Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

2016 Annual Report

I. Management’s Discussion and Analysis

The Year in Review

SUPERVISION

Supervision and consumer protection are cornerstones of the FDIC’s efforts to ensure the stability of, and public confidence in, the nation’s financial system. The FDIC’s supervision program promotes the safety and soundness of FDIC-supervised financial institutions, protects consumers’ rights, and promotes community investment initiatives.

Examination Program

The FDIC’s strong bank examination program is the core of its supervisory program. As of December 31, 2016, the FDIC was the primary federal regulator (PFR) for 3,790 FDIC-insured, state-chartered institutions that were not members of the Federal Reserve System [generally referred to as “state nonmember” (SNM) institutions]. Through risk management (safety and soundness), consumer compliance and the Community Reinvestment Act (CRA), and other specialty examinations, the FDIC assesses an institution’s operating condition, management practices and policies, and compliance with applicable laws and regulations.

As of December 31, 2016, the FDIC conducted 1,727 statutorily required risk management examinations and all required follow-up examinations for FDIC-supervised problem institutions within prescribed time frames. The FDIC also conducted 1,311 statutorily required CRA/compliance examinations (709 joint CRA/compliance examinations, 594 compliance-only examinations, and 8 CRA-only examinations). In addition, the FDIC performed 3,854 specialty examinations (which include reviews for Bank Secrecy Act (BSA) compliance) within prescribed time frames. The table below compares the number of examinations conducted, by type, from 2014 through 2016.

FDIC EXAMINATIONS 2014-2016

| Examination Type | 2016 | 2015 | 2014 |
|---|---|---|---|
| Risk Management (Safety and Soundness): | | | |
| State Nonmember Banks | 1,563 | 1,665 | 1,881 |
| Savings Banks | 164 | 206 | 206 |
| State Member Banks | 0 | 0 | 0 |
| Savings Associations | 0 | 0 | 0 |
| National Banks | 0 | 0 | 0 |
| Subtotal – Risk Management Examinations | 1,727 | 1,871 | 2,087 |
| CRA/Compliance Examinations: | | | |
| Compliance/Community Reinvestment Act | 709 | 859 | 1,019 |
| Compliance-only | 594 | 478 | 376 |
| CRA-only | 8 | 10 | 11 |
| Subtotal – CRA/Compliance Examinations | 1,311 | 1,347 | 1,406 |
| Specialty Examinations: | | | |
| Trust Departments | 351 | 365 | 428 |
| Information Technology and Operations | 1,742 | 1,886 | 2,113 |
| Bank Secrecy Act | 1,761 | 1,906 | 2,126 |
| Subtotal – Specialty Examinations | 3,854 | 4,157 | 4,667 |
| TOTAL | 6,892 | 7,375 | 8,160 |

Risk Management

All risk management examinations have been conducted in accordance with statutorily established time frames. As of September 30, 2016, 132 insured institutions with total assets of $24.9 billion were designated as problem institutions for safety and soundness purposes (defined as those institutions having a composite CAMELS¹ rating of 4 or 5), compared to the 203 problem institutions with total assets of $51.1 billion on September 30, 2015. This is a 35 percent decline in the number of problem institutions and a 51 percent decrease in problem institution assets. For the 12 months ending September 30, 2016, 82 institutions with aggregate assets of $27.1 billion were removed from the list of problem financial institutions, while 11 institutions with aggregate assets of $2.3 billion were added to the list. The FDIC is the PFR for 91 of the 132 problem institutions, with total assets of $15.7 billion.

In 2016, the FDIC’s Division of Risk Management Supervision initiated 170 formal enforcement actions and 121 informal enforcement actions. Enforcement actions against institutions included, but were not limited to, 23 actions under Section 8(b) of the FDI Act (22 consent orders and 1 notice of charges), and 121 MOUs. Of these enforcement actions against institutions, 20 consent orders and 22 MOUs were based, in whole or in part, on apparent violations of BSA and anti-money laundering (AML) laws and regulations. Enforcement actions were also initiated against individuals. These actions included, but were not limited to, 95 removal and prohibition actions under Section 8(e) of the FDI Act (87 consent orders and 8 notices of intention to remove/prohibit), 3 actions under Section 8(b) of the FDI Act (1 notice of charges to pay restitution and 2 personal cease and desist orders), and 28 civil money penalties (CMPs) (25 orders to pay and 3 notices of assessment).

The FDIC has heightened its focus on forward-looking supervision aimed at ensuring that risks are mitigated before they lead to financial deterioration.

