Regulators giving increased scrutiny to bank IT

Heightened regulatory expectations around cybersecurity, pandemic planning and business continuity are driving IT matters from banks’ back rooms to their board rooms.

In our day-to-day business, we interact with a lot of bank examiners — both assisting client banks across the United States and on our own behalf as a regulated technology service provider to financial institutions.

From what we have learned, these are the areas where you can expect to see examiners ramping up scrutiny:

  • Due diligence on IT vendors — and “hidden” sub-vendors;
  • Cybersecurity — in all platforms;
  • IT management — the processes and applications designed to keep your business safe; and 
  • Risk management — including business continuity planning, pandemic preparations and work-from-home capabilities.

Examiners are elevating these issues to a level that requires attention, understanding and governance beyond the “back office” IT function. This is an opportunity to ensure executive leadership and bank directors are appropriately engaged in the pillars that lead to regulatory compliance and business success: 


Cybersecurity matters now more than ever — with increased attacks specifically targeted at financial institutions. This comes down to protecting what belongs to you — and your customers.

The Federal Financial Institutions Examinations Council’s joint statement in April elevated the issue of cloud-computing security. The gist of the FFIEC statement: Don’t assume that all cloud-computing environments are safe, secure and resilient. 

Key areas for regulatory scrutiny include: network security; information security; access management; planning and testing for business continuity and incident response; third-party audit; and training.

IT vendor due diligence

Consider your IT vendors’ support of your bank’s ability to conduct business and meet regulatory expectations. Be aware that compliance in this area can be more challenging if your IT services are the product of decades of evolving technologies, regulatory requirements and vendor relationships. 

Your due diligence should include a vendor-management strategy that evaluates all vendors — including the unseen providers behind a visible firm — and assesses the risk they pose to your operations.

More IT vendors introduce more complexity, service gaps and risks for banks to manage. Consider whether your institution may benefit from consolidating IT services and providers.

In addition to the usual vendor due-diligence checkpoints — SSAE16/18 or SOC Audit; exam results; insurance; financials; privacy agreements; incident response; regulatory or exam follow-ups — business-continuity testing and secure work-from-home capabilities are areas for attention.

IT management

Examiners are looking for evidence of appropriate management of policies and applications to safeguard your business. This ranges from antivirus software and patch management to SPAM filtering and cyber-attack monitoring. Business-continuity planning plays a major role here, too.

Risk management

Basic risk management includes identifying potential threats and the likelihood of impact — as well as mitigating controls. Your risk assessment should include both inherent and residual risk ratings. 

Things to consider include: Information security; disaster recovery; e-banking; and multifactor authentication. You should understand, address and document your bank’s IT-specific risk for pandemic, cybersecurity intrusion, natural disaster or other business interruption.

Get it in writing

Consider the policies, plans and risk-assessments you have in place. Are they appropriately documented and up to date? 

Some new or more regularly requested IT policies to keep in mind include: Change management; data classification; work-from-home; and revised acceptable use policy to accommodate work-from-home. 

Ready for regulators

Directing attention and resources now to the evolving focus of bank regulators will position your financial institution for success in a range of uncertain environments.


Sharon Bracken, CISA, is senior audit and regulatory manager at BankOnIT. You can reach her at 405-605-3929 or [email protected].