National banks are being told to step up their efforts to police fraud and financial mismanagement.
The Office of the Comptroller of the Currency said that examiners will be looking into national banks' enforcement of internal policies aimed at detecting employee theft and errors.
According to instructions issued this week, examiners will also be required to assess the skills of key bank personnel, the effectiveness of risk management systems, and the vulnerability of sensitive data to unauthorized access.
"We are seeing increasing evidence that bank internal controls are slipping," said acting Comptroller of the Currency Julie L. Williams. "We have learned over the years that when internal controls are neglected, banks get into trouble."
The number of troubled banks remains small, but most of the institutions with problems have been hit by fraud, according to an agency spokesman.
The examination procedures are the latest component of Ms. Williams' fight against what she describes as an erosion of industry safeguards and credit standards.
She first warned bankers about slipping internal controls in early June. Last month she ordered examiners to dig deeper into bank portfolios to root out high-risk loans.
Kevin J. Bailey, deputy comptroller for core policy, said internal controls have weakened because banks often carry cost-cutting too far.
"Activities that don't generate revenue, such as internal controls, are first on the cutting block when banks are trying to save money," he said. "But they should remember these activities stem future losses."
According to the instructions, examiners will ensure that national banks:
Require different individuals to be responsible for approving, executing, and monitoring higher-risk transactions such as purchases of derivatives and securities.
Rotate new personnel into sensitive jobs by ordering employees permanently in those positions to be absent from their posts for two consecutive weeks each year.
Use pre-numbered documents to ensure that transactions are properly recorded.
Restrict access to data processing facilities.
Conduct independent checks to verify that account balances and computer-generated reports are accurate.
Large banks will need to validate internal control policies annually for "high-risk" activities that put bank earnings and capital at risk. "Low-risk" activities must be reviewed every three years.
The guidance also warned examiners to watch out for sloppy management practices that may weaken internal controls. For instance, employees may use shortcuts that circumvent internal controls. Or, management may not update policies to reflect current business practices.
"A lot of this is very fundamental and very basic, but if not done right it can have a potentially cataclysmic impact," Mr. Bailey said.
John J. Byrne, senior counsel and compliance manager at the American Bankers Association, said bankers are intent on combatting fraud, particularly as more business is done electronically.
"Any assistance on improving the internal controls process is welcome," Mr. Byrne said. "However, to suggest that our guard is down is not accurate.
"We don't believe we are complacent. We are constantly improving."
