On-site bank examinations play a key role in the supervisory process. The written report of examination (ROE) is the principal document of record by which examination findings and conclusions are communicated to banks. The vast majority of institutions, encompassing a wide range of business models, activities, and risk profiles, receive satisfactory examination ratings. For these satisfactorily rated institutions, examinations can provide an early warning of operational issues that need improvement. Significant recommended improvements are communicated in the ROE as Matters Requiring Board Attention (MRBA).1 When bank management promptly takes action to address concerns detailed in MRBAs, potential problems can be fixed early, before they become more difficult to address.
Analyzed collectively, MRBA trends can provide a picture of risks that may be developing within the industry. Many bankers are interested in hearing about issues and risks that examiners are observing in the field to proactively address weaknesses in their institutions. In that spirit, this article summarizes the types of issues identified by risk management examiners as reflected by MRBAs listed in FDIC ROEs from 2011 through 2015, focusing primarily on activities reported in the last two years.2
An important initial observation is that the percentage of FDIC risk management examinations resulting in MRBAs is on the decline. In 2015, 36 percent of examinations of satisfactorily rated institutions resulted in MRBAs, down substantially from 55 percent in 2011 (see Chart 1).
Moreover, the types of issues identified in MRBAs have not been static and to some extent mirror changes in the risks facing the banking industry. The remainder of this article describes MRBA trends at a high level in relation to banking-industry risks, provides more detail about selected MRBA categories highlighted in ROEs, and notes the satisfactory response by most bankers to addressing issues identified in MRBAs.3
MRBA Trends and Banking Industry Risks
By a wide margin, loans and management-related issues have been the most frequently cited categories of MRBAs at satisfactorily rated banks during the five-year period reviewed for this article (see Chart 2). As indicated in Chart 2, MRBAs cited in the board/ management category increased and represent most of the MRBAs reported in 2014 and 2015. Most deficiencies cited relate to policies and procedures or the audit function, highlighting the need for enhancements to corporate governance. Corporate governance requires close cooperation between a bank’s board and senior management and an awareness and understanding of the bank’s risk profile. Failure to identify, measure, monitor, and control areas of risk can lead to unnecessary exposure to loss. Evaluating a bank’s risk profile includes assessing the business model for risk; determining how those risks and growth plans will be managed; and considering the potential impact external threats could have on the bank’s operating environment. The FDIC published a special corporate governance edition of Supervisory Insights in April 2016, which highlights key governance concepts, roles, and responsibilities of directors and senior management and provides a list of resources to help bank directors fulfill their duties.4
As credit quality improves in the banking industry, the frequency of MRBAs in the loans category has steadily declined. However, trends within loan subcategories indicate that an increasing proportion of loan-related MRBAs are addressing concentration risk management. Since community banks typically serve a relatively small market area and generally specialize in a limited number of loan types, concentration risks are a part of doing business. Consequently, the way these banks manage their concentration risk is important. In 2014, approximately 12 percent of loan-related MRBAs addressed concerns with the risk management practices governing concentrated loan exposures; in 2015, credit concentration-related MRBAs rose to 22 percent. Recommendations related to credit concentration risk management practices frequently addressed the need to establish risk limits, implement or improve internal monitoring and board reporting, or enhance practices for evaluating the sensitivity of the concentration to stressed conditions, including the regular validation of assumptions.
The trend in concentration-related MRBAs is consistent with Call Report data showing the percentage of banks with elevated concentrations and high growth has significantly increased during the past few years. From 2013 to 2015, roughly one-third of all banks reported a total CRE or total agriculture concentration over 300 percent of total capital. Of these banks, the percentage with a three- year growth rate in excess of 50 percent in either portfolio increased from 23 percent at year-end 2013 to 34 percent at year-end 2015; this percentage increased to 39 percent in the first quarter of 2016. For banks with unusually rapid loan growth or heightened concentrations, effective risk management and responsiveness to MRBAs, as applicable, can reduce the likelihood of future problems.
