The federal regulator of the nation’s largest and most sophisticated banks has put the threats of anti-money laundering compliance failures and cybersecurity attacks on equal footing in its latest annual report released this week.
The US Treasury’s Office of the Comptroller of the Currency (OCC) also highlighted in the report that, although total monetary penalties for Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance plummeted in 2015 to less than $500,000 after hitting nearly a billion dollars in the two years prior, the agency considers financial crime compliance critical, requiring top management support and adequate resources.
The money-laundering threat “is constantly evolving, especially as foreign-based individuals become more adept at using technology to circumvent bank controls,” according to the 88-page report.
“In this respect, threats to cybersecurity and BSA/AML compliance increasingly resemble one another.”
The report says specifically…
OCC CONFRONTS DUAL THREAT FROM CYBER CRIMINALS
News headlines in 2015 provided a reminder that two of the highest-profile targets for computer hackers are financial institutions and government agencies. That makes cybersecurity doubly important to the OCC, which must defend its own systems against attack while helping banks confront the cyber threats they face. As Comptroller Curry said in a June speech, “Those threats are real and they are unlikely to abate anytime soon. In fact, they are more likely to increase.”
In its ongoing efforts to support cyber risk management at supervised institutions, the OCC in 2015 collaborated with fellow members of the FFIEC to create the new cybersecurity assessment tool to assist banks in determining their inherent risk profile and level of cybersecurity preparedness. The OCC will also use the assessment to assist examiners in evaluating a bank’s inherent risk and cybersecurity preparedness. The assessment incorporates concepts contained in the FFIEC Information Technology Examination Handbook and the National Institute of Standards and Technology’s Cybersecurity Framework, a broadly applicable framework used by many nonfinancial sectors. The assessment tool uses a multipart formula to help a bank determine its inherent risk profile and its level of cybersecurity preparedness. The inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank’s technologies and connections, delivery channels, products and services, organizational characteristics, and external threats. The tool evaluates a bank’s cybersecurity preparedness in five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience.
The tool also helps examiners understand an individual bank’s level of inherent risk and cybersecurity preparedness. In addition, the assessment tool provides a common framework for assessment across institutions. Over time, it will help give regulators and bankers a better big-picture view of the industry’s ability to withstand cyber-attacks. To introduce the assessment tool, the OCC held a webinar for midsize and community banks and one for large banks. While banks are not required to use the assessment tool, OCC examiners will use it in their examinations to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity. OCC examiners are scheduled to begin incorporating the assessment tool into examinations in late 2015.
Meanwhile, the OCC continued to implement rigorous security controls to protect its own critical information resources, which include sensitive information used in supervising banks. In addition to initiatives mentioned in the “Letter From the Chief Financial Officer” that appears later in this report, the OCC
- centralized key security functions within the Cyber Security Office.
- implemented a governance model that elevated the Chief Information Security Officer’s role to one that reports to the Senior Deputy Comptroller for Management and the Chief Financial Officer.
- established a new security engineering team to implement innovative security technology solutions to mitigate emerging threats.
The OCC continually seeks ways to enhance its controls, monitoring, and training to best position the agency to ensure a safe and sound federal banking system, while safeguarding the information and resources entrusted to the agency.