On May 20, 2022 the Federal Deposit Insurance Corporation published the 2022 Risk Review, the FDIC’s comprehensive summary of emerging risks in the U.S. banking system as observed over the past year. https://www.fdic.gov/analysis/risk-review/2022-risk-review.html
While the 2021 Risk Review covered traditional credit and market risks with a focus on community banks, the 2022 edition expands coverage with new sections on operational risk and on climate-related financial risks, which the FDIC described as among its top priorities for monitoring. The report states that “operational risk in banking is one of the most critical risks to banks.” Its discussion of operational risk is devoted primarily to cyber threats and secondarily to anti-money laundering, while noting that the latter category did not represent a change to regulations. Heavier reliance on third-party service providers, including cloud-based environments, is cited as increasing the importance of effective controls. The only specific new rulemaking mentioned in the hundred-page document is the incident reporting rule issued jointly by the FDIC, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency, which requires a bank to notify its primary federal regulator of the most severe incidents and went into effect on May 1, 2022.
The FDIC’s announcement of the computer-security incident management rule is here: https://www.fdic.gov/news/financial-institution-letters/2022/fil22012.html#:~:text=Bank%20service%20providers%20must%20notify,materially%20disrupt%20or%20degrade%2C%20services. The final rule is here: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf.
Our summary of the rule is here: https://crindata.com/computer-security-incident-notification-requirements/. The regulations are in effect and require all FDIC-regulated banks to notify the FDIC of qualifying incidents and business disruptions, whether they involve internal systems or third-party systems that affect the bank’s operations or its customers.
For more information about operational risk management solutions to meet these evolving requirements and regulatory expectations, see the CRINDATA offerings (https://crindata.com/solutions/). We offer solutions for banks’ and third party service providers’ compliance with the new computer-security incident management regulations adopted by the FDIC, Fed, and OCC as well as solutions for operational risk management of critical third party relationships.