant use of AI in BSA/AML operations.

The “Supervisory Guidance on Model Risk Management” and the Interagency Statement on Model Risk Management for Bank Systems Supporting Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Compliance, dated April 9, 2021, emphasize that banks should manage risks associated with their BSA/AML systems in line with safety and soundness principles. These systems must support compliance with all relevant laws and regulations, contributing to the bank’s stability and integrity. Models, often part of broader information systems, facilitate data movement, aggregation, and dissemination. Whether a bank develops its own AI for BSA/AML or uses a vendor product, it is expected to implement systematic model validation procedures to understand the AI’s capabilities, applicability, and limitations.

OCC’s New Cybersecurity Supervision Work Program

The Office of the Comptroller of the Currency (OCC) introduced a new Cybersecurity Supervision Work Program in 2023, aligning with existing supervisory guidance and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This program represents a structured approach to assessing the cybersecurity posture of financial institutions. It emphasizes aligning cybersecurity practices with industry standards and regulatory expectations. In 2024, banks under the OCC’s purview must ensure their cybersecurity measures are robust, comprehensive, and in line with this new program.

The Cybersecurity Supervision Work Program (CSW) is designed to serve as a resource rather than a regulatory mandate (we highly recommend incorporating it into your Information Security Program). Banks are not obligated to adopt this program to evaluate their cybersecurity readiness. The CSW offers a set of overarching examination objectives and methodologies that are in harmony with current supervisory directives and with the cybersecurity framework established by the National Institute of Standards and Technology. This alignment ensures that the CSW is a relevant and practical tool, complementing existing guidelines rather than introducing new regulatory requirements.

Based on the Cybersecurity Supervision Work Program attachment to OCC Bulletin 2023-22, “the CSW is structured according to the five NIST-CSF functions—Identify, Protect, Detect, Respond, and Recover—and the related categories and subcategories. The CSW does not include NIST-CSF subcategories that are addressed as part of other examination programs or subcategories that do not apply to the OCC bank supervision process. The OCC developed an additional function, Specialty Areas, to address areas of risk that may be part of OCC cybersecurity assessments, where applicable.”

FDIC’s Updated Information Technology Risk Examination (InTREx) Procedures

The Federal Deposit Insurance Corporation (FDIC) updated its Information Technology Risk Examination (InTREx) procedures in 2023. These updates have significant implications for banks, particularly in preparing for and responding to IT risk management examinations. Banks need to familiarize themselves with these updated procedures so they are prepared for their next IT examination, with particular attention to service provider oversight and to incident response plans that comply with the new notification rule. Below is a short summary of these changes:

  • Enhanced Focus on Compliance with Incident Notification Rules: The updates, especially those detailing compliance review steps in line with the Computer Security Incident Notification Rule (Part 304 Subpart C), indicate a heightened focus on how banks manage and report security incidents. Banks will need to ensure that their incident response plans are robust and fully compliant with these specific FDIC requirements.
  • Increased Examiner Efficiency and Scrutiny: The positioning of procedures next to the Core Analysis Decision Factors in the Audit module is designed to increase examiner efficiency. This change suggests that examiners can assess compliance and risk management practices more quickly and thoroughly. Banks should anticipate more streamlined, yet potentially more rigorous, examinations and prepare accordingly by ensuring their internal audits and risk assessments are comprehensive and easily navigable.
  • Greater Emphasis on Service Provider Oversight: The revisions to the Management and Support and Delivery modules, with more specific instructions for reviewing service provider audit reports, underscore the importance of third-party risk management. Banks must be prepared for closer scrutiny of how they manage and monitor their service providers. This will require banks to have detailed due diligence, ongoing monitoring, and effective controls for all third-party engagements, especially those involving critical services.
  • Preparation for Future Module Adjustments: The mention of similar adjustments planned for the remaining core modules suggests ongoing changes in the FDIC’s examination approach. Banks should stay informed about these changes and be agile in adapting their internal controls and IT risk management frameworks to meet evolving regulatory expectations.
  • Need for Comprehensive Documentation and Evidence: Banks must ensure that their documentation and evidence of compliance and risk management practices are thorough, up-to-date, and readily available for review. This includes maintaining clear records of all interactions and audits related to service providers.
  • Strategic IT Risk Management Alignment: These modifications to the InTREx procedures reinforce the need for banks to align their IT risk management strategies closely with regulatory expectations. Banks should view these changes both as a compliance exercise and as an integral part of their strategic approach to IT risk management, cybersecurity, and overall operational resilience.

FFIEC Interagency Guidance on Third-Party Relationships: Risk Management

The Federal Financial Institutions Examination Council (FFIEC) issued updated guidance on managing risks associated with third-party service providers. This guidance reflects banks’ growing reliance on third-party vendors and the associated risks, particularly to data security and operational resilience. As banks continue to rely on third parties for various services, they must ensure that these relationships do not expose them to undue risks. In 2024, financial institutions must enhance their vendor risk management practices, ensuring thorough due diligence, continuous monitoring, and effective contract management.

This guidance offers a valuable framework for banking organizations to enhance their practices in managing third-party risk. It provides practical examples and considerations across various stages, including planning, due diligence, contract negotiation, continuous monitoring, and termination of third-party relationships. The guidance emphasizes that effective third-party risk management should reflect the banking organization’s risk profile, size, complexity, and the specific nature of the third-party engagement.

Banking organizations are advised to apply this guidance alongside existing risk management protocols when dealing with third parties involved in lending, payment, or deposit services on behalf of or through the bank. These relationships should be scrutinized using both the third-party risk management guidance and the standard risk management practices pertinent to traditional lending and deposit activities.

However, relationships that exclusively involve direct customer interactions for standard banking products and services, like deposit accounts or retail and commercial loans, fall outside the scope of this third-party risk management framework. Such direct customer relationships are governed by the established risk management procedures and regulations specific to traditional lending and deposit activities.

Conclusion

The regulatory trends observed in 2023 have set a clear trajectory for the banking industry in 2024 and laid the groundwork for what promises to be a year of significant evolution in the banking regulatory landscape. Bank boards of directors and senior management must remain vigilant and well-informed about these trends to ensure their institutions stay compliant and maintain resilience and competitiveness in a rapidly changing environment. The increasing emphasis on digital risks, particularly in areas such as API risk assessment, AI system validation for BSA/AML, and third-party risk management, underscores the need for a proactive, knowledgeable approach to risk management, which is more crucial than ever.

In summary, 2024 is poised to be a year in which adaptation to these examination trends will be pivotal. Banks that proactively embrace and integrate these evolving regulatory expectations into their risk management practices and business strategies are likely both to comply with regulatory standards and to gain a competitive edge in the industry. Therefore, banks’ leadership must foster a culture of compliance and risk-aware decision-making, aligning their strategic objectives with the evolving regulatory landscape to navigate these changes successfully.

Don’t wait until it’s too late. Equip your institution with the resilience and competitive advantage necessary to succeed in a rapidly evolving regulatory landscape. With our deep expertise in digital risk, cybersecurity, and regulatory compliance, we can provide tailored strategies and solutions beyond mere compliance. Our proven track record in tackling complex regulatory challenges speaks for itself. Reach out to us today, and let’s ensure your bank is prepared and flourishing in this changing environment. Act now and secure your future with us!
