This regular feature focuses on developments that affect the bank examination function. We welcome ideas for future columns. Readers are encouraged to e-mail suggestions to firstname.lastname@example.org.
It is Friday afternoon, and an examination of the bank starts on Monday. The bank has not provided paper copies of its policies, procedures, board minutes, or sample customer disclosures. No loan files have been pulled. The bank has spent minimal time and resources responding to examiner requests for information. Yet preexamination planning has been completed, and, using standard procedures, the examination has been risk-scoped.
How was this achieved? The bank is undergoing an e-Exam, conducted under the FDIC’s e-Exam policy.1 All of the documents and data needed for preexamination planning were provided electronically using appropriate security measures. Moreover, a significant amount of the examination activities will be conducted in the FDIC’s offices—not at the bank.
The Changing Face of Examinations
An important component of bank examinations is the review of a bank’s books and records, which includes a wide variety of written documents. Improved technology for electronic storage and retrieval of written documents has created opportunities to improve the quality and timeliness of the document review conducted during examinations. Over the past few years, examiners have asked for more and more off-site information, performing most of the preexamination analysis and some of the ongoing examination tasks outside the bank. In most cases, however, much of the information needed for an examination was aggregated and copied by the bank, which was time consuming, burdensome, and often resulted in several boxes of documents being created for the examiners. Until recently, examiners had to be on-site at least for certain tasks: to analyze the areas requiring extensive documentation that could not be readily copied, such as loan files or other sizeable financial reports, and to obtain missing information.
Given the advancements in technology, FDIC examiners have explored how the examination process could be made more efficient. By securely exchanging electronic information, could we reduce the burden of the examination process on both bank management and examiners, while still maintaining an effective, risk-focused examination process?
Introducing the e-Exam
An e-Exam, or electronic examination, is a financial institution examination in which electronic data are exchanged through a secure delivery method. E-Exam procedures can be used for all examinations conducted by the FDIC, including risk management, compliance, and Community Reinvestment Act examinations. State authorities and other regulatory agencies also may employ e-Exam procedures at joint examinations with the FDIC.
Banks generally maintain a wide variety of information—written policies and procedures, customer disclosures, board minutes, and even loan files—in electronic format, either as an originally created document or as a scanned image. Managers at many institutions have been offering their imaging tools to examiners for some time, usually allowing access to imaged documents through compact discs (CDs) or bank terminals on-site. In early 2004, institutions began approaching the FDIC via telephone calls and personal contacts at trade events suggesting that examiners use banks’ imaging technology during examinations to make the process more efficient for both them and the examiners. Developing policies and procedures for electronically transferring such documents was the next logical step, and it is the basis of the e-Exam concept.
The FDIC’s e-Exam policy is designed to meet the needs of bankers and examiners by using these imaging tools to enhance the examination process. Under the policy, board minutes and financial reports can be reviewed off-site in the preexamination planning stage, loan reviews can be conducted off-site using imaged loan files, and additional information requests or amended documents responding to examiner questions or concerns can be transmitted electronically as the examination comes to a close. Examiners can and do, however, go on-site for discussions with management and certain types of transaction testing.2
Improving Examination Efficiencies for Bankers and Examiners
Industry response to e-Exams has been positive. Examination work conducted on-site requires extensive bank resources, including work space, employee time, and distractions from the normal course of bank business. Moreover, providing documentation to examiners electronically, rather than as the traditional hard copy, saves considerable time and effort for bank management.
Nikki Beisler, a senior vice president with First Bank and Trust Company of Indiantown, Florida, offers the following thoughts on the e-Exam policy and a recent e-Exam at her institution: “I love it. It saves time as I do not have to take time to create paper copies. It is easier to send documents electronically because we already have them in an electronic format. I am able to be more organized through this process. Being from a small institution, I have to wear a lot of hats, and there is not enough time to get things done. The process is simple to use and allows me to save time and be organized. The examination went very smoothly.”
As for the examination force, the response has been overwhelmingly positive. Many examiners consider the potential reduction in travel—one of the most-often-cited reasons for examiners leaving the FDIC—to be one of the most important benefits of the e-Exam program. The e-Exam policy also supports the flexibility examiners have in choosing their work environment through the FDIC’s Telework Program.
