Tag: FDIC

12 Nov 2012

The Financial Institutions Examination Fairness and Reform Act (and why you should care)

Although it’s currently stuck in committee, financial institutions should be aware of this bill and track it closely in the next congressional session.  There are actually two bills, a House (H.R. 3461) and a Senate (S. 2160) version, both containing similar provisions.  The House bill has 192 sponsors and the Senate version has 14 sponsors, and both bills have supporters from both political parties.  Here is a summary of the bill, and why you might want to support it as well:

What it does:

  • Amends the Federal Financial Institutions Examination Council (FFIEC) Act of 1978 to require a federal financial institutions regulatory agency to make a final examination report to a financial institution within 60 days of the later of:
(1) the exit interview for an examination of the institution, or
(2) the provision of additional information by the institution relating to the examination.
  • Sets a deadline for the exit interview if a financial institution is not subject to a resident examiner program.
  • Sets forth examination standards for financial institutions.
  • Prohibits federal financial institutions regulatory agencies from requiring a well capitalized financial institution to raise additional capital in lieu of an action prohibited by the examination standards.
  • Establishes in the Federal Financial Institutions Examination Council an Office of Examination Ombudsman. Grants a financial institution the right to appeal a material supervisory determination contained in a final report of examination.
  • Requires the Ombudsman to determine the merits of the appeal on the record, after an opportunity for a hearing before an independent administrative law judge.
  • Declares the decision by the Ombudsman on an appeal to:
(1) be the final agency action, and
(2) bind the agency whose supervisory determination was the subject of the appeal and the financial institution making the appeal.
  • Amends the Riegle Community Development and Regulatory Improvement Act of 1994 to require:
(1) the Consumer Financial Protection Bureau (CFPB) to establish an independent intra-agency appellate process in connection with the regulatory appeals process; and
(2) appropriate safeguards to protect an insured depository institution or insured credit union from retaliation by the CFPB, the National Credit Union Administration (NCUA) Board, or any other federal banking agency for exercising its rights.

Why you should care:

In addition to the provisions for more expeditious exit interviews and final reports, the Bills provide for certain changes to “examination standards”.   The standards pertain primarily to the non-accrual treatment of commercial loans and their effect on capital, and they also redefine “Material Supervisory Determination” as “any matter requiring attention by the institution’s management or board of directors”.  These are all generally good things for financial institutions, but I think the most significant provisions (and the ones with the biggest positive impact) are the provisions that establish the Office of Examination Ombudsman within the FFIEC.

The current appeal process for contested examination findings was recently re-addressed by the FDIC here (and I reacted to it here).  In summary, if you currently have a disagreement with the FDIC about any “material supervisory determination”, which includes anything that affects CAMELS ratings and IT ratings (the full list is here, search for “D. Determinations Subject to Appeal”) you must stay within the FDIC for resolution.  And this includes the current Office of the Ombudsman, which is also a part of the FDIC.

The agency makes it clear that they believe the appeals process is “independent of the examination function and free of retribution or other retaliation”, but whether it is or isn’t, the fact that the process never leaves the FDIC deters many financial institutions from pursuing an appeal in the first place.  I believe moving the process to the FFIEC at least improves the perception of independence and objectivity, which may make more institutions willing to challenge examination findings.  What are your thoughts?


Again, I encourage you to learn about these bills for yourself and take a position. To support the Senate bill, go HERE.  To support the House bill, go HERE.  And feel free to share this post.  If enough people support it perhaps we’ll see some progress in the next congressional session!

18 Oct 2012

“2 is the new 1”…or is it? (with poll)

UPDATED – October 2012 – Two institutions in the past ten days have told me that they have been assigned a CAMELS score of “1” in their latest examination.  One institution regained its 1 after slipping to a 2 in the last exam cycle, and the other went up to a 1 for the first time.  The FDIC is the primary federal regulator for both institutions.  What is your experience?  (Original post below)


During a panel discussion recently at our annual user conference, we heard this from a banker who was quoting an examiner from their last examination.  The institution had slipped from a CAMELS 1 rating to a 2, and when they discussed the reasoning with the Examiner in Charge, they were told they should be satisfied with a 2, because “2 is the new 1”.

