2007 Annual Report


VI. Appendix C - Office of Inspector General's Assessment of the Management and Performance Challenges Facing the FDIC

2008 Management and Performance Challenges
The following discussion reflects the Office of Inspector General's view of the management and performance challenges facing the FDIC as it works to accomplish its mission in the coming year. Overall, and as discussed in more detail below, these challenges primarily exist due to significant changes impacting the Corporation—changes in the economy, including systemic risk caused by subprime mortgage lending; the financial services industry; the characteristics of today's depository institutions, including the existence of many more large, complex banks; the regulatory arena; lending practices; information technology; and the examination processes, work environment, and priorities of the FDIC. Key elements in addressing these challenges are cooperation, coordination, and communication among federal and state banking regulators; the Congress; others in the financial services industry, both domestically and abroad; and the public. Such activities need to be complemented by a vigilant, well trained and prepared FDIC workforce that is fully engaged in insurance and supervisory programs and other supporting processes that identify and address risky products, practices, and activities that can threaten the viability of the insurance fund, harm consumers, and undermine stability and public confidence in the banking system. Likewise, in light of the existence of more large, complex banks, the FDIC must ensure that it has the necessary skills, processes, and systems to carry out its resolution mission in the event that such a bank would fail.

In our view, the FDIC is fully committed to addressing these challenges and has many actions underway in that regard. The OIG is prepared to continue to work with our corporate colleagues throughout the coming year to assist them in successfully doing so.

Identifying and Mitigating Risks to the Deposit Insurance Fund
As of the end of the third quarter of 2007, the Deposit Insurance Fund balance was $51.8 billion. The FDIC insured $4.241 trillion in deposits in 8,571 institutions. Of these FDIC-insured institutions, as of September 30, 2007, the 10 largest ones controlled almost 46 percent of the total assets of all insured financial institutions. The FDIC is the primary federal regulator for none of these institutions but is responsible for insuring their deposits and for resolution in the unlikely event of failure of one or more of these institutions. The Corporation is also working to maintain strong regulatory capital standards under the Basel accord and has been implementing legislated reforms to deposit insurance. The Corporation also continues to address matters related to industrial loan companies and to address potential risks that a volatile economy can pose to the fund. Finally, the Corporation has taken on a leadership role as it works with other governments implementing or strengthening deposit insurance around the world. Given these circumstances, the Corporation faces a number of challenges:

Assessing and Managing Risks in Large Banks
The Corporation must ensure it has ready access to the information it needs to effectively identify and assess risks that large institutions, including those it does not supervise, pose to the Deposit Insurance Fund (DIF). Effective communication and coordination with the other primary federal banking regulators is central to the Corporation's ability to meet this challenge. Moreover, given the inherent complexity of these large institutions, the FDIC must have or develop the capability to assess and fully understand the risks associated with these institutions, which are different from those found in the smaller banks with which the FDIC has historical experience. To strengthen its oversight of large institutions, the Corporation has implemented some key programs: the Large Insured Depository Institutions program, Dedicated Examiner program, and Off-site Review program. The FDIC also participates with the other federal regulators in the Shared National Credit program. The FDIC is also emphasizing liquidity management due to uncertainties in the financial markets area from the subprime mortgage turmoil.

Maintaining Strong Regulatory Capital Standards
The FDIC and other federal banking agencies agreed to finalize rules implementing Basel II advanced capital requirements for large, complex banks. The agreement contains important safeguards against unrestrained reductions in risk-based capital requirements for these large institutions. It also provides for the development in the U.S. of the Basel II standardized approach as an option for other banks. The FDIC must continue its work in this realm to ensure strong regulatory capital standards.

