Community banks are getting increased regulatory pressure to beef up their technology platforms and emergency response plans for unexpected events such as hurricanes, floods and cyberattacks.
Examiners are increasingly asking small banks to showcase how they would recover systems after a disaster, either natural or man-made, industry experts say.
These types of requirements have been in place for years, but scrutiny is finally trickling down from larger banks to smaller institutions.
"Regulators want to be ahead of this," says Kevin Jacques, a former regulator at the Office of the Comptroller of the Currency who is now the finance chair at Baldwin Wallace University in Cleveland.
As examiners have become more comfortable with this topic, Jacques says, oversight "has filtered down to smaller" banks.
IT-Lifeline, a provider of disaster recovery services, found a 67% rise in disaster recovery testing at small banks in 2012, says Matthew Gerber, its chief executive. The increase included banks that have scheduled testing well in advance to banks seeking assistance just weeks before an auditor visit, he says.
Examiners want banks to have "consistent business continuity plans" in place, says Kooros Mahmudi, senior vice president at Marsh Risk Consulting.
In addition to technology, such as servers and backup systems, examiners want banks to clearly outline the roles of senior management and directors in the case of an emergency.
"They want to make sure it is a process-orientated approach," Mahmudi says. "They're not necessarily interested in understanding a particular system. They want to know if you can process checks and money and if clients can gain access to their accounts. That's really a collection of processes and people."
A representative for the Federal Reserve Board would not comment, and efforts to reach the Comptroller's Office were unsuccessful.
Banks should have procedures to "disclose the adequacy of the planning and testing process for the organization to recover, resume, and maintain operations after disruptions, ranging from minor outages to full-scale disasters," according to the business continuity planning booklet that is part of the Federal Financial Institutions Examination Council's Information Technology Examination Handbook.
As part of the planning process, banks must rate their various systems as one of five categories ranging from nonessential — those that would be fixed last — to ones that are deemed critical and must be running again within hours, Gerber says.
What is considered critical has changed over the last few years, he says. For instance, email systems that were once considered lower priority are now considered critical because management greatly relies on email to communicate with staff.
"What good would it be to have your core system up and running if you can't communicate?" Gerber says. Banks must also provide documentation to examiners that they have conducted tests on their recovery procedures.
Generally, banks should conduct tests at least twice a year and rotate the systems they examine, experts say.
"Auditors want to know that you have sat down, looked at your systems and determined the risk levels," says Stan Anderson, information technology manager at Inland Northwest Bank, the $394 million-asset unit of Northwest Bancorp in Spokane, Wash.
"They want to make sure banks are engaged in the process on a monthly basis," Anderson says.
Anderson says he spends about 10 hours each week on Inland's disaster recovery systems. The system has become more complicated over time, evolving from roughly six servers and a tape drive to backup data located at the bank.
IT-Lifeline provides Northwest with data protection off-site and a disaster recovery service, Anderson says.
Small banks often struggle with having the appropriate staff and infrastructure for its disaster recovery due to the costs. Gerber says it can cost a bank $2,400 to $3,600 a year for every $100 million of assets it holds.
As a result, many small banks rely on outside companies to provide these services at a lower cost, Jacques says.
John Marshall Bank in Reston, Va., has written plans on what it would do in case of various threats, says Carl Dodson, the bank's chief operating officer.
The $511 million-asset bank uses an outside company for its technology and personnel needs, keeps all its servers off-site and backs up all critical data daily, he says.
John Marshall Bank is also creating a secondary disaster recovery site, which would let it bounce back more quickly after an emergency.
"If something were to happen regardless of how unexpected, it would be terrible to not be able to serve our customers," Dodson says. "We do everything we can to make sure that doesn't happen."
Data backup alone is an insufficient disaster recovery plan, says Michael de la Torre, vice president of product management at SunGard Availability Services. Companies need the capacity and procedures to restore critical applications.
Banks also need to update the systems at their secondary sites to reflect any changes made in their business, he says.
"Change is the bane of disaster recovery," de la Torre says. "The more time that has passed from when you set up that site, the more changes that have happened and the less likely you will be able to use it."
Bankers should not view regulators as the enemy when discussing disaster preparedness, Jacques says. Examiners, who have the benefit of observing best practices at a variety of banks, can serve as a resource, especially to small banks, he adds.
Examiners have proven their worth to John Marshall and Inland in the past. "Someone who thinks they know it all is missing the boat," Anderson says, because "you never know it all."