Oklahoma hosts a healthy population of trust companies — both traditional institutions serving generational wealth and more modern directed trust and private family trust company structures. The regulatory framework is specific, and it differs in meaningful ways from the regimes that govern RIAs and broker-dealers. For firms operating in Tulsa, Oklahoma City, and the surrounding markets, the IT program has to satisfy the Oklahoma State Banking Department, the applicable federal banking agency where relevant, and the practical expectations of correspondent banks and custodians.
This article is a practitioner-level view of what a compliant IT program looks like for an Oklahoma trust company, drawn from our work with firms across the state.
The Oklahoma Regulatory Landscape
Oklahoma trust companies are regulated by the Oklahoma State Banking Department under the Oklahoma Trust Company Act. The Act requires a state-chartered trust company to maintain sound administrative practices, qualified personnel, and appropriate internal controls. The IT dimensions of those requirements are interpreted through examination practice, the Banking Department's guidance, and the FFIEC Information Technology Examination Handbook, which Oklahoma examiners routinely reference.
A trust company that holds federal deposit insurance or operates under a federal charter faces additional overlay — the Office of the Comptroller of the Currency for national trust banks, the FDIC for insured state-chartered institutions. For the typical Oklahoma-chartered trust company without federal deposit insurance, the state framework is the primary reference point, with the FFIEC materials serving as a recognized best-practice baseline.
The practical consequence is that an Oklahoma trust company's IT program is evaluated against a higher bar than a similarly sized RIA. Examiners expect formal risk assessments, documented controls, independent testing, disaster recovery exercises, and evidence of board-level oversight. A program designed for an RIA will not clear the bar for a trust company.
The FFIEC IT Examination Lens
Oklahoma examiners apply a framework closely aligned with the FFIEC IT Examination Handbook, which organizes information technology risk across governance, risk management, information security, development and acquisition, business continuity, audit, operations, and outsourcing. Each area has its own booklet with specific control expectations.
For a small to mid-sized trust company, the most operationally significant books are Information Security, Business Continuity Management, and Outsourcing. Information Security covers the full scope of the cybersecurity program — risk assessment, policies, technical controls, incident response, and training. Business Continuity covers disaster recovery, recovery time and recovery point objectives, testing, and crisis communications. Outsourcing covers the vendor risk program, due diligence, contract requirements, and ongoing monitoring.
A trust company IT program that maps cleanly to those three FFIEC booklets, with documented evidence in each area, will satisfy most Oklahoma examinations. A program that has strong controls but no documentation, or documentation without evidence, will receive findings regardless of the underlying quality.
Information Security: The Core Stack
The information security stack we deploy for Oklahoma trust companies is a superset of the wealth management baseline, with several additions specific to the fiduciary context.
Identity and access controls include MFA on every remote access path and every privileged account, with phishing-resistant methods (FIDO2/WebAuthn security keys rather than SMS or push codes) for the highest-risk roles. Segregation of duties is enforced technically where possible — the person initiating a wire cannot be the person approving it, and the person creating a new account cannot be the person authorizing distributions from it. Enforcing that technically means the check compares the identities on the specific transaction, not just role membership, because a small firm will often have one officer who legitimately holds both roles. Privileged access management tools track and log administrative activity with high-retention audit trails.
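The following is an added illustration of the two segregation-of-duties rules above, written as a maker-checker control over wire requests. It is not Techvera's code and not the API of any trust accounting platform; the role names, the user directory, the account-creator map and the sample transactions are all constructed for the example.

```python
"""Maker-checker (dual control) enforcement for fiduciary wire requests.
Added example, not from the original article. Role names, users and
transactions below are constructed."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional


class SegregationViolation(Exception):
    """Raised when one person would hold both sides of a control."""


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset  # assumed role names: "wire_initiator", "wire_approver"


@dataclass
class WireRequest:
    request_id: str
    account_id: str
    amount: Decimal
    initiated_by: str
    approved_by: Optional[str] = None
    released: bool = False
    audit: list = field(default_factory=list)  # append-only trail for examiners


class WireControl:
    """Rule 1: the initiator of a wire cannot approve it.
    Rule 2: whoever opened an account cannot authorize distributions from it.
    Both checks compare identities on the request, not just role membership."""

    def __init__(self, users, account_created_by):
        self.users = {u.user_id: u for u in users}
        self.account_created_by = dict(account_created_by)  # account_id -> user_id

    def _require_role(self, user_id, role):
        user = self.users.get(user_id)
        if user is None or role not in user.roles:
            raise PermissionError(f"{user_id} lacks role {role}")

    def initiate(self, request_id, account_id, amount, by):
        self._require_role(by, "wire_initiator")
        req = WireRequest(request_id, account_id, Decimal(amount), initiated_by=by)
        req.audit.append(("initiated", by))
        return req

    def approve(self, req, by):
        self._require_role(by, "wire_approver")
        if by == req.initiated_by:  # role held, still denied (rule 1)
            req.audit.append(("approval_denied", by, "approver is the initiator"))
            raise SegregationViolation(f"{by} initiated {req.request_id}")
        if self.account_created_by.get(req.account_id) == by:  # rule 2
            req.audit.append(("approval_denied", by, "approver created the account"))
            raise SegregationViolation(f"{by} created {req.account_id}")
        req.approved_by = by
        req.audit.append(("approved", by))
        return req

    def release(self, req):
        """Final gate: nothing leaves without an independent approval on record."""
        if req.approved_by is None or req.approved_by == req.initiated_by:
            raise SegregationViolation(f"{req.request_id} has no independent approval")
        req.released = True
        req.audit.append(("released", "system"))
        return req


# Constructed directory: alice holds both roles, dave opened ACCT-200.
SAMPLE_USERS = [
    User("alice", frozenset({"wire_initiator", "wire_approver"})),
    User("bob", frozenset({"wire_approver"})),
    User("carol", frozenset({"wire_initiator"})),
    User("dave", frozenset({"wire_approver"})),
]
SAMPLE_ACCOUNT_CREATORS = {"ACCT-200": "dave"}


def run_demo():
    """Exercise the denial paths and the clean path; returns the outcomes."""
    ctrl = WireControl(SAMPLE_USERS, SAMPLE_ACCOUNT_CREATORS)
    out = {}
    w1 = ctrl.initiate("W-1", "ACCT-100", "25000.00", by="alice")
    try:
        ctrl.approve(w1, by="alice")  # same person, even with the approver role
    except SegregationViolation as exc:
        out["self_approval"] = str(exc)
    ctrl.approve(w1, by="bob")
    ctrl.release(w1)
    out["w1_released"] = w1.released
    w2 = ctrl.initiate("W-2", "ACCT-200", "8000.00", by="carol")
    try:
        ctrl.approve(w2, by="dave")  # dave opened ACCT-200
    except SegregationViolation as exc:
        out["creator_approval"] = str(exc)
    try:
        ctrl.approve(w2, by="carol")  # no approver role at all
    except PermissionError as exc:
        out["no_role"] = str(exc)
    ctrl.approve(w2, by="bob")
    out["w2_approved_by"] = w2.approved_by
    out["w1_audit"] = [entry[0] for entry in w1.audit]
    return out
```

The denied attempts stay in the audit trail rather than being silently dropped: an examiner asking for evidence that the control operates wants to see the attempts it stopped, not only the approvals it allowed.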
Endpoint security runs EDR on every device with 24/7 monitored response. Disk encryption is universal. Patching is automated with defined service level targets for critical and high-severity vulnerabilities. The MDM platform enforces configuration baselines and prevents the installation of unapproved software.
Email security includes impersonation protection, business email compromise controls, DMARC enforcement (a p=reject or p=quarantine policy on the firm's own domains, not a monitoring-only p=none record), and banner warnings on messages that originate outside the organization. Wire fraud attempts — phishing an officer to redirect a customer distribution — are one of the highest-frequency attack patterns against trust companies. The email security stack is the first preventive layer; the dual-control wire procedure described under identity and access is the backstop for the lure that gets through.
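As an added example (not Techvera's tooling and not any email security vendor's API), the block below grades a DMARC record for actual enforcement and applies a display-name impersonation check of the kind a BEC control performs. The domain name, the executive names, the DNS records and the From headers are constructed for the example.

```python
"""DMARC policy grading and a display-name impersonation check.
Added example, not from the original article. Domain, names, records and
headers below are constructed."""
import re
from email.utils import parseaddr

OUR_DOMAIN = "trustco.example"              # assumed sending domain
PROTECTED_NAMES = {"jane doe", "john roe"}  # assumed executive display names


def parse_dmarc(record: str) -> dict:
    """Split a _dmarc TXT record into lowercase tag -> value (RFC 7489 form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> dict:
    """Report whether the record actually blocks spoofed mail, plus the
    findings an examiner would expect to see remediated."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "pct": 0, "enforced": False,
                "findings": ["no valid v=DMARC1 record"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid; receivers treat it as none")
        policy = "none"
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    if pct < 100:
        findings.append(f"pct={pct}: only that share of failing mail gets the policy")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address, so nobody receives aggregate reports")
    enforced = (policy in ("quarantine", "reject") and pct == 100
                and subdomain_policy != "none")
    return {"policy": policy, "pct": pct, "enforced": enforced, "findings": findings}


def flags_impersonation(from_header: str) -> bool:
    """True when the display name matches a protected executive but the
    address is outside our domain: the classic BEC lure a banner should catch."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    normalized = " ".join(re.sub(r"[^a-z]+", " ", name.lower()).split())
    return normalized in PROTECTED_NAMES and domain != OUR_DOMAIN


# Constructed records: the weak setting, a partial rollout, and the target state.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@trustco.example"
PARTIAL_RECORD = ("v=DMARC1; p=quarantine; pct=25; sp=none; "
                  "rua=mailto:dmarc@trustco.example")
ENFORCED_RECORD = ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@trustco.example")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD),
                       ("enforced", ENFORCED_RECORD)):
        print(label, grade_dmarc(rec))
    print(flags_impersonation('"Jane Doe" <jane.doe@webmail.example>'))
```

The weak record is what many firms publish when they "have DMARC": it produces reports but blocks nothing. The partial record is the common half-finished rollout, where pct=25 and sp=none leave most spoofed mail and every subdomain unaffected. Only the last record counts as enforced for the purposes of an examiner's question.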
Network security includes segmentation between the trust company's core systems, its administrative network, and any public-facing infrastructure. Firewalls, intrusion prevention, and network monitoring feed into the managed SIEM alongside endpoint and identity telemetry.
Business Continuity and Disaster Recovery
The FFIEC Business Continuity booklet sets a higher bar for recovery planning than most other regulatory frameworks. For a trust company, the expectation is a written business continuity plan that identifies critical business functions, defines recovery time objectives and recovery point objectives for each, and documents the technology and operational procedures to achieve those objectives.
The plan has to be exercised: annual tabletop exercises at minimum, with more frequent tests for the highest-criticality systems. The exercises need to include business leadership, not just IT. A tabletop alone does not prove recoverability, so at least one actual restore of a critical system from backup should be performed and timed against its recovery time and recovery point objectives. Findings from each exercise drive remediation, and the remediation is tracked to closure.
Technology-wise, a typical trust company BCP is anchored on cloud-hosted core systems with geographic redundancy, backup infrastructure that meets the immutability bar, and remote access capabilities that allow the firm to operate from any location. For firms with a physical Tulsa or Oklahoma City office, the BCP specifically contemplates loss of that office due to severe weather, utility failure, or other disruption — and confirms that the firm can continue to serve clients without it.
Vendor and Outsourcing Oversight
Outsourcing is a growth area of examination focus. Trust companies typically depend on multiple third-party vendors — the trust accounting platform, the custodian, the MSP, the email and productivity suite, specialized compliance tools — and each vendor relationship introduces risk that has to be managed.
The outsourcing program has to include a vendor inventory with risk tiering, documented due diligence for each vendor matched to the risk tier, contractual requirements for security, confidentiality, breach notification, and right-to-audit, and ongoing monitoring of vendor performance and security posture. For the highest-risk vendors — those handling nonpublic customer information or critical operational functions — annual SOC 2 Type II reviews are the baseline.
Trust companies that use an MSP for IT operations face particular scrutiny on the MSP relationship. Examiners will ask whether the MSP is SOC 2 attested, whether the contract includes specific security obligations, whether the MSP's personnel are subject to background checks, and whether the MSP has been reviewed against the same standards applied to other critical vendors.
Board-Level Governance
Trust company regulatory frameworks uniformly expect board-level engagement on IT risk. The board or equivalent governing body must approve the information security program, receive periodic reporting on IT risk and the state of controls, and oversee the incident response framework. The board minutes should reflect this activity.
For smaller trust companies without a large internal IT function, the board reporting often comes through the CEO or COO based on input from the MSP or an internal IT coordinator. Our engagement model includes periodic board-facing reporting — typically quarterly — that summarizes the state of the program, recent incidents, emerging risks, and the forward-looking roadmap. This reporting becomes part of the board minutes and the examination evidence file.
Tulsa-Specific Considerations
For Tulsa-based trust companies, a few operational points are worth noting. The Tulsa market is tight-knit, and relationships between firms, banks, and service providers matter. A compliance incident at a local firm becomes industry knowledge quickly, which reinforces the value of a well-run program. Severe weather — tornadic storms, ice storms, and occasional flooding — creates real business continuity risk, and the BCP needs to be tested under conditions that reflect those scenarios.
Our financial services practice has specific experience with Oklahoma trust companies and the state's regulatory environment. If your firm is preparing for an examination, assessing the current state of your IT program, or planning infrastructure changes that intersect with the regulatory framework, schedule a consultation and we can walk through the specifics.
About the Author
Techvera Team
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