Security Is Paramount
The FDIC’s e-Exam policy accommodates financial institutions’ desire to provide imaged documentation and realizes the benefits of using emerging technologies as part of the examination process. However, enhanced policy and procedure considerations are necessary to mitigate information security risks arising from the use of e-Exam procedures. Strict adherence to applicable information security policies and procedures is required to effectively accommodate the use of emerging technologies.
The extent of imaging technologies employed, the financial institution management’s willingness to participate in e-Exams, and the available security measures represent the primary considerations when implementing e-Exam procedures. Although many technologies are available to accommodate the electronic exchange of information, the only ones currently approved for use in an e-Exam are FDICconnect, web-based applications, and electronic media (including CDs and DVDs). These three delivery technologies, which are discussed later in this article, have proven their reliability and consistency and provide a degree of security for delivery of bank information. In all instances, however, the increased volume of portable, electronic confidential information associated with e-Exams necessitates enhanced security measures to ensure the continued confidentiality, integrity, and availability of financial institution records and data. Therefore, the FDIC has structured formal security policies according to the specific delivery channels used, and the e-Exam policy outlines the necessary measures to mitigate the unique threats and challenges that each delivery channel presents.
Different Technologies Facilitate the e-Exam
Based on the results of ongoing surveys3 completed by FDIC examiners and bankers, the FDIC estimates that approximately 800 FDIC-supervised institutions have some document imaging capabilities, with more than 250 of these institutions being fully imaged. The e-Exam policy provides examiners the flexibility to work with various technologies banks may employ to facilitate an e-Exam. As previously mentioned, three delivery methods are currently used during examinations to navigate and view imaged documents in a secure manner: FDICconnect, CDs/DVDs, and web-based applications.
Using a secure Internet connection, FDICconnect provides on-demand file exchange capabilities and automated encryption with the transmission and storage of data. All FDIC examiners and insured financial institutions registered with FDICconnect can use the Examination File Exchange (EFE) module of FDICconnect. (See text box for information on registering with FDICconnect.) The FDICconnect application is easy for both examiners and bankers to navigate, providing a user-friendly, safe, and secure method for transmitting files during examinations. Bankers simply aggregate and copy requested examination information to FDICconnect for review by examiners. Currently, this is the most frequently used method of exchanging examination-related information—most likely because it is easy to use and bankers and examiners are comfortable with FDICconnect’s built-in security and encryption features.
Perspectives from an FDIC Examiner
While FDIC strives to complete examinations with local examiners, for a variety of reasons, that is not always possible. When that happens, examiners from out of the area—sometimes even out of the region—help out. I recently served as the examiner-in-charge (EIC) of a bank located in another region. Having the option of conducting an e-Exam facilitated getting much of the work done at my field office, while shortening some of my on-site activities.
The $68 million bank effectively transmitted the requested items, including loan files, through FDICconnect. Using the information provided in advance by the bank, my crew of eight examiners, all from out of the bank’s area, was able to effectively risk scope the examination. Four examiners conducted portions of the examination at the bank, while the remaining four examiners conducted the loan review from the field office. Using FDICconnect, the examiners were able to review loan files, collect missing documentation, and complete the loan review with little difficulty.
As EIC, I felt the e-Exam was efficient and cost effective. We were able to save considerable dollars in travel expenses and, by saving more than 60 hours of travel time, complete the examination in only one week. Overall, bank management was receptive to the process and expressed their preference for having fewer examiners on-site than in past examinations.