Implementing New Deposit Insurance Regulations
On February 6, 2006, President Bush signed into law the Federal Deposit Insurance (FDI) Reform Act of 2005. The FDI Reform Conforming Amendments Act of 2005, enacted on February 15, 2006, contains necessary technical and conforming changes to implement deposit insurance reform as well as a number of study and survey requirements. In 2006, the Board adopted a number of final rules implementing specific reforms concerning the one-time assessment credit, risk-based assessments, the designated reserve ratio, and put in place a temporary rule for dividends. In 2007, the Corporation made significant changes to its IT systems and business processes in order to prepare invoices and collect assessments in accordance with the new risk-based assessment and credit rules. In September 2007, the Board adopted an advance notice of proposed rulemaking seeking comment on alternative approaches to allocate dividends. In 2008, the FDIC expects to publish proposed and final dividend rules to replace the temporary rule, which will sunset at the end of this year. Also in 2008, the Corporation will continue to modify as necessary the processes and systems implementing the new rules and to begin evaluating the effectiveness of the new assessment methods and processes. Finally, for both 2007 and 2008, the Board adopted a designated (target) reserve ratio of 1.25 percent, which has resulted in the need to set risk-based assessment rates above the base rate schedule in order to gradually raise the reserve ratio to the target.

Granting Insurance to Industrial Loan Companies
In January 2007, the FDIC Board of Directors voted to continue for one year a moratorium on applications for deposit insurance and change in control notices for industrial loan companies (ILCs) that will be owned by commercial companies. The moratorium does not apply to ILCs owned by financial companies. The Board also issued a proposed rule to strengthen the framework for consideration of applications or notices for industrial banks owned by financial companies not subject to federal consolidated bank supervision. According to FDIC Chairman Bair, the growth in commercial ownership of ILCs raises public policy concerns. The moratorium would provide Congress an opportunity to address the issue legislatively while the FDIC considers how best to respond to any safety and soundness issues surrounding commercial ownership under existing law. This area will continue to require FDIC attention.

Serving as a Model for Deposit Insurers and Bank Supervisors Around the World
Deposit insurance helps maintain financial stability—on a national or international scale—in times of economic stress. Increasingly, the Corporation is playing a leadership role in the global arena as foreign governments look to the FDIC as a model for establishing or strengthening their systems of deposit insurance and bank supervision. For example, in August 2007, the FDIC and the People's Republic of China signed a Memorandum of Understanding (MOU) forging an international working relationship to develop and expand methods of interaction on economic and financial issues. The MOU is a positive step in establishing a deposit insurance system in China. In November 2007, an MOU was signed with the Korean Deposit Insurance Corporation (KDIC), which provides for a KDIC employee to be temporarily assigned to the FDIC. The FDIC is joining others in the International Association of Deposit Insurers (IADI) to help strengthen the role of deposit insurance around the world. In 2007, FDIC Vice Chairman Gruenberg was elected to serve as Chairman of the Executive Council and President of the IADI. The FDIC was also elected as the North American Region Board member for the Association of Supervisors of Banks in the Americas (ASBA), providing leadership to several ASBA working groups and instruction for ASBA operational risk management courses. The FDIC may face new challenges as it expands its role in these types of international activities.

Ensuring Institution Safety and Soundness Through Effective Examinations, Enforcement, and Follow-Up
Effective supervision is a cornerstone of the FDIC's efforts to ensure stability and public confidence in the nation's financial system. As of the third quarter 2007, the FDIC was the primary federal regulator for more than 5,200 institutions. The FDIC performs risk management, information technology, trust, and other types of examinations of FDIC-supervised insured depository institutions. (See also a discussion of compliance examinations under Protecting and Educating Consumers and Ensuring Compliance Through Effective Examinations, Enforcement, and Follow-up.) As part of risk management examinations, the FDIC also ensures that institutions comply with the regulatory requirements of the Bank Secrecy Act. The Corporation's system of supervisory controls must identify and effectively address financial institution activities that are unsafe, unsound, illegal, or improper. Specific challenges related to this core FDIC function include:

