What the OCC's Bank Supervision Operating Plan for Fiscal Year 2023 Means for Community Banks and FinTechs

April 10, 2022
5 minutes

On October 6, 2022, the Office of the Comptroller of the Currency (OCC) released its Bank Supervision Operating Plan for Fiscal Year 2023. 

In the plan, the OCC highlights which areas of the bank will see increased scrutiny as regulators ramp up supervisory activities to ensure compliance with applicable laws and regulations. The plan also clarifies what the OCC expects from financial institutions during the coming year.

Here's what you need to know about their top priority objectives and how you can protect your FinTech APIs.

TLDR Key Takeaways


The OCC’s primary focus for the upcoming fiscal year will be on risk-focused bank supervision, specifically cyber security and data protection.


Operational resilience, third-party relationships, and new products/services will be in the spotlight for examiners.


You'll need to take proactive measures to protect your digital infrastructure from data breaches and other cyber threats to remain (or become) compliant under the new guidelines.


Open Banking places consumers at the center of a banking experience made up of interconnected, yet independent services. At the same time, Open Banking offers technology-forward banks the chance to reshape their business models and re-orient their relationship with clients to grow market share and increase profitability.

At the heart of the Open Banking revolution is data; specifically the infrastructure of databases, data standards, and open APIs that make the free flow of data between banks, third party service providers, and consumers possible.

Priority Objectives for CBS Operating Units

The emphasis for fiscal year 2023 is on risk-focused bank supervision, specifically cyber security and data protection.

“The threats for many financial institutions continue to expand at a rapid pace as the interconnectedness of multiple specialized service providers and FinTechs increases, digitalization of critical infrastructure components proliferates, and reliance on cloud services grows rapidly.”

Per the OCC Bank Supervision Operating Plan for Fiscal Year 2023, in the coming year, the OCC will focus more on a select few key areas.

Third-parties and Related Concentrations

Third-party relationships are a source of financial institution risk, but it is important to understand how these risks appear and what steps taken by banks can reduce them.

Common risk attributes include:

  • Customer-facing products and services
  • Critical elements needed for bank operations
  • Significant concentrations
  • Factors that may affect the bank's operational resilience
  • Regulatory compliance, including Bank Secrecy Act and consumer protection laws

Examiners must determine whether the bank and third parties possess adequate, qualified personnel to mitigate these risks and meet contractual obligations.

Additionally, examiners must evaluate how the bank assesses a third party's cybersecurity risk management and resilience capabilities.

New Products and Services

To remain vigilant, bank examiners should assess whether banks can still see potential threats in new growth opportunities.  

As part of the strategic planning process, they must understand how innovative or new activities offered through third parties affect financial performance and risks.

Payments: Examiners should evaluate products and services (both new and existing) for potential operational, compliance, strategic, credit, liquidity, and reputation risks. 

Additionally, they should consider how they will assess and manage these risks in their institution-wide risk assessments, as well as new product reviews.

FinTech and digital assets: Examiners should identify and evaluate changes to governance processes for banks applying new technological innovations to their operations, such as:

  • Cloud computing
  • Artificial intelligence
  • Digitalization of risk management processes
  • Engaging in banking-as-a-service arrangements 

Crypto-related products and services and other new products and services need to be evaluated by examiners for risk management practices, which include:

  • Evaluating due diligence activities
  • Assessing the expertise needed to manage technology, financial, operational, compliance, strategic, reputational, and other risks.

Operational Resilience and Cybersecurity

To ensure FinTechs are resilient to the ever-changing cybersecurity threat landscape, examinations must focus on fundamental controls to identify, detect, and prevent threats and vulnerabilities. 

These include, but are not limited to:

  • Authentication
  • Access controls segmentation
  • Patch management
  • End-of-life programs

Additionally, auditors should assess how effective the governance processes are in relation to technology investment and implementing changes in systems and infrastructure.

What Does This Mean for API Security Teams?

With the Office of the Comptroller of the Currency's Committee on Bank Supervision prioritizing cybersecurity more than ever before, banks and FinTech companies should shift their focus accordingly to ensure a safe environment for their users.

This means taking proactive measures to protect their digital infrastructure from data breaches and other cyber threats.

But with so many attack vectors, how should you prioritize your efforts?

Gartner knows the answer, projecting that APIs are well on their way to becoming the primary attack vector in 2022 and beyond.

