2015 Annual Report
C. OFFICE OF INSPECTOR GENERAL’S ASSESSMENT OF THE MANAGEMENT AND PERFORMANCE CHALLENGES FACING THE FDIC
Under the Reports Consolidation Act of 2000, the Office of Inspector General (OIG) identifies the management and performance challenges facing the FDIC and provides its assessment to the Corporation for inclusion in the FDIC’s annual performance and accountability report. In doing so, we keep in mind the FDIC’s overall program and operational responsibilities; financial industry, economic, and technological conditions and trends; areas of congressional interest and concern; relevant laws and regulations; the Chairman’s priorities and corresponding corporate goals; and ongoing activities to address the issues involved. The OIG believes that the FDIC faces challenges in the critical areas listed below, a number of which carry over from last year. These challenges will continue to occupy much of the Corporation’s attention and require its sustained focus for the foreseeable future.
Carrying Out Dodd-Frank Act Responsibilities
The Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) created a comprehensive new regulatory and resolution framework designed to avoid the severe consequences of financial instability. Title I of the Dodd-Frank Act provides tools for regulators to impose enhanced supervision and prudential standards on systemically important financial institutions (SIFI). Title II provides the FDIC with a new orderly liquidation authority for SIFIs, subject to a systemic risk determination by statutorily designated regulators. The FDIC has made progress toward implementing its systemic resolution authorities under the Dodd-Frank Act, in large part due to the efforts of an active cross-divisional working group composed of senior FDIC officials, but challenges remain. These challenges involve the FDIC fulfilling its insurance, supervisory, receivership management, and resolution responsibilities as it meets the requirements of the Dodd-Frank Act. These responsibilities are cross-cutting and are carried out by staff throughout the Corporation’s headquarters and regional divisions and offices, including in the Office of Complex Financial Institutions (OCFI), an office established in response to the Dodd-Frank Act. That office has taken steps to realign organizational responsibilities for Title I and Title II tasks in the interest of ensuring the most efficient and complementary efforts of staff involved in both. Staff members from the FDIC’s Division of Risk Management Supervision, Division of Resolutions and Receiverships (DRR), and Legal Division join OCFI in collaborative efforts and play key roles in implementing Titles I and II.
Those involved in Dodd-Frank Act activities will continue to evaluate the resolution plans submitted by the largest bank holding companies and other SIFIs under Title I, develop strategies for resolving SIFIs under Title II, work to promote cross-border cooperation for the orderly resolution of a global SIFI, and coordinate with the other regulators in developing policy to implement the provisions of the Act.
In a related vein, the FDIC will carry out risk assessments to identify supervisory, resolution, and insurance pricing-related risks in all insured depository institutions (IDIs) with more than $10 billion in assets, including those for which the FDIC is not the PFR, in addition to systemically important bank holding companies and nonbank financial companies subject to Title I of the Dodd-Frank Act.
Maintaining Strong Information Technology Security and Governance Practices
Essential to achieving the FDIC’s mission of maintaining stability and public confidence in the nation’s financial system is safeguarding sensitive information, including personally identifiable information that the FDIC collects and manages in its role as federal deposit insurer and regulator of state nonmember financial institutions. Further, as an employer, an acquirer of services, and a receiver for failed institutions, the FDIC obtains considerable amounts of sensitive information from its employees, contractors, and failed institutions. Increasingly sophisticated security risks and global connectivity have resulted in both internal and external risks to that sensitive information. Internal risks at the FDIC include errors and fraudulent or malevolent acts by employees or contractors working within the organization who may, for example, exfiltrate sensitive data from the workplaceso called “insider threats.” External threats include a growing number of cyber-based attacks that can come from a variety of sources, such as hackers, criminals, foreign nations, terrorists, and other adversarial groups. Such threats underscore the importance of a strong, enterprise-wide program that implements strategies to enhance cybersecurity within both the FDIC and the banking industry.
