Federal Deposit
Insurance Corporation

• An analysis of the issuer.  The analysis should consider the following:

  • The financial condition of the issuer at the time of acceptance;

  • The size and character of the issue, including the volume of securities transfers, the type of security, e.g. stock, bond or mutual fund, and any legal restrictions that may impact the issue, e.g., Section 144 stock;

  • The reputation of the issuer;

  • The existence of, or potential for, conflicts of interest;

  • The capabilities of the securities transfer agent to perform all securities transfer services in a satisfactory manner and in full conformance with applicable laws, regulations and industry standards;

  • The prospects for earning a profit during the term of the appointment that adequately compensates the transfer agent for the level of risk assumed;

  • The adequacy of operational and informational systems.

• Fees.  Except in the case where the institution serves as transfer agent for own-institution securities, a fee should be assessed for providing securities transfer services.  When providing securities transfer services to the parent holding company or affiliated entities, Section 23B of the Federal Reserve Act requires that all terms governing the appointment be comparable as those with non-affiliated entities.

• Account Documentation. Accepting an appointment as securities transfer agent for the securities of outside organizations requires various documentation. Corporate and other resolutions, contracts, and similar documents setting forth the duties and responsibilities of each party are standard. Documentation will, however, differ according to the type of security, the issuer, and the registrant's duties and responsibilities. While not specifically required in the SEC regulation, the following types of documentation are normally required:

Official resolution of the issuer authorizing the transfer appointment;

Issuer's charter or articles of incorporation, with all amendments;

Issuer's bylaws, with all amendments;

Evidence that the securities have been registered with, or approved by, regulatory authorities such as the SEC or state securities departments, utilities commissions, banking agencies etc;

Opinion of the issuer's attorneys that the securities are validly issued and that all required actions have been completed;

Specimen securities certificates, certified by the issuer's secretary;

Certified specimen signatures of current officers of the issuer who are authorized to sign securities;

Printer's certificates or other documentation evidencing the number of unissued certificates received by the registrant;

If appointed as successor transfer agent/registrar for an issue which is out-of-proof at acceptance, an indemnification agreement obtained from either the previous transfer agent/registrar or the issuer.

The Board, or a duly designated subcommittee, should review all closed accounts. The goal of the closing review is to ensure that the institution has fulfilled its responsibilities as transfer agent and that the administration of the account has been satisfactory. The institution can also verify that all required depository notifications have been made, and, if the institution has no remaining transfer agent responsibilities, that a deregistration form has been mailed to the appropriate regulatory authority.

A significant increase in closed accounts may indicate operational or managerial deficiencies. The Board should review the reason why the account was closed. Formal acknowledgement of all closed accounts should be noted in the Board or appointed subcommittee's minutes.

The Board and senior management are responsible for ensuring that securities transfer activities are performed in a satisfactory manner and in full compliance with applicable laws, regulations and industry standards.  The development and implementation of appropriate policies and comprehensive operating procedures are important elements for ensuring proper administration of all transfer agent accounts.  

In addition to policies and procedures, an annual account review is essential for verifying the proper conduct of securities transfer services and compliance with laws and regulations.  An annual review of the performance of each transfer agent appointment allows for the early identification of operational or compliance problems and allows management and the Board to intervene promptly to ensure correction of any deficiencies revealed by the account review. 

Account reviews should be conducted annually.  Those FDIC regulated institutions that conduct securities transfer activities in the Trust Department have adopted the Statement of Principles of Trust Department Management which requires an annual review of all accounts.  However, even those institutions that do not conduct securities transfer activity via the Trust Department should implement an annual account review program.  Account reviews should be conducted by individuals who are independent of the transfer agent function, i.e., not involved in the operational aspects of securities transfer operations.  In small institutions with limited staff, transfer agent personal can conduct the account review, but should not be involved in the administration of the specific account.

