BSA Officers:  Bring power grid impacts on your BCP/DR plan into focus.

Flip a switch and the power comes on, right? If not, it'll be on soon....right?? Maybe not. At least the events of the past few years have reminded us that the power might not be on for days... maybe even weeks. Yet the show must go on. The show, for purposes of this article, is the financial investigations unit of a bank. But the show could be any business activity.

Before diving into the BSA/AML/Sanctions aspects of BCP (Business Continuity Plan), let's set the stage with some general BCP issues for financial institutions. Then we'll end the article with specific impacts on BSA/AML/Sanctions.

General Background: With increasing frequency, due to natural events and disasters, the power isn't there when the switch is flipped and it's not coming back on for days. Whether you consider the rolling power outages in California brought on by heatwaves, the week-long power outages in New England caused by tropical storm Isaias, or the more recent power snafu in Texas from the winter storm (and those are just from the past year), the root cause of the outages seems to include lack of preparation and lack of response among those we rely on to keep the power on. Add to this a threat that hasn't impacted the power grid, yet, but certainly could -- a cyber attack on the nation's power grid, or parts thereof -- and the inherent risk edges higher.

We can't control how prepared power officials are, other than to "remind" our lawmakers of the risk in that area. But we can control what our response to a power outage will be at the business level, regardless of what causes it.

If these power issues had happened decades ago, the BCP would have included a generator at a bank's main branch and "manual procedures" for a few days. Today, however, the generator at a bank's main branch won't help when the mobile banking service provider's servers located half-way across the country are down, or the internet provider is experiencing an outage two states away, or the VPN vendor's fail-over procedures didn't work and none of your remote employees can connect. (During the pandemic, remote employees likely represented 98% of a bank's workforce.) Staying with the remote workforce theme, if the majority of employees live in the same general region, then it won't matter whether your VPN provider is up or not if the employees themselves don't have power due to a regional event.

The lack of power is going to impact more than connectivity and service delivery... it's also going to impact information security and protection systems. It's going to impact internal climate control and, depending where you are, that can equate to overheated systems or frozen pipes bursting. Even worse is the fact that all those vendors and service providers who are listed in the BCP as contingency resources... well... they don't have electricity either. That's a lonely way to face a BCP event.

So if BCP coordinators simply rolled the BCP documentation forward in 2020 with the notation "no major changes," then there are likely gaps in the plan. If your Operational Risk Manager rolled the Operational Risk Assessment forward in 2020 with no changes to inherent risk, then there are likely gaps there, too. This isn't just because of the pandemic, but also because of the risk issues with the U.S. power grid.

BSA/AML/Sanctions Impact: But, you're not the BCP Coordinator or the Ops Risk Manager. You're in charge of the BSA Department or the Financial Investigations Unit, and here's hoping you did more with your area's BCP than just roll it forward in 2020.

Although BSA Departments or FIUs aren't providing services to customers, there are some serious reporting timelines that have to be adhered to by the department, even during a BCP event, and the requirement to spot suspicious activity never goes away. Your BCP is important.

Here are some things to consider:

  1. Even though they don't do so routinely, do multiple people in the department have the ability to file a SAR -- meaning, do they have access rights in your software to complete and file a SAR, and are they trained to do so? How quickly and easily can these access rights be given to them during an emergency? Who can do that?
  2. In the event your AML software is down, do multiple people in the department know how to file a discrete SAR?
  3. Do you have staff located in one region, or across the country? Power grid risk is lowered when you have staff dispersed all over the country. It would be difficult to imagine a power outage that impacts the entire U.S., other than, perhaps, a massive solar flare or the magnetic poles switching... at which point we're all toast, anyway. (OK... don't laugh, both should be on your list of things that can go wrong!)
  4. Conversely, in the event the VPN is down (and only the VPN), how many staff can actually make it into the office (assuming current COVID restrictions allow it)? Remember the office? It's a big building with cubes and equipment and, more importantly, free coffee. Is there still equipment there? Is the BSA software accessible from that equipment? If staff have to bring their bank laptops into the office from home, will they still be able to connect to the network? Are there monitors there with docking stations, or does the staff member have to lug all their equipment to the office? It makes a difference... try working with just a laptop screen.
  5. How do you communicate? If there's a widespread power outage, cell phone towers won't be working, either. I know folks who have solar cell phone chargers, and they're a great option, but the cell phone won't be able to do much if the towers in the area are down. Do you have the contact information for everyone in the department in a place other than on bank systems? I sometimes hear "Oh, I can just look it up." You can't do that if systems are down.

Operationally, however, the biggest impact you can have on a BCP event and on SAR/CTR reporting deadlines is to run your department so that you're ahead of the curve. If you routinely file CTRs on day #13 or routinely file SARs on day #28, you might have an operational issue within the department: that leaves little wiggle room in the event of downtime. If you routinely file CTRs on day #7, you have a lot of wiggle room.

The path forward is to ensure you update your BCP to address risks, including those from the power grid. Additionally, become familiar with how the power grid in the U.S. is laid out. I believe this knowledge is useful, even to a BSA Officer, because without electricity, we can't do much. And... you'll become the best partner in the bank for your BCP Coordinator.