Going forward, a challenging priority for the FDIC will be to maintain effective communication and collaboration among all parties involved in ensuring a robust, secure information technology (IT) operating environment that meets the day-to-day and longer-term needs of the FDIC employees who depend on it. In that regard, as we pointed out in recent work under the Federal Information Security Modernization Act of 2014, the Corporation will need to ensure that the skills, training, oversight, and resource allocations pertaining to division and office information security managers enable them to successfully carry out their responsibilities. The FDIC has also relied heavily on its infrastructure services contract to support IT operations and implement security controls. If not properly managed, problems that affect the FDIC’s IT operations could ensue. In addition, given the substantial financial investment in FDIC systems and related human resources, the Corporation needs to consider the cost-effectiveness and measurable business value outcomes in its decisions to fund major IT projects to ensure effective stewardship of millions of dollars in IT investments.
The Corporation will also need to ensure that its continuity of operations and disaster recovery plans are effective in addressing the negative impacts of natural disasters or other catastrophic events that disrupt its business processes and activities and other government activities. In this regard, in 2014, the FDIC placed into operation a Sensitive Compartmented Information Facility (SCIF) to meet continuity of operations requirements for a Level 2 agency. The SCIF was constructed to standards of Intelligence Community Directive 705, Sensitive Compartmented Information Facilities. The FDIC reported that the SCIF received physical security accreditation in August 2014 and that equipment was purchased to enable communications testing and assessments planned in the future. Such a facility can help ensure the security of the FDIC’s systems and infrastructure and facilitate communications with other federal agencies if a widespread emergency occurs.
Maintaining Effective Supervisory Activities and Preserving Community Banking
The FDIC’s supervision program promotes the safety and soundness of FDIC-supervised IDIs. The FDIC is the PFR for 4,037 FDIC-insured, state-chartered institutions that are not members of the Board of Governors of the Federal Reserve System. As such, the FDIC is the lead federal regulator for the majority of community banks. We have pointed out in our past work that a key lesson from the crisis is the need for earlier regulatory response when risks are building. Even now, for example, as they operate in a post-crisis environment, banks may be tempted to take additional risks, engage in imprudent concentrations, or loosen underwriting standards. Some banks are also introducing new products or lines of business or seeking new sources for non-interest income, all of which can lead to interest rate risk, credit risk, operational risk, and reputational risk. Such risks need to be managed and addressed early-on during the “good times” before a period of downturn. FDIC examiners need to identify problems, bring them to bank management’s attention, follow up on problems, bring enforcement actions as needed, and be alert to such risks as Bank Secrecy Act and anti-money-laundering issues. In doing so, the Corporation needs to execute its supervisory authority in a fair, consistent manner. With respect to important international concerns, the FDIC also needs to support development of sound global regulatory policy through participation on the Basel Committee on Bank Supervision and other related sub-groups.
In light of technological changes, increased use of technology service providers (TSP), new delivery channels, and cyber threats, the FDIC’s IT examination program needs to be proactive and bankers and Boards of Directors need to ensure a strong control environment and sound risk management and governance practices in their institutions. Importantly, with respect to TSPs, one TSP can service hundreds or even thousands of financial institutions, so that the impact of security incidents in one TSP can have devastating ripple effects on those institutions. Controls need to be designed not only to protect sensitive customer information at banks and TSPs, but also to guard against intrusions that can compromise the integrity and availability of operations, information and transaction processing systems, and data. Given the complexities of the range of cyber threats, the FDIC needs to ensure its examination workforce has the needed expertise to effectively carry out its IT examination responsibilities.
The FDIC has tried over the past year to enhance the Corporation’s IT supervision program for FDIC-supervised institutions and TSPs to focus on information security, cybersecurity, and business continuity. In the coming months, the Corporation needs to continue efforts, along with the other regulators, to address these risks and use all available supervisory and legal authorities to ensure the continued safety and soundness of financial institutions and affiliated third-party entities. It also needs to ensure effective information-sharing about security incidents with regulatory parties and other federal groups established to combat cyber threats, in an increasingly interconnected world.
