December 5, 2014

OCC Compliance and Financial Institutions: A Look Into the Crystal Ball

As goes the world, so goes banking. With everything else that's possible via technology today, there's no reason we shouldn't be able to deposit checks with our smartphones, complete online transactions with bank-enabled checkout systems or move money between bank accounts online. So we can.

This creates major headaches for banks and their regulators. Every layer of accessibility is another third party that's involved in the banking process. The Office of the Comptroller of the Currency (OCC) recently released updated guidelines for third-party relationships, focusing specifically on the growing interdependence between banks, third-party applications and service providers. As banks end up online and virtually (no pun intended) all of them outsource their web applications, technology companies find themselves in the midst of the banking industry. No longer does the Comptroller only have to worry about vaults and padlocks — there's now the added complexity of regulating third parties and their interactions with the banking industry. On the flip side, IT teams now have to comply with the strict laws of the banking world.

Bank on It

As Comptroller of the Currency Thomas Curry said in remarks during a CES Government conference in April, "It's one thing to worry about whether someone is making charges on your credit card, as troubling as that might be. It's quite another to worry about whether the accounts that hold your life's savings are secure." Put another way, he knows the potential reward for criminals hacking banks is higher than if they targeted credit cards — and recovering that money could be much more difficult.

In light of the recent major breaches at Target and Home Depot, Curry's job has grown increasingly more stressful.

Part of Curry's recent initiatives includes viewing the OCC's jurisdiction not simply as comprising the financial institutions it governs, but the interconnected system that includes all third-party services employed by community and major national banks. This puts more pressure on software vendors to be compliant, but it also furthers the value proposition of a thorough security service. As more organizations align their regulations, cybersecurity is poised to become less of a sore subject internally and more of a top-down no-brainer for companies looking to grow or maintain their market shares.

Comply or Die

The OCC has highlighted sectors across the tech industry as targets for its guidelines, from telecommunications providers to marketing and cyberservices. As organizations become increasingly interconnected, the importance of compliance for your own business' security as well as the security of our nation's banks is further underscored. If you don't work with banks, someone you work with probably does — which means that you'll soon be held accountable for bank-level security. Comprehensive compliance is a preemptive measure to prevent the loss of business as well as internal losses related to direct attacks.

Though the onus is currently on financial institutions to ensure compliance or risk penalty, there is a major trickle-down effect at work here. If a bank is unsure about your security-compliance status, it will terminate the relationship before hackers or penalties can cause it any damage. This marks the beginning of what is poised to be an expansion of regulation and reach from the Comptroller, the Federal Deposit Insurance Corporation (FDIC) and other organizations tasked with the protection of the nation's currency. The business and legal cases for security compliance have never been clearer.

A Look Into the Crystal Ball

In an earlier speech, Curry noted, "Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all the connected networks and introduces different weaknesses into the system. Ultimately, these interconnected networks are vulnerable to attacks that may affect multiple organizations at one time." This is less-than-subtle foreshadowing of the rules to come from new branches of existing government organizations. The first step is issuing guidelines and enforcing compliance through the banks, but it's only a matter of time before penalties can be assessed directly on third-party vendors.

As signs point toward an inevitable increase in scrutiny and penalties for noncompliant vendors, comprehensive security services are becoming more obvious aspects of the tech landscape. With financial institutions now feeling pressure to terminate relationships with unsecured vendors, the reasons for securing your enterprise continue to mount. Instead of waiting until you get caught or hacked, stay ahead of the compliance curve. That way, you'll retain your current business and stand out from the competition.


John is a B2B and SaaS expert who likes to explain complex concepts using cute animals and cocktail napkins. He believes that content marketing is the future and sometimes ghost writes, but he can never prove it.
