In early March 2023, Santa Clara-based Silicon Valley Bank was the financial institution of choice for the tech industry. The institution counted some of the biggest names in tech, thousands of smaller tech startups, and numerous venture capital firms among its clientele.
By the middle of that month, the 40-year-old bank was dead in the water, shuttered by state regulators and put into receivership under the Federal Deposit Insurance Corporation. After the institution's leadership disclosed that the bank had sold bond investments at a significant loss and needed to raise capital, depositors let loose with a classic bank run, attempting to withdraw roughly $42 billion in a single day. It was the absolute worst-case scenario for any bank, and regulators shut things down the next day.
SVB's spectacular collapse was a case study in how much faster risk now moves in the banking industry, as financial markets have grown more volatile and more immediate in the age of digital banking and social media.
While the risk of such an incident had been building for some time amid regulatory loosening and interest rate hikes from the Fed, the actual risk event itself played out in less than 72 hours as digital wire transfers siphoned money out of the bank and social media served as an accelerant.
The incident revealed how critical it is for banks to have robust risk programs with nimble, well-equipped risk management teams running them. It also showed the importance of staying on top of financial and banking risk even when the regulators aren't watching closely.
In this article, we’ll take a look at how financial regulations have changed in recent years, where we expect they’re headed next, and how to stand up effective programs for risk management in banking and ensuring compliance as the regulatory landscape evolves.
Banking regulation in the United States has been characterized by a bit of whiplash throughout its history, see-sawing between the expansion of centralized control and loosening of regulations.
We’ve seen this dynamic play out even in just the past decade. Following the 2008 financial crisis, regulators tightened the screws on banks with the Dodd-Frank Act, requiring more extensive financial-safety measures to be taken. A decade later, those and other requirements were dialed back for small and mid-size banks not deemed “too big to fail” — banks just like SVB and Signature Bank.
In the relaxed regulatory environment that followed, SVB was able to grow rapidly and finance technology startups that many other banks considered too risky to do business with, all while avoiding the strict scrutiny and stress-tests that its largest peers were subjected to. This partially set the stage for the bank’s downfall and a likely renewed reckoning for banking regulation.
Within that context, there has naturally been lots of chatter since the bank implosion about what regulators may do in response and whether the pendulum will swing back towards regulators taking a heavier hand toward regulatory compliance in banking. Indeed, lawmakers have already proposed legislation that would undo the post-financial crisis regulatory rollbacks that fed into the banking crisis.
In light of all this, there’s a good chance that the banking sector can expect state and federal regulators to be knocking on their doors quite a bit more often in the future, specifically focusing on how they’re managing the risk associated with their investments and liquidity.
Regulators will also likely take aim at the new technology-powered banking landscape that enabled SVB’s bank run to happen at a significantly faster clip than has ever been seen in such scenarios.
Here’s a look at some of the regulatory action or trends we expect may emerge in coming years.
This one's the elephant in the room. Regulators will likely be looking for ways to improve oversight of bank liquidity and strengthen capital requirements. At the very least, we expect smaller banks will once again begin to see regulators imposing stress-testing and capital requirements similar to those the biggest banks must comply with.
Banks will also likely face new regulations around their asset and deposit mixes to limit over-concentration in one type of deposit. A large piece of the problem for SVB and Signature Bank was that the lion's share of their deposits came from a single sector: technology companies in SVB's case and cryptocurrency firms in Signature's.
Both of these depositor bases are considered generally risky, and failing to diversify the rest of an institution's deposit mix makes them riskier still. Most of those deposits were also above the FDIC insurance limit, which gave depositors every incentive to run at the first sign of trouble.
Speaking of cryptocurrency, regulators have already begun turning their gaze toward the fledgling and largely unregulated industry and that trend has only accelerated after the high-profile collapses of crypto firms such as FTX and Terraform Labs in 2022.
The rapid drop in valuation of cryptocurrencies that followed these events — the so-called “crypto winter” — led to the bankruptcies of no small number of companies, firms, banks, and other players with significant investments in the asset class.
In light of these developments, we expect to see regulators step up action for crypto players and roll out new regulatory requirements targeting the industry over the next few years. The way crypto exchanges like FTX operate and how illegal financial activities like money laundering can be prevented will likely be a focus of these efforts.
Cybersecurity incidents continue to increase in frequency and severity, and banks and financial institutions, like other critical infrastructure industries, are catnip for bad actors. The trend toward remote work becoming more common in the wake of the pandemic has also presented new cybersecurity challenges for financial institutions. All of these developments have made regulatory compliance in banking that much more complex.
Attacks on critical infrastructure have become such a problem that the U.S. government has begun stepping up efforts to force companies to adhere to basic cybersecurity best practices, improve reporting around incidents, and potentially hold companies that fail to adhere to standards liable for cybersecurity incidents.
The U.S. Congress has also made moves to address and improve responses to cybersecurity incidents, including passing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which will require covered critical infrastructure entities to report covered cyber incidents to CISA within 72 hours and any ransom payments within 24 hours once CISA's implementing rule takes effect.
Financial services is one of the designated critical infrastructure sectors, so institutions can expect these rules to apply to them and should improve their cyber risk management and incident reporting capabilities accordingly.
Regulators are demanding more and better access to real-time data from banks to be able to respond to fast-moving crises and rapidly changing economic conditions.
To meet these requirements, banks will need to ensure they have both the necessary technology and the proper governance structure in place. Modern GRC platforms are powerful tools for improving data governance and reporting by removing barriers to data sharing created by organizational silos.
Any platform a bank chooses should be flexible enough to adapt as the organization scales or regulation changes. They should also be accessible to everyone in the organization to facilitate data sharing.
The first step in effectively managing regulatory compliance in banking and finance is understanding the types of risk your organization can expect to face. Few industries have a more diverse risk landscape than finance and banking. Here are a few of the most common types of risk banks should be aware of:
Liquidity risk is what we saw play out with SVB: rising interest rates devalued the bank's long-dated bond investments, so when depositors wanted their money, the bank couldn't sell those assets without locking in heavy losses. Liquidity risk is the risk that a bank won't be able to meet its financial obligations because of insufficient cash reserves, an inability to liquidate assets to bolster reserves, or a lack of access to additional sources of funding.
Credit risk is the risk that borrowers won't be able to pay back their loans, resulting in losses for the bank. This risk underpinned the 2008 financial crisis, when a housing bubble burst and saddled banks with heavy losses on their investments in subprime loans, mortgage-backed securities, and other assets.
Systemic risk, another type of risk that factored into the 2008 financial crisis, involves a massive shock to the global financial system (such as the bursting of a housing bubble) that results in the failure of numerous financial institutions and the destabilization of the economy.
Regulatory and compliance risk comes into play when a bank or financial institution can't or won't comply with state or federal regulations, resulting in fines, penalties, restrictions on the business, reputational damage, and other negative outcomes.
Beyond the legal consequences of noncompliance, regulations are usually put into place for a good reason, and failing to comply with them increases your firm's exposure to the very harms they're intended to prevent, such as data breaches or liquidity shortfalls.
The right regulatory compliance management software can help ensure your organization is up to date and on top of any regulatory requirements it may need to comply with.
Cyber risk includes insider threats, technical misconfigurations that open up vulnerabilities, and hacker groups, nation-states, or other attackers compromising a bank's systems to steal sensitive data or disrupt operations. Incidents resulting from these risks lead to financial and reputational damage. As stated above, this has become a real problem for the financial services industry and the focus of plenty of new regulatory activity.
Every organization relies on third-party services and vendors to operate, and each of those relationships is an avenue an attacker can exploit to gain access to a bank's systems. In banking, the rise of financial technology platforms, or fintech, has greatly increased the number of vectors attackers can use.
Incidents that occur as a result of third-party risk carry the same consequences as a direct attack on a bank's own systems, so banks need to require, and verify, that third parties follow the same risk management and security practices as they do.
Business and operational risk stems from a failure to ensure all internal processes and procedures are being followed by the bank’s workforce. A failure in any of these processes can lead to risk exposure that can result in losses.
Banks should implement modern GRC software to streamline workflow management and ensure all policies and protocols are being followed at all times.
Reputational risk is something of a meta-risk. Failing to properly manage any of the other types of risk banks face can lead to reputational damage, which can result in loss of customers and confidence. In the very worst scenarios, it can even threaten the organization's existence, since trust is a foundational quality of any banking relationship.
Despite the role regulations — or lack thereof — played in the SVB debacle, the bank’s demise was likely just as much the result of inadequate risk management practices or disregarded warning signs. That’s why it pays for any bank or financial services organization to make the appropriate investments in risk management and to have the right tools, processes, and teams in place.
Here’s a quick blueprint for building an effective risk management program for maintaining regulatory compliance for banks:
It’s impossible to effectively manage risk if you don’t know which risks your organization is facing. The first step in standing up or improving a risk management program is to take stock of your entire risk landscape. You can use the list of banking risks above to help you get started.
Having a list of all the risks your bank faces — commonly known as a risk register — is an excellent start, but it often leads into another problem: Which risks should take priority?
One way to figure this out is to determine how much it could cost your organization if a specific risk were to materialize. Risk quantification methods like risk matrices, Monte Carlo simulations, and the Open FAIR™ framework that tie risk to financial impact are good places to start.
Having these numbers in hand can help you more easily put the risks your organization is facing into perspective when attempting to secure buy-in from leadership to stand up programs for managing them.
Now that you know which risks you’re facing and which have the most potential to cause big problems for your organization, you need to implement some system for tracking, anticipating, and mitigating those risks.
Building an effective set of key risk indicators will provide you with a way to stay a step ahead of these risks, so you can start to take action before they become a true issue. These powerful metrics serve as early warning systems. When they exceed set thresholds for action, you can trigger risk mitigation strategies or business continuity plans.
At Silicon Valley Bank, for instance, risk quantification would have shown how much the bank stood to lose on its bond portfolio as interest rates rose, while the interest rate trend, the share of deposits concentrated in a single sector, and the share of deposits above the insurance limit would all have made good KRIs.
Modern GRC software can help you build, track, and organize your KRIs, so you always have eyes on any risk trend. The platform you choose should be adaptive and flexible enough to change as both the risk and regulatory landscapes your bank operates within evolve.
Setting KRIs for managing banking risk is not a one-and-done sort of activity. You need to constantly evaluate the effectiveness of your KRIs, improve them where necessary, and remain on the lookout for new data sources that could inform new metrics.
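As an added example (not code from the original article, nor from LogicGate's products), here is the quantify-then-monitor loop described above in Python: a simplified FAIR-style Monte Carlo, in which each scenario has a Poisson number of loss events per year and a lognormal loss per event calibrated from 10th/90th percentile estimates, ranks a risk register by annualized loss expectancy (ALE), and a KRI check then flags indicators that have crossed their action thresholds. The register entries, thresholds, and month-end snapshot values are constructed assumptions, not real bank data, and the simulation deliberately omits the finer Open FAIR factors (threat event frequency, vulnerability, secondary loss).

```python
import math
import random
import statistics

# Constructed risk register for illustration only (not real bank figures).
# Each entry: (name, expected loss events per year, per-event loss 10th
# percentile in dollars, per-event loss 90th percentile in dollars).
RISK_REGISTER = [
    ("liquidity_shortfall", 0.5, 1_000_000, 10_000_000),
    ("third_party_breach", 2.0, 10_000, 100_000),
    ("compliance_penalty", 1.0, 50_000, 500_000),
]

# Constructed KRI thresholds: (action threshold, "max" if a breach is a value
# above the threshold, "min" if a breach is a value below it).
KRI_THRESHOLDS = {
    "uninsured_deposit_share": (0.50, "max"),
    "single_sector_deposit_share": (0.40, "max"),
    "liquidity_coverage_ratio": (1.00, "min"),
}

Z90 = 1.2816  # standard normal 90th percentile, used to calibrate the lognormal


def poisson(rng, lam):
    """Draw one Poisson(lam) sample with Knuth's multiplication method.
    Adequate for the small event rates typical of a risk register."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_params(p10, p90):
    """Return (mu, sigma) of ln(loss) such that the loss has the given
    10th and 90th percentiles; this is how calibrated range estimates
    are usually turned into a distribution in FAIR-style analysis."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(freq, p10, p90, trials=5000, seed=1):
    """Monte Carlo one scenario: a Poisson number of loss events per year,
    each with a lognormal loss magnitude. Returns sorted annual losses."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu, sigma = lognormal_params(p10, p90)
    losses = []
    for _ in range(trials):
        events = poisson(rng, freq)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    losses.sort()
    return losses


def percentile(sorted_vals, q):
    """Nearest-rank percentile of an already sorted list."""
    return sorted_vals[int(round(q * (len(sorted_vals) - 1)))]


def quantify_register(register=RISK_REGISTER, trials=5000):
    """Rank every risk by annualized loss expectancy (mean simulated annual
    loss) and report the 95th percentile 'bad year' loss for each."""
    results = []
    for name, freq, p10, p90 in register:
        losses = simulate_annual_loss(freq, p10, p90, trials)
        results.append({
            "risk": name,
            "ale": statistics.fmean(losses),
            "p95": percentile(losses, 0.95),
        })
    results.sort(key=lambda r: r["ale"], reverse=True)
    return results


def evaluate_kris(observations, thresholds=KRI_THRESHOLDS):
    """Return the KRIs whose observed value has crossed its action
    threshold; each breach is the trigger for a mitigation or
    business continuity plan."""
    breached = []
    for name, value in observations.items():
        limit, direction = thresholds[name]
        if (direction == "max" and value > limit) or (direction == "min" and value < limit):
            breached.append(name)
    return breached


if __name__ == "__main__":
    for row in quantify_register():
        print(f"{row['risk']:<28} ALE ${row['ale']:>14,.0f}  P95 ${row['p95']:>14,.0f}")
    # Constructed month-end observations, chosen to resemble an
    # over-concentrated and largely uninsured deposit base.
    snapshot = {
        "uninsured_deposit_share": 0.90,
        "single_sector_deposit_share": 0.55,
        "liquidity_coverage_ratio": 1.20,
    }
    print("KRIs breached:", evaluate_kris(snapshot))
```

The ranking is driven by the mean, but the 95th percentile is what tells leadership how bad a single year can get; for the low-frequency, high-magnitude scenario the median year is zero loss while the tail is large, which is exactly the profile a risk matrix tends to understate. The KRI check is intentionally stateless so it can be run against each new data snapshot as it arrives.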
Having the right GRC software can help you in each step of this process. An ideal GRC platform for banks should be able to centralize all of your risk data in one place, and it should be flexible enough to quickly adapt as your business grows and scales.
Pairing an effective GRC platform with automated regulatory intelligence software can help you stay one step ahead of regulatory change management and maintain compliance at all times by automatically uncovering relevant regulations and bringing them into your GRC system for better visibility and tracking.
In the United States:
The Federal Reserve Board of Governors: The Federal Reserve, also known as the Fed, is the central bank of the United States. Its Board of Governors supervises the banks and bank holding companies that belong to the Federal Reserve System and, through the Federal Open Market Committee, sets monetary policy for the United States.
The Federal Deposit Insurance Corporation (FDIC): The FDIC insures depositors' funds held in banks up to the statutory limit. It also handles the resolution of failed banks, as it did with SVB.
The Office of the Comptroller of the Currency (OCC): The OCC is responsible for chartering, regulating, and supervising all national banks in the United States and all federally licensed branches of foreign banks operating in the U.S.
Consumer Financial Protection Bureau (CFPB): The most recently created of the banking regulatory agencies, the CFPB was established in the wake of the 2008 financial crisis to enforce consumer protection laws.
In Europe and the United Kingdom:
European Central Bank (ECB): The Fed's counterpart in the euro area, the ECB sets monetary policy for the euro and, under the Single Supervisory Mechanism, directly supervises the largest banks in participating countries.
European Banking Authority (EBA): The EBA develops the EU-wide single rulebook for banks and the technical standards under it, with day-to-day supervision left to the ECB and national authorities.
Bank of England: The Bank of England oversees monetary policy and financial stability in the U.K.
In the U.S.:
Dodd-Frank: The Dodd-Frank Wall Street Reform and Consumer Protection Act was passed following the 2008 financial crisis to address the systemic issues that caused the financial system to melt down and ensure banks maintain adequate capital and liquidity levels. This is the regulation that was partially rolled back in recent years, contributing to the 2023 banking crisis.
Bank Secrecy Act and anti-money laundering rules (BSA/AML): The BSA, as extended by later legislation including the Anti-Money Laundering Act of 2020, is designed to prevent money laundering, terrorist financing, and other illegal activity within the banking system. It requires banks to identify their customers, keep records, and report suspicious activity.
The Volcker Rule: Part of Dodd-Frank and named after former Fed chairman Paul Volcker, the Volcker Rule prohibits banks from proprietary trading with their own funds and restricts their ownership of hedge funds and private equity funds, on the theory that such speculation puts depositors' money at risk.
In Europe and the U.K.:
Capital Requirements Regulation (CRR) and Directive (CRD): The EU's implementation of the Basel capital standards, with the EBA drafting the detailed technical standards, requires banks in the European Union to maintain adequate capital and liquidity levels to make good on their financial obligations.
Prudential Regulation: These are the regulations set by the Prudential Regulation Authority, an arm of the Bank of England, in the U.K. to set and enforce standards governing banks, investment firms, insurance companies, and other financial services organizations in the country.
Basel III: Basel III is an international accord from the Basel Committee on Banking Supervision designed to ensure banks always have enough capital and liquidity to make good on their obligations. It is not itself law; national and regional regulators implement it through rules such as Dodd-Frank and the CRR, which is where its capital requirements, liquidity ratios, and stress-testing expectations become binding.
Modern GRC platforms can help banks build efficient, automated regulatory compliance programs that adapt as obligations change and can be scaled as the organization grows.
LogicGate’s Risk Cloud platform can help you assess, monitor, and adapt to banking risk and improve regulatory compliance in a holistic, proactive manner. Discover how by scheduling a demo today.