The FDIC Chairman continues to emphasize that one of the FDIC’s most important priorities is the future of community banks and the critical role they play in the financial system and the U.S. economy as a whole. Local communities and small businesses rely heavily on community banks for credit and other essential financial services. These banks foster economic growth and help to ensure that the financial resources of the local community are put to work on its behalf. Consolidations and other far-reaching changes in the U.S. financial sector in recent decades have made community banks a smaller part of the U.S. financial system. The FDIC has sought to identify and implement changes to improve the efficiency and effectiveness of the community bank risk management and compliance examination processes, while still maintaining supervisory standards. To ensure the continued strength of the community banks, the Corporation will also need to sustain initiatives such as ongoing research, technical assistance to the banks by way of training videos on key risk management and consumer compliance matters, and continuous dialogue with community banking groups.
Maintaining a strong examination program, conducting vigilant supervisory activities for both small and large banks, applying lessons learned, being attuned to harmful cyber threats in financial institutions and technology service providers, and preserving community banking will be critical to ensuring stability and continued confidence in the financial system going forward.
Carrying Out Current and Future Resolution and Receivership Responsibilities
One of the FDIC’s most important roles is acting as the receiver or liquidating agent for failed FDIC-insured institutions. The FDIC’s responsibilities include planning and efficiently handling the resolutions of failing FDIC-insured institutions and providing prompt, responsive, and efficient administration of failing and failed financial institutions in order to maintain confidence and stability in our financial system.
As part of the resolution process, the FDIC values a failing federally insured depository institution, markets it, solicits and accepts bids for the sale of the institution, considers the least costly resolution method, determines which bid to accept, and works with the acquiring institution through the closing process. The receivership process involves performing the closing function at the failed bank; liquidating any remaining assets; and distributing any proceeds to the FDIC, the bank customers, general creditors, and those with approved claims.
The FDIC places great emphasis on promptly marketing and selling the assets of failed institutions and terminating the receivership quickly. Although the number of institution failures has fallen dramatically since the crisis, these activities still pose challenges to the Corporation. As of December 31, 2015, DRR was managing 446 active receiverships with assets in liquidation totaling about $4.8 billion.
In addition, through purchase and assumption agreements with acquiring institutions, the Corporation has entered into shared-loss agreements (SLA). Since loss sharing began during the most recent crisis in November 2008, the Corporation has resolved 304 failures with accompanying SLAs. Under these agreements, the FDIC agrees to absorb a portion of the lossgenerally 80 to 95 percentwhich may be experienced by the acquiring institution with regard to those assets, for a period of up to ten years. The initial asset balance of the covered assets in these SLAs was $216.5 billion. As of December 31, 2015, 215 receiverships still had active SLAs, with a covered asset balance at that time of $31.5 billion.
As another resolution strategy, the FDIC entered into 35 structured sales transactions involving 43,315 assets with a total unpaid principal balance of $26.2 billion. Under these arrangements, the FDIC receiverships retain a participation interest in future net positive cash flows derived from third-party management of these assets. As of December 31, 2015, the unpaid principal balance in 34 active arrangements was $3.3 billion. The FDIC will continue to evaluate termination offers from limited liability company (LLC) managing members in deciding whether to pursue dissolution of the LLCs if in the best economic interest of the receiverships.
As time passes and recovery from the crisis continues, these risk sharing agreements will continue to wind down and certain active receiverships will be terminated. Given the substantial dollar value and risks associated with the risk-sharing activities and other receivership operations, the FDIC needs to ensure continuous monitoring and effective oversight to protect the FDIC’s financial interests.
Given improving conditions in the economy and financial system, the Corporation has reshaped its workforce and adjusted its budget and resources accordingly. Notably, in the case of the FDIC’s resolutions and receiverships workforce, authorized staffing fell from a peak of 2,460 in 2010 to authorized staffing of 756 for 2015. DRR will continue to substantially reduce its nonpermanent staff each year, based on declining workload.
These staff reductions bring with them a loss of specialized experience and expertise. As discussed in connection with the Dodd-Frank Act responsibilities, the Corporation must continue to review the resolution plans of large bank holding companies and designated nonbank holding companies to ensure their resolvability under the Bankruptcy Code, if necessary, and in cases where their failure would threaten financial stability, administer their orderly liquidation. Carrying out such activities could pose significant challenges to those remaining staff in DRR who could be called upon to lead critical resolution activities.
