WASHINGTON - The Federal Reserve Board is folding its high-tech reviews into a bank's principal exam, drawing positive reaction from community bankers.
Rather than conducting separate evaluations for information technology risk and safety and soundness, Fed examiners will integrate the two by yearend.
"It is better and easier for us to have the [exams] all at one time. It is less disruptive and less time consuming," said Jim Ghiglieri, president of Alpha Community Bank in Toluca, Ill.
"It does make things better for us," said Robert Muth, president and chief executive officer of Andover Bank in Andover, Ohio. "We don't have to prep twice for [the examiners] coming in."
While the Fed has been incorporating technology assessments into its safety-and-soundness examination schedule for larger banks since 1997, smaller institutions, which are examined for information technology risk every 18 months, have had separate schedules.
"The use of information technology can have important implications for a banking organization's financial condition, risk profile, and operating performance and should be incorporated into the safety-and-soundness assessment of each organization," the Fed told its examiners in a Feb. 29 letter.
The Fed said it was melding the two exams "to facilitate the integration of information technology supervision within the overall risk-focused supervisory process."
The Fed will maintain separate rating systems for each exam - the rating for general safety and soundness, which assesses capital, assets, management, earnings, liquidity, and sensitivity to risk; and the Uniform Rating System for Information Technology for information technology.
The Uniform Rating System score is based on how a bank develops, operates, manages, and audits its electronic systems. Examiners look at everything from how the institution buys or develops software to who has access to its computer systems and how it processes data. A poor rating could affect a bank's Camels rating.
The other federal regulatory agencies already incorporate information technology reviews in their general safety-and-soundness exams.
The Fed sent a separate letter to examiners about the oversight of vendors that provide banks with critical information technology services, such as transaction processing.
"The Federal Reserve expects institutions to ensure that controls over outsourced information and transaction processing activities are equivalent to those that would be implemented in the activity were conducted internally," according to the letter.
It instructs examiners to determine which critical information and transaction processing activities are outsourced and to assess what the institution is doing to protect against the risks posed by using outside contractors. For instance, the Fed said banks ought to audit vendors and have contingency plans in case service is unexpectedly cut off.