¹ The CAMELS composite rating represents the adequacy of Capital, the quality of Assets, the capability of Management, the quality and level of Earnings, the adequacy of Liquidity, and the Sensitivity to market risk, and ranges from “1” (strongest) to “5” (weakest).

Compliance

As of December 31, 2016, 50 insured SNM institutions, about 1 percent of all supervised institutions, with total assets of $72 billion, were problem institutions for compliance, CRA, or both. All of the problem institutions for compliance were rated “4” for compliance purposes, with none rated “5.” For CRA purposes, the majority were rated “Needs to Improve,” and only four were rated “Substantial Noncompliance.” As of December 31, 2016, all follow-up examinations for problem institutions were performed on schedule.

As of December 31, 2016, the FDIC conducted all required compliance and CRA examinations and, when violations were identified, completed follow-up visits and implemented appropriate enforcement actions in accordance with FDIC policy. In completing these activities, the FDIC substantially met its internally established time standards for the issuance of final examination reports and enforcement actions.

Overall, banks demonstrated strong consumer compliance programs. The most significant consumer protection issue that emerged from the 2016 compliance examinations involved banks’ failure to adequately monitor third-party vendors. For example, the FDIC found violations involving unfair or deceptive acts or practices relating to issues such as failure to disclose material information about product features and limitations, deceptive marketing and sales practices, and misrepresentations about the costs of products. As a result, the FDIC issued orders requiring the payment of CMPs.

As of December 31, 2016, the FDIC’s Division of Depositor and Consumer Protection initiated 15 formal enforcement actions and 23 informal enforcement actions to address compliance concerns (see chart on page 140). This included 4 consent orders, 2 removal and prohibition orders addressing safety and soundness concerns and breaching fiduciary duty, 9 CMPs, and 23 MOUs. Restitution orders are formal actions that require institutions to pay restitution in the form of consumer refunds for different violations of law. As of December 31, 2016, there were no restitution orders that required institutions to refund consumers. The CMPs totaled over $332,654.

Large Bank Supervision Program

The FDIC also established the Large Bank Supervision Program within the Division of Risk Management Supervision to address the growing complexity of large banking organizations with assets exceeding $10 billion and not assigned to the CFI Program. This group is responsible for supervisory oversight, ongoing monitoring, and resolution planning, while supporting the insurance business line. For SNM banks over $10 billion, the FDIC generally applies a continuous examination program, whereby dedicated staff conducts ongoing on-site supervisory examinations and institution monitoring. At institutions where the FDIC is not the primary federal regulator, the FDIC has dedicated on-site examination staff at select banks, working closely with other financial institution regulatory authorities to identify emerging risks and assess the overall risk profile of large institutions.

The Large Insured Depository Institution (LIDI) Program remains the primary instrument for off-site monitoring of IDIs with $10 billion or more in total assets. The LIDI Program provides a comprehensive process to standardize data capture and reporting through nationwide quantitative and qualitative risk analysis of large and complex institutions. In 2016, the LIDI Program covered 92 institutions with total assets of $5.4 trillion. The comprehensive LIDI Program supports effective large bank supervision because it aids the Division in using individual institution information to deploy resources most effectively to high-risk areas, determine the need for supervisory action, and support insurance assessments and resolution planning.

The Shared National Credit (SNC) Program is an interagency initiative administered jointly by the FDIC, OCC, and FRB to ensure consistency in the regulatory review of large, syndicated credits, as well as identify risk in this market, which comprises a large volume of domestic commercial lending. In 2016, outstanding credit commitments identified in the SNC Program totaled $4.1 trillion. The FDIC, OCC, and FRB issued a joint press release detailing the results of the review in July 2016. The latest review showed the level of adversely rated assets remained higher than in previous periods of economic expansion, raising the concern that future losses and problem loans could rise considerably in the next credit cycle. The elevated level of risk observed during the recent SNC examination stems from the high inherent risk in the leveraged loan portfolio and growing credit risk in the oil and gas portfolio. Notwithstanding the riskiness of the existing portfolio, the agencies noted improved underwriting and risk management practices related to the most recent leveraged loan originations, as underwriters continued to better align practices with regulatory expectations, and as investor risk appetite moderated away from transactions at the lower end of the credit spectrum.

Information Technology, Cyber Fraud, and Financial Crimes

To address the specialized nature of technology- and operations-related supervision, cyber risks, and controls in the banking industry, the FDIC routinely conducts information technology (IT) and operations examinations at FDIC-supervised institutions.

