Tag: FDIC

20 Apr 2011
Hot Topics Tom Hinkel 0 comment

A Recurring Theme in FDIC Consent Orders

If you look at any of the recent FDIC Consent Orders, you will quickly see a common theme.  I randomly pulled a few off the top of the list, and the verbiage was very similar, and in many cases identical:

  • …the Board shall enhance its participation in the affairs of the Bank
  • …the Bank’s board of directors shall increase its participation in the affairs of the Bank
  • …the Board shall participate fully in the oversight of the Bank’s compliance management system
  • …the Board shall participate fully in the oversight of the Bank’s Compliance Management System
  • …the Board shall increase its participation in the affairs of the Bank
  • …the Bank shall have and retain qualified management
  • …Bank’s board of directors shall increase its participation in the affairs of the Bank
  • …the Bank shall have and retain qualified management.
  • …the Board shall increase its participation in the affairs of the Bank
  • …the Bank’s board of directors (“Board”) shall increase its participation in the affairs of the Bank

In almost every case, regardless of the main thrust of the Consent Order, this was usually the first requirement.  In other words, although the Order may have been imposed because of financial weakness, or lending policy non-conformance, or some other reason, the examiners want to establish up front that the Board and Senior Management are at fault for failing to prevent, detect, and/or correct the problem ahead of time.  Furthermore, regardless of their past participation, in every case they are expected to increase their oversight in the future.

Of course, not only must this occur, but it must also be documented.  If recent examination experience has taught us anything, it is that if you don’t have it documented, it didn’t happen.  The challenge is this; typically the Board defines the broad goals and objectives of the institution in the strategic plan, and delegates the day-to-day responsibility of implementing those goals to committees.  In a perfect world, the mandates flow down from the Board to the committees, and status reporting flows back up from the committees to the Board.  (Graphic illustration) In reality, there are multiple points of failure in this top-down, bottom-up model:

  1. Does the Board have a well-defined, 3-5 year Strategic  Plan?
  2. Has this plan been communicated to all stakeholders?
  3. Have committees been formed, staffed, and tasked with implementing the details of the plan?
  4. Are there well-defined objectives and benchmarks in place to measure alignment between strategic goals and actual performance?
  5. Does the Board have access to adequate, timely information (reporting), and the necessary expertise, to determine if their strategic goals and objectives are being achieved?

A “No” answer at any point in this process causes the whole process to break down.  And even a “Yes, but we didn’t document it…”, is not enough to satisfy the examiners.  So how best to document each step?  Taken in order from above:

  1. Make sure the institution has a valid, up-to-date, Strategic Plan, and…
  2. …the plan has been communicated to all stakeholders.  This isn’t as onerous as it sounds…the plan shouldn’t change that often.
  3. The mission statement for all committees should reinforce their alignment and coordination with the Strategic Plan, and any risk assessments conducted by the committees must measure strategic risk.
  4. Evaluate each new product, service and vendor against its ability to further the objectives of the Strategic Plan, and…
  5. …make sure this information is summarized and presented to the Board at a frequency commensurate with the pace of change within the institution.

As I’ve mentioned before, the Tech Steering Committee is the ideal committee to report all things IT to the Board.  If you utilize a standard agenda, which includes discussion of on-going or proposed IT initiatives (and their alignment with Strategy), document the meetings, and report progress to the Board periodically, you will satisfy the IT oversight requirement.  Once the top-down and bottom-up process is in place for IT, simply duplicate it across the enterprise!

23 Mar 2011
From the Field Tom Hinkel 1 Comment

IT Composite Ratings: 1 vs. 2

In a recent survey conducted with our customers, we asked them to tell us (anonymously) what their FDIC IT composite scores were after their last IT examination, and whether those scores increased (got worse), or decreased (got better).  The average score was 1.8 on the 5 point scale.  Of course the results could be attributed to the fact that by virtue of their relationship with us, they demonstrate a higher level of awareness of IT and IT risks, resulting in a kind of reverse “adverse selection”, but regardless anything better than 2 is considered much better than average.  And slightly more institutions saw their score increase (or get worse) than stay the same…almost none saw their scores decrease.
So is the FDIC issuing any 1’s in IT anymore?  Not many, as far as I can see.  But for those institutions looking to maintain, or even enhance, their IT scores, it’s critical to review the components in each category…particularly the differences…between 1 and 2.  And since there are significant similarities between the two, the difference is all in the details.

The full list with all details is here, but this is a condensed version of how the FDIC IT Examination Composite Ratings break out by component:

Risk Management:

One (1) – “Risk Management processes provide a comprehensive program to identify and monitor risk relative to the size, complexity and risk profile of the entity.”
Two (2) – “Risk Management processes adequately identify and monitor risk relative to the size, complexity and risk profile of the entity.”