Maintaining an Effective Examination and Supervision Program
The FDIC has adopted a risk-focused approach to examinations to minimize regulatory burden and direct its resources to those areas that carry the greatest potential risk. At the end of the year, the FDIC Chairman voiced her support and trust in examiner judgment; announced elimination of the Maximum Efficiency, Risk-Focused, Institution Targeted (MERIT) examination program; and recommended other changes to the examination program to allow examiners more flexibility in planning and conducting examinations. Further details on the changes to this core FDIC function will be forthcoming and will likely have a significant impact on the FDIC's examination workforce, which is expected to total 1,808 by the end of 2008 (1,423 risk management examiners; 385 compliance examiners). Examiners today work in an environment where risk may be increasingly difficult to ascertain and quantify, for example as a result of the lack of financial statement transparency that derives from off-bank balance sheet liabilities at a time when, for instance, the FDIC increasingly employs off-site monitoring. The FDIC must also ensure that financial institutions have adequate corporate governance structures relative to the bank's size, complexity, and risk profile to prevent financial losses and maintain confidence in those entrusted with operating the institutions. The FDIC's follow-up processes must be effective to ensure institutions are promptly complying with supervisory actions resulting from the FDIC's examination process. The FDIC Board approved an increase in authorized staffing from 4,716 in 2007 to 4,810 for 2008, primarily for additional bank examiners, including the rehiring of retired examiners to return to the FDIC temporarily in the interest of ensuring an examination workforce with the breadth of experience needed to detect risk management concerns during the examination process.

Identifying and Addressing Risks Related to Consumer Debt
The past several years have been marked by increased participation in the mortgage market by providers other than insured banks and thrift institutions. About half of subprime mortgage originations in 2005 and 2006 were carried out by companies that were not subject to examination by a federal supervisor. The use of securitization as a funding method also has changed the financial system by moving large volumes of assets off the balance sheets of federally insured financial institutions. As industry practices changed, a number of risk management fundamentals were seemingly ignored or weakened. Practices such as limited or no income verification, faulty appraisals, risk layering through combinations of loan products, and no money down or interest-only loan products all serve to heighten risk when combined with the ability to securitize and sell the loans. Lax lending standards and inadequate consumer protections resulted in widespread failure to underwrite loans to borrowers based on the borrowers' ability to pay at the fully indexed rate. As the Chairman pointed out in December 2007, there are an estimated 1.7 million owner-occupied subprime hybrid adjustable rate mortgages, with outstanding balances of $367 billion, that are scheduled to have their interest rates reset in 2008 and 2009. The impact of poor underwriting practices has spread throughout the economy, harming consumers and investors while creating volatility in the financial markets. The FDIC is working with other regulators in urging banks and mortgage servicers to restructure loans, as feasible, to avoid foreclosures and keep consumers in their homes. The full ramifications of the troubled subprime mortgage market have yet to be seen, and the months ahead will be challenging ones. Similar concerns related to other consumer debt such as credit card lending may also require focused FDIC attention in the future.

Contributing to Public Confidence in Insured Depository Institutions

Guarding Against Financial Crimes in Insured Institutions
All financial institutions are at risk of being used to facilitate or being victimized by criminal activities including money laundering and terrorist financing. Such activities serve to undermine public confidence in the nation's financial system. The Corporation's challenge is to develop and implement programs and activities to minimize the extent to which the institutions it supervises are involved in or victims of financial crimes and other abuse. Increased reliance by both financial institutions and non-financial institution lenders on third-party brokers has also created opportunities for increased real-estate frauds, including certain property flipping schemes and other mortgage frauds. Examiners must be alert to the possibility of multiple types of fraudulent activity in financial institutions, and make good use of reports, information, and other resources available to them to help detect such fraud.

