Operational Risk Division Trio: Strengthening the Security of Financial Services
By Fleming Saunders
Public Affairs Operations
When Comptroller Thomas J. Curry testified before the Senate Committee on Banking, Housing, and Urban Affairs earlier this year, he discussed some of the operational risk issues facing banks, including online threats and retail payments activities.
Comptroller Curry told the committee that there are few issues of greater concern to him than the increasing risk of cyber attacks. He also noted, “The data breaches at Target and Neiman Marcus, as well as recent denial of service attacks on some large banks, are more than just an inconvenience for banks and their customers.”
Comptroller Curry said the OCC is working with national banks to improve the security of consumer financial information held by the banks. “One of my first initiatives as chairman of the Federal Financial Institutions Examination Council was to establish a working group on cybersecurity issues,” he said.
Several staff members from the Operational Risk Division had the necessary technical expertise to help support and prepare the testimony and briefing materials for the Comptroller, according to Carolyn DuChene, Deputy Comptroller for Operational Risk. “Because operational risk has become a high profile topic, our staff members frequently support and influence agency outreach activities and industry speaking engagements,” she says.
DuChene adds, “One point we try to emphasize is that operational risks, including cyber threats, are heightened by the interconnected and interdependent financial services landscape. In the same way that a chain is only as strong as its weakest link, the security of financial services is only as strong as its weakest participant.”
In particular, DuChene credits contributions to the Comptroller’s testimony made by her current leadership team: Valerie Abend, Senior Critical Infrastructure Officer; Kim Cahill, Acting Director of Bank Information Technology; John Eckert, Director for Operational Risk and Core Policy; Kathleen Oldenborg, the Director for Payments Systems Risk Policy; and Kenneth Fulton, Operational Risk and Basel Advisor.
Abend, Oldenburg, and Eckert are the latest additions to DuChene’s Operational Risk Division.
Learn more about them below.
Valerie Abend, Senior Critical Infrastructure Officer
Abend’s interest in risk management derived from her experiences surviving Hurricane Andrew, which hit her home town of Miami in 1992. She was at home for her summer college break when the hurricane hit. With her home and belongings lost, Abend learned first-hand the importance of being prepared for crises.
Abend returned to The George Washington University in Washington, D.C., to complete her undergraduate studies. Disappointed by the public sector’s response to the hurricane victims, she wrote a paper on the failure of the Federal Emergency Management Administration to work with state governments in response to disasters.
Abend then built a career in risk management in both the public and private sector. She served as Deputy Assistant Secretary over the Treasury Department’s Office of Critical Infrastructure Protection and Compliance Policy. Abend was a writer on the staff of two congressional commissions dealing with Internet policy and was the first Homeland Security Coordinator for the KPMG accounting firm. She led a market-wide cybersecurity exercise while working at the Federal Reserve Board. She was also Senior Information Risk Management Officer at the Mellon Bank of New York.
Today Abend leads critical infrastructure oversight at the OCC. She is driving interagency cooperation across the banking sector to set strategy for the security and resilience of the banking system in the face of not only natural disasters, but also cyber attacks and other man-made systemic events. “The threats to financial institutions are vast and are growing in sophistication and volume,” she explains. “We need to ensure both the OCC and the banks we regulate stay on top of the latest activities by nation-states, “hacktivists,” organized criminals, insiders, and terrorists. We need to identify and assess cyber risks, share information, and decide what guidance and alerts to issue.”
Abend has helped the OCC take a major step forward by securing membership in the Financial Services Information Sharing and Analysis Center—a public-private partnership dealing with information security threats.
She also chairs the new Cybersecurity and Critical Infrastructure Working Group established by the Federal Financial Institutions Examination Council. The group is working with the Treasury Department and other government agencies to strengthen cybersecurity for the banking industry.
Kathleen Oldenborg, Director for Payments Systems Risk Policy
Oldenborg brings a wealth of business and government skills to her position at the OCC. She began her career in the banking industry in the early 1970s at Marine Midland Grace Trust Company. She then went on to various other trust and compliance jobs in the private sector. “I learned the basics of operations in the trust custody department," she recalls. "I ran a small trading desk, moved to administrator, investment manager, then sales person, and did almost everything except make a loan. I found that if the operations side doesn’t support a banking function, it doesn’t get done.”