The difference between a 1 and a 2 in risk management is a “comprehensive program”…very subtle, but using the IT Steering Committee to manage IT could be the difference.

Strategic Planning:

One (1) – “Strategic plans are well defined and fully integrated throughout the organization.  This allows management to quickly adapt to changing market, business and technology needs of the entity”.
Two (2) – “Strategic plans are defined but may require clarification, better coordination or improved communication throughout the organization.  As a result, management anticipates, but responds less quickly to changes in market, business, and technological needs of the entity”.

This distinction is the most significant between the 2 categories, and in my opinion, seems to be the critical factor.  I addressed the IT Strategic Plan in detail here.  Often the difference between a 1 and a 2 in IT is in how well you manage, and communicate, your strategic plan.

Self Assessment:

One (1) – “Management identifies weaknesses promptly and takes appropriate corrective action  to resolve audit and regulatory concerns”.
Two (2) – “Management normally identifies weaknesses and takes appropriate corrective action.  However, greater reliance is placed on audit and regulatory intervention to identify and resolve concerns“.

Both have the ability to identify and correct weaknesses, but the key difference here is that the stronger organization handles it internally.  The key to this is the control self-assessment process.  The FFIEC mentions “control self-assessment” 43 times, and  in 7 of the 12 IT Examination Handbooks.  This is not a new concept, nor is it particularly difficult to implement, but for some reason it is under-utilized by most financial institutions.

I intend to address the self-assessment process more completely in a future post, but until then here are some of the benefits:

  • Early detection of risks
  • Improved internal controls
  • Assurance to top management that you are doing what you say you’re doing,  and of course
  • Improved audit and examination ratings!
03 Mar 2011
Hot Topics Tom Hinkel 2 Comments

FDIC issues new FIL…

…and pretty much confirms what most of us already knew; regulatory scrutiny has increased across the board.  FIL-13-2011 entitled “Reminder on FDIC Examination Findings” was just released March 1st, and in spite of the title,  is not so much a reminder but a response.  Here is the one-line summary:

“Recently, the FDIC has received some criticism that its examination findings have been overly harsh.”

Make no mistake, this is NOT a reminder, this is a response to a flurry of criticism from financial institutions who feel that:

  1. Their examiners are finding fault with policies, procedures and practices that they have not had problems with in past examinations, and
  2. The examiners are less willing to “work with them” to resolve the findings during the examination…before they appear in the exit letter.

I have heard the same criticism from our customers, and I think it is highly significant that the FDIC has seen fit to issue an FIL to address this.  This confirms that the problem is not sporadic, it is endemic, and it is the new normal.

The FIL goes on to describe the procedures by which an institution might formally express their concerns, but in the end there is little the institution can do to change the findings.  My attitude is that there are really only 3 ways to respond to an examiner finding:

  1. Admit that the finding is valid, and commit to making the recommended change(s). The vast majority are handled this way.
  2. Contest the finding.  This is a viable option only if you can demonstrate that you’ve made a different interpretation of the underlying guidance, and as a result of your risk analysis, you’ve come to a different conclusion.  If properly documented, this can be a very effective response.
  3. Refuse the finding.  This is an adversarial position and NOT really recommended, but I see this more often than you would think.

Given the new normal, the second option makes the most sense IF you’ve implemented an effective risk management process, because in the final analysis all examiner findings are about one thing…they believe you’ve accepted too much risk.  I’ve addressed effective risk management in detail here.

One other thing caught my eye in the FIL, because the fact that the FDIC felt necessary to address it indicates that it has become an issue:  “Prohibition Against Retaliation”. Apparently some institutions feel that not only are the examiners more critical, but that they have experienced “…retaliation, abuse, or retribution by an agency examiner…”.  This may be because institutions are choosing the adversarial option.  Even more reason to make sure that if and when you do decide to push back on an examiner finding, you do so in a logical, dispassionate way.  Make a risk-based case that focuses on the residual, or remaining, risk.  The vast majority of findings revolve around the examiner’s belief that you haven’t properly recognized that residual risk, and that as a result, it’s unacceptably high.  If you can demonstrate that you do in fact understand the risks, and have decided to accept them as a business decision, you will eliminate the vast majority of examination findings.

