Tag: FDIC

25 Jan 2012

Bank Directors and Officers targeted in 2011

The final numbers are in for 2011, and it was a record year for Director and Officer (D&O) lawsuits by the FDIC.  In 2011 alone, 264 defendants were named in FDIC lawsuits.  To put that in perspective, that’s more than twice the number sued in the previous 2 years combined.  Some of the most frequently repeated charges were:

  • “Negligence”
  • “Simple negligence”
  • “Gross negligence”
  • “Engaged in corporate waste”
  • “Recklessness and willful misconduct”
  • “Breach of fiduciary duty”

22 Dec 2011

FDIC offers “Insight” on Mobile Banking

Although not considered official supervisory guidance, the most recent FDIC Supervisory Insights newsletter offers an instructive early look into how the agency might examine this emerging electronic banking delivery method in the future.  (Before you tune out and decide to wait for the formal guidance, remember it was the Winter 2009 issue that first introduced us to the concept of the Enterprise-wide risk assessment as the preferred replacement for the traditional information security risk assessment.  I consider these Supervisory Insight newsletters to be a pretty accurate peek into the regulatory crystal ball.)

The article is titled “Mobile Banking: Rewards and Risks”, and is a fairly deep dive into this relatively new banking service.  Mobile banking is defined as the use of a mobile device, commonly a cell phone or tablet computer, to conduct banking activities.   The article starts by discussing the current, and estimated future, market for this service, quoting a survey placing the potential adoption of mobile banking at 38 million households by 2015.  Clearly, if institutions have not already considered adopting this delivery method, they certainly will in the near future.  They separate the mobile service offerings into 3 broad categories based on the delivery method:

  • Text messaging/short message service (SMS)
  • Mobile-enabled Internet browser
  • Mobile applications (apps)

They then discuss the channel-specific mobile banking risks, and this was one of the most interesting parts of the article for me:

A recent study looked at the security of four types of mobile applications – financial services, social networking, productivity, and retail.  The study focused on the types of sensitive data that mobile applications store on the device and whether these data were stored securely. Each application was rated “Pass,” “Warn,” or “Fail.” A “Pass” rating means sensitive data are not stored on the device or are encrypted.  A “Warning” rating means certain data are stored on the device, but this does not put the user at significant risk of fraud. A “Fail” rating indicates sensitive data, such as account numbers and passwords, are stored on the device in clear text, placing the user at an increased risk of identity theft or other financial fraud.

As you can see, although financial institutions had the highest “pass” rate for mobile applications, they also had uncomfortably high “warn” and “fail” rates.  (Also note the extremely high “fail” rates for social networking apps…this only confirms my concerns.)  Although they don’t go into great detail on the availability and proper use of controls to mitigate the risks, they do make the point that proper vendor management is key.  This is particularly true for community institutions who rely heavily, and almost exclusively, on the built-in controls provided by their product’s vendor.

But they also refer to the updated FFIEC Authentication guidance, stating that it “applies to mobile banking”.  This is a bit of a news flash, as the term “mobile banking” is not specifically mentioned anywhere in the updated guidance.  In fact this was one of the major criticisms of the update when it was released (although I disagreed).  I think it’s clear now that the FFIEC intended for the updated guidance to be broad enough to include new and emerging technology, and that we shouldn’t expect a new update every time technology changes.  This also means that you should include mobile capabilities in your Electronic Banking risk assessment, as well as the associated controls.

So consider this an early Christmas present from the FDIC, and make sure to incorporate the mobile banking risk management concepts discussed in this article into your electronic banking risk assessment.  In summary:

Financial institutions are challenged to ensure their mobile banking service is designed and offered in a secure manner, and customers are made aware of steps they can take to protect the integrity of their mobile banking transactions.  (Edit – so does making customers aware mean mobile banking customer training will be a requirement?)

06 Oct 2011

Material Loss Reviews: Does responsibility = liability?

I asked in my previous post whether or not the regulators should share any of the blame when institutions fail, and if so, should they shoulder any of the liability?  The thought occurred to me as I was reviewing some recent Material Loss Reviews.

A Material Loss Review (MLR) is a post-mortem written by the Office of Inspector General for each of the federal regulators with oversight responsibility after a failure of an institution if the loss to the deposit insurance fund is considered to be “material”.  (The threshold for determining whether the loss is material was recently increased by the Dodd-Frank Act from $25 million to $200 million, so we are likely to see fewer of these MLRs going forward.)  All MLRs have a similar structure.  There is an executive summary in the front, followed by a breakdown of capital and assets by type and concentration.  But there is also a section that analyzes the regulator’s supervision of the financial institution, and I noticed a recurring theme in this section:

  • …(regulator) failed to adequately assess or timely identify key risks…until it was too late.
  • …(regulator) did not timely communicate key risks…
  • …Regulator should have taken “a more conservative supervisory approach”, and used “forward-looking supervision”.
  • …examiners identified key weaknesses…but…they did not act on opportunities to take earlier and more forceful supervisory action.
  • …serious lapse in (regulator’s) supervision
  • …(regulator), in its supervision…did not identify problems with the thrift
  • …(regulator) should have acted more forcefully and sooner to address the unsafe and unsound practices
  • …(regulator) did not fully comply with supervisory guidance

There were also many references to the responsibilities of the Board, which I addressed here, but in almost every case the regulator was found at least partially responsible for the failure of the institution.

Here is where you can find the reports for each regulator:

I encourage you to take a look at these and draw your own conclusions as to the issues of responsibility and liability.  But clearly there are lessons to learn from any failure, and one lesson that I think we should all learn from this is that regulators will be pressured to be much more critical going forward.  (I.e. quicker to apply “Prompt Corrective Action”.)  After all, no one likes to be called out for doing a bad job.

One other part I found interesting (in the sense that it perfectly fits the narrative) is where the review lists all examination CAMELS ratings in the periods immediately prior to the failure.  What struck me was how many times institutions scored 1’s and 2’s just prior to the failure, and then dropped immediately to 4’s and 5’s in a single examination cycle.  Again, the lesson is that there will be tremendous downward pressure on CAMELS scores.  And don’t think that just because you are healthy you’re immune from the additional scrutiny.  As one MLR stated “…a forceful supervisory response is warranted, even in the presence of strong financial performance.”

20 Sep 2011

FDIC Sues Bank Directors (again)

On June 19, 2009 Cooperative Bank in Wilmington, NC was closed by the North Carolina Commissioner of Banks and the FDIC.  Federal banking regulators are now suing Cooperative Bank’s chairman and eight members of the board of directors for more than $145 million for negligence and breaches of fiduciary duty.  One of the FDIC’s assertions in the suit is the claim that the “…bank materially deviated from its approved business plan”, and that it did not adequately control the risks.  But this is not the only instance; it’s merely the latest.

If you are a bank director or officer, and your bank fails, there is a 1 in 4 chance that the FDIC will sue you.  In fact, as of September 13, 2011, the FDIC has authorized suits in connection with 32 failed institutions against 294 individuals with damage claims of at least $7.2 billion.  And not just officers and directors are being targeted…attorneys, accountants, appraisers, brokers and other professionals working on behalf of the bank can be held liable as well.  More importantly, the pace is increasing rapidly too.  From 1986 through 2010 there were a total of 109 defendants named in lawsuits, but in just 8 months of 2011, 185 have been named.

The FDIC regulations defining officer and director obligations are explained here, and the key concept is something called the “duties of loyalty and care.”

The duty of loyalty requires directors and officers to administer the affairs of the bank with candor, personal honesty and integrity. They are prohibited from advancing their own personal or business interests, or those of others, at the expense of the bank.

The duty of care requires directors and officers to act as prudent and diligent business persons in conducting the affairs of the bank.

But the guidance states that the FDIC will not bring civil suit if it finds that they’ve…

  1. “…made reasonable business judgments…
  2. …on a fully informed basis, and…
  3. …after proper deliberation.”

If you are an officer or director, preventing a lawsuit in the first place is far preferable to having to defend yourself after being named, and prevention is entirely predicated on being able to demonstrate that you’ve properly exercised your duties.  Exercising your duties means making reasonable business decisions after proper deliberation.  The key to proper deliberation is that you be fully informed, and that requires accurate, timely and relevant information.   Not just data, but actionable information.

I’ve written before about how technology (specifically automation) can enable and/or enhance your compliance efforts, particularly in the effort to extract useful information from mountains of data.  I’ve also discussed how management committees like the IT committee and the audit committee can provide both a forum for the exchange of information, and documentation that the exchange took place.  And don’t underestimate the value of having outside expertise on those committees.  Not only can it add a different perspective, it can also help document that you are making an effort to be “fully informed” and that you are “properly deliberating”.

Now here is a question to ponder…if the regulators are found to have been at least partially liable for the failure of an institution, can they be named as a party to the lawsuit?   In my next post I’ll take a look at some recent Material Loss Reviews, and examine the regulator mandate of “Prompt Corrective Action”.  In the meantime, what do you think…can the FDIC be both a plaintiff and a defendant?

08 Sep 2011

Exam preparation – less equals more?

One of the more surprising findings from my recent examination experience survey (thanks again to all that participated!) is that there doesn’t seem to be a direct relationship between the amount of time spent preparing, and examination results. I’ll elaborate in a moment, but first, here are the final survey demographics:

  • There were 80 total respondents
  • FDIC was the most prominent regulator (80%), but institutions representing all the other PFRs (OTS, OCC, Federal Reserve and NCUA) also responded.
  • Institutions from 20 different states responded, resulting in a pretty good geographic cross-section.
  • The majority of respondents were under $500M, but we also got a handful >$1B.
  • 25% were DeNovo (less than 5 years old).

So what we found was that most institutions spent quite a bit of time preparing for their last IT examination.  57% of you spent more than 5 hours, but interestingly enough, it really didn’t translate into better results.  Although 73% of those felt they were very prepared for the exam, less than half felt that the exam went pretty much as expected, with 9% describing their last examination as a “nightmare”!  By contrast, only 5% of those who spent less than 5 hours preparing felt the same way.  But perhaps the most significant statistic is the average IT composite score.  Those who spent more than 5 hours preparing averaged a score of 1.85 as opposed to a 1.76 for those that spent less than 5 hours.  So is the conclusion that as far as preparation goes, less equals more?  I think a better way to interpret the data is that it’s better to work smarter than harder. Consider this:  Those of you who used an outside consultant to assist with the pre-examination questionnaire seemed to have a much more favorable experience overall.  90% of you felt that the examination experience was either not bad, or pretty much as expected.  But more significantly, those who used outside help also got better IT composite scores, averaging a 1.69 versus 1.82 for all respondents!

21 Jul 2011

BCP plans continue to draw criticism

In a recent FDIC IT Examination, the examiner made the following criticism of the institution’s DR/BCP:

“Business continuity planning should focus on all critical business functions that need to be recovered to resume operations. Continuity planning for technology alone should no longer be the primary focus of a BCP, but rather viewed as one critical aspect of the enterprise-wide process. The review of each critical business function should include the technology that supports it.” (bold is mine)

This is not the first time we’ve seen this finding, nor is it a new direction for regulators, but rather follows directly from the 2008 FFIEC Handbook on Business Continuity Planning when they state:

“The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.”

I still see way too many DR plans that focus on the recovery of technology, instead of recovery of the critical process supported by the technology.  Sure, technology is an interdependency of nearly every function you provide, but it must not be the primary focus of your recovery effort.  Focus instead on recovery of the entire process (teller, CSR, lending, funds management, etc.), by recognizing that each process is nothing more than the sum of its interdependencies.   For example, what does it take to deliver typical teller functionality?

  • A physical facility for customers to visit
  • A trained teller
  • A functional application, consisting of:
    • A workstation
    • A printer
    • A database, requiring:
      • LAN connectivity
      • WAN (core) connectivity, requiring:
        • Core functionality
      • A server, requiring:
        • Access rights
      • etc.
    • etc.
  • etc.

As you can see, technology certainly plays a very important role, but it is not the only critical aspect of the process.  All sub-components must work, and work together, for the overall process to work.  Mapping out the processes through a work-flow analysis is an excellent way to get your arms around all of the interdependencies.
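The interdependency tree above is really a small dependency graph, and once it is written down you can ask it the questions a BCP review needs answered: what must be recovered for the teller process to work, in what order, and what stops working if one component (say, core connectivity) is lost.  The following is an added illustration, not code from the original post or from any vendor product; the component names are taken from the teller example above and the graph itself is a constructed placeholder, not a real institution’s inventory.

```python
from typing import Dict, List, Set

# Constructed dependency map modeled on the teller example in the post.
# Each key is a component; its value lists the components it directly depends on.
# These are illustrative placeholders, not a real institution's asset inventory.
DEPENDS_ON: Dict[str, List[str]] = {
    "Teller function": ["Physical facility", "Trained teller", "Teller application"],
    "Physical facility": [],
    "Trained teller": [],
    "Teller application": ["Workstation", "Printer", "Database"],
    "Workstation": [],
    "Printer": [],
    "Database": ["LAN connectivity", "WAN (core) connectivity", "Server"],
    "LAN connectivity": [],
    "WAN (core) connectivity": ["Core functionality"],
    "Core functionality": [],
    "Server": ["Access rights"],
    "Access rights": [],
}


def all_dependencies(process: str, graph: Dict[str, List[str]] = DEPENDS_ON) -> Set[str]:
    """Every component, direct or transitive, that `process` needs in order to run."""
    seen: Set[str] = set()
    stack = list(graph.get(process, []))
    while stack:
        component = stack.pop()
        if component in seen:
            continue
        seen.add(component)
        stack.extend(graph.get(component, []))
    return seen


def recovery_order(process: str, graph: Dict[str, List[str]] = DEPENDS_ON) -> List[str]:
    """Order in which to restore components so each one comes up only after
    everything it depends on (post-order depth-first walk; the process itself is last)."""
    order: List[str] = []
    visited: Set[str] = set()

    def visit(component: str) -> None:
        if component in visited:
            return
        visited.add(component)
        for dep in graph.get(component, []):
            visit(dep)
        order.append(component)

    visit(process)
    return order


def impacted_by(component: str, graph: Dict[str, List[str]] = DEPENDS_ON) -> Set[str]:
    """Every component that becomes unavailable if `component` fails
    (walks the graph in reverse, from dependency to dependents)."""
    dependents: Dict[str, List[str]] = {}
    for node, deps in graph.items():
        for dep in deps:
            dependents.setdefault(dep, []).append(node)
    impacted: Set[str] = set()
    stack = [component]
    while stack:
        current = stack.pop()
        for parent in dependents.get(current, []):
            if parent not in impacted:
                impacted.add(parent)
                stack.append(parent)
    return impacted


if __name__ == "__main__":
    print("Needed for teller function:", sorted(all_dependencies("Teller function")))
    print("Recovery order:", recovery_order("Teller function"))
    print("Lost if core fails:", sorted(impacted_by("Core functionality")))
```

The recovery order is the useful output for plan testing: it is the sequence in which the plan must bring things back, and if a step in that list has no owner and no documented procedure, that is the gap the examiner’s finding is pointing at.  The reverse walk (`impacted_by`) is the same analysis from the other side, and is how you show that a single technology component is one input to several business functions rather than the plan’s whole subject.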

So next time you perform the annual review of your BCP (and you do review your plan annually, right?), make sure your IT department isn’t the only one in the room!