The scope of the annual account review will vary depending on the volume and complexity of securities transfer.  In all cases, however, the scope should include compliance with all applicable SEC operational requirements, including fingerprinting requirements and internal policies and procedures.  The annual account review may include, but is not limited to the following items:

• Account documentation
• Fingerprinting of Personnel
• Turnaround Performance, including SEC notifications and limitations on growth in those cases where SEC turnaround performance has not been satisfied
• Out-of-Proof Conditions and Buy-ins
• Signature Guarantee Policies and Procedures
• Master Securityholder file, including certificate detail and prompt posting thereto
• Inquiries, including turnaround performance and monthly logs thereof
• Control Book, including adequacy of documentation supporting changes to
• Daily and Monthly Logs
• Internal Controls, including controls of cancelled and unissued certificates
• Regulatory Reports, including amendments to TA-1, accuracy and timeliness of TA-2, and depository notifications
• Eligibility for small transfer agent exemption, including documentation supporting the continued eligibility for the exemption
• Reporting of Lost, Missing or Stolen Securities
• Fees, including the accuracy and prompt collection of
• Complaints, including the adequacy and timeliness of response thereto
• Criticisms by auditors and regulatory agencies

Examiners should be flexible in assessing the adequacy of an institution's annual review process.  An evaluation of an institution's review process should focus on the effectiveness of the process, rather than the manner in which it is conducted.  Flexibility is required when evaluating the review process for small transfer agents that limit securities transfer activity to own-bank or parent holding company stock and may have a relatively small volume of transfers.  The objective of any account review program, regardless of the volume of activity and complexity of operations, is to promptly identify instances of operational deficiencies and noncompliance with laws and regulations, and to promote the timely correction thereof.

The results of the annual review should be periodically reported to the Board, or a designated committee thereof, and senior management.  The Board and senior management should ensure that all deficiencies noted in the annual review are addressed and monitor the progress of corrective action taken.

For many small transfer agents that limit securities transfer activity to own-bank or parent holding company stock and process a relatively small volume of transfers, the risk management program will be informal in nature and consist principally of implementing sound polices and procedures and providing for annual account reviews and audits.  For larger, more complex transfer agents, a formal risk management program should be established to identify and control the risks of providing securities transfer services.  An effective risk management program guards against the legal liability that can result from poor operational practices and noncompliance with applicable laws and regulation by identifying areas where there is significant exposure.   Strong internal controls, sound policies and practices, and appropriate management information systems provide the basis for an effective risk management program.  The sophistication of the department's risk management program should be developed according to the complexity and size of securities transfer services offered.  Risk tolerance levels should be clearly set and monitored by both senior management and the Board of directors.  The program should be periodically reviewed and revised to address significant changes in the risk profile of securities transfer activity.  Generally, an effective risk management program should:

• Identify the various risks associated with the institution’s securities transfer activities. This includes an analysis of insurance coverage and the impact of fiduciary risk on capital adequacy. Litigation risks should also be analyzed.

• Establish the level of risk that management is willing to assume. Examiner emphasis should be placed on reviewing the planning process and new services.

• Supervise the management of current operations. Guidelines should address the structure of day-to-day management of transfer agent operations, the effectiveness of operating policies and procedures, and the effectiveness of compliance programs and internal controls.

• Implement adequate controls and monitoring systems. This includes establishing a system of checks and balances, reviewing audit coverage, the compliance management system, and the overall scope and reliability of existing management information systems.

Securities transfer activities expose the bank to many of the same risks encountered in the commercial business. Operating or transaction, strategic, legal, compliance, and reputational risks are found in varying degrees within many departments.

In addition to managing the risks inherent in offering securities transfer services, including compliance with applicable laws and regulations, management must manage the risks of securities transfer activities being interrupted, hindered, delayed or rendered impracticable due to natural disasters or, given the indispensability of automated systems in conducting securities transfer activities, computer system failures.

Storms, floods, earthquakes and other natural disasters may render a transfer agent's facilities unserviceable for extended periods of time. Computer systems may crash, communication lines may fail or vital electronic data may be lost or damaged.  Management should anticipate such contingencies by developing emergency preparedness and business resumption plans.  Among the areas that such plans should address are:

• Business resumption in the event of natural disaster or civil disturbances. Areas that should be addressed include: the availability of back-up facilities; the evacuation of affected personnel; management succession; the availability of required supplies, for example blank securities certificates; back-up records, both computer and manual; and communications with clients. 
• Recovery of data processing functions in the event of a computer system failure, communications failure, or the loss or corruption of vital electronic records. Such plans generally address the back-up and off-site storage of critical data files; arrangements for back-up data processing facilities; the availability of back-up communication lines; as well as on-site data security and protection procedures.

