Nyc B6 Gao Fdr- Occ Meeting 8-29-02- Record Of Interview

  • Uploaded by: 9/11 Document Archive
  • April 2020

Prepared by: Daniel J. Hoy
Date Prepared: September, 10th, 2002
Reviewed by: Type reviewer name here

Index: Type bundle index here
DOC Number: 398103
DOC Library: Goal 1
Job Code: 250073

Record of Interview

Office of the Comptroller of the Currency Meeting on 8/29/02

Purpose

To discuss OCC's actions post 9/11

Contact Method

Interview

Contact Place

250 E Street S.W. Washington, D.C.

Contact Date

August 29, 2002, 9am

Participants

OCC:
Mr. Ralph E. Sharpe, Deputy Comptroller, (202) 874-4572
Aida Plaza Carter, (202) 874-4740
Laura McAuliffe, (202) 874-4603

GAO:
Mr. Cody Goebel, Assistant Director, (202) 512-7329
Mr. Jean-Paul Reveyoso, Senior Analyst, (202) 512-9609
Mr. Hal Lewis, Senior Analyst, (202) 512-7048
Mr. Kirk Daubenspeck, Senior Analyst, (202) 512-6329
Mr. Daniel Wexler, Senior Analyst, (202) 512-5799
Mr. Derald Seid, Analyst, (202) 512-6118
Mr. Daniel Hoy, Analyst, (202) 512-6459

Comments/Remarks

The meeting commenced with Mr. Goebel giving the OCC staff a brief background of the job, entities we have looked at, and the different aspects of the reviews. Mr. Reveyoso then discussed the impacts of the attacks of September 11th. Mr. Sharpe noted that the report could act as a road map for terrorists and asked about the potential classification of the report. Mr. Goebel acknowledged his concern and assured him that classification


Proprietary Data


was something that is being taken into consideration while preparing the report.

Effect of 9/11 on National Banks Regulated by OCC

OCC is the regulatory agency responsible for National Banks. OCC had seven institutions, which they oversee, located either in the World Trade Center or in close proximity to the World Trade Center that sustained damage resulting from the terrorist attacks of September 11th. The Bank of America had three employees perish in the attacks. All seven institutions were forced to relocate to alternative facilities, which caused some problems in terms of access to facilities, access to equipment, access to power and generators and oil trucks to run generators. OCC did not issue any guidance right away after the attacks because they wanted to know the status of the situation. They did not want to proceed without concrete, reliable information.

Problems with Banking Transactions

OCC reported that the loss of utilities and telecommunications caused problems with national banks. Mainly, national banks did not have the ability to talk to Fedwire or BONY. National banks were also forced to use land transportation to transport ...... instead of airplanes, because airplanes were grounded for days following 9/11. There was some functional disruption of ATM transactions due to the noted problems with telecommunications. OCC noted that all of their banking institutions were able to successfully relocate to their back-up facilities. Overall, preparations for Y2K helped national banks deal with the disaster of 9/11, mainly because the Y2K preparation forced entities to focus on business continuity planning.

Problems faced by OCC's banks located outside lower Manhattan

None of the national banks regulated by OCC closed operations and no one was sent home. They were just placed on high alert. There were


problems with ATMs because of telecommunications problems. The only other problem that OCC reported was that transportation of goods and people took place on land instead of in the air.

Physical Security

The OCC staff began the discussion of physical security by pointing out that the FFIEC's IS Handbook was in the process of being revised and that there is a specific chapter (Chapter 14) that addresses aspects of physical security. OCC noted that the changes to the handbook began prior to 9/11 and were in response to changes in technology and regulation. OCC examiners do not specifically look at the "nuts and bolts" of physical security of the institutions they regulate. OCC exams have gotten away from looking only at guards and vaults; the focus has shifted to a more system-wide approach. OCC regulators evaluate the processes banks have in place to protect electronic security, physical security, and logical security. OCC will look at internal and external audits, contractors, etc. to make sure that the institution is being operated in a safe and sound manner and will take action if a problem is found. The exam process begins with the risk profile of the firms, with the high-risk firms getting looked at first and in more detail. Examiners are able to get a quantifiable and qualifiable assessment of a firm by comparing nine transactional risks versus the firm's management controls. The most expert examiners are assigned to cover the largest institutions, and the largest banks typically have individual examiners assigned to them on a full-time basis. OCC feels the best aspect of having examiners permanently assigned to an institution is that there is a constant flow of dialog between examiners and the institutions. Problems get fixed on the fly and will not necessarily be seen on exam reports.

