We contracted with Safe Systems to help remediate exam findings, but we were told by the examiner that we are not allowed to share examination findings “under penalty of law”. How do we share this critical information with you without getting into legal trouble?
Thanks for the question. Here is where this issue is coming from. The front cover of all examinations contains the following verbiage:
It goes on to say that doing so would violate Part 309 of the FDIC Rules and Regulations.
FDIC 12 CFR Part 309 is titled “Disclosure of Information”, which governs information the FDIC maintains on all financial institutions (including examination reports), and the procedures for obtaining access to such information. Subsection 309.6 (a) states:
I have always taken the opinion that if we are contracted to assist in the remediation of examination findings, we are considered an “agent” (acting on behalf of the institution) and require the examination report, or the information contained therein, in order to perform our “official duties”. Of course, as their agent, we are now bound by Part 309 and restricted from any further sharing of the information.
One additional thought… It’s important to see examination findings in the context of the entire report as opposed to simply being restated or copy/pasted. There are several reasons for this. Primarily, we can often derive additional meaning from the broader context, allowing us to “connect the dots” between separate findings. Sometimes we can also get additional clarity by reading “between the lines” of the report. For example, we recently assisted a customer with a finding to “Improve the Pandemic Plan within the BCP Plan”.
They went on to state that “Management should establish a clear action plan…for Pandemic.” Taken out of context, this would seem to indicate examiners wanted additional general recovery procedures in case of Pandemic. But they went on to mention “key personnel” and “employee training”, so taken in the broader context, what they were really looking for was a succession plan. Because the finding never specifically mentioned a succession plan, we might have gone in a different direction if not for seeing the entire report.
Hope this gives you a little insight into this Part 309 issue. Feel free to reach out any time with other compliance questions!