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), enacted on October 26, 2001, was passed by the United States Congress in response to the September 11, 2001 attacks and made a number of amendments to the anti-money laundering provisions of the Bank Secrecy Act (BSA). Congress found that money laundering "provides the financial fuel that permits transnational criminal enterprises to conduct and expand their operations to the detriment of the safety and security of American citizens" and that it is critical to the financing of global terrorism and terrorist attacks. Accordingly, FDIC examiners play an important role in ensuring that the institutions for which they serve as primary federal regulator comply with the Act.

Part of the FDIC's overall responsibility and authority to examine banks for safety and soundness relates to compliance with the BSA, which requires financial institutions to keep records and file reports on certain financial transactions. FDIC-supervised institutions must establish and maintain procedures to comply with BSA requirements. An institution's level of risk for potential terrorist financing and money laundering determines the necessary scope of the BSA examination. In a related vein, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) promulgates, develops, and administers economic and trade sanctions such as trade embargoes, blocked assets controls, and other commercial and financial restrictions under the provisions of various laws. Generally, OFAC regulations prohibit financial institutions from engaging in transactions with the governments of, or individuals or entities associated with, foreign countries against which federal law imposes economic sanctions. A challenge for the FDIC is to provide effective oversight of FDIC-supervised institutions' compliance with BSA and OFAC regulations.

In its supervisory capacity, the FDIC also analyzes data security threats, occurrences of bank security breaches, and incidents of electronic crime that involve financial institutions. Despite generally strong controls and practices by financial institutions, new methods for stealing personal data and committing fraud with that data continue to emerge. The FDIC needs to continue its work to ensure the security of customer data against such criminal activity to help maintain the public's trust and confidence in the banking system.

Protecting and Educating Consumers and Ensuring Compliance Through Effective Examinations, Enforcement, and Follow-up
The FDIC protects consumers by overseeing a variety of statutory and regulatory requirements aimed at safeguarding consumer privacy and preventing unfair or deceptive practices involving FDIC-supervised institutions. Through community outreach efforts and technical assistance, the FDIC educates consumers and encourages lenders to work with members of their local communities in meeting the communities' credit needs and to serve the unbanked and underbanked members of their communities. Specific challenges include:

Safeguarding the Privacy of Consumer Information
The FDIC conducts periodic examinations to verify that institutions comply with laws designed to protect personal information. The FDIC evaluates the adequacy of financial institutions' programs for securing customer data and may pursue informal or formal supervisory action if it finds a deficiency. As an added challenge, banks are increasingly using third-party servicers to provide support for core information and transaction processing functions, and these servicers may operate domestically or abroad. The obligations of a financial institution to protect the privacy and security of customer information under U.S. laws and regulations remain in full effect.

Promoting Fairness and Inclusion in the Delivery of Information, Products, and Services to Consumers and Communities
FDIC Chairman Bair has stressed the importance of economic inclusion and has voiced concern that market mechanisms may not work as well as they should for low-to-moderate income families who must often pay relatively higher amounts for basic financial services that others obtain at far less cost. Many people lack the financial skills needed to analyze and compare products and their prices or to understand disclosures that describe a product and its true costs. As the Chairman has pointed out, continuing dialogue among consumer advocates, regulators, and the banking industry is key to the challenge of closing the gap between what the unbanked and underbanked pay for credit and what those in the mainstream pay. An additional challenge is to balance the need for regulation with undue interference in legitimate business activities.

Ensuring Compliance with Laws and Regulations and Follow-up on Violations
The FDIC's compliance program, including examinations, visitations, and follow-up supervisory attention on violations and other program deficiencies, is critical to ensuring that consumers and businesses obtain the benefits and protections afforded them by law. The compliance examination is the primary means by which the FDIC determines the extent to which a financial institution complies with more than 20 consumer protection laws and related regulations. The FDIC also conducts Community Reinvestment Act (CRA) examinations in accordance with the Community Reinvestment Act, a 1977 law intended to encourage insured banks and thrifts to help meet the credit needs of the communities in which they are chartered to do business, including low- and moderate-income neighborhoods, consistent with safe and sound operations.

