Spring World 2018

Conference & Exhibit

Attend The #1 BC/DR Event!

Spring Journal

Volume 31, Issue 1

Full Contents Now Available!

During the past year, in response to heightened concerns about security in general, many banks have put disaster recovery planning at the forefront of their agendas. Those that have not already done so can expect increased scrutiny from state and federal regulators. But planning should be more comprehensive than merely dusting off old plans that have already been put in place.

Whether banks use outside consultants or internal managers, many are currently re-examining every aspect of their disaster recovery plans, including the assumptions upon which the plans are based, and looking more closely at the options they have to choose from, not only to keep their major data processing systems running in case of business interruption (the focus of many articles relating to banking as well as other industries), but in regard to what might seem a routine part of normal banking operations, namely item processing.

Item Processing Should Be A Central Part Of Disaster Recovery Planning
Item processing includes the sorting and proofing of checks, the preparation of cash letters, inclearings processing, and data transmission. But while it may seem less critical than data processing, it provides the sum of the basic raw data that the data processing system uses and is essential to the successful operation of any bank.

Furthermore, a disruption at any bank could threaten the integrity and continuity of the entire banking system, which is why state and federal regulators and the Federal Financial Institutions Examination Council (FFIEC) are looking more closely at the risk management of outsourced technology services.

The following reviews many of the choices regional, local, and community banks have for item processing back-up and provides a checklist of item processing disaster recovery planning that may assist bank management to upgrade their plans at this period of higher than normal risk awareness.

Money Center Banks vs. Local, Community Banks

Money center banks that handle high volumes of checks on a daily basis and must process and return NSF checks without fail, may find it necessary to establish a fully functioning item processing disaster recovery site of their own with completely redundant equipment, systems, and transmission capabilities.

Or they may need a contract with a large volume, outside supplier to satisfy themselves and the appropriate bank authorities that they are prepared for any eventuality.

Smaller banks, such as local and community banks in small towns or rural areas, have more options, partly because of the smaller volume of checks they handle and also because they may feel more comfortable knowing their own local clientele and their customers’ “normal” banking habits (fewer instances of fraud and irregularities).

But whether banks are located in rural communities or urban centers, they must consider the pros and cons of each option before staking their ongoing operations on a back-up plan that may seem reasonable and economical now but will have unintended consequences in a variety of unforeseen situations.

Let’s take a look at a few example scenarios related to some of the options.

Reciprocal Agreements

Reciprocal agreements are a common practice in the banking community. Bank A establishes a reciprocal agreement with Bank B, located in a neighboring town. The agreement allows each to use the other’s item processing facility in the case of an interruption of business. It’s an inexpensive arrangement that provides an easy and normally acceptable solution to compliance with disaster recovery planning requirements. Of course, the management at Bank A realizes they won’t be able to do their own work until after Bank B finishes its normal item processing routines every evening – a minor concern, perhaps.

Of even greater concern, however, Bank A uses somewhat different systems than Bank B, so while the facility at Bank B is available when Bank A finds itself under 12 feet of flood water in the spring, it takes over a week for the systems people from Bank A to jerry-rig Bank B’s equipment and transmission software, so that they will send the appropriate information to Bank A’s data processing center.


 

Reciprocal agreements are economical but beware of systems incompatibility.


Internal Hot Sites

Internal hot sites are another alternative for smaller banks. By using older proofing and sorting equipment, a collection of prior generation data processing equipment, and an alternative data transmission system set up in an offsite facility, Bank C has provided what management considers an adequate back-up capability. After all, the older equipment is already paid for, and though it may require a return to earlier routines for bank personnel, it won’t take long for some of the more experienced people to get back into the swing of things.

But what if the disaster that befalls Bank C is accompanied by a flu outbreak of epidemic proportions? The only people left standing to operate the older equipment and systems have never used them before and must function in a disaster mode, with reduced headcount, and no one to instruct them on the older procedures.


Older back-up equipment may not function properly unless it is tested frequently and all appropriate staff is trained to use it.

Outsourcing Options

Outsourcing options, of course, come in a variety of shapes, sizes, and costs.

For instance, some smaller banks already outsource their primary item processing operations and rely on the vendor to provide for disaster recovery planning. Outsourced item processors sometimes set up reciprocal deals with their competitors in a similar arrangement to those described above.

Or banks may contract directly with a primary item processor as a back-up facility for a small monthly fee. Of course, any efficiently managed item processing facility will likely be fully utilized, or nearly so, otherwise their equipment is sitting idle.

So a difficulty may arise when Bank D calls on the back-up capabilities of an already fully utilized facility, and Bank D’s item processing needs turn out to be last in line for processing time and could face the prospect of significant delays, frequent missed deadlines, and regulatory action, not to mention Bank D’s employees having to work late into the night.

