2017 Annual Report
I. Management’s Discussion and Analysis
The Year in Review
Supervision and consumer protection are cornerstones of the FDIC’s efforts to ensure the stability of, and public confidence in, the nation’s financial system. The FDIC’s supervision program promotes the safety and soundness of FDIC-supervised financial institutions, protects consumers’ rights, and promotes community investment initiatives.
The FDIC’s strong bank examination program is the core of its supervisory program. As of December 31, 2017, the FDIC was the primary federal regulator for 3,636 FDIC-insured, state-chartered institutions that were not members of the Federal Reserve System (generally referred to as “state nonmember” institutions). Through risk management (safety and soundness), consumer compliance and the Community Reinvestment Act (CRA), and other specialty examinations, the FDIC assesses an institution’s operating condition, management practices and policies, and compliance with applicable laws and regulations.
As of December 31, 2017, the FDIC conducted 1,611 statutorily required risk management examinations, including a review of Bank Secrecy Act (BSA) compliance, and all required follow-up examinations for FDIC-supervised problem institutions, within prescribed time frames. The FDIC also conducted 1,168 statutorily required CRA/compliance examinations (770 joint CRA/compliance examinations, 393 compliance-only examinations, and 5 CRA-only examinations). In addition, the FDIC performed 3,614 specialty examinations (which include reviews for BSA compliance) within prescribed time frames.
The table below compares the number of examinations by type, conducted from 2015 through 2017.
| Examination type | 2017 | 2016 | 2015 |
|---|---|---|---|
| Risk Management (Safety and Soundness): | | | |
| State Nonmember Banks | 1,440 | 1,563 | 1,665 |
| State Member Banks | 0 | 0 | 0 |
| Subtotal – Risk Management Examinations | 1,611 | 1,727 | 1,871 |
| Compliance/Community Reinvestment Act | 770 | 709 | 859 |
| Subtotal – CRA/Compliance Examinations | 1,168 | 1,311 | 1,347 |
| Information Technology and Operations | 1,627 | 1,742 | 1,886 |
| Bank Secrecy Act | 1,640 | 1,761 | 1,906 |
| Subtotal – Specialty Examinations | 3,614 | 3,854 | 4,157 |
All risk management examinations have been conducted in accordance with statutorily established time frames. As of September 30, 2017, 104 insured institutions with total assets of $16.0 billion were designated as problem institutions for safety and soundness purposes (defined as those institutions having a composite CAMELS¹ rating of 4 or 5), compared to the 132 problem institutions with total assets of $24.9 billion on September 30, 2016. This is a 21 percent decline in the number of problem institutions and a 36 percent decrease in problem institution assets. For the 12 months ended September 30, 2017, 47 institutions with aggregate assets of $15.3 billion were removed from the list of problem financial institutions, while 19 institutions with aggregate assets of $7.6 billion were added to the list. The FDIC is the primary federal regulator for 72 of the 104 problem institutions, with total assets of $11.6 billion.
In 2017, the FDIC’s Division of Risk Management Supervision (RMS) initiated 134 formal enforcement actions and 152 informal enforcement actions. Enforcement actions against institutions included, but were not limited to, 13 actions under Section 8(b) of the Federal Deposit Insurance Act (FDI Act) (all of which were consent orders), and 103 memoranda of understanding (MOUs). Of these enforcement actions against institutions, three consent orders and 14 MOUs were based, in whole or in part, on apparent violations of BSA and anti-money laundering (AML) laws and regulations. In addition, enforcement actions were also initiated against individuals. These actions included, but were not limited to, 65 removal and prohibition actions under Section 8(e) of the FDI Act (58 consent orders and seven notices of intention to remove/prohibit), nine actions under Section 8(b) of the FDI Act (one order to pay restitution and 8 personal cease and desist orders), and 25 civil money penalties (CMPs) (22 orders to pay and 3 notices of assessment).
The FDIC continues to focus on forward-looking supervision by assessing risk management practices during the examination process to ensure that risks are mitigated before they lead to financial deterioration.
As of December 31, 2017, 37 insured state nonmember institutions, about 1 percent of all supervised institutions, with total assets of $58 billion, were problem institutions for compliance, CRA, or both. All of the problem institutions for compliance were rated “4” for compliance purposes, with none rated “5.” For CRA purposes, the majority were rated “Needs to Improve,” and only two were rated “Substantial Noncompliance.” As of December 31, 2017, all follow-up examinations for problem institutions were performed on schedule.
