On October 6, the Office of the Comptroller of the Currency (OCC) released its examination priorities for the 2023 fiscal year, which begins in October 2022. While this communication was issued by the OCC, the focus areas track closely with trends we’ve observed from other regulatory agencies and general industry best practices, so all financial institutions should pay close attention.
This plan is intended to further the implementation of existing guidance and interpretations, and it does not create or change any requirements. However, it gives us insight into the areas that you can expect your examiners to focus on during the coming year and allows you to prepare accordingly.
This year’s priorities included several areas related to technology management and information security. Ensure that your controls in these areas are strong and that you’re prepared to respond to detailed questions on your strategy and operations.
Operational Resiliency and Cybersecurity
IT asset management continues to be high on examiners’ priority lists. The OCC correctly recognizes this as a fundamental element upon which any effective cybersecurity program must be built. You can read more about effective asset management strategies here.
The 2023 priorities expand on these preventative controls by shifting more focus to the detection and response aspects of a security incident. Examiners will scrutinize your incident response and business continuity plans for their ability to manage real-world threats, and in particular will test your data backup and recovery capabilities. Consider your critical data across all locations and media where it is stored – in-house, cloud, vendors, and/or physical storage – and your ability to recover all of it when necessary. Threat emulation exercises provide the most comprehensive, practical evaluation of your cybersecurity incident detection and response capabilities relative to real-world threats.
Third Parties and Related Concentrations
While third-party risk management is nothing new to banks, and examiners will unsurprisingly continue to scrutinize the program, this year’s priorities explicitly focus on fintech relationships. Examiners will expect to see a thorough risk assessment of any relationship that could pose operational, financial, cybersecurity, regulatory, or other types of risks to your bank, and a commensurate level of due diligence. The nature of many fintechs’ services and product integrations, coupled with the sometimes-less-mature control environments of startup tech companies, makes this fraught with risk for your vendor due diligence function.
You should hold all vendors – even smaller or non-traditional providers – to the same high standard of due diligence according to the inherent risks they pose to you. There are no exceptions carved out for small companies. Identify all relevant risks and request assurance from your fintech vendors in any form available: SOC reports, evidence of penetration testing and remediation, relevant certifications, business continuity plans, etc. Security questionnaires are helpful but should be handled with some professional skepticism. You may not receive all requested due diligence artifacts, or you may be left with some concerns after your evaluation. Handle these according to your formal risk mitigation/acceptance policies and overall risk appetite, and continue to push vendors for improved assurance reporting when necessary.
New Products and Services
Examiners will pay close attention to your product development processes. The OCC’s priority memo specifically identifies payments systems, fintech, and digital assets (i.e. cryptocurrencies) as types of products and services of most interest. For any of these types of products, ensure that your planning and roll-out include a complete assessment of the impacts on your risk management program, e.g. increased operational risks related to cloud-based systems, or compliance and fraud risks related to online payment platforms. Many institutions are eager to roll out new and innovative technology capabilities, but this must be tempered with a well-governed and robust digital transformation strategy.
The memo also touches on cryptocurrencies. If you engage directly in any cryptocurrency activities, you will need to demonstrate a strong strategic and tactical understanding of the risks surrounding these technologies and the ability to manage them. Critically, your examination is not the time to be dealing with these questions for the first time – you should have already notified your regulator prior to engaging in these activities and obtained a supervisory non-objection.
The 2023 examination priorities feature some expected fundamentals and some evolving new practices. Along with the rest of the non-IT objectives, it can feel like too much to get your arms around. Wolf’s technology advisory services keep you ahead of the curve and confident heading into any exam cycle.