VI. Appendix C Office of Inspector General's Assessment of the Management and Performance Challenges Facing the FDIC
In keeping with the Reports Consolidation Act, the OIG has identified the following management and performance challenges facing the Corporation.9 Each of the challenges we have identified is marked by one or more of the following characteristics:
It is important to the achievement of the FDIC mission and the strength of the nation's financial system.
It directly impacts consumers of financial services.
It involves significant resources, expenditures, or fiduciary responsibility.
The following challenges reflect the OIG's view of the Corporation's overall program and operational responsibilities; industry, economic, and technological trends; areas of congressional interest; relevant laws and regulations; the Corporation's priorities and corresponding corporate performance and Government Performance and Results Act goals; and the ongoing activities to address the issues involved.
Identifying and Mitigating Risks to the Insurance Funds
As of the end of the third quarter of 2006, the FDIC insured $4.095 trillion in deposits in 8,755 institutions. According to FDIC projections, if the current trend of industry consolidation continues, the banks the FDIC directly supervises will likely represent a smaller and smaller portion of the financial exposure it faces as deposit insurer. In fact, as of June 30, 2006, the ten largest FDIC-insured institutions controlled 44 percent of total insured assets and 42 percent of total insured deposits. The FDIC is the primary federal regulator for none of these institutions. The Corporation is also working to maintain strong regulatory capital standards under the Basel Accord and has been implementing major reforms in deposit insurance over the past ten months. Given these circumstances, the Corporation faces several challenges:
Assessing Risks in Large Banks: To effectively fulfill its fundamental responsibilities as deposit insurer, the Corporation must ensure its large-bank program provides ready access to the information it needs to effectively identify and assess risks that large institutions, including those it does not supervise, pose to the Deposit Insurance Fund (DIF). Effectively communicating and coordinating with the other primary federal banking regulators is central to the Corporation's ability to meet this challenge. Moreover, given the inherent complexity of these large institutions, the FDIC must have or develop the capability to assess the risks associated with these institutions, which are different from those found in smaller banks. To strengthen its oversight of large banks, the Corporation has implemented some key programs: the Large Insured Depository Institutions program, Dedicated Examiner program, and Off-site Review program. The FDIC participates with the other federal regulators in the Shared National Credit program.
Maintaining Strong Regulatory Capital Standards: The FDIC and other regulators have evaluated policy options to ensure that large institutions and the industry as a whole maintain adequate capital and reserves under Basel II. The intent of Basel II is to more closely align regulatory capital with risk in large or multinational banks. In conjunction with the transition to Basel II, the FDIC and the other federal bank regulatory agencies are pursuing a more risk-sensitive capital framework for the institutions that are not subject to or that opt out of Basel II. This new Basel IA capital framework seeks to minimize potential inequities between large and small banks resulting from Basel II implementation while maintaining adequate capital levels and avoiding undue burden on the affected institutions.
In 2007, the federal bank regulatory agencies will review comments received in response to Basel II and Basel IA notices of proposed rulemaking, complete rulemaking for Basel IA, and eventually seek to make final rules for Basel II.
Implementing Deposit Insurance Reform: On February 8, 2006, President Bush signed into law the FDI Reform Act of 2005, prompting sweeping changes in the federal deposit insurance system. The Congress gave the Corporation nine months to implement most of the provisions of the legislation, and the Corporation has worked diligently to do so. In October 2006, the Board of Directors approved a final rule to implement a one-time assessment credit to banks and thrifts. The credit will be used to offset future assessments charged by the FDIC and will recognize contributions that certain institutions made to capitalize the funds during the first half of the 1990s. In November 2006, the Board also adopted a final rule on the pricing structure and approved a more risk-sensitive framework for the 95 percent of insured institutions that are well-capitalized and well managed.
