Community banks are getting increased regulatory pressure to beef up their technology platforms and emergency response plans for unexpected events such as hurricanes, floods and cyberattacks.
Examiners are increasingly asking small banks to showcase how they would recover systems after a disaster, either natural or man-made, industry experts say.
These types of requirements have been in place for years, but scrutiny is finally trickling down from larger banks to smaller institutions.
"Regulators want to be ahead of this," says Kevin Jacques, a former regulator at the Office of the Comptroller of the Currency who is now the finance chair at Baldwin Wallace University in Cleveland.
As examiners have become more comfortable with this topic, Jacques says, oversight "has filtered down to smaller" banks.
IT-Lifeline, a provider of disaster recovery services, saw a 67% rise in disaster recovery testing at small banks in 2012, says Matthew Gerber, its chief executive. The increase ranged from banks that scheduled testing well in advance to banks seeking assistance just weeks before an auditor visit, he says.
Examiners want banks to have "consistent business continuity plans" in place, says Kooros Mahmudi, senior vice president at Marsh Risk Consulting.
In addition to technology, such as servers and backup systems, examiners want banks to clearly outline the roles of senior management and directors in the case of an emergency.
"They want to make sure it is a process-orientated approach," Mahmudi says. "They're not necessarily interested in understanding a particular system. They want to know if you can process checks and money and if clients can gain access to their accounts. That's really a collection of processes and people."
A representative for the Federal Reserve Board would not comment, and efforts to reach the Comptroller's Office were unsuccessful.
Banks should have procedures to "disclose the adequacy of the planning and testing process for the organization to recover, resume, and maintain operations after disruptions, ranging from minor outages to full-scale disasters," according to the business continuity planning booklet that is part of the Federal Financial Institutions Examination Council's Information Technology Examination Handbook.
As part of the planning process, banks must rate their various systems as one of five categories ranging from nonessential — those that would be fixed last — to ones that are deemed critical and must be running again within hours, Gerber says.
What is considered critical has changed over the last few years, he says. For instance, email systems that were once considered lower priority are now considered critical because management greatly relies on email to communicate with staff.
"What good would it be to have your core system up and running if you can't communicate?" Gerber says. Banks must also provide examiners with documentation showing that they have actually tested their recovery procedures, not merely written them down.
Generally, banks should conduct tests at least twice a year and rotate the systems they examine, experts say.
"Auditors want to know that you have sat down, looked at your systems and determined the risk levels," says Stan Anderson, information technology manager at Inland Northwest Bank, the $394 million-asset unit of Northwest Bancorp in Spokane, Wash.
"They want to make sure banks are engaged in the process on a monthly basis," Anderson says.