Changes have occurred in the manner and the degree to which regulators are focusing on bank information systems. The affected areas range from report filing and documentation to disaster recovery. In addition, an amendment to Regulation CC in the 1991 Federal Deposit Insurance Corp. Improvement Act (FDICIA) will have an impact on check clearing. The FDICIA and the Truth in Savings Act of 1991 will increase the amount of information banks must provide to consumers and regulators. Recent editions of the Federal Financial Institutions Examination Council EDP Examination Handbook have outlined regulations related to disaster recovery planning and business continuity. To date, compliance of most large institutions has been rated satisfactory, but smaller regional and community banks have had to make adjustments in order to comply. In addition to federal regulations, state regulations also are demanding more attention from banking's technology executives.
Regulators have caught up to technology with a vengeance. The regulatory impact on information systems has been around for years--just talk to any software developer about how many lines of a given application have to be written, and rewritten, to keep up to date with state and federal regulations. But what's new is the manner and degree to which regulators are focusing on operations, both in the back office and on down to departmental networks and desktop computers.
The affected areas range from the everyday, such as report filing and documentation, to the tumultuous, disaster recovery. In addition, an amendment to Regulation CC in last year's Federal Deposit Insurance Corporation Improvement Act (FDICIA) will have an impact on check clearing.
COMING FROM ALL DIRECTIONS
No one event has come down on information systems with a crashing thud, but there has been a slow ratcheting up of the pressure. When taken together, the changes appear to be coming from so many different directions and are buried so deeply in the new laws and regulations that information systems executives are still sorting through them to assess just how much they are going to be affected.
"The part that worries us the most is the open-ended nature of it," says Jim Erwin, operations and technology executive at NationsBank. "Regulators have the ability to prescribe new management practices."
A series of events got rolling late last year, and with each, the pressure on information systems went up another degree. The FDICIA and the Truth in Savings Act, both of which came out of Congress at yearend, will increase the amount of information banks must provide to consumers and regulators. Since the data processing area is the ultimate source of almost every bit of information a bank supplies to regulators, the responsibility will ultimately fall on that area's shoulders.
Also, recent editions of the Federal Financial Institutions Examination Council (FFIEC) EDP Examination Handbook have spelled out regulations related to disaster recovery that had been circulating among regulators for the past several years. Some of these regulations go back nearly a decade, but their cumulative effect is forcing senior management to get more involved in disaster recovery planning.
PRESSURE FROM THE FDICIA
Adding to this trend was last year's FDICIA. Since the law holds officers and auditors directly responsible for a bank's safety and soundness, some are interpreting that as giving regulators the leeway to draw disaster recovery planning into that particular realm.
According to Ed Evans, president of Comdisco Consulting Services of Rosemont, IL, this section of the FDICIA could also be used by federal regulators to remove auditors if they fail to examine disaster recovery planning.
The passage of the FDICIA is too recent for any specific regulations to have been drawn up yet. The full impact of its provisions on information systems, like many of the other recent changes, is unclear. At least one senior banking auditor at one of the Big Six accounting firms was unaware of any sections that could hold external auditors accountable for disaster recovery planning.
If it is any consolation, the federal regulator with the most responsibility for banks' data processing, Jerry Jones of the Office of Thrift Supervision, says he is unaware of senior officers or directors of any bank or thrift being harshly penalized for any deficiencies in disaster recovery planning.
HOLDING OFFICERS CRIMINALLY NEGLIGENT
If bank officers were to be held criminally negligent, "it would have to be an extreme example," says Jones, the chairman of the EDP subcommittee for the FFIEC. "If a bank is sitting on a fault and it has an earthquake, and management didn't have an adequate plan, then I could see something happening."
To date, he rates the compliance of most large institutions as satisfactory, but some smaller regional and community banks have had to make adjustments in order to comply. Much of the pain banks suffered in satisfying regulators' disaster recovery requirements was self-inflicted. "A lot of bankers didn't take them seriously until they started coming out with real specifics," says Debbie Bohlken, manager of legislative and regulatory operations for Systematics Information Services of Little Rock.
Five to 10 years ago, regulators were drawing up broader guidelines. It was only when they saw that they weren't being followed, particularly by smaller banks, that they came up with more specific items.