Ensuring Institution Safety and Soundness Through Effective Examinations, Enforcement, and Follow-Up
Supervision is a cornerstone of the FDIC's efforts to ensure stability and public confidence in the nation's financial system. As of September 30, 2006, the FDIC was the primary federal regulator for 5,237 institutions. The FDIC performs risk management, information technology, trust, and other types of examinations of FDIC-supervised insured depository institutions. As part of risk management examinations, the FDIC also ensures that institutions comply with the regulatory requirements of the Bank Secrecy Act. The Corporation's system of supervisory controls must identify and effectively address financial institution activities that are unsafe, unsound, illegal, or improper before the activities cause a drain on the insurance funds. Specific challenges related to this core FDIC mission include:
Maintaining an Effective Examination and Supervision Program: The FDIC has adopted a risk-focused approach to examinations to minimize regulatory burden and direct its resources to those areas that carry the greatest potential risk. The FDIC must also ensure that financial institutions have adequate corporate governance structures relative to the bank's size, complexity, and risk profile to prevent financial losses and maintain confidence in those entrusted with operating the institutions. The FDIC's follow-up processes must be effective to ensure institutions are promptly complying with supervisory actions that arise as a result of the FDIC's examination process.
Granting Insurance to and Supervising Industrial Loan Companies: The FDIC is the primary federal regulator for a number of industrial loan companies (ILCs), which are limited-charter depository institutions. ILCs may be owned by commercial firms, and these parents may not be subject to consolidated supervision by a federal banking regulator. As of September 30, 2006, there were 58 operating ILCs with aggregate total assets of $177 billion. The FDIC must establish and maintain effective controls in its processes for granting insurance to, supervising, and examining ILCs, taking into consideration the relationship between the ILC and its parent company and the effect of such a relationship on the ILC. This is particularly important when the ILC's holding company is not subject to the scope of consolidated supervision, consolidated capital requirements, or enforcement actions imposed on parent organizations subject to the Bank Holding Company Act.
In July 2006, the FDIC placed a six-month moratorium on ILC deposit insurance applications and change of control notices. The Corporation wanted time to assess developments in the ILC industry; determine whether any emerging safety and soundness or policy issues exist; and evaluate whether statutory, regulatory, or policy changes needed to be made in the oversight of these institutions. While the moratorium is set to expire at the end of January, a number of congressional representatives have voiced concern over mixing banking and commerce and have urged the Corporation to extend its freeze on granting industrial loan charters to commercial applicants. This issue will continue to require FDIC attention.
Contributing to Public Confidence in Insured Depository Institutions
Guarding Against Financial Crimes in Insured Institutions: All financial institutions are at risk of being used to facilitate or being victimized by criminal activities including money laundering and terrorist financing. Such activities serve to undermine public confidence in the nation's financial system. The Corporation is faced with developing and implementing programs to minimize the extent to which the institutions it supervises are involved in or victims of financial crimes and other abuse. Increased reliance by both financial institutions and non-financial institution lenders on third-party brokers has also created opportunities for increased real-estate frauds, including property flipping and other mortgage frauds. Examiners must be alert to the possibility of multiple types of fraudulent activity in financial institutions, which is inherently difficult because fraud is both purposeful and hard to detect.
Part of the FDIC's overall responsibility and authority to examine banks for safety and soundness is the responsibility for examining state-chartered non-member financial institutions for compliance with the Bank Secrecy Act (BSA). The BSA requires financial institutions to keep records and file reports on certain financial transactions. FDIC-supervised institutions must establish and maintain procedures to assure and monitor compliance with BSA requirements. An institution's level of risk for potential money laundering determines the necessary scope of the BSA examination. In a related vein, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) promulgates, develops, and administers economic and trade sanctions such as trade embargoes, blocked assets controls, and other commercial and financial restrictions under the provisions of various laws. Generally, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes economic sanctions. Sanctions can also be used against international drug traffickers, terrorists, or foreign terrorist organizations, regardless of national affiliation. A challenge for the FDIC is to provide effective supervision of compliance with OFAC regulations by FDIC-supervised institutions.
In its role as supervisor, the FDIC also analyzes data security threats, occurrences of bank security breaches, and incidents of electronic crime that involve financial institutions. Misuse and misappropriation of personal information are emerging as major developments in financial crime. Despite generally strong controls and practices by financial institutions, methods for stealing personal data and committing fraud with that data are continuously evolving. The FDIC must continue its work in assuring the security of customer data against such criminal activity to help maintain the public's trust and confidence in the banking system.
