Audit Knowledge Base

Keeping Watch
Written by Richard H. Gamble
Monday, 22 June 2009 19:25

The arms race around IT risk management is taking a new turn. Community bankers and the experts who advise them are discovering that stopping the most sophisticated intrusion attempts with the best fraud prevention technology alone is not enough. What is surfacing is a new emphasis on management to supplement the technology tools that remain critical in the never-ending effort to protect financially sensitive data. Software and IT outsourcing are valuable tools, but William Henley, director of IT Risk Management at the Office of Thrift Supervision, puts the emphasis for network and operational security squarely on management. No solution works without the right management supervision, Henley says. Without adequate planning and oversight, even the best system or service provider is a waste of money.

“A lot of the problems on the back end come from inadequate planning on the front end,” he points out. “You can’t run out and buy software or hire an IT vendor or service provider for a quick fix.”

Lucy Griffin, editor of Compliance Action, cites the real example of a bank whose IT department bought one of the slickest loan administration software packages on the market. Then the compliance officer noticed that although the software computed interest in a perfectly legal manner, it did not compute interest the way the bank had disclosed to its customers that it would. “Because of that discrepancy, every loan in their portfolio was in violation of the rules,” she points out. That kind of mistake is common, Griffin insists. “Slick doesn’t cut it. The software has to do the right job,” she adds. Any significant software purchase decision should be made by a team that includes all the affected players. “The big complaint you hear over and over at compliance conferences is that IT makes decisions on its own without talking to compliance,” she reports.

Doing your own thorough risk assessment and developing your own plan to manage the risks it identifies is a better approach than copying a peer bank you admire, says a source in the Office of the Comptroller of the Currency (OCC).

Because community banks have small staffs with multiple responsibilities, relying on third parties for help is appropriate, says Kent Conrad, director of technology risk management services at RSM McGladrey Inc. in Minneapolis, Minn. But it is not acceptable to bring in IT experts and then simply say “yes” to whatever they recommend. “The bank needs IT staff who are knowledgeable enough to understand the ramifications of changes,” Conrad says. “IT decisions have to be made in the context of strong change management.” A solution that looks good generically might not be good for a particular bank in a particular situation, he points out.

Technology Tools


Technology tools, of course, remain critical. It takes technology to comply with expanding Bank Secrecy Act (BSA) requirements, for example, to monitor accounts for structuring, the splitting of cash deposits into smaller amounts to stay under reporting thresholds, a common money-laundering technique. Instead of merely reporting individual deposits over $10,000, banks now are required to monitor activity in accounts linked to the same person or business over seven-day and 30-day periods and report aggregate deposits. Meeting these requirements manually is feasible only at the smallest banks, explains Bill Nicholson, risk specialist at core processor Jack Henry & Associates in Monett, Mo. Even smaller community banks have had to automate some compliance components given regulators’ rising expectations, Griffin admits. “Under BSA, how do you know what’s suspicious and what isn’t?” she asks. “Good software does that for you. It monitors flagged accounts and reports activity it has been programmed to report. That saves a lot of manual work and staff time.”

In fact, some community banks have used defensive technology so effectively that they appear to have won some of the biggest battles. Attackers almost never get into banks’ core systems any more, and financial controls are effective enough that the most an intruder can hope for on a first pass is data, not dollars. Accounting controls likewise limit the direct financial losses community banks suffer from data security breaches, Conrad reports. The challenge is to stop criminals from turning stolen data into money on a second pass. And if the bank itself is a nearly impregnable fortress of secure data, intruders will seek out less fortified entry points, namely customers’ PCs.
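As a concrete illustration of the aggregate monitoring described under Technology Tools, here is an added example in Python. It is not code from the article, from Jack Henry & Associates, or from any vendor the article mentions. It takes a constructed list of deposits, treats two accounts as linked to the same customer, and raises one alert for the shortest window (seven-day first, then 30-day) in which deposits that are individually under $10,000 add up to more than that figure across all of the customer's linked accounts. The $10,000 figure and the two windows come from the article; the sample data, the "shortest window wins" rule, and the choice to skip any window that already contains an individually reportable deposit are assumptions made for this example, not regulatory guidance.

```python
from collections import defaultdict, namedtuple
from datetime import date, timedelta

# Constructed sample deposits, not real bank data.
# Fields: customer id, account id, posting date, amount in dollars.
# Accounts A100 and A101 are both linked to customer C1, which is the case an
# account-by-account check would miss.
SAMPLE_DEPOSITS = [
    ("C1", "A100", date(2009, 6, 1), 4_000.00),
    ("C1", "A101", date(2009, 6, 2), 3_500.00),
    ("C1", "A100", date(2009, 6, 5), 3_000.00),   # C1's 7-day total is now 10,500
    ("C2", "B200", date(2009, 6, 1), 9_900.00),
    ("C2", "B200", date(2009, 6, 20), 9_800.00),  # 19 days apart: clears 7-day, trips 30-day
    ("C3", "D300", date(2009, 6, 3), 12_000.00),  # single deposit over the threshold
]

THRESHOLD = 10_000.00   # dollar figure named in the article
WINDOWS = (7, 30)       # day windows named in the article; checked shortest first (assumption)

Alert = namedtuple("Alert", "customer window start end total accounts")


def monitor(deposits, threshold=THRESHOLD, windows=WINDOWS):
    """Return (individual_reports, aggregate_alerts).

    individual_reports: deposits that exceed the threshold on their own.
    aggregate_alerts:   at most one Alert per customer, for the shortest window
                        in which deposits below the threshold add up to more
                        than it across every account linked to that customer.
    """
    individual = [d for d in deposits if d[3] > threshold]

    # Group by customer, not by account: structuring spreads deposits across accounts.
    by_customer = defaultdict(list)
    for cust, acct, day, amt in deposits:
        by_customer[cust].append((day, acct, amt))

    alerts = []
    for cust, rows in sorted(by_customer.items()):
        rows.sort()                       # chronological, so rows[:i + 1] is "up to this deposit"
        for window in sorted(windows):
            hit = None
            for i, (day, _acct, _amt) in enumerate(rows):
                start = day - timedelta(days=window - 1)   # inclusive trailing window ending on `day`
                in_window = [r for r in rows[: i + 1] if r[0] >= start]
                if any(r[2] > threshold for r in in_window):
                    continue              # assumption: already covered by an individual report
                total = sum(r[2] for r in in_window)
                if len(in_window) > 1 and total > threshold:
                    hit = Alert(cust, window, start, day, total,
                                sorted({r[1] for r in in_window}))
                    break                 # first day this window trips
            if hit:
                alerts.append(hit)
                break                     # do not repeat the alert for a longer window
    return individual, alerts


if __name__ == "__main__":
    reports, alerts = monitor(SAMPLE_DEPOSITS)
    for r in reports:
        print("individual report:", r)
    for a in alerts:
        print("aggregate alert:", a)
```

The point the sample is built to show is the customer-level grouping: C1's three deposits sit on two different accounts and none of them is reportable alone, so only a monitor that joins accounts to the same person sees the $10,500 seven-day total, while C2's two $9,900-range deposits clear the seven-day window and are caught only by the 30-day one.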