Approximately 38 percent of the satisfactorily rated institutions with MRBAs reported in 2014 and 2015 also reported concentration levels in total CRE, ADC, or agriculture.5 The most frequently cited MRBA categories for this group of concentrated institutions, like other banks, are board/management and loans. For the concentrated banks, however, there has been a recent increase in the frequency of MRBAs related to liquidity risk (see Chart 3). The increase in liquidity-related MRBAs among credit- concentrated institutions is generally consistent with Call Report data indicating that the proportion of liquid assets to total assets held by smaller banks has been trending downward. At concentrated institutions with total assets less than $1 billion, one measure of highly liquid interest- bearing assets decreased from 9.1 percent of total assets in 2013 to 6.6 percent of total assets as of March 31, 2016.6 As the economy continues to expand and credit volumes increase, the board of directors and bank management should ensure strong risk management policies are in place, effective risk limits are established and monitored, and suitable audit practices are implemented
Liquidity issues cited in MRBAs are focused in asset liability management weaknesses followed by corporate governance deficiencies related to contingency funding plans. The federal banking regulatory agencies issued guidance in April 2010 on sound practices for managing funding and liquidity risk and strengthening liquidity risk management practices.7 This guidance emphasizes the importance of cash-flow projections, diversified funding sources, stress testing, a cushion of liquid assets, and contingency funding plans as essential tools for measuring and managing liquidity risk. The guidance also indicates that the agencies expect each financial institution to manage funding and liquidity risk using processes and systems that are commensurate with the institution’s complexity, risk profile, and scope of operations.
Finally, the information technology (IT) environment remains a challenging area of business risk and warrants bank management’s oversight and continuing due diligence. In a recently published Supervisory Insights article, the FDIC provided an overview of threats in the cybersecurity area and discussed how financial institutions’ information security programs can be enhanced to address evolving cybersecurity risk.8 In addition, the FDIC has produced a series of videos on cybersecurity awareness designed to help bank directors understand cybersecurity risks and evaluate related risk management programs.9 IT was cited in approximately 22 percent of the satisfactorily rated institutions with MRBAs during the past two years; this level of MRBAs indicates that IT and cybersecurity should be an area of increasing focus by bank management and boards. MRBAs in the IT area include the need for management to strengthen the Information Security Program, risk assessments, vendor management, and disaster recovery and business continuity plans.
Issues Identified by Examiners within Selected MRBA Categories
As noted earlier, among the decreasing proportion of institutions that have MRBAs, an increasing proportion of those MRBAs relate to board and management issues. In 2014-2015, board/management issues were listed more frequently than any other MRBA category. Board/ management issues were cited in 57 percent of all ROEs with MRBAs listed compared to approximately 45 percent addressing lending deficiencies (see Chart 4).
Within the broad category of board/ management, almost half the MRBAs were related to corporate governance issues attributable to incomplete or ineffective policies (see Chart 5). Corporate governance issues include revising or expanding policies to provide a clear governance framework; ensuring those policies incorporate sound objectives, procedures, and risk limits; and monitoring bank officer and employee compliance with those policies, banking laws, and regulations.
About 31 percent of the board/ management-related MRBAs addressed audit concerns. Audit recommendations included the need for improvements to audit plans so that such plans can better address an institution’s risk profile, as well as the need for increased board or management oversight of the audit function. Although not counted in the audit total under the board/management category, MRBAs regarding independent reviews were included within several of the subject areas listed in Chart 5. About 20 percent of all MRBAs reported among satisfactorily rated banks in 2014 and 2015 cited matters relating to independent review.10 Other board/management-related MRBAs included strategic planning, matters related to insider or affiliate activities, succession planning, appropriate staffing or training, risk management practices, and overall board oversight.
The second most commonly cited category for 2014 and 2015 was the lending function with more than two-thirds of those MRBAs relating to credit administration (see Chart 6). These MRBAs include the need to improve loan review and the loan grading system; prepare global cash flow analysis; and reduce technical credit data or collateral documentation exceptions.