Just three years ago Tony Plath, a finance professor at the University of North Carolina Charlotte, said that (at least for large banks) a CAMELS score of anything less than “1” was cause for concern.  These days it almost seems that examiners are digging for anything they can find to justify NOT assigning the highest rating.  Indeed, I had a recent conversation with an FDIC examiner who said (off the record) “if we find anything at all to document during our examination, that is enough to disqualify them for a ‘1’ rating”.

Unlike the comparatively significant difference between a “2” and a “3”, the differences between a “1”, defined as “Sound in every respect”, and a “2”, defined as “Fundamentally sound”, are extremely subtle, and there is no clear line of demarcation between them.  Often it comes down to examiner opinion.

So pick your battles and push back where you can, but understand that although you should be familiar with the criteria for a “1” rating, and strive to achieve it, you should be quite satisfied with a “2”…at least for now.


09 Oct 2012

FDIC Institutions still getting UIGEA (Reg GG) findings – UPDATE

Update 1 – 12/5/2011 to add examination procedures*.

Update 2 – 2/13/2012 to emphasize policy requirements.

Update 3 – 10/8/2012 to add specific courses of action if the FI has “actual knowledge” of restricted transactions.

We first saw this trend back in July 2011, and continue to see it, so I’m calling this a definite trend as opposed to an anomaly.  Here is the background:  The Unlawful Internet Gambling Enforcement Act of 2006 (“UIGEA”) prohibits any person, including a business, engaged in the business of betting or wagering from knowingly accepting payments in connection with the participation of another person in unlawful Internet gambling.  As a result, the Agencies (FDIC, OCC, NCUA, Federal Reserve) issued Reg GG, requiring financial institutions to establish policies and procedures “reasonably designed to identify and block, or otherwise prevent or prohibit, restricted (gambling) transactions” with compliance required as of June 1, 2010.

Most institutions have measures built into their account opening procedures by their core vendor to comply with this Reg, but the recent examination findings seem to address the lack of a specific UIGEA policy.  This would indicate that procedures alone may not be enough to demonstrate compliance anymore (i.e., “we’re doing it even though we don’t say we are” isn’t enough).  So what are you supposed to do?  Make sure you have a specific written UIGEA policy, and that it is designed to address the following:

  • Don’t assume that just because you have no (or a few) commercial customers you aren’t required to have a policy.  The implementation burden is lessened, but a policy is still required.
  • Designate a person responsible for UIGEA compliance (this was a specific finding in one of the recent examinations).
  • Focus on establishing a due diligence process when initiating a commercial customer relationship.
  • Communicate to your commercial customers contractually up  front (and periodically throughout the relationship) that restricted transactions are prohibited.  Your policy should state that the commercial customer agrees to not originate or receive restricted transactions throughout the customer relationship.  If the risk warrants, a certification from the customer is recommended.
  • Your due diligence obligations do not end once the account is opened.
  • Specify the course of action to be followed in case you have “actual knowledge” that a customer has violated the policy.  For example:
    • Perform an account review
    • Suspend activity on the account
    • Contact the customer
    • Contact legal counsel (if appropriate)
    • Close the account
    • File a SAR, if warranted
    • Contact regulatory authorities
    • Contact law enforcement
    • If cooperating with law enforcement, and so advised by same, continue processing

There are additional regulatory expectations if you actually have customers that are legally allowed to engage in an Internet gambling business, i.e. through U.S. State or Tribal authority.  In fact when I started getting reports of UIGEA policy deficiencies, my first thought was that all the institutions may have had that common denominator…they had customers legally engaging in Internet gambling.  That was not the case, however.  It would appear that this is just the latest regulatory “hot button”.

* Download Full Act, examination procedures in Attachment C

25 Apr 2012

FDIC Supervisory Letter Issued on Critical Service Provider

(NOTE:  Although the vendor in question has been publicized by the NCUA, I will not name it here because it is not relevant.  If you currently contract with the vendor you know who it is, and you need to know how to respond to the letter.  If you don’t, you’ll need to know how to respond in case it happens to a critical vendor of yours at some point.)

What if you received this letter from the FDIC on one of your most critical service providers (summarized and redacted)?