Comdisco's Evans reports that the 1992 Handbook calls for banks to include disaster recovery, and the related concept of business continuity, in the earliest stages of their computer and telecommunications plans for a given department. Unlike disaster recovery, which implies direct back-up for a data center, business continuity calls for a bank to get individual departments or operations up and running in a reasonable amount of time.
The advent of the personal computer and the local area network has been most responsible for the focus on business continuity. When banking was a mainframe-only world, it could be safely said that all of a bank's important computer data was kept in one place. But that is no longer the case.
"The lesson is there are mission-critical things being done in the workstation, LAN and PC world," says David Moore, a senior vice president at Mellon Bank Corporation.
Regulatory documents related to disaster recovery date back nearly a decade. The first one relevant to the current situation was the Comptroller of the Currency's Business Circular 177, which came out in 1983. It was revised six years later to cover disaster recovery beyond simply backing up a data center to providing backup for individual departments, whether they might be trading floors, trust departments or credit card remittance processing.
What the regulations are emphasizing is that a bank has to have plans for all contingencies. More importantly, senior executives and directors will be held accountable for it.
EXPERIENCE WITH REGULATORS
Moore recently witnessed first-hand the increased scrutiny being applied to disaster recovery by bank regulators, who completed their annual examination of Mellon's data processing area in April. While regulators are seeking more information and causing banks to work harder in order to comply, the examinations of data processing are orderly enough to make providing them the necessary information a relatively straightforward process.
"They first give us a list of information they want," says Moore. "They want to look at our organization chart and separation of duties. Then they set up interviews with the appropriate people, and then they put out a report.
"If anything, they're probably more compact. There's continuity among the examiners from past years; they're not starting from ground zero."
THE CASE OF SERVICE BUREAUS
The requirement for disaster recovery beyond the data center was also expressed in a 1988 policy statement from the FFIEC, SP-3, which covered disaster recovery planning for units dependent upon service bureaus. "A bank that uses a service bureau must make sure that all of its other contingency plans tie into the bureau's plans," says Evans of Comdisco.
For example, the majority of a bank's processing might come from a bureau, but a department, such as trust, might use its own remote processing. In such a setup, the trust department may regularly share information with other bank systems supplied by the service bureau. The department's operations might be so sensitive that they need instantaneous backup, but the service bureau may only be able to provide recovery within 24 hours.
Under SP-3, federal regulators will not object to that, says Evans, but they will find fault with a bank if its contingency plan does not account for how its trust department will continue while it waits for the service bureau to resume normal operations.
The section of the FDICIA that amends 1988's Reg CC allows banks to reduce their exposure to next-day items, typically cashiers' checks or local government checks.
Initially under Reg CC, banks had to make all of the funds from such items available within 24 hours. With the amendments, only the first $5,000 of a check in this class has to be released in that period; the remaining amount can be held up along with a bank's schedule for other checks.
While the long-term impact of the risk reduction is positive, from a technical standpoint this change will create a graded availability schedule for this class of checks.
That will add to the complexity of clearing them, and at least initially, it will mean revising the software and systems associated with the process of check clearing.
An example of how much more complexity will be added from a strictly procedural standpoint is the case of a bank that uses special deposit slips as a way of keeping track of next-day items, according to Michael Lawrence, an assistant vice president for regulatory management at Signet Banking Corporation of Richmond.
Such a system would have to be modified for those items that can't be fully released the next day.
The Truth in Savings Act could prove to be more troublesome than the amendments to Reg CC, says Lawrence. The Federal Reserve is required to supply Congress with new rules by Sept. 19. Banks will have six months from that date, until March 19, 1993, to comply.
The areas most affected will be the systems that calculate account interest rates, statement rendering for deposit accounts and printed marketing and advertising material.
"Is that enough time? I don't know," says Lawrence. "It depends on what the final rule looks like."
At his own first glance, he did not feel that complying with the act would prove to be an onerous task. But since then, he has discussed the act with bank officers who were around when the Truth in Lending Act was enacted in 1969, and he says they feel that complying with the new law could prove to be more difficult than the earlier legislation.
"We see it as a major item on our agenda for next year," says Sidney Hicks, NationsBank's national director of risk control and cash assets management. "We just don't know the magnitude of the effort."