Protecting and Educating Consumers and Ensuring Compliance Through Effective Examinations, Enforcement, and Follow-up
The FDIC protects consumers through its oversight of a variety of statutory and regulatory requirements aimed at safeguarding consumer privacy and preventing unfair and unscrupulous banking practices. Through community outreach efforts and technical assistance, the FDIC encourages lenders to work with members of their local communities in meeting the communities' credit needs and to serve the unbanked and underbanked members of their communities. Specific challenges include:
Safeguarding the Privacy of Consumer Information: The FDIC implements regulations and conducts regularly scheduled examinations to verify that institutions comply with laws designed to protect personal information, which serve to guard against the growing threat of identity theft. The FDIC evaluates the adequacy of financial institutions' programs for securing customer data and may pursue informal or formal supervisory action if it finds a deficiency. Banks are increasingly using third-party servicers to provide support for core information and transaction processing functions and these servicers may operate domestically or abroad. Notwithstanding such reliance, the obligations of a financial institution to protect the privacy and security of customer information under U.S. laws and regulations remain in full effect. Thus, an added challenge for the Corporation in examining and enforcing compliance with consumer privacy and protection laws exists because the FDIC expects institutions to effectively manage the risks and adequately oversee the third-party service providers.
Promoting Fairness and Inclusion in the Delivery of Information, Products, and Services to Consumers and Communities: FDIC Chairman Bair has stressed the importance of economic inclusion and has expressed concern that market mechanisms are not working as well as they should for low-to-moderate income families who must often pay high amounts for basic financial services that others obtain at far less cost. Many people lack the financial skills needed to analyze and compare products and their prices. Oftentimes the problem is the lack of disclosures that describe a product and its true costs in fair and simple terms. Another factor could be linked to aspects of safety and soundness regulation that could unnecessarily deter banks from serving the needs of their communities or create conditions that favor high-cost products. To address these concerns, in addition to the FDIC's existing Money Smart program, the Corporation is undertaking two new initiatives—a military lending initiative and a newly created Advisory Committee on Economic Inclusion. As the Chairman has pointed out, continuing dialogue among consumer advocates, regulators, and the banking industry is key to the challenge of closing the gap between what the unbanked and underbanked pay for credit and what those in the mainstream pay. The challenge is to balance the need for regulation while avoiding inappropriate or undue interference in legitimate business activities.
Ensuring Compliance with Laws and Regulations and Follow-up on Violations: The FDIC has supervisory responsibilities for ensuring that the financial institutions it supervises comply with fair lending, disclosure, and various other consumer protection laws and regulations. The compliance examination is the primary means by which the FDIC determines the extent to which a financial institution is complying with these requirements. Over 20 consumer protection laws and related regulations are addressed by compliance examinations, including the Home Mortgage Disclosure Act, Fair Housing Act, Truth in Lending Act, Equal Credit Opportunity Act, and Fair and Accurate Credit Transactions Act. The FDIC also conducts Community Reinvestment Act examinations. The FDIC conducts visitations and investigations to review the compliance posture of newly chartered institutions coming under FDIC supervision or to follow up on an institution's progress on corrective actions. Investigations are used to follow up on a particular consumer's inquiries or complaints. The compliance program, including examination and follow-up supervisory attention on violations and other program deficiencies, helps to ensure that consumers and businesses obtain the benefits and protections afforded them by law. In instances where repeat violations occur, the FDIC must remain vigilant in ensuring appropriate corrective actions are taken.
Being Ready for Potential Institution Failures
The FDIC is responsible for the resolution of failed banks or savings associations. The Corporation is required by law to protect taxpayers by prudently managing the Deposit Insurance Fund and to protect insured depositors by using the assets of the fund to pay insured deposits at the time of institution failure. The trend toward fewer failures over the past few years changes the nature of the challenge for the FDIC. The Corporation is exploring new strategies for planning for failing and failed institutions, including large or multiple bank failures. Catastrophic events such as the multiple hurricanes that occurred during 2005—which can threaten institution stability—also underscore the need for the Corporation's readiness to respond.
Given the industry's increase in merger and acquisition activity, banks are becoming more geographically diverse and complex, and institutions are much larger than they have been historically. As a result, the FDIC could potentially face the challenge of handling a failing institution with a significantly larger number of insured deposits than it has had to in the past.