Patrick Bachelor, Examiner, Kansas City, MO
Prior to the development and acceptance of FDICconnect, CDs/DVDs were often the primary means of obtaining imaged documents at examinations. Many bankers and examiners continue to use CDs/DVDs, particularly when Internet connections are not available or access speeds are poor. Bank management can aggregate and copy requested examination information to CDs/DVDs for review by examiners, much as they would for e-Exams using FDICconnect. Bankers and examiners have also found that CDs/DVDs can easily be used to obtain missing documentation or to meet additional examiner requests once the examination has commenced. For example, if examiners are on-site and missing just a couple of policies or a loan file, it may be easier to copy these documents to a CD/DVD and simply hand it to the examiners rather than establishing an FDICconnect session for an electronic transfer. In general, using CDs/DVDs requires very little technical assistance. However, some additional security precautions are necessary. Bankers sometimes express reservations about having electronic data, including confidential customer information, outside the institution’s control because of privacy and security issues related to safeguarding such information. The FDIC shares this concern and therefore requires that CDs/DVDs be properly secured through encryption and that proper physical security controls be in place when transporting disks.
Some institutions maintain information on a web server. Under this arrangement, examiners use standard web browsers and FDIC laptops to retrieve images over the Internet via encrypted sessions. The institution and the FDIC are able to secure the confidentiality and integrity of bank information by using user ID/password authentication and by enforcing appropriate access controls to restrict examiners’ abilities to create, modify, or delete bank information.
Because much of the information required to conduct an examination is already available on the institution’s web server, bank management often has to expend little, if any, effort to meet examiner requests for information. This approach for accessing bank information is considered reliable, consistent, and effective. Again, there are some additional security precautions that have to be taken with web-based applications. Although there is some concern that direct website access may not support multifactor authentication (i.e., user ID/password, biometrics, or token-based devices), examiners’ limited access (just for the duration of the examination, only within business hours, and to a single URL address) reduces the potential for examiners to be misdirected or subject to a successful phishing attempt.
Registering with FDICconnect
The FDIC encourages all financial institutions to register to use FDICconnect by completing a Designated Coordinator (DC) Registration Form available at https://www2.fdicconnect.gov. Because an executive officer of the financial institution is required to sign the registration form, each institution’s management is aware of the principal person on their staff who “speaks for the institution” using FDICconnect.
Institutions should choose the coordinator carefully and implement controls to address operational risks inherent in online transactions. FDICconnect staff will provide the coordinator with technical guidance for using FDICconnect. The coordinator may designate other individuals’ access to execute transactions on behalf of the institution. These users can be employees of the institution, the holding company, an outside data servicer, or a law firm. When appropriate, such as in the case of data servicers, authorized FDICconnect users may execute transactions on behalf of more than one institution.
The Future of the e-Exam
Technology will continue to offer new ways to make examinations more efficient. As the banking industry continues to take advantage of advancements in technology, such as document imaging and remote access capabilities, the use of e-Exam procedures will doubtless grow.
The FDIC has established an e-Exam Working Group to monitor developments in technology, including imaging. This working group, with the help of subject-matter experts in the FDIC regions, will:
- Monitor changes in technology;
- Provide an accurate system for tracking institutions with document imaging;
- Ensure that policies and procedures are updated;
- Provide recommendations for meeting increases or changes in hardware and software needs so that we can respond to advancements in the industry; and
- Pilot, test, and develop procedures for new technologies.
As the landscape of technology evolves, the examination process must also evolve to ensure that the FDIC is conducting business in the most effective, efficient, and secure manner. The FDIC’s e-Exam policy was developed in that spirit, improving the efficiency of the examination process without compromising its integrity.
Stephen P. Jones, Case Manager, San Francisco, CA
Shawn D. Meyer, Field Supervisor (Risk Management), Madison, WI
1 Division of Supervision and Consumer Protection Memorandum, “e-Exam Policy,” Transmittal No. 2006-018, July 7, 2006. Under the e-Exam policy, examiners are directed to maximize the use of electronic information, when available, to conduct examinations and visitations.
2 The following portions of the fair lending review must be conducted on-site: criteria interview, a sample of actual loan files to ensure imaged files received electronically are complete, and any follow-up discussions if the off-site file review indicates possible disparate treatment.
3 In 2004, the FDIC implemented a Document Imaging Survey, completed by examiners in conjunction with examinations, to assess the potential for using imaging technologies in future examinations. The survey was replaced on May 21, 2007, with an enhanced e-Exam Imaging Inventory, which examiners will use to monitor the extent of banks’ use of imaging technologies and to assist with identifying developing technologies.