Tech Outages and Regulatory Risks: A Wake-up Call for US Banks
On July 19th, the world awoke to a global IT outage caused by a single software update to widely used security software that inadvertently impacted 8.5 million Microsoft Windows machines and creating issues for some 75% of top US banks. Two days later, we learned of a private OCC report finding that 11 of the 22 large banks it oversees do not adequately manage operational risks. Operational risk is one of the categories evaluated by the OCC and includes anything from vendor failures and natural disasters to technology snafus, like the July 19th outage.
Banks increasingly rely on fintech partnerships and third-party service providers. Such reliance can create concentrated points of failure for business and operational functions, making them a target of heightened regulatory scrutiny. This post outlines the essential steps US banks should take to manage this risk and maintain regulatory compliance.
Due Diligence
Banks must conduct comprehensive due diligence that includes:
-
Compliance History: Investigate any past compliance failures, regulatory enforcement actions, and legal issues
-
Business Practices: Analyze the business model, data privacy policies, and cybersecurity measures, ensuring they meet regulatory and internal bank requirements
-
Business Continuity: Review the business continuity plan to ensure the necessary framework is in place to manage disruptions and that the plan addresses recovery strategies, communication protocols, and testing requirements
Ongoing Monitoring
Banks must establish ongoing monitoring and oversight to ensure they and their third parties comply with applicable laws and regulatory requirements. Such monitoring must include:
- Performance Metrics and Reporting: Establish key metrics that align with strategic goals, such as service delivery, compliance adherence, and customer satisfaction, and regular reporting requirements that support transparency and accountability
- Compliance Audits: Conduct periodic compliance audits to ensure third parties comply with all relevant laws, regulatory requirements, and contract terms, identifying gaps and requiring timely remediation
Internal Risk Identification and Escalation Process
Banks must establish a culture of risk management by implementing an internal framework that includes:
-
Identification and Reporting: Encouragement of all employees to actively identify and report potential risks helps to remediate and control risks promptly
-
Standardized Reporting: Standardized reporting mechanisms such as risk assessment checklists and dashboards help track and quantify risks, providing more detailed risk analysis
-
Clear Escalation Path: Establishing and communicating steps employees should take when they encounter risks help resolve issues quickly before they become more significant operational challenges
Conclusion
In conclusion, as banks increasingly depend on fintech partnerships and third-party providers, they must adopt robust risk management practices to mitigate the related operational risks. Conducting thorough due diligence, establishing ongoing monitoring, and fostering a strong internal risk identification culture are essential to ensure compliance and safeguard operations. By proactively addressing these challenges, banks can navigate potential disruptions while maintaining trust with customers and regulators alike.
We Can Help
Need more insights or assistance with compliance strategies? With extensive experience working directly with regulators and implementing third-party risk governance and controls, our experts can provide valuable insights and guidance tailored to your specific compliance needs. We can strengthen your risk management strategies and ensure your company remains resilient in this ever-changing environment.
Click here to contact us today.