The FDIC Board is soliciting comments on proposed improvements to the process of determining the insurance status of depositors of larger institutions in the event of a failure to facilitate the related deposit insurance claims process. The FDIC has also been developing a new claims determination system. The Corporation's ability to rapidly determine the insured status of deposit accounts is essential to resolving bank failures in the most cost-effective and least disruptive manner.
Promoting Sound Governance and Managing and Protecting Human, Financial, Information Technology, Physical, and Procurement Resources
The FDIC must practice sound governance and effectively manage and utilize a number of critical strategic resources in order to carry out its mission successfully, particularly its human, financial, information technology (IT), physical, and procurement resources. The FDIC Board of Directors plays a critical role in this regard, and FDIC management has emphasized its stewardship responsibilities in its strategic planning process. A number of key management activities pose challenges to corporate leadership and managers, as discussed below:
Corporate Governance and Enterprise Risk Management: The FDIC is managed by a five-person Board of Directors, all of whom are appointed by the President and confirmed by the Senate, with no more than three being from the same political party. At least one Board member must have State bank supervisory experience. The Board includes the Directors of the Office of the Comptroller of the Currency and the Office of Thrift Supervision. Given the inevitability of relatively frequent changes in the Board make-up, it is essential that a strong and sustainable governance process is in place and that Board members have and share the information needed at all times to make sound policy and management decisions.
As an important part of its governance process, the FDIC has established a risk management and internal control program. In the spirit of OMB Circular A-123, the Corporation has committed to adopting an enterprise risk management approach to identifying and analyzing risks on an integrated, corporate-wide basis. Revised OMB Circular A-123, which became effective for fiscal year 2006, requires a strengthened process for conducting management's assessment of the effectiveness of internal control over financial reporting. The circular also emphasizes the need for agencies to integrate and coordinate internal control assessments with other internal control-related activities, and ensure that an appropriate balance exists between the strength of controls and the relative risk associated with particular programs and operations.
Human Capital Management: In the past several years, the FDIC has undergone significant restructuring and downsizing in response to changes in the industry, technological advances, and business process improvements and, as with many government agencies, the FDIC anticipates a high level of retirement in the next five years. Amidst such change, the Corporation formulated a human capital strategy to guide the FDIC through the rest of this decade. The FDIC Corporate University was created to play a key role in training, developing, and maintaining a highly skilled, professional workforce to carry out the FDIC mission. One of the initiatives it sponsors is the Corporate Employee Program, designed to help create a more adaptable permanent workforce that reflects a more collaborative and corporate approach to meeting critical mission functions. Additionally, developing new leaders and engaging in succession planning pose a challenge. In this regard, the Corporation has developed an Executive Candidate Development Program that it plans to pilot to identify high-potential employees to develop for future executive management positions. The Corporation also piloted a Talent Review Program this year that focused on executive succession management needs and executive development needs. Finally, in an age of identity theft risks, another challenge in human capital management is to maintain effective controls to protect personal employee-related information that the Corporation possesses. The appointment of a chief privacy officer and implementation of a privacy program have been positive steps in addressing that challenge.
Financial Management: The FDIC's operating expenses are largely paid from the insurance fund, and consistent with sound corporate governance principles, the Corporation must continuously seek to be efficient and cost-conscious. Because about 65 percent of the FDIC's budget costs are personnel-related, a challenge to the Corporation is to ensure that budgeted resources are properly aligned with workload. The Board approved a $1.1 billion Corporate Operating Budget for 2007, approximately 4.6 percent higher than for 2006. The approved budget provides funding for additional compliance examiners, increased employee training, enhanced IT security and privacy programs, and completion of systems changes required to support the implementation of deposit insurance reform.
With respect to capital investments, effective planning and management of IT and non-IT capital investments are mandated by Congress and by the Office of Management and Budget for most federal agencies. Although many of these laws and executive orders are not legally binding on the FDIC, the Corporation recognizes that they constitute sound business practices and has decided to voluntarily adopt them in whole, or in part. The underlying financial management challenge facing the FDIC is to carry out approved investment projects on time and within budget, while realizing anticipated benefits. The Corporation's 2007 spending on multi-year investment projects separately approved by the Board is expected to be approximately $19 million to $23 million.
