Acting Comptroller Discusses Operational Resiliency at IIB Annual Conference

Acting Comptroller Discusses Operational Resiliency at IIB Annual Conference

By

Acting Comptroller, Michael Hsu, addressed the Institute of International Bankers (IIB) Annual Washington Conference, shedding light on the critical importance of operational resilience in the banking sector. Amidst the backdrop of discussions often dominated by capital and liquidity concerns, Hsu emphasized that operational resilience plays a pivotal role in ensuring the safety and soundness of banks and maintaining financial stability.

"The operational resilience of critical banking services is essential to the safety and soundness of banks and to financial stability. It warrants our full attention, especially in our highly interconnected world," Michael Hsu asserted.

Highlighting the growing risk of disruptions, the Acting Comptroller also presented statistics reflecting the exponential increase in the scale of banking services, including custodian banks now safeguarding over $108 trillion compared to $24 trillion two decades ago. The ACH Network's processing of payments also surged from $40 trillion in 2014 to $80 trillion in 2023.

He pointed out that as banking services expand, technology and third-party involvement increase, expanding the threat surface for disruptions. The Acting Comptroller stressed that the impacts of concern are not solely financial, and solutions require meticulous planning, prudent investment, well-designed systems, and regular testing.

The distributed nature of banking processes globally, with employees in various countries and increased reliance on third parties, has made the provision of banking services resemble global manufacturing supply chains, posing new challenges and vulnerabilities.

Hsu drew attention to recent ransomware attacks on EquiLend, Ion Markets, and the Industrial and Commercial Bank of China as early warning signs of the financial system's complexity and vulnerability to disruption.

Supervisory Expectations and Strengthening Resilience

Regulatory agencies, including the Office of the Comptroller of the Currency (OCC), expect financial institutions to prioritize operational resilience. Hsu highlighted the evolution of regulatory expectations, from the Interagency White Paper in 2001 to the more recent updates, including the Computer-Security Incident Notification Rule in 2021 and interagency guidance on third-party risk management in 2023.

However, Hsu raised the question of whether current measures are sufficient, especially for critical operations. Drawing on examples from other jurisdictions, such as the European Union's Digital Operational Resilience Act (DORA), he also emphasized the need for baseline operational resilience requirements for large banks with critical operations.

The proposed baseline requirements may include clear definitions for identifying critical activities, establishing impact tolerances, conducting testing and validation of resilience capabilities, incorporating third-party risk management expectations, and establishing communication protocols among stakeholders.

The Comptroller underlined the importance of collaboration, citing the success of forums like the Financial and Banking Information Infrastructure Committee (FBIIC) in coordinating responses to cybersecurity incidents and operational outages. The Acting Comptroller expressed commitment to enhancing coordination internationally to address the cross-border nature of disruptions.

The acting Comptroller reiterated the need for full attention to the resilience of large banks' critical operations. As the threat landscape continues to evolve, Michael Hsu expressed the OCC's dedication to working with industry stakeholders to develop effective approaches and strategies for ensuring operational resilience in the U.S.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.