Senior Editor, Network World

Fed holds firm on bank requirements

Jun 16, 2003

Disaster-recovery procedures at heart of regulations.

The Federal Reserve is pressing on with plans to force the largest financial institutions to improve back-up and data-recovery procedures to guard against a repeat of the disruptions in monetary exchanges that occurred after the Sept. 11 terrorist attacks.

However, the Federal Reserve also is shelving further talk of a controversial distance requirement – perhaps 300 miles – between primary and back-up facilities. That idea caught the attention of New York’s political establishment, which complained bitterly that it would drive thousands of jobs out of a financial district that already suffered the brunt of those attacks almost two years ago.

“Instead of the 300-mile limit, we’re asking them to look at whether they’re on the same [electric] power grid, water or telecommunications grid with the primary and back-up facilities,” says Steve Malphrus, CIO of the Board of Governors and director of management at the Federal Reserve System.

Secret list

Malphrus says the Federal Reserve is putting together a secret list of financial institutions – primarily based on size and market influence – that will have to follow the new guidelines. The list is secret because it contains sensitive information with national security implications. He says the Federal Reserve is not going to let these larger institutions have primary data center operations and backup depend on the same telecom offices, water and electricity supplies, and perhaps transportation hubs.

Malphrus says two-hour recovery time in a crisis is reasonable to expect from the most important financial institutions processing core settlements that have to be done to keep the banking system up and going. “They have got to prove to us they are not on the same power, telecommunications, water and transportation for their backup,” he emphasizes.

Aspects of the Federal Reserve’s plan, undertaken with the Securities and Exchange Commission and the Treasury’s Office of the Comptroller of the Currency, are summarized in a document published in April called the “Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.”

“This continues to be controversial,” says John Carlson, senior director at Bits, the technical arm of the industry trade group Financial Services Roundtable, which has about 100 members, including the nation’s largest banks, Citigroup, J.P. Morgan Chase & Co., Wells Fargo & Co. and Wachovia. 

Bones of contention

The Federal Reserve is drawing up disaster-recovery guidelines for banks.
Largest institutions will be held to toughest disaster-recovery guidelines, so banks are worried their closest competitors might be excluded while they pay dearly.
Some argue that fastest data recovery will rely on synchronous processing, but that might limit the technology’s use to about 25 miles.
Proposed recovery times of two to four hours might be impractical.
Industry worries regulators underestimate role of telecom providers in ensuring no single point of network failure.

Carlson says many of the larger banks are worried that they will end up on the Federal Reserve’s secret list of organizations required to conform to new disaster-recovery guidelines while their closest competitors won’t. “It’s become a competitiveness issue because there will be costs involved in this,” he notes.

Bits members would like to see federal regulators give approval to foreign sites for backup and recovery because many larger organizations maintain large data processing sites abroad and domestically. Bits also is urging regulators to address the role the nation’s telecom industry can play in fostering improved disaster recovery by improving network redundancy.

Behind closed doors

Later this summer, Bits and some of its members, including Bank of America, will meet behind closed doors with Ameritech and other carriers in a discussion that also will include the federal crisis management group National Communications System.

“This will be about circuits and how they’re maintained,” Carlson says. “We want to know about [network] dependencies and perhaps have new facilities built or new technologies used.” He says this is the first time the carriers will share this kind of sensitive proprietary information with the banking industry.

The Federal Reserve has defused some of the controversy surrounding its unfolding disaster-recovery guidelines by pushing out the deadline to make changes from one year to three years in some cases, instead of the originally proposed six months.

But smaller banks and brokerages – all of which are also subject to periodic security audits by a host of regulatory authorities – shouldn’t think they’re off the hook in terms of new regulation.

That’s because the Federal Financial Institutions Examination Council (FFIEC), an interagency group that supervises examination of financial institutions, is in the midst of issuing the most sweeping set of changes to security auditing rules since 1996.

So far, FFIEC has issued three so-called IT Examination Handbook “booklets” (which have hundreds of pages) in the past few months to replace guidelines that were in place before the Internet, online banking and the Web became important. They are titled “Information Security,” “Business Continuity Planning” and “Supervision of Technology Service Providers,” which details how federal examiners will evaluate independent data centers and other technology providers assisting banks in processing transactions.

Some new demands from regulators concern use of technologies largely unknown a decade ago. For instance, financial institutions are expected to use intrusion-detection systems and be prepared both to respond to what those systems detect and to preserve the evidence they produce.

The FFIEC is expected to issue about a half-dozen other handbooks on new security guidelines by year-end.