Date: 2025-01-14

US regulators, including the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), the Federal Reserve Board (FRB) and others, require financial services organizations to demonstrate that applicable laws, rules and regulations (LRRs) are covered across their risk governance framework. This oversight is intended to ensure a safe and sound control environment that is aligned with the organization's risk tolerance and with heightened regulatory standards.

However, interpreting banking regulations can be complex and subjective, and expert judgment is often needed to determine which sections of a law apply to a given institution. Banks frequently rely on third-party vendors to review LRRs and to propose generic controls based on the bank's characteristics, such as being designated a Global Systemically Important Bank (GSIB) or offering specific products and services.

Moreover, LRRs and industry frameworks, such as the publications of the National Institute of Standards and Technology (NIST), the Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and Related Technologies (COBIT), are constantly evolving. Keeping pace with these changes requires continuous effort to ensure that the organization's control environment does not develop gaps. Unfortunately, the manual process of linking LRRs to policies, standards, procedures, risk metrics and controls is time-consuming and frequently lags behind the regulatory change itself. The result is a gap between regulatory expectations and the organization's ability to demonstrate adherence to LRRs.

For example, a bank might have a policy stating that customers' personal information must be protected, and a supporting standard requiring that personal data be encrypted. The procedure would then describe the steps for encrypting personal data, and the control would verify that personal data is in fact encrypted. If the linkage between the relevant LRR and this chain of policy, standard, procedure and control is not kept current, the bank may be unable to demonstrate that the regulatory requirement is covered by its encryption standard, even when the encryption is in place, putting it at risk of a noncompliance finding.