IT Examinations

The FDIC conducts regular IT and operations risk examinations at all FDIC-supervised financial institutions and assigns an examination rating based on the Federal Financial Institutions Examination Council’s (FFIEC’s) Uniform Rating System for Information Technology (URSIT). The URSIT rating is incorporated into the Management component of the Safety and Soundness rating in Reports of Examination. In 2016, the FDIC conducted 1,742 IT and operations examinations at financial institutions and technology service providers (TSPs).

In 2016, the FDIC continued to enhance its IT supervision and improve its programs to fight cyber fraud and financial crimes more generally. This year, the FDIC released updated IT and operations risk examination procedures that are more efficient and risk-focused, include a cybersecurity preparedness assessment, and provide more detailed examination results to institutions. This enhanced Information Technology Risk Examination program, or InTREx, helps ensure that financial institution management promptly identifies and effectively addresses IT and cybersecurity risks. The InTREx work program and training was completed on June 24, 2016, and fully implemented by September 30, 2016.

Supervision for Technology Service Providers

The FDIC and other banking agencies also conduct IT and operations risk examinations of TSPs that support financial institutions. During 2016, the FDIC, OCC, and FRB piloted the newly developed Interconnectivity Horizontal Review Program with three of the largest TSPs. The program focused on the IT risks of large and complex supervised institutions and TSPs. This new program will help strengthen the FDIC’s supervision of TSPs that present the most risk to the banking industry.

Other Activities

The FDIC continues to provide resources to raise awareness of cyber risks and to encourage practices that help protect the financial institutions it supervises. For example, in 2016, the FDIC hosted an industry webinar titled “Cybersecurity Resources to Help Your Customers Protect Themselves,” and made available brochures with tips on how to conduct business safely online. Financial institutions can reprint these brochures for their retail banking and business customers.

Additionally, the FDIC monitors cybersecurity issues in the banking industry through regulatory and intelligence reports. The FDIC works with the Financial and Banking Information Infrastructure Committee, the Financial Services Sector Coordinating Council for Critical Infrastructure Protection, Homeland Security, the Financial Services Information Sharing and Analysis Center (FS-ISAC), other regulatory agencies, law enforcement, and others to share information regarding emerging issues and to coordinate responses.

During 2016, the FDIC served as chair of the Cybersecurity and Critical Infrastructure Working Group (CCIWG) of the FFIEC Task Force on Supervision. The CCIWG serves as a forum to address policy related to cybersecurity and critical infrastructure, enables members to communicate and collaborate on activities to support and strengthen the resilience of the financial services sector, and provides input to FFIEC principal members regarding cybersecurity matters.

Major interagency accomplishments as a member of the FFIEC included the following:

Enhancing the FDIC’s IT Security

Information security is critical to the FDIC’s ability to carry out its mission of maintaining stability and public confidence in the nation’s financial system. In 2016, the FDIC implemented policies and technologies to strengthen its own cybersecurity posture by initiating an aggressive 60-day plan to improve information security and an FDIC IT Action Plan to lay the foundation for modernizing the agency’s IT services to ensure scalability and resilience. Steps taken included:

These actions are in addition to protections that were already in place, such as:

The FDIC requires employees to take annual security and privacy training so they are aware of FDIC security standards. This is supplemented by periodic phishing tests to help ensure employees stay watchful to possible outside threats.

The FDIC will remain alert and continue to adjust security controls in light of the changing threat landscape.

Access Control Program and Personal Identity Verification Card Implementation

The FDIC’s Access Control Program (ACP) was established to ensure the agency’s compliance with the Homeland Security Presidential Directive 12 (HSPD-12): Policy for a Common Identification Standard for Federal Employees and Contractors. HSPD-12 requires the use of Personal Identity Verification (PIV) cards (smart card credentials containing data that allow the cardholder to be granted access to facilities and information systems) to assure appropriate levels of security and offer enhanced protection by requiring multifactor authentication (MFA). MFA requires two or more of the following verification mechanisms to access a user’s work station or network:

In 2016, the FDIC expanded use of MFA for securely downloading assessment invoices and official FDIC correspondence, and performing other secure file exchanges.

This year, the FDIC successfully issued PIV cards to more than 5,300 eligible employees and contractors by partnering with the General Services Administration (GSA) USAccess program. In order to track and manage the rollout of the PIV card issuance effectively, the agency developed an Inventory Executive Dashboard by division, region, and office. By year-end 2016, approximately 94 percent of eligible FDIC employees and contractors have been issued a PIV card.

The FDIC also enforced the use of PIV cards to access the FDIC network (i.e., logical access). As of year-end 2016, PIV-based authentication is required to access the FDIC network across the agency. ACP’s global communications and organizational change management efforts have resulted in approximately 90 percent of FDIC staff and contractors using their cards for logical access.