Institutions with large, complex transfer agent operations may have disaster recovery/business resumption plans specifically designed for the securities transfer area.  Institutions with small, non-complex transfer agent operations, may, instead, develop institution-wide disaster recovery/business resumption plans.  In such cases, examiners should determine that the institution's plans adequately address the business resumption requirements of the transfer agent area.  Examiners, as part of their pre-examination planning, can review previous Safety and Soundness and Information Technology (IT) Reports of Examination to obtain information about the institution's disaster recovery/business resumption plans and data security/data back-up policies.  When the Registered Transfer Agent examination is conducted concurrent with Safety and Soundness or IT, the EIC is encouraged to coordinate the review of emergency preparedness with the other EIC's in order to avoid duplication of effort.

Disaster recovery/business resumption plans should be review and tested periodically to ensure that the plans continue to adequately address current conditions.  For example, where the institution has contracted or otherwise arranged back-up facilities from third parties, the institution should ensure that third parties continue to be able to provide the services promised. The results of periodic tests should be documented in writing and reviewed by the Board, or a designated committee thereof, which should monitor the progress of any remedial action resulting from the test.

The disaster recovery/business resumption requirements for a small, non-complex transfer agent that limits securities transfer activity to own-bank stock and employs a manual or simple PC-based operation will be much less extensive and complex than institutions that transfer securities for third party issuers and maintain more sophisticated automated systems.

The Board of Directors and senior management are responsible for protecting the financial institution from fraud and other acts of dishonesty.  12 U.S.C. 1829 requires financial institutions to take steps to avoid hiring an individual convicted of dishonest acts.  An important step in protecting the financial institution from potential fraud is the pre-screening of employees.  Some prospective employees, however, provide false information or references which cannot be substantiated. The repercussions of employing such individuals may be serious. In addition, current employees may have committed acts of dishonesty or breaches of trust during their tenure at the bank.  An effective way of identifying current and prospective employees with criminal records is by fingerprinting employees and submitting the fingerprints to the FBI for analysis.   It's been estimated that 10 percent of the fingerprint cards submitted uncover a criminal record.  As discussed below, the fingerprinting of employees who are directly or indirectly involved in handing securities certificates is an important requirement for registered transfer agents.

Securities and Exchange Commission rules require that every partner, director, officer and employee of a registered transfer agent be fingerprinted. The fingerprinting requirement is implemented by SEC Regulation 240.17f-2. As discussed in more detail below, certain individuals may be exempted from being fingerprinted. Once fingerprinted, the registered transfer agent must submit the fingerprints to the Attorney General of the United States or its designee for processing and identification.  In practice, fingerprint cards are submitted to the FBI which does a search in order to determine if the individual whose fingerprints have been submitted has a criminal record.  The FBI, however, will not accept fingerprint cards submitted directly by banks.  Instead, an authorized intermediary must be used.   The only intermediary authorized by both the FBI and the SEC is the American Bankers Association (ABA). The ABA has a program in place to handle the submission of fingerprint cards to the FBI.  Bank transfer agents needing more information about administering a fingerprinting program can contact the ABA.

If there is a criminal record, termed a "hit", both the fingerprint card and the criminal identification card, i.e., "rap sheet", are returned.  Sometimes fingerprint cards received by the FBI cannot be classified and thus can not be searched by characteristics of the fingerprint. In such cases, a name check (based on the information on the fingerprint card) is performed. If the name check is positive, the fingerprints will be verified against the subject's fingerprints already on file, and a copy of that record will be returned directly to the bank. If the name check is negative, the bank will be notified.