Ensuring the Continued Strength of the Insurance Fund
Insuring deposits remains at the heart of the FDIC’s commitment to maintain stability and public confidence in the nation’s financial system. To maintain sufficient Deposit Insurance Fund (DIF) balances, the FDIC collects risk-based insurance premiums from insured institutions and invests deposit insurance funds. In response to the Dodd-Frank Act and in the interest of protecting and insuring depositors, the Corporation has designed a long-term DIF management plan. This plan complements the Restoration Plan, which is designed to ensure that the DIF reserve ratio will reach 1.35 percent by September 30, 2020. As of September 30, 2015, the reserve ratio had reached 1.09 percent.
In the aftermath of the financial crisis, FDIC-insured institutions continue to make gradual but steady progress. Continuing to replenish the DIF in a post-crisis environment is a critical activity for the FDIC. The DIF balance had dropped below negative $20 billion during the worst time of the crisis. As of December 31, 2015, the DIF balance was $72.6 billion, an increase of $9.8 billion over the year-end 2014 balance of $62.8 billion.
While the fund is considerably stronger than it has been, the FDIC must continue to monitor the emerging risks that can threaten fund solvency in the interest of continuing to provide the insurance coverage that depositors have come to rely upon. In that regard, the FDIC will need to continue to regularly disseminate data and analysis on issues and risks affecting the financial services industry to bankers, supervisors, the public, and other stakeholders.
Given the volatility of the global markets and financial systems, new risks can emerge without warning and threaten the safety and soundness of U.S. financial institutions and the viability of the DIF. The FDIC must be prepared for such a possibility. As part of its efforts, the FDIC needs to continue collaborating with others involved in helping to ensure financial stability and protect the DIF. One important means of doing so is through participation on the Financial Stability Oversight Council, created under the Dodd-Frank Act. This Council was established to provide comprehensive monitoring of stability in the U.S. financial system by identifying and responding to emerging risks to U.S. financial stability and by promoting market discipline.
The FDIC will also be challenged to contribute to global financial stability by continuing its engagement with strategically important foreign jurisdictions and playing a leadership role in international organizations that support robust, effective deposit insurance systems, resolution programs, and bank supervision practices around the globe.
Promoting Consumer Protections and Economic Inclusion
The FDIC carries out its consumer protection role by providing consumers with access to information about their rights and disclosures that are required by federal laws and regulations. Importantly, it also examines the banks where the FDIC is the PFR to determine the institutions’ compliance with laws and regulations governing consumer protection, fair lending, and community investment. These activities require regular collaboration with other regulatory agencies. In particular, the FDIC coordinates with the Consumer Financial Protection Bureau, created under the Dodd-Frank Act, on consumer issues of mutual interest and to meet statutory requirements for consultation relating to rulemakings in mortgage lending and other types of consumer financial services and products. The FDIC will need to continue to assess the impact of such rulemakings on supervised institutions, communicate key changes to stakeholders, and train examination staff accordingly.
The FDIC continues to work with the Congress and others to ensure that the banking system remains sound and that the broader financial system is positioned to meet the credit needs of consumers and the economy, especially the needs of creditworthy households that may experience distress. One of the challenges articulated by the FDIC Chairman is to continue to increase access to financial services for the unbanked and underbanked in the United States. The Corporation will continue to develop and implement targeted strategies to expand access to mainstream financial institutions by populations that are disproportionately likely to be unbanked or underbanked. Input from the FDIC’s 2015 National Survey of Unbanked and Underbanked Households will inform those strategies. In addition, the FDIC’s Advisory Committee on Economic Inclusion, composed of bankers, community and consumer organizations, and academics, will continue to explore ways of bringing the unbanked into the financial mainstream. The FDIC’s Alliance for Economic Inclusion initiative seeks to collaborate with financial institutions; community organizations; local, state, and federal agencies; and other partners to form broad-based coalitions to bring unbanked and underbanked consumers and small businesses into the financial mainstream.