 


Using a primary item processor for disaster recovery may require a bank to wait hours every evening because normal customers’ work comes first.

Mobile Hot Sites

Some suppliers of disaster recovery item processing provide mobile item processing equipment and promise to have it in place within a specified time frame, often up to three days after notification of a disaster situation. The cost of maintaining a mobile trailer with similar equipment and systems to the local or community bank is shared with other banks in the region that use compatible processing procedures.

But unfortunately when Bank E calls on such a supplier in the event its item processing center is knocked out by a tornado, the same storm that flattened the facility has also knocked down the communications lines that the mobile facility intended to use.

 Mobile item processing hot site trailers require communication lines (which may also be knocked out in a disaster situation) to be an effective means of backup.

Dedicated Hot Sites

Dedicated hot sites offer an alternative to many of the problems of other options but require the commitment of bank management to a planning and implementation process that mirrors the procedures already in place in the primary item processing operation. The cost of a dedicated item processing hot site may be higher than some of the other alternatives, but if properly tested, located within a reasonable distance, and accessible through a variety of different means of transportation (consider the recent shut-down of the air transportation system), a dedicated hot site provides the surest and safest form of protection against the many unforeseen circumstances that community banks may face.


Dedicated disaster recovery item processing centers (such as the Davis Bancorp item processing center in Chicago) have equipment and systems in place and are not already being used for primary item processing for other customers.

Regulators Are Taking A Closer Look At Disaster Recovery Planning

Existing federal regulatory guidelines and most state regulators require banks to provide disaster recovery plans and have them reviewed by bank management and the board of directors. A recent publication from the FFIEC states, “The board of directors and senior management are responsible for understanding and ensuring that effective risk management practices are in place. As part of this responsibility, the board and management should assess how the outsourcing arrangement will support the institution’s objectives and strategic plans and how the service provider’s relationship will be managed.”

Of course, that same advice should be followed for any outsourcing arrangements, whether for technology services or for transportation or other processing services, which are all too often managed and contracted by lower level bank personnel who do not understand the risks that may be involved.

During normal bank examinations, they also require banks to provide proof of back-up planning, including agreements or contracts with other institutions or service providers. But because of increased risk management concerns, regulators are looking more closely at disaster recovery planning during the examination process. Therefore, banks should review all aspects of their current disaster recovery plans and make changes wherever deficiencies exist.
The following list provides a number of important considerations to which banks should pay particular attention:

Checklist For Item Processing Disaster Recovery Planning

Equipment and systems compatibility

Does the back-up item processing facility offer the same equipment and systems used by your bank in its normal operations so that there is no need to alter, update, or reprogram?

Testing and ongoing maintenance

Does the back-up facility pre-test all equipment and systems to make sure your bank’s routines and procedures work flawlessly? And do they test those procedures on a regular and scheduled basis?

Disaster definition

Who defines what qualifies as a disaster? Do you have the right under your agreement to declare a disaster for any reason, whether it be the obvious natural occurrences of floods, fires, tornados, etc., or the unusual problems of equipment, systems, or human failures or incapacitation?

Capacity

Is the back-up facility dedicated to disaster recovery operations, or is it a primary processor with a relatively small amount of excess capacity? If the back-up facility is another bank, does it have the capacity to handle its own and your processing needs in a timely way?

Availability

Is the back-up facility available 24/7/365? Are there any exclusions to the times when you can declare a disaster and use the site?

Accessibility

Is the back-up facility easily accessible by a variety of transportation means? Can you get there within a few hours by car or train? If the air transportation system is shut down, do you have an alternative facility that is within reach?
Regulatory and audit review
Is the back-up facility open to regulatory and audit review and does it welcome such visits?

Insurance

Does the back-up facility have appropriate insurance coverage? Will the service provider supply you with a copy of the policy for review by your risk management officer? Is the coverage sufficient in case the facility itself experiences problems? Does the courier service you or your service provider use have appropriate coverage? (Many couriers have insufficient coverage to carry sensitive bank documentation.)

Microfilm or imaging back-up

Does the back-up facility provide microfilm or imaging back-up capabilities, in case documentation is lost or stolen in transit?

Costs

Is the back-up facility priced appropriately? Are all costs included in the contract? Are there any extra “declaration” or “duration of disaster” fees?
Only when an item processing disaster recovery facility meets all the tests outlined above can the management of a bank feel confident that they have provided for secure business resumption of one of the most important, but often neglected, aspects of bank operations.


J. R. Davis is president of Davis Bancorp, risk management partner to the banking community. For more information about the company and its services, visit www.davishotsite.com. For comments or questions, Davis may be reached at This email address is being protected from spambots. You need JavaScript enabled to view it. or at 847-998-9000, ext. 4460.