Sometimes, an individual can not be successfully fingerprinted, i.e., a legible set of fingerprints can not be obtained.  In such cases, a minimum of three attempts must be made to obtain legible fingerprints.  All three attempts to obtain legible fingerprints, however, must be performed by an individual competent to roll fingerprints (this might be someone in the institution's security department, the local police or sheriff's department or the state police). If all three attempts are unsuccessful, no further fingerprinting of the individual is necessary.   The transfer agent must, however, retain all three fingerprint cards that the FBI returned as illegible in order to document that the three required attempts to fingerprint were performed.

The fingerprinting requirement can be satisfied if the officer or employee has already been fingerprinted pursuant to another law, provided that the fingerprints were submitted to and processed by the FBI and the fingerprint cards and related documents are retained as required by Rule 17f-2.

While Rule 17f-2 states that all directors, officers and employees must be fingerprinted, the regulation permits registered transfer agents to exempt   personnel not directly or indirectly involved in transfer agent operations.  Essentially, only those directors, officers and employees who handle securities certificates, related funds (e.g. dividend or interest checks) or are involved in maintaining transfer agent books and records, or who supervise those that do, must be fingerprinted.  Examples of personnel that must be fingerprinted include

• Transfer agent personnel, clerks and secretaries;
• Supervisors of transfer agent personnel;
• Persons countersigning securities certificates, e.g. directors or senior management;
• Employees with access to the locations where transfer agent activity is performed.

In addition to personnel who are directly involved in securities transfer activities, other bank personnel may be involved in handling securities certificates and or records.  These personnel should be fingerprinted and include:

• Internal auditors;
• Mail room personnel, who initially receive certificates mailed to the transfer agent;
• Internal messengers delivering and picking up certificates;
• Data processing personnel who process transfer agent records or print dividend and interest checks. 

Registered transfer agents that claim an exemption under 17f-2, must maintain a Notice Pursuant to Rule 17f-2, discussed below. Transfer agents that perform securities transfer services only for its own securities and process fewer than 500 items during any six consecutive month period, i.e., transfer agents eligible for the "small transfer agent" exemption, are exempted from maintaining the Notice Pursuant to Rule 17f-2.

Note:  "Own securities" normally means just the bank's own stock. Parent holding company stock may be considered to qualify as "own securities.  The SEC has indicated that parent holding company stock will be considered "own" securities if the parent holding company is a one-bank holding company, and:

• owns 100 percent of the bank's stock; or

• owns all of the bank's stock except directors' qualifying shares required under state law or regulation.

A registered transfer agent that claims an exemption for its personnel from the fingerprinting requirements of 17f-2 must prepare a Notice Pursuant to Rule 17f-2. The Notice must be kept current at all times.  The Notice Pursuant to Rule 17f-2 must contain the following:

• The name of the organization and a statement that the organization is a registered transfer agent
• A list of all persons who have been fingerprinted pursuant to Regulation 17f-2.  Persons fingerprinted can be listed by division, department, class or individual name.  Note: Since the Notice must be kept current at all times, it is not advisable to list persons fingerprinted by individual name, which would required updating the Notice every time there is a change in personnel.  Listing persons fingerprinted by broad categories, such as department or division, facilitates the maintenance of the Notice.  For example, if all transfer activity is conducted in Department X, the notice could list "Persons in Department" in the Notice.
• A list of all persons, by individual name, who could not be fingerprinted, i.e. for whom legible fingerprints could not be obtained.   Note: broad categories are not permitted for these persons, who must be designated by name.
• A list of all persons whom the registered transfer agent claims to be exempt from the fingerprinting requirement of Regulation 17f-2.  Persons for whom exemption is claimed can be listed by division, department, class or individual name.   As detailed in the note in the second bullet, broad designations rather than individual designations facilitate keeping the Notice current and accurate.
  
  The persons so identified in the Notice are exempted from the fingerprinting requirements of Rule 17f-2 unless the institution is notified to the contrary by the Securities and Exchange Commission.
  
  
• A generic description of the duties of the persons and/or the nature of the functions and operations of the divisions and departments identified as exempt.
• A description of the security measures utilized to ensure that only those persons who have been fingerprinted pursuant to Rule 17f-2, or who could not be fingerprinted due to the inability to obtain a set legible fingerprints, have access to the keeping, handling or processing of securities and the monies or the original books and records related thereto.