Insider Threat Program

During 2016, in support of the National Insider Threat Policy, the FDIC established an Insider Threat and Counterintelligence Program (ITCIP) to strengthen and develop new processes and technologies to combat insider threats.

An insider threat is a concern or risk posed to the FDIC that involves an individual who misuses or betrays, wittingly or unwittingly, his or her authorized access to FDIC resources. This individual may have access to sensitive, personally identifiable information and/or privileged access to critical infrastructure and/or business sensitive information (e.g., bank data).

The ITCIP blends both physical and logical safeguards to minimize the risk, likelihood, and impact of an executed insider threat.

An ITCIP Working Group was established to focus on detecting, identifying, assessing, mitigating, and preventing insider threat or external threat activity through the centralized and integrated analysis of threat information. An ITCIP Executive Committee also was established to support planning and provide oversight in the implementation of the program.

Further, the FDIC designated a senior Executive as the Senior Agency Official principally responsible for establishing a process to gather, integrate, centrally analyze, and respond to relevant information indicative of a potential insider threat.

Bank Secrecy Act/Anti-Money Laundering

In 2016, the Financial Action Task Force (FATF) completed a mutual evaluation of the U.S. anti-money laundering (AML) regime. The FDIC provided input through on-site discussions regarding the U.S. banking industry’s AML supervision and enforcement and provided comments on final documents addressing the U.S. banking industry’s compliance with the FATF AML standards.

Examiner Development

The FDIC has undertaken a multi-year project to expand and strengthen its examiner development programs for specialty examinations, such as information technology, BSA/AML, trust, capital markets, accounting, and anti-fraud. Due to the increased complexity of institutions, specialty skills are becoming paramount in risk assessment. In addition, this initiative is an important component of succession planning; proactively addressing knowledge transfer will enable the FDIC to mitigate the impact of the future retirement of senior technical experts.

The goal of this project is to standardize nationwide the skills needed to examine banks of varying levels of risk and complexity in each specialty area, and then to develop on-the-job training programs to provide opportunities for examiners to develop higher level competencies in these specialty areas. This initiative will:

In 2016, the FDIC validated competency models in the BSA/AML, trust, and capital markets areas, began developing specialty on-the-job training programs in BSA/AML and trust, and made progress in developing information technology and accounting competency models.

Minority Depository Institution Activities

The preservation of minority depository institutions (MDIs) remains a high priority for the FDIC. In 2016, the FDIC continued to support MDI and Community Development Financial Institution (CDFI) industry-led strategies for success. These strategies include: increased collaboration between MDI and CDFI bankers; partnering to share costs, raise capital, or pool loans; and making innovative use of federal programs. The FDIC supports this effort by providing technical assistance to MDI and CDFI bankers.

In 2016, the FDIC sponsored a discussion between trade groups representing MDIs and CDFIs and representatives of potential bank partners, focusing on CRA partnerships. In addition, the FDIC provided technical assistance to a group seeking to develop a private equity fund to invest in MDIs. The FDIC’s assistance addressed how the proposed structure might be considered under the Basel Capital Rules as well as the CRA. Both community banks and larger insured financial institutions have valuable incentives under the CRA to undertake ventures with MDIs, including capital investment and loan participations.

In 2016, the FDIC, OCC, and FRB co-hosted a webinar on strategic planning attended by approximately 50 MDIs, and began planning the 2017 Interagency MDI and CDFI Bank Conference, which the agencies will co-sponsor. The conference will be held in Los Angeles where there is a significant concentration of MDIs. The conference will feature an interactive panel with FDIC Chairman Martin J. Gruenberg, a Federal Reserve Board Governor, and Comptroller of the Currency Thomas J. Curry.

The FDIC continued its efforts to improve communication and interaction with MDIs and to respond to the concerns of minority bankers. The FDIC maintains active outreach with MDI trade groups and offers to arrange annual meetings between FDIC regional management and each MDI’s board of directors to discuss issues of interest. The FDIC routinely contacts MDIs to offer return visits and technical assistance following the conclusion of FDIC safety and soundness, compliance, CRA, and specialty examinations to assist bank management in understanding and implementing examination recommendations. These return visits, normally conducted 90 to 120 days after the examination, are intended to provide useful recommendations or feedback for improving operations, not to identify new issues. The FDIC’s website encourages and provides contact information for any MDI to request technical assistance at any time.