“Dear Board of Directors,

Enclosed is a copy of the Information Technology (IT) Supervisory Letter based on the interim review of (your vendor).  We are sending you this Supervisory Letter for your evaluation and consideration in managing your vendor relationship…I encourage you to review the Supervisory Letter as it discusses some regulatory concerns that require corrective action by (your vendor’s) management and Board of Directors.

Sincerely,

FDIC Regional Director”

The letter states in part:

“(Vendor’s) Executive Management supervision and control over the Risk Management (RM) and Information Security (IS) functions are unsatisfactory. Additionally, the Board of Directors (BOD) does not provide sufficient direction and oversight for management responsibilities, as well as for independent review in these areas by Internal Audit (IA). The breadth and severity of weaknesses noted at this IR stem from management’s failure to adequately address previously identified systemic issues and to take proactive measures to mitigate the identified systemic risks. These weaknesses had exposed serviced financial institutions to increased risk, and have raised concerns regarding management’s ability to establish and enforce effective information security measures commensurate with the needs of (vendor).”

So the FDIC conducted an IT Examination on the service provider.  Nothing new there…IT service providers are subject to the same regulatory oversight as financial institutions, and even have their own Examination Handbook*.   However, in this case the exam uncovered significant material weaknesses in their audit, management and IT controls.  Weaknesses so severe that the FDIC felt it necessary to proactively notify all institutions under their regulatory responsibility that utilize the provider.

Since the FDIC stated that they are sending the letter for “your evaluation and consideration”, they clearly expect you to take specific action on this matter.  Don’t be surprised to see them asking for your formal response during their next visit.  So here is what you’ll need to do:

  • The first thing you’ll want to do is call a meeting with the group you use to manage your vendor relationships.  If you haven’t assigned vendor management responsibility to a management committee (as opposed to an individual), do so.  IT Steering or Audit is a logical choice.  Formally document in the committee that “the examiner’s letter represents certain concerns that will cause us to reevaluate the vendor, reassess the residual risk, and consider implementing additional compensating controls”.
  • Request, review and evaluate the vendor’s response to the examiner’s letter.  Determine whether the response is sufficient to address your concerns.  If not, consider implementing the following additional compensating controls:
  1. Accelerate the normal annual due diligence process by requesting more frequent financial statements (quarterly instead of annual).
  2. Request that the vendor provide additional third-party security reviews beyond the SSAE 16 if possible (e.g., a SOC 2 report, penetration tests).  The SOC 2 is a good choice, as it directly addresses controls related to privacy, security, confidentiality, integrity and availability…all the things that are important to you.
  3. Have legal review existing vendor contracts for possible breach of contract claims.
  4. Consider adding a “right to audit” clause in future contracts.
  5. Become active (or more active) in vendor user groups.  The intent is to stay close to the situation, and possibly influence the vendor to release additional third-party reviews (such as a SOC 2).

It is important to take action even if you are in a long-term contract with the vendor, or if the vendor would be difficult to replace.  And you can’t take the position that since you can’t control what the vendor does, you’ll simply have to go along…that it’s not your problem to solve.  Guidance makes it clear that “institutions should ensure the service provider’s physical and data security standards meet or exceed standards required by the institution.”  So for all intents and purposes, the vendor’s deficiencies are your problem.

*According to the FFIEC:

The federal financial regulators have the statutory authority to supervise all of the activities and records of the financial institution whether performed or maintained by the institution or by a third party on or off of the premises of the financial institution.

The decision to examine a service provider is at least partially based on the number of Bank Service Company Act (BSCA) filings the regulators receive on the provider.  I explain this here, and make the point that because the definition of a “Service Company” has expanded, more service providers can expect more examinations in the future.

20 Mar 2012

FDIC issues FIL addressing proper use of Bank information

Although a quick read of this FIL makes it seem that it only addresses the proper use of confidential information after the institution is placed into receivership, it really has implications for the bank officers, directors and legal counsel of all financial institutions.  I’ll explain that in a moment, but first the FIL makes the following points:

  • Officers and directors have a fiduciary responsibility to act in the best interests of the institution at all times.
  • In the pursuit of that responsibility, access to institution records is essential.
  • If the institution goes into receivership, the receiver (FDIC) becomes the owner of the institution’s records.
  • Officers and directors of failed or failing institutions who remove FI records in anticipation of litigation or enforcement activity against them may be in breach of their fiduciary duty.

