IT's On the Front Burner

In a survey conducted recently among our bank customers, we asked where they felt the primary areas of focus were for the regulators during their last examination. While an overwhelming majority (more than 96 percent) felt examiners were still focused on asset quality, there are several indications the pendulum is starting to swing to IT. When responses were filtered for how long ago the exam occurred (less than 6 months ago vs. more than 6 months ago), the focus on asset quality declined for exams conducted most recently, while the focus on IT increased.

Is there any other evidence that the swing has begun? In my capacity as a regulatory compliance resource for our customers, I routinely assist them with both pre-examination questionnaires and post-examination remediation efforts. The pre-exam requests have been more frequent, and some of the questionnaires are getting more detailed.

In addition, and perhaps more significantly, I'm getting far more post-exam remediation requests than ever before, and they are coming from all regulators and in all areas of safety and soundness.

Several state banking divisions have already adopted the FDIC Officers' pre-examination questionnaire word for word. This represents an order-of-magnitude increase in the level of scrutiny over most state examiner pre-exam questionnaires. It's no secret that state-chartered thrifts have, on balance, enjoyed a much less rigorous examination experience than federally chartered institutions. In fact, one of the early proposals from the group that would eventually produce the Dodd-Frank bill was to consolidate all of the regulatory agencies into one to prevent, as Senator Dodd said at the time, "regulator shopping." This proposal was eventually dropped, with the OTS becoming the only casualty.

This brings us to the second dynamic that will impact the future direction of IT examinations: the consolidation of the OTS into the OCC. This will have an immediate effect on thrifts for which the OTS is the primary federal regulator (PFR) as they adapt to the safety and soundness requirements of the OCC.

Third, and what could be perhaps the greatest influence on the overall level of scrutiny for all banks, is a memorandum of understanding signed between the FDIC and the other PFRs in July. It states in part that the FDIC, "...shall have power...to make any special examination of any insured depository institution whenever the Board of Directors determines a special examination of any such depository institution is necessary to determine the condition of such depository institution for insurance purposes."

Simply put, the FDIC has the ability to step in and take over any examination where they feel, in their assessment alone, it is in the best interest of the deposit insurance fund to do so. At that point, the initial PFR may be asked to participate, but their input will be necessarily limited, and differences in CAMELS ratings will be resolved by the FDIC. The criterion for this special examination is broad, and encompasses institutions of all sizes and all CAMELS ratings, but most significantly, it's not solely focused on financials. A concern in any of the six UFIRS elements that comprise the safety and soundness ratings could trigger the special examination.

The fourth trend impacting the shift towards focus on IT is found in the only non-financial element in the CAMELS ratings: management. Post-mortem reports on the failures of both Washington Mutual and IndyMac placed the blame equally on management for pursuing overly aggressive growth strategies, as well as on the regulator (OTS) and their inability to effectively identify and assess the risks. I think we can expect (and rightly so) increased focus on all governance issues going forward, but how does that translate into increased IT focus?

There are twelve factors that go into the CAMELS management rating component, and one of them is a measure of how well the institution manages its information systems. In addition to that, the FFIEC makes it clear in their IT Examination Handbook on Management that "...effective IT management practices play an integral role in achieving many goals related to corporate governance. The ability to manage technology effectively in isolation no longer exists. Institutions should integrate IT management into the strategic planning function of each line of business within the institution." And regarding the relationship between IT and strategic planning: "an institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success."

Clearly IT is so pervasive throughout banks that no enterprise-wide assessment of management and governance is complete without a thorough review of IT.

So, as the pendulum swings from the CAMELS "A" to the "M," increased focus on IT will be the result. Banks that have kept on top of their IT policies, procedures and practices won't be caught off guard when the pendulum swings back. But if industry executives put certain IT management issues like risk assessments and vendor management on the back burner for the last 18 months (even as they've expanded technology-based products and services), they should make a New Year's resolution to bring all documentation up to date.

 

Tom Hinkel is director of compliance at Safe Systems Inc.