Additionally, the Real Estate Settlement Procedures Act of 1974 (RESPA) is applicable to all federally-related mortgage loans, except for certain types of loans which are exempted. Although overall authority for RESPA compliance and enforcement remains with the Department of Housing and Urban Development, the FDIC and other federal banking agencies examine financial institutions for compliance. There is significant risk in this area due to downturns in the residential real estate market, which could cause mortgage lenders to be more aggressive in their lending practices; anticipation of large restructuring and refinancing of nontraditional real estate loans in the near future; and the need to determine whether financial institutions are providing adequate disclosure to ensure consumers understand the types of real estate loans they are obtaining.

As with risk management examinations discussed earlier, the changes that the Chairman announced at the end of 2007 will have a definite impact on the FDIC's compliance examination activities as well and will pose new challenges. Among those changes, the Chairman indicated that rules associated with report of examination content would be eliminated and workpaper requirements would be altered, with the report of examination becoming the principal document of record.

Visitations are an important means of reviewing the compliance posture of newly chartered institutions coming under FDIC supervision or for following up on an institution's progress on corrective actions. Investigations are used to follow up on a particular consumer's inquiries or complaints. In instances where repeat violations occur, the FDIC must remain vigilant in ensuring appropriate corrective actions are taken.

Being Ready for Potential Insured Institution Failures
The FDIC is responsible for the resolution of failed banks or savings associations and needs to be ready for the resolution of any institution that fails, regardless of size. The challenge is especially great if a large and complex bank fails. By carefully managing the Deposit Insurance Fund, the FDIC can protect insured depositors by using fund assets to pay insured deposits at the time of institution failure. After a relatively long period during which no banks failed, the FDIC was appointed receiver of Metropolitan Savings Bank, Pittsburgh, Pennsylvania on February 2, 2007. Metropolitan was the first FDIC-insured institution to fail since June 25, 2004. Metropolitan's failure was followed by two additional closings: NetBank, FSB, Alpharetta, Georgia, a $2.2 billion Internet bank on September 28, 2007, and Miami Valley Bank, a $92.6 million institution in Lakeview, Ohio, which failed on October 4, 2007.

In total, the FDIC insures more than 8,560 commercial banks and savings institutions, which together hold more than $12 trillion in assets. While over 90 percent of U.S. banks and thrifts are small community-based institutions, the 25 largest banking organizations hold about 71 percent of the industry's assets. Thus, the FDIC could face the challenge of handling a failing institution with a significantly larger number of insured deposits than it has had to in the past. In recent history, the largest number of deposit accounts in a failed institution for which the FDIC had to make an insurance determination was about 175,000 for NetBank, referenced above. Today, however, some of the larger banks have more than 50 million deposit accounts.

The Corporation's ability to rapidly and accurately determine the insured status of deposit accounts is essential to resolving bank failures in the most cost-effective and least disruptive manner and preserving the public's confidence in the FDIC. To that end, the Corporation needs to continue to explore new strategies and ensure corporate readiness to handle failing and failed institutions, including large or multiple bank failures. It needs to do so in light of past FDIC downsizing activities--which could prove especially burdensome for current receivership and resolutions staff; corresponding loss of institutional knowledge and expertise; and the relative lack of recent experience with failed banks.

The FDIC is focusing on developing a strategy for closing a very large, non-systemic bank. In that connection, the Corporation has conducted a Strategic Readiness Simulation and plans others to simulate and stress the FDIC's decision-making processes, strategies, and planning for a large bank failure. The FDIC also has an ongoing initiative to modernize the way it determines the insurance status of depositors in the event of failure by streamlining its business processes and modernizing the internal systems used to facilitate a deposit insurance determination through improved use of current technology. This includes developing and implementing a new insurance determination system by 2009 called the Claims Administration System (CAS), which will provide an integrated solution that will meet the current and future deposit insurance determination needs of the FDIC. These are all positive steps, yet the Corporation faces significant challenges in ensuring that it has the requisite resources and expertise to efficiently and effectively resolve failed banks, completing contingency resolution plans, and implementing the CAS system.

