The Federal Reserve’s latest Supervision and Regulation Report 2019 is on the most part reassuring and encouraging – the US banking system is sound, profitability is robust and capital and liquidity levels are as they should be. But for the first time, the Federal Reserve Board has so evidently called out the “non-financial weaknesses” – i.e. IT governance and risk management issues – in US financial institutions. Of the supervisory findings in financial institutions currently outstanding, over 60% pertain to these areas. Perhaps a wake-up call for firms and potentially a warning that they could have the regulator knocking at their door if the issues are left unaddressed?

This said, this situation isn’t an issue for the US banks and financial institutions alone – it’s a cause for concern for firms globally and an area that most regulators are narrowing their focus on.  In the UK for instance, the Bank of England’s Operational Resilience programme is an attempt to address such internal control weaknesses. In fact, only recently, a UK Treasury Committee has demanded that regulators need to increase their expertise dedicated to Operational Resilience at senior levels and even increase industry levies to cover the costs, if required.

To us, these findings have been a long time coming. In fact, with some of the Federal Reserve supervised institutions, we are already helping them strengthen many of the matters requiring immediate attention (MRIAs) and external audit points highlighted in the Report including model risk management, data and Shadow IT management as well as operational risk and resilience issues that this Report highlights.

At the core, financial institutions need to demonstrate knowledge, transparency and veracity of their Shadow IT environment – end user computing tools, models, spreadsheets, databases, etc. – and exhibit auditable controls to close the loop on these non-financial weaknesses.

If you are looking for help and guidance in this space, get in touch with us. Strengthening these non-financial MRIAs areas will go a long way in enabling compliance with a whole host of other regulations too – from the SM&CR through to SR 11-7, SS 3/18 and more.

Prev Next

Get In Touch

Let's talk about how you can control your Shadow IT.