In 2016, the FDIC provided 135 individual technical assistance sessions on approximately 66 risk management and compliance topics, including:

The FDIC’s regional offices also held outreach, training, and educational programs for MDIs through conference calls and regional banker roundtables. In 2016, topics of discussion for these sessions included many of those listed above, as well as the FDIC’s National MDI Program, the FDIC’s Community Banking Initiative, and the availability of Technical Assistance Videos on corporate governance, strategic planning, director responsibilities, community banking initiatives, compliance guidance, concentration risk management, and bank merger and acquisition.

Mutual Institutions

In August 2016, the FDIC and OCC co-hosted the Joint Agency Mutual Forum, which was open to all mutual banking institutions regardless of charter type. Mutually-owned related institutions represent about 9 percent of all FDIC-insured institutions and are among the oldest forms of depository institution. Attended by approximately 125 participants, the forum provided an opportunity for the mutual bankers to learn about current trends and engage in a dialogue on the strengths of and challenges facing mutual institutions. The forum featured presentations and banker panels covering topics of interest relating to the mutual industry, including an economic outlook, strategic planning, cyber challenges, and a regulatory compliance update, as well as an opportunity for each agency to hold an agency-specific session to address other current matters and respond to banker inquiries.

Cyber Fraud and Financial Crimes

The Cyber Fraud and Financial Crimes Section leads the FDIC’s efforts to protect the banking industry from criminal financial activities. These efforts include managing the FDIC’s background investigations for banking applications, leading financial crimes-related training programs, and assisting financial institutions in identifying and shutting down “phishing” websites that attempt to obtain fraudulently and use an individual’s confidential personal or financial information. This Section serves a leading role in education and outreach, including through the development of webinars and informational publications. During 2016, the Cyber Fraud and Financial Crimes Section hosted a banking industry webinar (titled “Cybersecurity Resources to Help Your Customers Protect Themselves”) held in conjunction with National Consumer Protection Week, and authored a special edition of the FDIC’s Consumer News focused on consumer cybersecurity awareness. The Department of Homeland Security shared the Consumer News edition with more than 58,000 partners during October 2016 in observation of National Cybersecurity Awareness Month.

Supervision Policy

Brokered Deposits

In June 2016, the FDIC finalized updates to its FAQs regarding brokered deposits. The FAQs were updated in response to numerous questions regarding brokered deposit determinations. The FAQs address supervisory expectations for identifying, accepting, and reporting brokered deposits. The answers are based on Section 29 of the FDI Act and Section 337.6 of the FDIC Rules and Regulations, as well as explanations provided to the industry through published advisory opinions and the FDIC’s Study on Core Deposits and Brokered Deposits, issued in July 2011.

Applications for Deposit Insurance

In April 2016, the FDIC issued guidance in the form of supplemental “Questions and Answers” (Q&As) to aid applicants in developing applications for deposit insurance. The supplemental Q&As provide additional transparency to the application process and supplement guidance previously issued in November 2014.

Prudent Risk Management of Oil and Gas Exposures

In July 2016, the FDIC issued guidance to remind FDIC-supervised institutions with direct or indirect oil and gas exposures to maintain sound underwriting standards, strong credit administration practices, and effective risk management strategies. When oil and gas related borrowers experience financial difficulties, the FDIC encourages financial institutions to work constructively with borrowers to strengthen the credits and to mitigate losses where possible.

Third-Party Lending

In July 2016, the FDIC issued a request for public comment on proposed guidance for third-party lending. The proposed guidance sets forth safety and soundness and consumer compliance measures FDIC-supervised institutions should follow when lending through a business relationship with a third party. The proposed guidance is intended to supplement the FDIC’s existing Guidance for Managing Third-Party Risk, which is applicable to a number of third-party arrangements, including lending through a third party. Public comments are being evaluated as part of the process of developing the final guidance.

FDIC Examination Findings

In July 2016, the FDIC issued guidance to emphasize the importance of open communication regarding supervisory findings. An open dialogue with bank management is critical to ensuring the supervisory process is effective in promoting an institution’s strong financial condition and safe and sound operation. The FDIC encourages bank management to provide feedback on FDIC supervisory activities and engage FDIC personnel in discussions to ensure a full understanding of the FDIC’s supervisory findings and recommendations. If an institution disagrees with examination findings, there are several informal and formal avenues available to raise its concerns.

Regulatory Relief

During 2016, the FDIC issued 11 financial institution letters providing guidance to help financial institutions and to facilitate recovery in areas affected by tornadoes, flooding, wild fires, landslides, mudslides, and other severe events. In these letters, the FDIC encouraged banks to work constructively with borrowers experiencing financial difficulties as a result of natural disasters. The letters also clarified that prudent extensions or modifications of loan terms in such circumstances can contribute to the health of communities and serve the long-term interests of lending institutions.

 
