OCC Targets Cybersecurity and AML Deficiencies – ERM is the Answer

The OCC released its “Semiannual Risk Perspective” and, perhaps as anticipated, banks continue to struggle plugging gaps in information technology practices.

Among the risks highlighted in the study, as reported by Joe Mont at Compliance Week:

• Evolving cyber-threats and information technology vulnerabilities require heightened awareness and appropriate controls.
• The high volumes and frequency of changes to information systems to address regulatory requirements, enhance risk monitoring reporting, and update compliance systems.
• Banks are taking on additional risks by expanding into new, less familiar, or higher-risk products without adequate due diligence or appropriate risk management and controls.
• The number, nature, and complexity of domestic and foreign third-party relationships continue to expand, increasing complexity, concentration, and risk management challenges.

While these risks are diverse in nature, the OCC identifies a possible solution. They suggest that banks use “Enterprise Risk Management practices to fully align with heightened standards.”

ERM software is effective for compliance management because it evaluates a bank’s obligations in the context of both the regulatory and business environment to properly prioritize resources. Rather than just meeting the letter of the law, enterprise risk management for banks provides a mechanism to document the achievement of compliance while improving daily operations and increasing operational efficiency on a daily basis at the same time.

For example, cross-functional risks like cybersecurity are only addressable across silos with an Enterprise Risk Management methodology. Cybersecurity is not only an internal concern but has cascading effects on vendors and service providers. One in three banks don’t require third parties to alert them about information security breaches, indicating an obvious communication failure between the IT and vendor management governance functions. Many businesses conduct an IT assessment on vendors AFTER they select the vendor to validate what mitigation controls are actually in place versus what was promised during the sales cycle. An integrated GRC system helps to identify connections between departments, vendors, and the impact of risks based on these connections; so that these gaps can be identified and addressed before they make their rounds on social media.