Fed Revamps Examinations To Catch Technology Risks

The Federal Reserve Board, revamping its exams to pinpoint the dangers posed by technology, will check all holding companies and state member banks for five new risks.

The new exam procedures are being tested by the Federal Reserve Bank of San Francisco and will be rolled out nationwide this summer. Coming under scrutiny will be:

organizational risk, which covers how a bank trains its employees, staffs its technology department, and plans for upgrades and replacements of existing systems;

infrastructure and application integrity risks, which involve the hardware and software a bank uses. This includes mainframe and desktop computers, accounting software, market- and credit-risk models, and credit-scoring systems. Examiners want to ensure these computers and programs actually work as intended;

availability risk, which encompasses contingency planning in case computer systems are damaged by natural disasters, terrorism, or employee mistakes; and

security risk, which includes a review of a bank's encryption software and other defenses against hackers.

"Banking is obviously changing, and technology is changing," said Terry S. Schwakopf, senior vice president for banking supervision and regulation at the San Francisco Fed. "We want to be in a very good position to address those changes."

Banks increasingly rely on high-technology equipment to run their businesses. Many institutions use computerized models to manage their interest rate, credit, and market risks. They also are offering Internet banking, operating computerized customer service systems, and experimenting with stored-value cards.

The Fed's moves received preliminary support from the industry.

"Technology has certainly exploded in terms of its utilization by banks," said Dorothy M. Horvath, chief credit officer at National City Bank and chairwoman of Robert Morris Associates. "That potential presents a whole new area of risk. It is very appropriate for the Fed to incorporate that aspect into its process reviews."

The new information technology systems exams will be wrapped into an institution's safety and soundness review.

"The idea is to get away from information technology being separate and unrelated," Richard Spillenkothen, the Fed's director of supervision and regulation, said in an interview in Washington. "We want to integrate it into the general safety and soundness examination."

The new initiatives, unveiled last week by San Francisco Fed officials, will hold all banking companies subject to Fed oversight to a single standard.

James McLaughlin, director of regulatory and trust affairs at the American Bankers Association, said he welcomes any effort to adopt uniform exam procedures.

"One of the things we have complained about is the lack of uniformity among Federal Reserve districts," he said. "As we are starting to see more and more holding companies consolidate their operations, they are finding themselves subject to different requirements. This will eliminate those kinds of difficulties."

The new review is in addition to an electronic data processing exam that the Fed conducts of state-member banks and independent data processing firms.

To implement the initiative, the Fed plans to train its 858 examiners during the coming year. "We don't expect them to know all the bits and bytes," said Todd A. Glissman, assistant vice president for banking supervision at the San Francisco Fed. "But rather we want them to know when to call in an expert."

Karen Thomas, director of regulatory affairs at the Independent Bankers Association of America, praised the training aspect, saying it will give the program credibility.

"They need to make sure their examiners know what they are talking about," she said. "There is no question about that."

Building on the new technology exams, the Fed plans to overhaul its basic safety and soundness guidelines by June when examiners convene in Dallas for a conference.

The Fed plans to create two sets of guidelines for small and large institutions with the dividing line set roughly at $1 billion of assets.

Smaller banks require less comprehensive reviews than larger institutions, according to the San Francisco Fed's Ms. Schwakopf.

Although the agency declined to release details, Ms. Schwakopf said the guidelines will direct examiners to look more at the processes banks use to make decisions and less at individual transactions. Examiners also will be instructed to produce risk profiles, which will identify the greatest risks each institution faces. Supervisors then will concentrate their reviews in these areas, she said.

The Fed program mirrors the risk-based exams instituted for large and small national banks by the Office of the Comptroller of the Currency last year.

Ms. Schwakopf said the guidelines will ensure that each reserve bank district takes the same approach. "These are tools to allow our examiners to implement this in a consistent way," she said.

The Fed also will work with the Federal Deposit Insurance Corp. to make small bank reviews more consistent. The intent is to have a single, interagency review of a bank and its holding company's internal controls, Ms. Schwakopf said.

Mr. Spillenkothen said the new procedures, with their emphasis on pre-exam planning, will reduce the amount of time examiners spend at banks.

"This is really designed to better focus our efforts and be more efficient and more focused on risk," he said. "Hopefully we will reduce burden and the cost of examinations."