On the other hand, George Hall, an executive vice president at CoreStates, says the work involved in complying with this act in particular need not be onerous.
"I don't hear a lot of loud gnashing of teeth," he says. "It's just one more thing to be done."
More problematic to Hall are the amendments in recent years to the Bank Secrecy Act, particularly those that call for the electronic filing of currency transaction reports.
In the long run, electronic report filing may benefit banks, in terms of leading them to more efficient methods of gathering the necessary information and avoiding a backlog of report filing. But Hall says setting up the system was no simple matter.
"We had to determine which customers are exempt and normally handle a lot of cash in their business, such as a supermarket," he says.
At Firstar Corporation in Milwaukee, the tellers were alerted to what would determine a reportable transaction, says Larry Greves, senior vice president and corporate operations officer. In addition, the teller automation system had to be modified to ensure compliance.
Still, says Greves, ensuring the bank's compliance with the secrecy act is a continuing task.
"We're constantly monitoring it," he says. The risk of noncompliance "has got us extremely cautious."
Beyond CTRs, there is also the likelihood that other reports will have to be filed electronically. According to Hicks of NationsBank, Home Mortgage Disclosure Act reports must be filed via a tape each year. The automation involved is one problem; a second is the high degree of accuracy the government is demanding.
"You can only make 30 errors per tape," she says. "If you're a small bank, and you only make 30 loans, you can have 30 errors. If you're a large bank, and you have 1 million loans, you can still only make 30 errors."
Erwin of NationsBank says, "One of the problems we have with the reporting requirements in general is that they're so mechanical. It doesn't look at the risk involved. If you make a mistake on a form, that invalidates the form. It doesn't seem to make a difference whether the information came incorrectly from the customer."
"The whole tone of the act puts a premium on promptness, precision and accuracy in all matters," says Paul Nelson, a senior manager in Price Waterhouse's regulatory advisory practice. The underlying assumption is that efficiencies created by the electronic filing of all this data will make life easier for banks and regulators in the long run.
That may be a good thing, but Erwin says the increased reporting requirements are first requiring banks to gather information that they might not otherwise dig up, and, second, causing programming staffs to write communications protocols and interfaces necessary for feeding information into regulators' data formats.
Fortunately, in some of these areas, regulators are working with vendors and banks to ease the regulatory burden on information systems, says Bohlken of Systematics. The OCC is conducting roundtables, and recently Systematics participated in a pilot project with the IRS to see how 5498 forms for IRA accounts could be filed on-line. "These are good signs," she says.
In addition to federal regulations, state regulations also are demanding more attention from banking's technology executives.
Greves describes Firstar as being an example of the bank holding companies with operations in several states that have to modify their procedures for each state where they do business. "Each state has a little different twist. It does become very complex."
Firstar has banking units in Wisconsin, Iowa, Minnesota, Illinois and Arizona, and according to Greves, both Illinois and Wisconsin recently changed the law applying to the charges banks can assess for late payments. If the software the holding company has installed does not address that, then it becomes a legal liability for the bank.
Greves says that examples such as this have led him to include the assumption of legal liability in the evaluation of every new system. He does not mean that he demands that a vendor accept the liability, but that he and the vendor have to determine which party will be held accountable to regulators and then have it spelled out in the contract.
Earlier this year, Firstar selected a loan documentation package from FormAtion Technologies of Denver because of its ability to modify the loan forms it prints in accordance with various state laws. The software comes with a $1 million compliance warranty from an insurance firm.
Finally, modifications to information systems will become more important to ensure compliance with areas of the FDICIA that are not directed at systems specifically.
"Bankers are probably going to want to monitor very closely their capital positions," says Nelson. The FDICIA will call for "a greater attention to capital. The capital ratios should be on a loan officer's desk. It should be available on his screen."
Erwin of NationsBank does not think that particular approach will be worthwhile, but he sees the law's impact on one of banking's most basic functions, credit underwriting, placing a greater demand on systems and operations personnel in their support of this activity.
"It's very difficult for us to say what we'll have to change. But it relates to the entire process of managing and assessing risk."
Copyright Faulkner & Gray, Inc. Jun 1992