As of December 31, 2017, the FDIC conducted all required compliance and CRA examinations and, when violations were identified, completed follow-up visits and implemented appropriate enforcement actions in accordance with FDIC policy. In completing these activities, the FDIC substantially met its internally-established time standards for the issuance of final examination reports and enforcement actions.
Overall, banks demonstrated strong consumer compliance programs. The most significant consumer protection issue that emerged from the 2017 compliance examinations involved banks’ failure to adequately monitor third-party vendors. For example, the FDIC found violations involving unfair or deceptive acts or practices relating to issues such as failure to disclose material information about product features and limitations, deceptive marketing and sales practices, and misrepresentations about the costs of products. As a result, the FDIC issued orders requiring the payment of CMPs.
As of December 31, 2017, the FDIC’s Division of Depositor and Consumer Protection (DCP) initiated 26 formal enforcement actions and 22 informal enforcement actions to address compliance concerns. This included three restitution orders, one consent order, 20 CMPs, two Notices of Assessment, and 22 MOUs. Restitution orders are formal actions that require institutions to pay restitution in the form of consumer refunds for different violations of law. In 2017, these orders required the payment of approximately $3 million to harmed consumers. As of December 31, 2017, the CMP orders totaled $619,884.
Large Bank Supervision Program
The FDIC established the Large Bank Supervision Branch within RMS to address the growing complexity of large banking organizations with assets exceeding $10 billion and not assigned to the Complex Financial Institution Group (CFI). This branch is responsible for supervisory oversight, ongoing monitoring, and resolution planning, while supporting the insurance business line. For state nonmember banks with assets exceeding $10 billion, the FDIC generally applies a continuous examination program, whereby dedicated staff conducts ongoing on-site supervisory examinations and institution monitoring. At institutions where the FDIC is not the primary federal regulator, the FDIC has dedicated on-site examination staff at select banks, working closely with other financial institution regulatory authorities to identify emerging risks and assess the overall risk profile of large institutions.
The Large Insured Depository Institution (LIDI) Program remains the primary instrument for off-site monitoring of IDIs with $10 billion or more in total assets not assigned to CFI. The LIDI Program provides a comprehensive process to standardize data capture and reporting through nationwide quantitative and qualitative risk analysis of large and complex institutions. In 2017, the LIDI Program covered 101 institutions with total assets of $5.7 trillion. The comprehensive LIDI Program supports effective large bank supervision by using individual institution information to best deploy resources to high-risk areas, determining the need for supervisory action, and supporting insurance assessments and resolution planning.
The Shared National Credit (SNC) Program is an interagency initiative administered jointly by the FDIC, OCC, and FRB to ensure consistency in the regulatory review of large, syndicated credits, as well as identify risk in this market, which comprises a large volume of domestic commercial lending. In 2017, outstanding credit commitments identified in the SNC Program totaled $4.4 trillion. The FDIC, OCC, and FRB issued a joint press release detailing the results of the review in August 2017. The latest review showed the level of adversely rated assets remained higher than in previous periods of economic expansion, raising the concern that future losses and problem loans could rise considerably in the next credit cycle. The high level of credit risk observed during the recent SNC examination stems from leveraged borrowers, as well as distressed borrowers in the oil and gas sector or other industry sector borrowers exhibiting excessive leverage. Notwithstanding the riskiness of the existing portfolio, the agencies noted improved underwriting and risk management practices related to the most recent leveraged loan originations, as underwriters continued to better align practices with regulatory expectations and as investor risk appetite moderated away from transactions at the lower end of the credit spectrum. The agencies still identified several common weaknesses in leveraged lending underwriting including ineffective covenants, liberal repayment terms, and incremental debt provisions.
Sales Practices Review
Significant resources were allocated in 2017 to assess the retail sales practices of the large institutions. Initiatives included coordination with the OCC, FRB and Consumer Financial Protection Bureau (CFPB), in reviewing practices at the largest institutions and conducting a horizontal review of sales practices at 17 large FDIC-supervised institutions. The examinations did not find systemic problems in opening accounts without customer consent; however, institutions need to improve their risk management processes to better mitigate and identify potential sales practice weaknesses.
The FDIC examines information technology (IT), including information security, at each risk management examination. Examiners assign an IT rating using the Federal Financial Institutions Examination Council’s (FFIEC) Uniform Rating System for Information Technology (URSIT), and the IT rating is incorporated into the management component of the CAMELS rating, in accordance with the FFIEC’s Uniform Financial Institution Rating System (UFIRS).