Your APIs are the main target for cybercriminals trying to access your financial data, so your cybersecurity strategy for 2023 should prioritize API security.

Top 4 Tips to Protect Your FinTech APIs

Now that you know that APIs should be your main focus, how should you prioritize your efforts?

To help you get started, here are some actionable tips to reduce your API attack surface and minimize your risk.

1. Cover the OWASP API Security Top 10 List

You need to cover the essentials first, so it's a good idea to start by tackling some of the most common API vulnerabilities and threats.

Fortunately, you don't need to hire an expensive cybersecurity firm to get the list of action items. It already exists, and it's called the OWASP API Security Top 10 list.

This list is developed by OWASP, an industry-leading non-profit organization that aims to promote a safer Web by spreading awareness around the most common cybersecurity threats.

The API security top 10 list is explicitly tailored to APIs, giving you an idea of which vulnerabilities you should prioritize.

Here's a quick recap of the OWASP Top 10 list:

OWASP Designation


1: Broken Object Level Authorization

Broken request validation allows an attacker to perform an unauthorized action by reusing an access token

2: Broken Authentication

Broken user authentication allows attackers to impersonate legitimate users

3: Excessive Data Exposure

An API exposes more data than necessary, relying on client software to perform filtering

4: Lack of Resources & Rate Limiting

By not implementing rate limiting policies, attackers can overwhelm the backend with denial-of-service attacks

5: Broken Function Level Authorization

Broken request validation allows an attacker to execute functions they are unauthorized to access

6: Mass Assignment

Unfiltered data allows attackers to guess object properties via requests

7: Security Misconfiguration

Insecure configurations including misconfigured HTTP headers, unnecessary HTTP methods, permissive cross-origin resource sharing (CORS), and error messages containing sensitive information

8: Injection

Untrusted injection of data resulting in the unintended execution of command or unauthorized data access via database engines, LDAP, and OS system commands

9: Improper Assets Management

Insufficient environment management and segregation allowing attackers to access under-secured endpoints

10: Insufficient Logging & Monitoring

Inadequate monitoring infrastructure allows attacks in progress to go undetected

2. Analyze Your APIs for Business Logic Flaws

While the OWASP list covers the most popular attack vectors, business logic flaws are, by far, the most dangerous ones.

Why is that the case?

Business logic vulnerabilities occur when the attacker can abuse the flaws in the legitimate functionalities of your APIs, allowing them to gain unauthorized access to data without resorting to any exploits.

But what makes them truly dangerous is the fact that since this cluster of vulnerabilities occurs because of how the API is built, they're virtually impossible to detect at scale with penetration testing, vulnerability scanning, or bug bounty programs.

Every API has its unique architecture, meaning that each API will have its own unique business logic flaws.

This is why tackling this API threat is so paramount.

3. Implement a Zero-trust Security Model

Most systems rigorously monitor requests from new users. 

But once they're in, they give them a certain level of trust, meaning that the system no longer views them as a threat.

This approach fails as the attacker can easily take advantage of your APIs once they’ve gained access.

That's where the zero-trust security model comes in. As opposed to trusting a certain group of users based on their privilege level, the model treats everyone as a potential security threat at all times.

This means that every user and every request should be constantly monitored and evaluated from a security perspective, drastically reducing the likelihood of a successful data breach.

That's why implementing the zero-trust security model across all of your API assets can help you add another layer of security.

4. Implement Automated API Security Testing

Whenever your API is updated, you potentially open up new loopholes that attackers can abuse.

Traditional testing methods are time and labor intensive, as well as costly. As a result, most organizations test their API security only once or twice a year, leaving their APIs ripe for the picking.

However, with the rise of AI and machine learning came solutions that allow for automated, comprehensive, and continuous API security testing at scale.

One of them is APIsec.

APIsec is a fully automated API security testing solution that can automatically dissect every corner of your APIs to generate thousands of custom-tailored attack scenarios and execute them in minutes.

Solutions like APIsec helps you security test for the entire OWASP list as well as business logic flaws that are unique to your APIs. Now your application security teams can run a full security check on every build for a fraction of the cost of manual pen testing.

"x" icon
Download Your Copy Today!
Get The Complete API Security Buyer's Guide [eBook]

Similar Posts

Learn how to take your API security to the next level.

Best Practices for Securing APIs for Community Banks and FinTechs