February 4, 1998
OCC Warns Banks On Technology Risks
WASHINGTON, D.C. — The Office of the Comptroller of the Currency today emphasized the importance of technology risk management as a critical success factor for national banks, and provided new guidelines for examiners to follow when reviewing a bank's technology risk management procedures.
The new guidelines are the agency's most comprehensive statement on technology issues to date, and they will guide national bank examiners as they evaluate such key bank activities as internet banking and the integration of computer systems following bank mergers.
"It is not possible to evaluate safety and soundness at a bank without understanding the risk that arises from technology," said Comptroller of the Currency Eugene A. Ludwig. "This guidance brings technology squarely within the boundaries of our Supervision by Risk program."
The OCC's Supervision by Risk program, which was implemented in September 1995, focuses examiners on those activities that are most likely to have a material impact upon bank safety and soundness.
In issuing the Technology Risk Management guidance, the OCC is also providing national banks and examiners with a framework for considering technology as an integral part of the financial services business, rather than simply a support function.
"Technology was once regarded as a back-office function that rarely rose to the attention of senior management," Comptroller Ludwig said. "Today, it is vital that the bank's senior management — right up to the chief executive officer — understand the risks and opportunities presented by technology."
The guidance makes it clear that the OCC will evaluate whether senior management has sufficient knowledge and skills to manage the bank's use of technology. In addition, examiners will evaluate whether senior management and the board of directors are sufficiently engaged in the planning process to manage the bank's technology-related risks. At least one key senior manager should have the knowledge and skills to evaluate the design, operation and oversight of technology issues.
The guidance addresses other fundamental changes in the banking business brought on by advances in technology. Most notable is that banks are contracting increasingly with outside vendors to provide data processing and core banking functions. The technology guidance emphasizes that banks must closely scrutinize their vendors' operations to ensure that systems work properly and are secure and that consumer information is properly protected.
In addition, when using new electronic delivery channels, banks need to ensure that they comply with all relevant consumer protection regulations and that they keep abreast of new developments in that field.
"Automated teller machines, home computers and telephones may be as close as some customers get to their banks today," said OCC Chief Counsel Julie Williams. "Banks should be reviewing the ways in which they provide consumer protection outside the bank lobby."
Today's guidance has two parts. The first part outlines the primary risks to which banks are exposed when they use computer hardware, software applications and telecommunications systems. These fall into four main categories: transaction, strategic, reputation, and compliance risk.
Transaction risk arises from problems with service or product delivery. Strategic risk occurs when the implementation of a particular technology is inconsistent with or does not further the strategic direction of a company. Reputation risk is the potential for negative public opinion. And compliance risk arises from violations of or non-conformance with applicable laws, regulations, prescribed practices or ethical standards.
The second part of the guidance describes a process for managing technology-related risks. It explains how banks should plan for, manage, and monitor these risks. The guidance links technology with more traditional bank activities, thereby promoting comprehensive bank risk management and bank supervision.
Further guidance on individual bank technology products and services will follow and fit conceptually under this umbrella guidance. The OCC expects to issue guidance soon on personal computer banking.