I think not, because after conducting due diligence, we've decided to not go with them! That's a total joke for any OCC examiner reading this.

Question, are external IT auditors telling you your examiner is you vendor and needs to be included in the vendor management process? OCC was here when we got this recommendation from an external auditor. The OCC seemed pretty clueless.

They do obviously have access to our information and it is stored somewhere. They must have information security procedures and protections. I definitely consider their possession of our information an additional threat to info security.

Bottom line, we've gotten no where with securing some sort of information regarding how they protect our information and we're sick of asking. Any thoughts, (I have plenty!!) or experience to share? I want to remove this item from my follow up report, unresolved but accepted as such.

Thanks!

I counted my blessings when they went to secure email.

This has always been a risk and there is not much you can do about it. If it is on their servers, we must assume those are secure. All of the paper lying about? It always worried me.

Oh, it makes sense, I just think it is odd. It's like the "recommendation of the year" kind of thing. I've now seen it in 3 external audits, by the same firm.

So what sort of documentation should/could the OCC provide me to conclude corrective action? I'm still inclined to recommend management accept this risk as a part of doing business and move on to bigger, riskier issues.

I can't imagine the OCC providing info on their security to anyone, bank or not.

It has always been a risk of doing business. I would (hope to) move on to something else.

Has the GAO audited them? Perhaps there is something out there in the public domain? I have not looked.

I can't imagine that we'd ever get anything out of the regulators on this issue, as Kathleen noted. But I do take the opportunity to tactfully point out information security lapses I've come across. Such as when they have sent their loan sample - with our customers' names and other information - via regular email.

I've brought things up to my examiners during exams and have always received a quick reply along with a promise that the issue would be addressed. I've had informal discussions with the honchos at our agency and they have told me from a broad perspective how they protect confidential bank and bank customer information. I am very comfortable they understand the issue and I know that they have provided training to examiners. To my knowledge our external auditors have never told us we need to treat examiners similar to vendors. (I think if an external auditor told me something like this I'd have a hard time not busting out laughing.)