Promoting Sound Governance and Managing and Protecting Human, Financial, Information Technology, Physical and Procurement Resources
The FDIC must practice sound governance and risk mitigation practices and effectively manage a number of critical strategic resources in order to carry out its mission successfully, particularly its human, financial, information technology (IT), physical, and procurement resources. A number of key management activities pose challenges to corporate leadership and managers, as discussed below:

Corporate Governance and Enterprise Risk Management
The FDIC is managed by a five-person Board of Directors, all of whom are appointed by the President and confirmed by the Senate, with no more than three being from the same political party. At least one Board member must have State bank supervisory experience. The Board includes the Comptroller of the Currency and the Director of the Office of Thrift Supervision. Given the relatively frequent changes in the Board make-up, it is essential that strong and sustainable governance and communication processes are in place throughout the FDIC and that Board members possess and share the information needed at all times to understand existing and emerging risks and make sound policy and management decisions.

Enterprise risk management (ERM) is a key component of governance. The FDIC's numerous enterprise risk management activities need to consistently identify, analyze, and mitigate operational risks on an integrated, corporate-wide basis. Additionally, such risks need to be communicated throughout the Corporation and the relationship between internal and external risks and related risk mitigation activities should be understood by all involved. To that end, the FDIC plans to develop a more comprehensive blueprint to enhance coordination among the various committees and groups that contribute to ERM.

Human Capital Management and Employee Engagement
The FDIC has undergone significant restructuring and downsizing in response to changes in the industry, technological advances, and business process improvements and, as with many government agencies, the FDIC anticipates a high level of retirement in the next 5 years. The Corporation needs to continue to focus on ensuring that employees have the necessary skill sets to address the issues confronting the FDIC now and into the future—oftentimes issues that are extremely complex and technically challenging. Further, with a large number of employees eligible to retire, succession planning efforts are key to ensuring that institutional knowledge is maintained and a new group of FDIC employees is well prepared to carry out the corporate mission going forward.

In the interest of making the FDIC an employer of choice, increasing FDIC employee engagement and empowerment, enhancing trust between FDIC managers and employees, and refining the Corporation's pay-for-performance system, the Chairman of the FDIC spearheaded a comprehensive employee survey that was carried out by an independent consulting group. The Chairman is committed to effecting necessary changes based on the results of the survey, as evidenced by her announcement regarding improvements to the pay-for-performance program for pay determinations due in early 2008. In the upcoming months, many in the Corporation will be challenged as they take steps to address the concerns and issues identified in the employee engagement survey.

Finally, in an age of identity theft risks, another human capital management challenge is to maintain effective controls to protect personal employee-related information that the Corporation possesses. The appointment of a chief privacy officer and implementation of a privacy program have been positive steps in addressing that challenge. Further, the FDIC has established a process for conducting privacy impact assessments of its information systems containing personally identifiable information (PII) that is consistent with relevant privacy-related policy, guidance, and standards. The FDIC is making progress towards completing initiatives to safeguard its PII and related systems consistent with privacy-related statutes, policies, and guidelines. The FDIC recognizes that implementing effective measures to protect PII will require a sustained effort.

Financial Management
As referenced above, the Deposit Insurance Fund totals $51.8 billion. Given such magnitude, FDIC investment policies must require that these funds be invested in accordance with applicable requirements and sound investment strategies. The Board approved a $1.14 billion 2008 Corporate Operating Budget, approximately 3.1 percent higher than for 2007. The FDIC's operating expenses are largely paid from the insurance fund, and consistent with sound corporate governance principles, the Corporation must continuously seek to be efficient and cost-conscious. The FDIC uses its New Financial Environment to better manage and track costs across the Corporation.