About one-fourth of loan-related MRBAs addressed elevated volumes in problem assets, and a similar percentage focused on the ALLL. MRBAs directed at problem assets included the need to reduce the level of criticized assets, nonperforming loans, nonaccruals, and past dues; implement risk reduction plans for criticized assets above a defined dollar threshold; and update or improve work out plans on adversely classified assets. Matters related to the ALLL typically involved the need to correct deficiencies identified with the methodology, improve qualitative or quantitative factors used to support calculations, or provide for additional provisions to restore the institution’s ALLL to an appropriate level.
The remaining noteworthy sub-category in lending-related MRBAs pertains to concentrations of credit. Concentrations are identified by common characteristics such as collateral, geographic area, industry, product line, or some other commonly shared distinction. Roughly 16 percent of loan-related MRBAs in 2014 and 2015 addressed rising concentration risk, reflecting the need for increased monitoring and oversight of concentrations of commercial real estate (CRE), agriculture, commercial and industrial (C&I), and acquisition, development, and construction (ADC) loans.
After board/management issues and loans, the next most frequently cited MRBA category in 2014 and 2015 was apparent violations of laws or regulations or contraventions of statements of policy and nonconformance with regulatory guidance. This category was reported in approximately 30 percent of all ROEs with MRBAs listed. MRBAs in the violations category focused on a board of directors’ need to correct apparent violations of banking laws or regulations, resolve contraventions of statements of policy, and to reduce such instances in the future.11
The next most commonly recorded MRBA category was interest rate risk (IRR) concerns, reported in more than 27 percent of the ROEs that contained MRBAs. IRR matters frequently focused on the need to develop strategies that more effectively monitor, measure, and control IRR, including establishing risk tolerance parameters for IRR model results; enhance models to better address risks present in the institution’s balance sheet; and improve board oversight of models that measure and monitor IRR.12
MRBAs addressing IT concerns were identified in about 22 percent of ROEs followed by MRBAs associated with earnings-related matters in approximately 18 percent of ROEs in 2014 and 2015. MRBAs in the IT area focused on improvements needed in information security programs, including the need for expanded risk assessments, independent reviews of controls and systems in place, vendor management programs, data and physical security, and business continuity plans. Earnings MRBAs were centered on the need to improve earnings to a satisfactory level by developing and implementing budgeting or profit planning strategies to improve core earnings.
Bank Management Response to MRBAs
Bank management is generally responsive to addressing weaknesses identified in the MRBAs. In about 70 percent of the MRBAs reported in 2014 and 2015 examinations, bank management sufficiently addressed problem areas in the first response. This is somewhat less than the first- response resolution rate of over 80 percent for MRBAs cited during examinations from 2010 to 2013, but still reflects a satisfactory response by most bankers to resolve issues identified in MBRAs. The FDIC continues to request additional information from bank management on any outstanding MRBA until the issue is satisfactorily resolved. This may be the case, for example, when management’s responses are general in nature and lack sufficient details about how management addressed or planned to address the MRBA. Management’s and the board’s willingness to effectively address weaknesses in a timely manner is essential for mitigating potential risks and fostering long-term financial bank stability.
Conclusion
The MRBA trends discussed in this article emphasize the need for strong risk management policies and practices, particularly as credit volumes continue to increase during this current economic expansion. MRBAs identified at examinations over the past two years have often called for a heightened management focus on corporate governance practices, credit administration, and rising credit concentrations, with attention also warranted in the areas of IT and liquidity. How banks address weaknesses and risks identified during examinations can be of critical importance to their long-term financial health. The FDIC continues to use MRBAs to highlight areas of potential risk that, if addressed timely and effectively by bank boards of directors and senior management, can reduce the likelihood those institutions will experience serious negative financial effects.
Angela M. Herrboldt
Senior Examination Specialist
Division of Risk Management Supervision
aherrboldt@fdic.gov
Kenneth A. Weber
Senior Quantitative Risk Analyst
Division of Risk Management Supervision
kweber@fdic.gov
1 The MRBA page was added to the Report of Examination in 1993 in conjunction with the Interagency Policy Statement of the Uniform Common Core Report of Examination released by the four federal banking agencies. These agencies in 1993 were the Office of the Comptroller of the Currency, FDIC, Federal Reserve Board, and Office of Thrift Supervision.