The Corporation is continuing to implement its New Financial Environment, intended to meet current and future financial management and financial information needs; improve corporate financial business processes; and redirect resources from transaction processing to analysis, risk management, and decision support.
Information Technology Management: The FDIC seeks to maximize its IT resources to improve the efficiency and effectiveness of its operational processes. The Corporation operates a nationwide computing network and maintains more than 250 application systems for staff to carry out their responsibilities. To address IT management challenges, the FDIC must focus on the capital planning and investment processes for IT and maximize the effectiveness of the Chief Information Officer Council and Program Management Office, both of which play a continuing role in reviewing the portfolio of approved IT projects and other initiatives. The Corporation has also employed a new system development life cycle methodology to enhance its ability to effectively and efficiently manage IT project resources. It must also continue to enhance its Enterprise Architecture program by identifying duplicative resources/investments and opportunities for internal and external collaboration to promote operational improvements and cost-effective solutions to business requirements.
The establishment of an integrated and streamlined e-government infrastructure is a key component of the Corporation's target Enterprise Architecture (EA). In this regard, the Corporation has initiated a number of major projects designed to improve internal operations, communications, and service to members of the public, business, and other government entities. The challenge is to ensure that such projects are consistent with e-government principles and implementing guidance from the Office of Management and Budget.
IT and Physical Security: To achieve its mission, the FDIC relies on automated information systems to collect, process, and store vast amounts of banking and other sensitive information. Much of this information is used by financial regulators, academia, and the public to monitor bank performance, develop regulatory policy, and to research and analyze important banking issues. Ensuring the integrity, availability, and appropriate confidentiality of this information in an environment of increasingly sophisticated security threats and global connectivity requires a strong records management program and a correspondingly effective enterprise-wide information security program.
As a result of focused attention over the last several years, the FDIC has made significant progress in improving its information security program and practices. However, continued management attention is needed in certain key security control areas such as enterprise architecture, configuration management, access controls, and audit and accountability controls.
In light of past terrorist-related disruptions and, more recently, adverse impacts of natural disasters, the importance of corporate disaster recovery and business continuity planning has been underscored and elevated to an enterprise-wide level. The FDIC must be sure that its emergency response plans provide for the safety and physical security of its personnel and ensure that its business continuity planning and disaster recovery capability keep critical business functions operational during any emergency. Threats to public health such as a pandemic influenza could also put the Corporation's internal emergency preparedness to the test. In its role as a regulator, the Corporation has also joined with the other financial regulatory agencies in issuing an interagency advisory to financial institutions and their technology service providers to raise awareness regarding the threat of a pandemic influenza outbreak and its potential impact on the delivery of critical financial services.
Procurement Management: Over the past few years, the FDIC has increased its reliance on outsourcing for services such as IT infrastructure support, IT application system development, and facilities maintenance. As of March 2006, in fact, the value of the FDIC's active contracts totaled over $1.6 billion. The Corporation has also downsized and reduced its contracting staff over the same time frame, which has posed challenges to contract administration activities. Given this environment, effective and efficient processes and related controls for identifying needed goods and services, acquiring them, and monitoring contractors after the contract award must be in place and operate well. Also, a number of new contracting vehicles and approaches have been implemented. For example, the Corporation combined approximately 40 IT-related contracts into one contract with multiple vendors for a total program value of $555 million over ten years. Also, for the first time, the FDIC is using a large technical infrastructure contract through the General Services Administration (GSA) valued at over $340 million. Along with the expected benefits of these contracts come challenges. The Corporation has not previously outsourced a procurement process to GSA, and both new contracts are performance-based, requiring different oversight mechanisms and strategies than the time and materials contracts that the Corporation has historically used.
9 Under the Reports Consolidation Act, the OIG is required to identify the most significant management and performance challenges facing the Corporation and provide its assessment to the Corporation for inclusion in its annual performance and accountability report (annual report). The OIG conducts this assessment yearly and identifies a number of specific areas of challenge facing the Corporation at the time.