Specific Threats

OCC has sent out threats through the Office of Homeland Security with the issuing being coordinated through the Financial and Banking Information Infrastructure Committee (FBIIC). An example of this was the warning


sent out to and closed banks in the District of Columbia in April, 2002. There was also coordination with the President's Critical Infrastructure Board. FBIIC has established clearer lines of communication between the financial sector and the National Infrastructure Protection Center (NIPC), which is part of the FBI. OCC believes that FBIIC will act as a clearinghouse for threat information specific to the financial sector.

OCC Initiatives and Lessons Learned

As a result of the terrorist attacks on 9/11, regulators are now spending time thinking of potential events or scenarios that could transpire that would affect the financial services industry. In February of 2002 a summit was held in New York City with individuals from the Federal Reserve, OCC, SEC, the New York State Banking Commission, and other federal regulators to discuss business continuity planning. The product draft of this summit, a White Paper, is due out the week of August 31st and will cover topics like the distance to backup facilities, expected recovery time, identifying critical functions essential to market survivability, geographic concentration, and redundancy of telecommunication systems, actual lines, and service providers. Other topics addressed at the summit include the potential costs of backup facilities, whether or not the backup facilities should be staffed because of potential transportation problems, and the associated costs of maintaining a "hot" backup facility. The final draft of the white paper is expected to be released by the end of the year and will be a part of regulatory supervisory guidance.

Telecommunication Issues

OCC looks at telecommunications as a part of their examination of business continuity plans. They also look at vendor management supervision, asking questions like: What do you do? How would you fix your problems? Telecommunication issues are also being addressed by FFIEC and its Information Security Handbook and the previously mentioned white paper.

There has also been discussion of backup facilities with regards to telecommunications. The thinking is that backup facilities


should be located depending on existing infrastructure grids. This will allow for adequate redundancy for telecom and power. The industry would also like to see an industry-wide testing of backup facilities and telecommunications. However, they said that such a test would be difficult to coordinate. OCC also mentioned that there has been some inclination to encourage a third backup facility.

Electronic Security

OCC does not conduct the electronic security audits themselves. However, they do look at the audit that was completed for the institution. OCC's evaluation process includes checking the qualifications of the auditors, looking at what the findings were, what the institution's response was to the findings, the frequency of penetration testing, the results of those penetration tests, and actions taken by the institution. OCC stated that there has not been an increase in electronic attacks, but noted that some attacks have come through servers.

Information Sharing and Threat Evaluation

OCC stated that FFIEC already has an information sharing process in place. FFIEC has encrypted message capability to send information back and forth in a secure fashion. When a threat is received, FFIEC will evaluate the threat and decide what action they need to take, which can include notifying the regulator's member firms. OCC and FFIEC do not have any direct information sharing agreements with the FS-ISAC.

Summary of Exams and Final Remarks

OCC stated that their purpose for looking at or completing a summary of all of their exams would be to look for systemic problems. It should also be noted that OCC is looking to tier the institutions in order of critical importance to the financial systems.

10/21/02 Email from Laura McAuliffe, OCC


As a follow-up to GAO's inquiry as to the number of institutions OCC supervises and the number of field examination staff and IT field examination specialists it has, Ms. McAuliffe emailed that, "The footer to all OCC press releases indicates that OCC supervises approximately 2200 national banks and 52 federal branches. There were 1709 field examiners as of 10/5/02. Of those, 110 are full time bank information technology examiners. In addition, approximately 100 examiners spend 25% of their time in the BIT area."


From: "McAuliffe, Laura"
To: "'DeraldSeid'" <[email protected]>
Date: 10/21/02 9:46AM
Subject: RE: 3 questions

Derald,

The footer to all OCC press releases indicates that OCC supervises approximately 2200 national banks and 52 federal branches. There were 1709 field examiners as of 10/5/02. Of those, 110 are full time bank information technology examiners. In addition, approximately 100 examiners spend 25% of their time in the BIT area.

Please let me know if you need anything else.

Laura
202-874-4603

-----Original Message-----
From: Derald Seid [mailto:[email protected]]
Sent: Wednesday, October 16, 2002 6:05 PM
To: McAuliffe, Laura
Subject: 3 questions

Laura:

Cody Goebel asked me to email you to ascertain: 1) the number of institutions that OCC supervises; 2) the number of OCC examination staff; and 3) the number of OCC staff who are information technology specialists. Feel free to either email me this information or give me a call.

Thank you very much.

Derald Seid
Analyst, Financial Markets and Community Investment
United States General Accounting Office
441 G St., NW
Washington, DC 20548
Phone: 202-512-6118
E-mail: [email protected]