With respect to capital investments, effective planning and management of information technology (IT) and non-IT capital investments are mandated by Congress and by the Office of Management and Budget for most federal agencies. Although many of these laws and executive orders are not legally binding on the FDIC, the Corporation recognizes that they constitute sound business practices and has decided to voluntarily adopt them in whole, or in part. The FDIC is taking steps to help ensure that approved investment projects are executed on time and within budget, and that they realize anticipated benefits.

Information Technology Management
To address IT management challenges, the FDIC must focus on the capital planning and investment processes for IT and maximize the effectiveness of the Chief Information Officer Council and Project Management Office, both of which play an important role in reviewing the portfolio of approved IT projects and other initiatives. FDIC processes in this area are at varying degrees of maturity and the Corporation has activities underway and planned to further strengthen its processes to optimize IT capital investments. It must continue to enhance its Enterprise Architecture (EA) program by identifying duplicative resources/investments and opportunities for internal and external collaboration to promote operational improvements and cost-effective solutions to business requirements. Further, the FDIC should continue to focus attention on improving cost estimation; building project management skills; implementing project management process improvements related to project planning, coordination, and reporting; and establishing procedures to ensure that post-project recommendations, best practices, and lessons learned are integrated into the governance process. Making sound IT business decisions while containing IT costs to the fullest extent possible will continue to challenge corporate officials.

The establishment of an integrated and streamlined e-government infrastructure is a key component of the Corporation's target EA. In this regard, the Corporation has initiated a number of major projects designed to improve internal operations, communications, and service to members of the public, business, and other government entities. The challenge is to ensure that such projects are consistent with e-government principles and implementing guidance from the Office of Management and Budget.

IT and Physical Security
The FDIC relies on automated information systems to collect, process, and store vast amounts of banking and other sensitive information. Much of this information is used by financial regulators, academia, and the public to monitor bank performance, develop regulatory policy, and research and analyze important banking issues. Ensuring the integrity, availability, and appropriate confidentiality of this information in an environment of increasingly sophisticated security threats and global connectivity requires a strong records management program and a correspondingly effective enterprise-wide information security program. The Corporation has made significant progress in improving its information security and privacy program and practices. However, as shown in our annual evaluation under the Federal Information Security Management Act, continued management attention is needed in certain key security control areas. These include: access control; identification and authentication; certification, accreditation, and security assessments; risk assessment; personnel security; and audit and accountability.

The FDIC must be sure that its emergency response plans provide for the safety and physical security of its personnel and ensure that its business continuity planning and disaster recovery capability keep critical business functions operational during any emergency. Threats to public health, such as pandemic influenza, could also put the Corporation's internal emergency preparedness to the test. In this regard, it is important that the Corporation follow through on its planned completion of a Pandemic Influenza Preparedness Plan by April 2008.

Procurement Management
According to the Corporation's New Financial Environment data, the FDIC had $1.52 billion in outstanding contracts as of December 31, 2007, and awarded approximately $379 million in contracts during 2007. Over the past few years, the FDIC has increased its reliance on outsourcing for services such as IT infrastructure support, IT application system development, and facilities maintenance. Additionally, the Corporation negotiated certain "non-federal" employee benefits with the National Treasury Employees Union as part of the 2006-2009 Compensation Agreement. The FDIC has established agreements with benefits service providers to support its employee benefits program. The Corporation has also downsized and reduced its contracting staff over the same time frame, which has posed challenges to contract administration activities. Given this environment, effective and efficient processes and related controls for identifying needed goods and services, acquiring them, and monitoring contractors after the contract award must be in place and operate well. Such attention will serve the Corporation well as it plans for its 2009 reprocurement of IT infrastructure support services, one of its largest procurements. Also, a number of new contracting vehicles and approaches have been implemented requiring different oversight mechanisms and strategies and increasing the need for the FDIC to complete revisions to its acquisition policies that reflect the current procurement environment.



Last Updated 05/05/2008 communications@fdic.gov