In 1989, she joined the OCC as an industry hire and witnessed operational risk on her very first assignment. Sitting in a troubled Manhattan bank, the rookie examiner was astonished to see a man arrive with a pink Conway shopping bag stuffed with cash. Two hundred thousand dollars, the customer announced, and the teller took the money without even counting it. The doomed bank turned out to be a subject of Operation Polar Cap, one of the biggest federal money-laundering investigations in history. “The bright pink shopping bag full of cash,” laughs Oldenborg. “I have never been able to top that.”
In 1997, she returned to the private sector, and served as a compliance executive at both Atlantic Trust Company and Wachovia/First Union (now Wells Fargo). In 2007, she rejoined the OCC and worked six years as examiner of Citibank’s Global Transaction Services and payment systems. She was excited to take her latest post as Director for Payments Systems Risk Policy at Headquarters last year.
Reflecting on her career, Oldenborg says she is fortunate to have “gained perspective from working both as an examiner and in the industry. I’ve learned when OCC guidance may be appropriate and when to let an issue percolate for a while. What applies to a large bank may not apply to a community bank and vice versa.”
Oldenborg’s supervisory focus includes
- recognizing, measuring, monitoring, and reporting payment risk.
- developing metrics for payment risk exposure.
- training examiners in payment risk.
- ensuring that banks keep pace with advances in payment technology and delivery channels. Her team monitors mobile payments, virtual currencies, big data, and crypto-currencies to determine when the industry is ripe for guidance.
Oldenborg particularly enjoys exchanging data and insights with folks across the OCC and the industry. “I get inquiries from examiners curious about operational risk and especially the payments world. Makes the job fun,” she says.
John Eckert, Director of Operational Risk and Core Policy
In 1986, Eckert began his OCC career in Decatur, Ill. He brought to the federal government an array of private sector experience: bank cashier, public accountant, corporate controller, and coordinator of credit and financial controls for the Nabisco Company. After supervising community and midsize banks mainly across the Central District for almost 20 years, he moved to the large bank resident team at Bank of America in Charlotte in 2006.
His earliest memory of an “op risk” was seeing a door propped open at the computer room in a small bank in central Illinois. “The computer operator said it was a hassle to keep locking and unlocking the door,” Eckert recalls. “Anyone could walk in from the street undetected and gain easy access.” To increase the risk threat, the computer operator puffed on a cigarette while handling sensitive paper files that could also go up in smoke.
Eckert also remembers when a community bank hired contractors to shred old bank documents. The workers, who had criminal records, took outdated cashier checks and went to area businesses to present the falsified checks for payment. “So much for third-party due diligence!” quips Eckert.
Eckert has been in his current role since May of last year. “Veteran examiners advised me to change jobs every five or six years to stay fresh, learn new skills, and meet new people,” he says. “When I joined the Bank of America team, I walked in on the ground floor of the Basel II operational risk advanced measurement approach, taking my operational risk experience to a whole new dimension! That experience provided a major benefit to assume my new role.”
Eckert leads a team of six Operational Risk Policy analysts from various backgrounds. While his primary role is focused on core policy, he maintains an active operational risk dialogue with examiners, Chief National Bank Examiner staff, and other banking supervisors. His top tasks include
- integrating OCC and Office of Thrift Supervision policies and guidance issuances.
- revising or developing OCC Comptroller’s Handbook booklets. His office recently issued updated guidance for third-party relationship risk management and updated the “Qualified Thrift Lender” booklet.
- presenting OCC policy topics, such as third-party relationship risk management, to internal and external audiences.
Finally, as part of his operational risk responsibilities, Eckert represents the Chief National Bank Examiner as a member of the
- Basel Committee on Bank Supervision Corporate Governance Task Force.
- OCC Supervisory Peer Review Work Group.
- OCC Business Information Technology Advisory Board.
Says Eckert, “One thing I have learned about risk management is that if you do not actively attack the risks, they will actively attack you.”