The FDIC continued to enhance its IT supervision in 2017. For example, examiners used the Information Technology Risk Examination Program (InTREx) in examinations of FDIC-supervised financial institutions. InTREx is an examiner work program introduced in 2016 that provides more efficient and risk-focused examination procedures. InTREx includes a cybersecurity preparedness assessment and provides more detailed examination results to institutions to help ensure management promptly identifies and addresses IT and cybersecurity risks. The FDIC also conducted a July webinar with other FFIEC members to provide financial institutions information on updates to the FFIEC’s Cybersecurity Assessment Tool (CAT). These updates provide institutions the ability to account for compensating controls used to achieve certain cybersecurity control objectives. The webinar provided financial institutions the opportunity to share their comments and questions with senior FFIEC staff and also to hear about updates to the FFIEC IT Examination Handbook.
The FDIC, OCC, and FRB also examine IT and other operational components of service providers that support financial institutions. During 2017, the agencies implemented a new cybersecurity examination work program to identify and assess risk at service providers of all sizes, and conducted an interconnectivity risk horizontal review of the most significant service providers.
The FDIC continues to actively engage with both the public and private sectors to assess cybersecurity and other operational risk issues to protect the financial institutions that the FDIC supervises. This work includes engaging with the Financial and Banking Information Infrastructure Committee (FBIIC), the Financial Services Sector Coordinating Council for Critical Infrastructure Protection, the Department of Homeland Security, the Financial Services Information Sharing and Analysis Center, other regulatory agencies, and law enforcement to share information regarding emerging issues and coordinate responses.
The FDIC played a significant role in organizing FBIIC incident management communication related to the financial services sector in areas affected by hurricanes Harvey, Irma, and Maria. The FDIC also actively participated in FBIIC working groups to better understand the financial sector’s vulnerability to a cybersecurity incident and consider ways to harmonize cybersecurity supervisory efforts.
Cyber Fraud and Financial Crimes
The FDIC has undertaken a number of initiatives in 2017 to protect the banking industry from criminal financial activities. These efforts include improving and automating the FDIC’s background investigations for banking applications, leading financial crimes-related training programs, and assisting financial institutions in identifying and shutting down “phishing” websites that attempt to fraudulently obtain an individual’s confidential personal or financial information.
In support of these efforts, an article entitled “10 Scams Targeting Bank Customers: The Basics on How to Protect Yourself” (Summer 2017) was published in the FDIC’s Consumer News.
Bank Secrecy Act/Anti-Money Laundering
In 2017, as a member of the Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Expert Group, the FDIC contributed to the update of correspondent banking guidance issued by the Basel Committee on Bank Supervision. The FDIC also worked with domestic and international regulators and bankers to consider input regarding customer due diligence and beneficial ownership guidance and procedures that will coincide with the implementation of related regulations. In addition, the FDIC coordinated with the other FFIEC members to initiate revisions to the FFIEC BSA/AML Examination Manual by contacting various banking trade associations for their comments and suggestions to improve the manual’s content.
The Summer 2017 issue of the Supervisory Insights Journal included an article focused on the FDIC’s BSA/AML supervision program. The article discussed trends in supervision and enforcement, and included examples of rare, but significant failures identified by FDIC examiners in BSA/AML compliance programs. The article provided examiners and bankers with perspective on BSA/AML examinations and risk.
Examiner Training and Development
Examiner training continued to receive high priority and attention in 2017 on multiple fronts. The FDIC strives to deliver effective and efficient training that includes a variety of delivery methods including on-the-job, classroom, and computer-based instruction to all learners. A cadre of highly trained and highly skilled instructors facilitates classroom learning provided to regulatory partners from international and state agencies along with FDIC examination staff. Oversight of the training program is provided by senior and mid-level management to ensure that content and delivery are effective, appropriate, and current. Working in collaboration with partners across the organization and with the FFIEC, the FDIC strives to be agile so that emerging risks and topics are incorporated and conveyed timely. Examination staff at all levels benefit from targeted and tenure-appropriate content. No less relevant to the formal training program, peer-to-peer knowledge transfer is critical to ensure that institutional knowledge and experience is preserved.
