Make OCC FY18’s priorities your bank’s priorities
When the OCC talks, banks listen. It’s not unlike the financial world hanging on every word of the Fed Chairman for clues on what the Fed and market might do. The Office of the Comptroller of the Currency (OCC) issues guidance for the banking industry on a regular basis, including an annual operating plan.
The OCC’s Committee on Bank Supervision (CBS) operating plan outlines priorities and objectives for the fiscal year. The current plan encompasses most of 2018 and is of a great value to banks and their service providers, such as national banks, federal savings associations, federal branches, and federal agencies (collectively referred to as banks). For FY18, the OCC intends to focus on critical areas like cybersecurity, operational resiliency, Bank Secrecy Act (BSA), Anti-Money Laundering (AML), and change management to address the changing regulatory environment for banking.
Because OCC’s plan is of such great importance, Lockpath presented a three-part webinar series on the topic. What follows is a recap of key takeaways from the webinars.
Bring on the frameworks
The OCC’s top concern for FY18 is the evolving cyber threat environment and banks’ cyber resilience. Examiners will use the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool to determine banks’ status of preparedness, as well as follow up on gaps identified during the previous year’s exam.
Banks have varying degrees of cybersecurity maturity. Challenges persist, from too many cybersecurity tools to an overwhelming amount of data to analyze manually. Patching may be patchy, reporting shaky, and various departments might well be out of the loop.
If your bank is looking to improve its cybersecurity program and concerned about new cybersecurity laws on the horizon, frameworks are a good place to start. Some frameworks are specific to cybersecurity, for example, the NIST Cybersecurity Framework used by government agencies. In fact, the FFIEC assessment tool is based on the NIST framework.
A framework provides a structure and a common language for understanding and managing risk. It’s a road map for the journey you’re taking. Frameworks help you prioritize investments and determine the importance of assuring critical operations and service delivery. Banks that utilize frameworks stand to fare much better than non-framework banks in complying with cybersecurity regulations and effectively managing cyber risk.
Make BSA/AML compliance more effective
Compliance with the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations is major initiative within banks and one of the OCC’s top priorities for FY18.
Non-compliance with these regulations is dangerous for banks, as it can lead to civil money penalties, criminal prosecution, and termination of FDIC insurance. To comply, banks often focus on passing examinations and rightly so. However, it’s labor intensive and costly to issue BSA policies and conduct training, as well as to manage a fraud program using documents, spreadsheets, and email. It’s too much data to tackle manually and too easy to make a mistake. Furthermore, how do you know when a new product, process, employee, or customer will impact BSA/AML compliance?
Technology like a GRC platform offering integrated risk management processes streamlines BSA/AML compliance and provides a system of record and an audit trail for bank examiners.
Combine that technology with frameworks, and then you’re really on to something. Imagine bank examiner visits that are less stressful and more productive.
Address change management
Most banks are regarded as pillars of stability in our fast-paced global economy. However, when it comes to compliance, banks should combine stability with agility. That’s because change is the only constant with regulations.
In addition to regulations, staffing, processes, policies, and more also change. How do you ingrain adaptability in a bank that values stability? It starts with tone at the top. Is leadership committed to change management? If so, chances of success skyrocket.
Next, ensure everyone from tellers to board members impacted by regulatory change is aware of new policies and understands his or her responsibilities. Use assessments to gauge learnings and adoption of changes. The cost of failure is lower when discovered early via a test or assessment. Encourage senior leadership to implement change management and socialize the changes with events, posters, and prizes.
The necessary backdrop for successful change management is having a systematic approach to the compliance process. This is the only way to ensure you’re recording collection and acknowledgment for every task completed. The same goes for having a measurable and auditable process that can help with status and conflicts. Both are in the wheelhouse of GRC technology.
Making OCC’s priorities a bank priority
The OCC’s CBS operating plan outlines priorities and objectives for FY18. Cybersecurity, BSA/AML, and change management are all in the OCC’s top 5. Next step: watch Lockpath’s webinar series, OCC 2018 Part 1, Part 2, Part 3, for more on how to integrate OCC’s priorities and objectives for FY18.
Learn about CIS’s first five controls and examine what each control addresses.
Learn about how privacy programs and the importance of being prepared for a breach.
Learn about the constant vigilance of continuous security monitoring.