2 The analysis in this article reflects data collected from FDIC-supervised institutions rated “1” or “2” as defined by the Uniform Financial Institutions Rating System, FIL-105-96, “Adoption of Revised FFIEC Policy Statement on Uniform Financial Institutions Rating System,” December 26, 1996. https://www.fdic.gov/news/news/financial/1996/fil96105.html.
3 A similar article analyzing MRBA trends between 2010 and 2013 was published in a previous Supervisory Insights issue. Goni, Catherine H., Vigil, Paul S., Von Arb, Larry R., and Weber, Kenneth A. “Supervisory Trends: ‘Matters Requiring Board Attention’ Highlight Evolving Risks in Banking,” Supervisory Insights, Volume 11, Issue 1, Summer 2014. https://www.fdic.gov/regulations/examinations/supervisory/insights/sisum14/sisum14.pdf.
4 Miller, Rae-Ann, Newbury, Laura B., Gross, Judy E., and Sen, Surge. “A Community Bank Director’s Guide to Corporate Governance: 21st Century Reflections on the FDIC Pocket Guide for Directors,” Supervisory Insights, April 2016 https://www.fdic.gov/regulations/examinations/supervisory/insights/sise16/si-se2016.pdf.
5 Concentration thresholds for purposes of this article are total CRE to total capital over 300 percent, ADC to total capital greater than 100 percent, or agriculture to total capital over 300 percent. These figures are not supervisory limits on exposures.
6 Highly liquid interest-bearing assets as measured by interest-bearing balances from depository institutions, Federal funds sold, and securities purchased under agreements to resell.
7 FIL-13-2010, “Funding and Liquidity Risk Management Interagency Guidance,” April 5, 2010. https://www.fdic.gov/news/news/financial/2010/fil10013.html.
8 Benardo, Michael B. and Weatherby, Kathryn M. “A Framework for Cybersecurity,” Supervisory Insights, Winter 2015 https://www.fdic.gov/regulations/examinations/supervisory/insights/siwin15/siwinter15-article1.pdf.
9 Cybersecurity Awareness videos, Directors’ Resource Center, Technical Assistance Video Program https://www.fdic.gov/regulations/resources/director/technical/cybersecurity.html.
10 An independent review includes those reviews performed by a competent, objective, and independent party that may include verifying or validating important risk management programs or systems within the bank. Independent reviews need not be conducted by outside parties; such reviews can often be conducted by bank personnel with sufficient expertise and independence of the area being reviewed. MRBAs cited for independent review weaknesses were included in interest rate risk (IRR), allowance for loan and lease losses (ALLL), Bank Secrecy Act (BSA), or IT categories.
11 Examples of apparent violations of laws and regulations and contraventions of FDIC statements of policy cited in MRBAs include 12 CFR 337.3 (limits on extensions of credit to executive officers, directors, and principal shareholders of insured nonmember banks); 12 U.S.C. 1828(j) (restrictions on transactions with affiliates, which apply the restrictions in sections 23A and 23B of the Federal Reserve Act to state nonmember banks); 12 CFR Part 323 (appraisals); 12 CFR Part 326 (minimum security devices and procedures and Bank Secrecy Act compliance); 12 CFR Part 353 (Suspicious Activity Reports); Interagency Policy Statements on Interest Rate Risk Management, Appraisal and Evaluation Guidelines, Allowance for Loan and Lease Losses, and Guidance on Concentrations in Commercial Real Estate Lending and Sound Risk Management Practices.
12 Refer to www.fdic.gov for IRR resources including directors’ resource videos on IRR at http://www.fdic.gov/regulations/resources/director/technical/irr.html, Financial Institution Letter FIL 2-2010 - Financial Institution Management of Interest Rate Risk https://www.fdic.gov/news/news/financial/2010/fil10002.html, and Financial Institution Letter FIL 46-2013 - Managing Sensitivity to Market Risk in a Challenging Interest Rate Environment https://www.fdic.gov/news/news/financial/2013/fil13046.html.