On October 6, 2022, the Office of the Comptroller of the Currency (OCC) released its Bank Supervision Operating Plan for Fiscal Year 2023.
In the plan, the OCC highlights which areas of the bank will see increased scrutiny as regulators ramp up supervisory activities to ensure compliance with applicable laws and regulations. The plan also clarifies what the OCC expects from financial institutions during the coming year.
Here's what you need to know about their top priority objectives and how you can protect your FinTech APIs.
TLDR Key Takeaways
The OCC’s primary focus for the upcoming fiscal year will be on risk-focused bank supervision, specifically cybersecurity and data protection.
Operational resilience, third-party relationships, and new products/services will be in the spotlight for examiners.
You'll need to take proactive measures to protect your digital infrastructure from data breaches and other cyber threats to remain (or become) compliant under the new guidelines.
Open Banking places consumers at the center of a banking experience made up of interconnected, yet independent services. At the same time, Open Banking offers technology-forward banks the chance to reshape their business models and re-orient their relationship with clients to grow market share and increase profitability.
At the heart of the Open Banking revolution is data; specifically the infrastructure of databases, data standards, and open APIs that make the free flow of data between banks, third party service providers, and consumers possible.
The emphasis for fiscal year 2023 is on risk-focused bank supervision, specifically cybersecurity and data protection.
“The threats for many financial institutions continue to expand at a rapid pace as the interconnectedness of multiple specialized service providers and FinTechs increases, digitalization of critical infrastructure components proliferates, and reliance on cloud services grows rapidly.”
Per the OCC Bank Supervision Operating Plan for Fiscal Year 2023, in the coming year, the OCC will focus more on a select few key areas.
Third-party relationships are a source of financial institution risk, but it is important to understand how these risks appear and what steps banks can take to reduce them.
Common risk attributes include:
Examiners must determine whether the bank and third parties possess adequate, qualified personnel to mitigate these risks and meet contractual obligations.
Additionally, examiners must evaluate how the bank assesses a third party's cybersecurity risk management and resilience capabilities.
To remain vigilant, bank examiners should assess whether banks can still see potential threats in new growth opportunities.
As part of the strategic planning process, they must understand how innovative or new activities offered through third parties affect financial performance and risks.
Payments: Examiners should evaluate products and services (both new and existing) for potential operational, compliance, strategic, credit, liquidity, and reputation risks.
Additionally, they should consider how they will assess and manage these risks in their institution-wide risk assessments, as well as new product reviews.
FinTech and digital assets: Examiners should identify and evaluate changes to governance processes for banks applying new technological innovations to their operations, such as:
Crypto-related products and services and other new products and services need to be evaluated by examiners for risk management practices, which include:
To ensure FinTechs are resilient to the ever-changing cybersecurity threat landscape, examinations must focus on fundamental controls to identify, detect, and prevent threats and vulnerabilities.
These include, but are not limited to:
Additionally, auditors should assess how effective the governance processes are in relation to technology investment and implementing changes in systems and infrastructure.
With the Office of the Comptroller of the Currency's Committee on Bank Supervision prioritizing cybersecurity more than ever before, banks and FinTech companies should shift their focus accordingly to ensure a safe environment for their users.
This means taking proactive measures to protect their digital infrastructure from data breaches and other cyber threats.
But with so many attack vectors, how should you prioritize your efforts?
Gartner knows the answer, projecting that APIs are well on their way to becoming the primary attack vector in 2022 and beyond.
Your APIs are the main target for cybercriminals trying to access your financial data, so your cybersecurity strategy for 2023 should prioritize API security.
Now that you know that APIs should be your main focus, how should you prioritize your efforts?
To help you get started, here are some actionable tips to reduce your API attack surface and minimize your risk.
You need to cover the essentials first, so it's a good idea to start by tackling some of the most common API vulnerabilities and threats.
Fortunately, you don't need to hire an expensive cybersecurity firm to get the list of action items. It already exists, and it's called the OWASP API Security Top 10 list.
This list is developed by OWASP, an industry-leading non-profit organization that aims to promote a safer Web by spreading awareness around the most common cybersecurity threats.
The API security top 10 list is explicitly tailored to APIs, giving you an idea of which vulnerabilities you should prioritize.
While the OWASP list covers the most popular attack vectors, business logic flaws are, by far, the most dangerous ones.
Why is that the case?
Business logic vulnerabilities occur when an attacker can abuse flaws in the legitimate functionality of your APIs, gaining unauthorized access to data without resorting to any exploits.
What makes them truly dangerous is that, because this cluster of vulnerabilities stems from how the API is built, they are virtually impossible to detect at scale with penetration testing, vulnerability scanning, or bug bounty programs.
Every API has its unique architecture, meaning that each API will have its own unique business logic flaws.
This is why tackling this API threat is so paramount.
Most systems rigorously monitor requests from new users.
But once users are in, the system grants them a certain level of trust, meaning it no longer views them as a threat.
This approach fails because an attacker who has gained access can easily take advantage of your APIs.
That's where the zero-trust security model comes in. As opposed to trusting a certain group of users based on their privilege level, the model treats everyone as a potential security threat at all times.
This means that every user and every request should be constantly monitored and evaluated from a security perspective, drastically reducing the likelihood of a successful data breach.
That's why implementing the zero-trust security model across all of your API assets can help you add another layer of security.
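As an added example (not code from this article or from APIsec), here is a minimal FinTech transfer endpoint written two ways: the first trusts any authenticated session and so carries the kind of business logic flaw described above, the second re-evaluates every request the way the zero-trust model demands. Account IDs, owners and balances are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Account:
    owner: str
    balance: int  # integer cents to avoid float rounding


def make_ledger():
    """Constructed sample data: two customers with one account each."""
    return {
        "acc-100": Account(owner="alice", balance=50_000),
        "acc-200": Account(owner="bob", balance=10_000),
    }


def transfer_trusting_session(ledger, caller, src, dst, amount):
    """Flawed handler: any authenticated caller is trusted for any account.

    The code works as intended for honest users, yet a logged-in user can move
    money out of an account they do not own, or pass a negative amount to pull
    funds in. No bug is being exploited; the business logic itself is the hole.
    """
    ledger[src].balance -= amount
    ledger[dst].balance += amount
    return True, "ok"


def transfer_zero_trust(ledger, caller, src, dst, amount):
    """Hardened handler: every request is re-evaluated, session or not."""
    if src not in ledger or dst not in ledger:
        return False, "unknown account"
    if ledger[src].owner != caller:  # object-level authorization (OWASP API1)
        return False, "caller does not own the source account"
    if type(amount) is not int or amount <= 0:  # bool is an int subclass, so check type
        return False, "amount must be a positive integer"
    if src == dst:
        return False, "source and destination must differ"
    if ledger[src].balance < amount:  # business rule: no overdraft
        return False, "insufficient funds"
    ledger[src].balance -= amount
    ledger[dst].balance += amount
    return True, "ok"
```

The same authenticated caller ("bob") drains alice's account through the first handler and is refused by the second, which is the difference between trusting a session and evaluating each request.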
Whenever your API is updated, you potentially open up new loopholes that attackers can abuse.
Traditional testing methods are time and labor intensive, as well as costly. As a result, most organizations test their API security only once or twice a year, leaving their APIs ripe for the picking.
However, with the rise of AI and machine learning came solutions that allow for automated, comprehensive, and continuous API security testing at scale.
One of them is APIsec.
APIsec is a fully automated API security testing solution that can automatically dissect every corner of your APIs to generate thousands of custom-tailored attack scenarios and execute them in minutes.
Solutions like APIsec help you security-test for the entire OWASP list as well as the business logic flaws that are unique to your APIs. Now your application security teams can run a full security check on every build for a fraction of the cost of manual pen testing.