The FDIC has undertaken a multi-year project to expand and strengthen its examiner development programs for specialty examinations, such as IT, BSA/AML, trust, capital markets, and accounting. As banks become more specialized, enhancing examiner skills in these areas is key to ensuring an effective examination program. The goal of this project is to standardize the skills needed to examine banks of varying levels of risk and complexity in each specialty area, and then to develop on-the-job training programs to provide opportunities for examiners to acquire higher level competencies in these specialty areas.
In 2017, the FDIC validated competency models in the accounting and IT areas, and made progress in developing specialty on-the-job training programs in BSA/AML, trust, and IT.
Minority Depository Institution Activities
The preservation of minority depository institutions (MDI) remains a high priority for the FDIC. In 2017, the FDIC continued to support MDI and Community Development Financial Institution (CDFI) industry-led strategies for success. These strategies include increasing collaboration between MDI and CDFI bankers; partnering to share costs, raise capital, or pool loans; and making innovative use of federal programs. The FDIC supports this effort by providing technical assistance to MDI and CDFI bankers.
In December 2017, the FDIC published a Financial Institution Letter (FIL) to encourage collaboration among MDIs and between MDIs and other institutions. This publication describes some of the ways that financial institutions, including community banks, can partner with MDIs to the benefit of all institutions involved, as well as the communities they serve. Both community banks and larger insured financial institutions have valuable incentives under the CRA to undertake ventures with MDIs, including capital investment and loan participations.
In February 2017, the federal banking agencies co-sponsored a two-day conference titled, “Expanding the Impact: Increasing Capacity and Influence,” for approximately 110 bankers from more than 70 MDIs around the country. Key topics discussed at the conference included strategic planning and succession management, banking and innovation, and enhancing capacity through collaboration. Bankers provided very positive feedback on the conference, which was held in Los Angeles, where there is a significant concentration of MDIs. The conference featured an interactive panel with FDIC Chairman Martin J. Gruenberg, Federal Reserve Board Governor Jerome H. Powell, and former Comptroller of the Currency Thomas J. Curry.
Also, in 2017, the FDIC updated the information in its 2014 research study that captures the impact of structural changes on the assets controlled by MDIs. Between 2002 and 2016, the number of voluntary mergers (72) was nearly twice the number of failures (39). Among MDIs that voluntarily merged or consolidated during that same period, 54 percent of the institutions and 76 percent of total assets were acquired by another MDI. Among MDIs that failed between 2002 and 2016, 38 percent of the institutions and 86 percent of total assets were acquired by another MDI. Although the rate of acquisition by another MDI was higher for voluntary mergers than for failures, the FDIC demonstrated its commitment to the statutory goal of preserving the minority character in mergers and acquisitions and providing technical assistance to help prevent insolvency. In the event of a potential MDI failure, the FDIC contacts all MDIs nationwide that qualify to bid on failing institutions. The FDIC solicits qualified MDIs’ interest in the failing institution, discusses the bidding process, and provides technical assistance regarding completion of bid forms.
The FDIC continuously pursued efforts to improve communication and interaction with MDIs and to respond to the concerns of minority bankers in 2017. The FDIC maintains active outreach with MDI trade groups and offers to arrange annual meetings between FDIC regional management and each MDI’s board of directors to discuss issues of interest. The FDIC routinely contacts MDIs to offer return visits and technical assistance following the conclusion of FDIC safety and soundness, compliance, CRA, and specialty examinations to assist bank management in understanding and implementing examination recommendations. These return visits, normally conducted within 90 to 120 days after the examination, are intended to provide useful recommendations or feedback for improving operations, not to identify new issues.
The FDIC’s website also encourages and provides contact information for any MDI to request technical assistance at any time.
In 2017, the FDIC provided 211 individual technical assistance sessions on approximately 60 risk management and compliance topics, including:
- Bank Secrecy Act and Anti-Money Laundering;
- brokered deposits/waivers;
- capital planning;
- Community Reinvestment Act;
- compliance management systems;
- funding and liquidity;
- information technology risk management and cybersecurity;
- loan underwriting and administration;
- mortgage lending rules;
- troubled debt restructuring; and
- succession planning.
The FDIC also held outreach, training, and educational programs for MDIs through conference calls and regional banker roundtables. In 2017, topics of discussion for these sessions included many of those listed above, as well as MDI research, strategic planning, new products and services, BSA training, cybersecurity, and liquidity risk.
1 The CAMELS composite rating represents the adequacy of Capital, the quality of Assets, the capability of Management, the quality and level of Earnings, the adequacy of Liquidity, and the Sensitivity to market risk, and ranges from “1” (strongest) to “5” (weakest).