23 Dec 2010
Hot Topics Tom Hinkel 0 comment

New FDIC Survey Results and Third-Party Providers

The new FDIC Supervisory Insights Winter 2010 newsletter addresses several issues of interest to bankers, including Trust Preferred Securities, Managing Agricultural Credit, and Senior Life Settlements.  But there was also a section that analyzed the results of a survey that was conducted by FDIC examiners over the past year.   The more than 2,100 responses are producing some interesting results, especially when correlated with other financial reports like call reports, but of particular interest to me were the findings examining how financial institutions are “responding to the recent period of economic and competitive challenges”. One of the trends identified in the survey results was how financial institutions are increasingly “…making use of third-party providers to offer new and innovative products”, and particularly, “how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.”

Community financial institutions are no strangers to vendor management, particularly the importance of addressing privacy and security issues, but the article makes reference to the risk of Unfair or Deceptive Acts and Practices (UDAP).  This is not a traditional risk category in and of itself, and may not be a consideration in your current vendor management program, but based on recent enforcement cases, maybe it should be.  The article makes reference to FDIC guidance here, and the FFIEC provides additional guidance here and here, but none of the existing guidance specifically mentions the significant financial liabilities and increased reputation risk that can result from a lawsuit based on UDAP.

The conclusion states:

Overall, Survey results show that banks are responding to ongoing economic and competitive challenges in a variety of ways, for example, by tightening underwriting standards and making use of third-party service providers to offer new and innovative products. These operational changes can affect an individual institution’s risk profile and its ability to effectively manage the resulting consumer compliance risks. The analysis of data gathered through this Survey will continue to help the FDIC understand how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.

I suggest you incorporate UDAP risk into your existing vendor management risk assessment by assuring that it is identified as one of the potential contributors to reputation risk (along with privacy and security breaches), and that the  legal risks are assessed along with standard regulatory/compliance risks.

11 Oct 2010
Hot Topics Tom Hinkel 0 comment

FDIC and State examiners teaming up

I wrote a similar post earlier, but it now seems that perhaps the reason the State of Georgia has adopted the FDIC IT Examination Questionnaire is that the FDIC has been showing up on-site with the State examiners.  I’ve gotten reports that this is happening with increasing frequency, and not just in Georgia.

My advice is to familiarize yourself with the FDIC Questionnaire, even if you are preparing for a State examination.  Be able to answer each question and, most importantly, to justify your answer with the appropriate documentation.

07 Oct 2010
From the Field Tom Hinkel 1 Comment

The 5 trickiest FDIC IT examination questions (part 5).

In my last post, I asked you to weigh in on what question you wanted me to address in this final post of the series.  This one came from a bank that was in the process of actually filling out the questionnaire, and it’s a good one.  It’s found in the Vendor Management section:

“Has the bank identified and reported its service provider relationships (both domestic and foreign-based) to the FDIC (Y/N)?”

At first glance, you may be tempted to interpret this as asking “Has the bank identified and reported its MAJOR or CRITICAL service provider relationships…?”, but the question does not seem to limit your reporting requirement to a particular class or size of service provider.  So are you really obligated to report ALL vendor relationships, from your core provider to your cleaning crew?  Taken a face value it would certainly seem so.

To figure out exactly what is required you have to look at the 2 references listed under the question:

  • “Notification of Performance of Bank Services” FDIC Rules and Regulations 304.3, and
  • 12USC1867 Section 7(c)(2) Bank Service Company Act (BCSA)

In researching this, it appeared at first that it only applied to Banks that owned more than 1% of a bank service provider.  But upon further review (sorry, it’s football season), Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party “shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first.”  So again, this looks like ALL vendor relationships need to be reported.

However, in a recent interview at bankinfosecurity.com with Donald Saxinger  (senior examination specialist with the FDIC), this exact issue was addressed in the context of reporting social media vendors.  Simply put, his response was that only if the vendor provides “banking functions” does it need to be reported to the regulators.   Banking functions are defined in Section 3 of the Bank Service Company Act as:

  • check and deposit sorting and posting,
  • computation and posting of interest and other credits and charges,
  • preparation and mailing of checks, statements, notices, and similar items, and
  • any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution

Using this list as a reference, only core vendors, item processors and outsourced accounting firms fall into these categories.  (Whether or not IT vendors fall into this category will be addressed in a future post.  Mr Saxinger makes the point that IT vendors are one of the dependency layers that supports the business process, and as such MAY fall into one of the categories above, depending on the outcome of your risk assessment.)  To be safe, since there is no penalty for over reporting, it’s best to report all vendor relationships that even come close to fitting the definition of a bank service company.

So the correct answer is “Yes, we report all of our service provider relationships that provide banking functions to us, as well as any vendors providing a critical dependency to those service providers, as determined by our risk assessment.”  Of course, make sure that you do report them.  The FDIC form is here, other regulators may have their own reporting mechanism.

© 2025 UFS Tech. All rights reserved. Compliance Guru is a registered trademark of UFS Tech. Privacy Policy