The FDIC will need to sustain ongoing efforts to carry out required compliance and community reinvestment examinations, coordinate with the other financial regulators and CFPB on regulatory matters involving financial products and services, and pursue and measure the success of economic inclusion initiatives to the benefit of the American public.
Implementing Workforce Changes and Budget Reductions
During the 2015 planning and budget process, the Corporation reassessed its current and projected workload along with trends within the banking industry and the broader economy. Based on that review, the FDIC expects a continuation of steady improvements in the global economy, a small number of insured institution failures, gradual reductions in post-failure receivership management workload, and significant further reductions in the number of 3-, 4-, and 5-rated institutions. While the FDIC will continue to need some temporary and term employees over the next several years to complete the residual workload from the financial crisis, industry trends confirm that there will be a steadily decreasing need for nonpermanent employees over the next several years.
Given those circumstances, the FDIC Board of Directors approved a $2.32 billion Corporate Operating Budget for 2015, 3.0 percent lower than the 2014 budget. In conjunction with its approval of the 2015 budget, the Board also approved an authorized 2015 staffing level of 6,886 positions, down from 7,200 previously authorized, a net reduction of 314 positions. This was the fifth consecutive reduction in the FDIC’s annual operating budget.
As conditions improve throughout the industry and the economy, the FDIC will continue its efforts to achieve the appropriate level of resources; at the same time, however, it needs to remain mindful of ever-present risks and other uncertainties in the economy that may prompt the need for additional resources and new skill sets and expertise that may be challenging to obtain. The need for these new skill sets comes at a time when the Corporation is focusing on succession management, in light of a substantial number of FDIC staff who are retiring. In that regard, the FDIC is continuing to work toward integrated workforce development processes as it seeks to bring on the best people to meet its changing needs and priorities, and do so in a timely manner. Most recently, the Corporation has emphasized its Workforce Development Initiative as a means of fulfilling the FDIC’s future leadership and workforce capability needs.
The FDIC has long promoted diversity and inclusion initiatives in the workplace. Section 342 of the Dodd-Frank Act reiterates the importance of standards for assessing diversity policies and practices and developing procedures to ensure the fair inclusion and utilization of women and minorities in the FDIC’s contractor workforce. The Dodd-Frank Act also points to the Office of Minority and Women Inclusion as being instrumental in diversity and inclusion initiatives within the FDIC working environment. This office needs to ensure that it has the proper staff, expertise, and organizational structure to successfully carry out its advisory responsibilities to ensure diversity and inclusion throughout the Corporation.
The FDIC needs to sustain its emphasis on fostering employee engagement and morale on the part of all staff in headquarters, regions, and field locations. Its diversity and inclusion goals and initiatives, Workplace Excellence Program, and Workforce Development Initiative are positive steps in that direction and should continue to help create a workplace that promotes diversity and equal opportunity.
Ensuring Effective Enterprise Risk Management Practices
Enterprise risk management is a critical aspect of governance at the FDIC. Notwithstanding a stronger economy and financial services industry, the FDIC’s enterprise risk management framework and related activities need to be attuned to emerging risks, both internal and external to the FDIC that can threaten key business processes and corporate success. As evidenced in the challenges discussed above, certain difficult issues may fall within the purview of a single division or office, while others are cross-cutting within the FDIC, and others involve coordination with the other financial regulators and other external parties. The Corporation needs to maintain effective controls, mechanisms, and risk models that can address a wide range of concernsfrom specific, everyday risks such as those posed by personnel security practices and records management activities, for example, to the far broader concerns of the ramifications of an unwanted and harmful cyber attack or the failure of a large bank or systemically important financial institution.
The Corporation’s stakeholdersincluding the Congress, American people, media, and others expect effective governance, sound risk management practices, and vigilant regulatory oversight of the financial services industry. The Corporation needs to maintain the trust and confidence that it has instilled over the years. The FDIC Board of Directors, senior management, and individuals at every working level throughout the FDIC need to understand current and emerging risks to the FDIC mission and be prepared to take necessary steps to mitigate those risks as changes occur and challenging scenarios that can undermine the FDIC’s short- and long-term success present themselves.