The reality for the community banking industry is that often, institutions are limited in staff size, especially in IT. As a result, employees are sometimes placed in an IT role without any prior experience and they are forced to learn the “ins and outs” of information technology quickly to ensure that the institution stays in compliance and the IT environment is secure.
This can be a daunting task for a financial institution employee who’s been placed in an IT role for the first time. From our experience working with more than 600 community financial institutions, there are four key steps that someone who’s new to banking technology needs to know to quickly get up to speed on all things IT:
Step 1: Determine the Financial Institution’s Current State
When stepping into an IT role from another department, the first thing you must do is get a strong understanding of the current state of the institution and how the IT infrastructure is set up. Key questions include:
- What does the IT infrastructure look like?
- What technology is currently in place?
- Is there hardware or software that is reaching end-of-life?
- Are network schematics and data flow diagrams up to date and accurate?
Look at all the policies and procedures currently in place and understand what management has approved for the information technology program and how the environment is organized. It’s important to know exactly where the bank is from an IT perspective because without this knowledge you won’t be able to troubleshoot potential issues or plan strategically for where the financial institution needs to be to meet compliance guidelines.
Step 2: Review Vendor Relationships and Responsibilities
It is critical to know exactly who is responsible for each IT activity. Many community banks and credit unions use a variety of vendors, including core providers, cloud providers, managed services providers, and others. It’s important to understand which vendors are involved with all your hardware, software, and IT services and review the service level agreements (SLAs) which are typically found in the contract to be clear on what the vendor should be providing to the institution. This is crucial because if an issue arises you need to know if it is your responsibility to handle it internally or if you should reach out to a vendor for support. Make sure you are clear about what the institution’s vendors are responsible for, when to go to them for help, and which activities are your responsibility under the SLA.
Another key part of this role is vendor management. As a new IT admin, you have a shared responsibility for monitoring and managing the institution’s vendors and weighing the risks each one poses to the institution. To keep the network compliant and secure, you need to thoroughly evaluate potential vendors; identify critical vendors and services; implement an effective risk management process throughout the lifecycle of the vendor relationship, and report appropriately to senior management. Some key best practices include:
- Developing plans that outline the institution’s strategy;
- Identifying the inherent risks of the specific activity, and the residual, or remaining, risk after the application of controls;
- Detailing how the institution selects, assesses, and oversees third-party providers;
- Performing proper due diligence on all vendors;
- Creating a contingency plan for terminating vendor relationships effectively; and
- Producing clear documentation and reporting to meet all regulatory requirements.
Having a proactive plan in place will help you effectively manage vendors and have a clear understanding of the level of criticality and risk for each service provider. Properly vetting and managing vendors will reduce risk for the institution, while also ensuring compliance requirements are met successfully.
Step 3: Understand the Institution’s IT Organizational Structure
How IT roles are structured within a community bank or credit union varies by the institution, but many financial institutions have an IT administrator, information security officer (ISO), chief information officer (CIO), and an IT steering committee to support IT activities. It’s important to learn how the institution is set up and understand what the ISO and CIO are responsible for so you can work together to ensure the institution’s environment is operating securely and efficiently. It’s also important to make sure all ISO duties are separated from other IT roles at the institution to maintain compliance with FFIEC requirements.
At some point, every functional area of a bank or credit union touches IT in one way or another so understanding how every system, application, and functional area within the institution operates and relates back to IT enables you to help the staff by troubleshooting the different issues each department may experience.
Step 4. Review Recent Audits and Exams
Another way to determine the current state of the financial institution is to review all recent IT audits and exams. Determine if there were any findings or recommendations made by a regulatory agency and make sure that this has been addressed and remediated appropriately. With this information, you can tell if there are any current issues or pain points and start to make strategic plans or address specific issues as they arise.
Financial institutions are held accountable for FFIEC compliance and must manage regulatory activities including reporting effectively. New IT personnel should become familiar with FFIEC guidance and understand what is required to meet regulatory expectations and perform well on future audits and exams.
With these steps, new IT admins can gain a deeper understanding of information technology and what their key responsibilities are at the financial institution to ensure the community bank or credit union can successfully meet examiner expectations and keep operations running smoothly.