It has been my experience that the vast majority of FILs are issued reactively, instead of proactively, so I think it’s safe to assume that the FDIC has actually seen occasions where financial institution records have been removed and used by officers and directors for reasons other than the benefit of the institution.  So if you are an officer or director, the clear message here is that using FI records to prepare for or defend against litigation is acting in your best interests, NOT the best interests of the institution*.  And legal counsel representing officers and directors must not advise their clients to copy or remove institution records, on pain of civil money penalties, consent orders, or removal and prohibition from the banking industry.

In addition to the “fiduciary responsibility” argument against possessing records, the FDIC also makes an argument from confidentiality (GLBA Part 364b, SAR confidentiality, and Fair Credit Reporting regulations), and this has very real implications for all officers and directors regardless of the financial condition of the FI.  Here’s why…how many of your officers and directors receive confidential information?  All of them probably, right?  Board reports, examination reports, loan packages, audit committee minutes, etc., all are essential to performing their fiduciary duties.  Now how many of those records go off-site, and how are those records being secured in transit, use, and storage?  Are records stored off-site treated with the same document retention and destruction policies as those stored in-house?  The FDIC may not have the same motivation to go after officers and directors of healthy institutions that they do failed ones, but it is clear they expect records to be treated the same regardless of physical location.

How are you distributing this information?  We’ve seen an increased interest in institutions using technologies such as iPads and cloud-based portals to distribute director reports, but you must be careful not to let convenience trump security.  Use this FIL as an excuse to review your records safekeeping practices and make sure you (and your officers and directors) are adhering to your data confidentiality, security, retention and destruction policies, wherever the data resides.


*The FDIC does recognize that officers and directors may have a legitimate need to access institution records to defend themselves from litigation, but they require that access to be arranged formally through them, and only after signing confidentiality agreements.

16 Feb 2012

FDIC changing annual IT report to Board?

Based on recent examination findings, it would appear that the FDIC is changing what they expect to see in the annual information security report to the Board of Directors.  The requirement for the report is established in the FFIEC Information Security Handbook where it states that a written report to the board should describe the overall status of the information security program, and that at a minimum, the report should address:

  • The results of the risk assessment process
  • Risk management and control decisions
  • Service provider arrangements
  • Results of security monitoring and testing
  • Security breaches or violations, and management’s responses
  • Recommendations for changes to the information security program

However in a recent examination the institution was written up because the FDIC did not believe the report contained enough detail.  They stated that “Board reporting should be expanded and include detail at a minimum for the following areas:

  • The information security risk assessment
  • Service provider agreements
  • Results of testing, audits, examinations or other reviews of the program
  • Any security breaches, violations, or other incidents since the previous report and management responses
  • A summary of information security training provided to employees since the last report
  • Status of the patch management program
  • Status of the Business Continuity Plan and testing results
  • Customer Awareness Program efforts and plans
  • Any recommendations for changes to the information security program”

Comparing the two lists, the examination finding adds employee training, the status of patch management, the status of the BCP and its testing results, and customer awareness efforts to the original guidance.  I’m not surprised at the training findings, as I have previously identified both employee and customer training as likely 2012 trends.  Nor am I particularly surprised by the inclusion of the status of the BCP and testing results.  This has been a requirement and an area of increased regulatory focus for a couple of years.  However, it would appear that examiners may now prefer the BCP status update to be a part of the information security update report to the Board.

The inclusion of a patch management status report was a bit surprising though, as in the past this was not reported separately but simply included as one of your many risk management controls.  Perhaps they are looking for more control detail now?  (I plan to address patch management in a future post.)

I was also a bit baffled by the exclusion of “Risk management and control decisions” from the list of findings.  I had also identified the “Management” element as a probable area of increased regulatory scrutiny in 2012, so I’ll keep an eye on future examination findings to see if this actually represents a shift in focus or simply an oversight by the examiners this time.  (Of course a third possibility is that the examiner felt that the “risk management and control decisions” were present and properly documented, but given the other findings I doubt that was the case.)