Appeals of Material Supervisory Determinations: Guidelines & Decisions
SARC-98-05 (July 17, 1998)
Your appeal of a material supervisory determination was decided by the Supervision Appeals Review Committee (Committee) of the Federal Deposit Insurance Corporation (FDIC) on July 16, 1998. The Committee considered your appeal of [Bank] (Bank) composite rating and the conclusions of the joint Information Systems examination as of February 10, 1998, and concluded that the composite rating and overall findings of the report to examination are appropriate. Commissioner Lynn Y. Wakatsuki of Hawaiis Division of Financial Institutions was provided a copy of your letter of appeal, as the examination was prepared jointly by the State and the FDIC. Commissioner Wakatsuki responded that the Division of Financial Institutions continues to concur with the ratings and overall findings of the report.
We have given careful consideration to the issues raised in your appeal letter of June 4, 1998. Although we have concluded that the composite rating and the overall conclusions regarding Year 2000 risk were accurately reflected in the report, we do recognize the positive steps taken by management since the examination, particularly with respect to preparation for the Year 2000. While much additional work is necessary, we hope your ongoing efforts to address the criticisms enumerated in the examination report will strengthen the areas of identified weakness and result in improved ratings in future examinations.
This appeal was reviewed separately from the proposed enforcement actions being considered regarding the Information Systems (IS) examination and Year 2000 issues. As stated in Financial Institutions Letter-28-95 dated April 4, 1995 Guidelines for Appealing Material Supervisory Determinations, decisions to initiate formal or informal enforcement actions may not be appealed. Concerns raised in the appeal letter regarding the assessment of management and its response to Year 2000 risk were reviewed in the context of the composite rating of the IS examination and in the assessment of Banks Year 2000 readiness. The Year 2000 readiness was considered separately by the Committee, notwithstanding the fact that Year 2000 risk is also factored into the composite rating for the IS examination. The Committees findings on the composite IS examination rating and the Year 2000 assessment are presented below along with an explanation of the reason for the decision.
The appeal letter states that Banks appealing from conclusions and determinations in EDP Report of Examination, commenced February 10, 1998. Accordingly, the conclusions and the supporting information provided in the report were reviewed to determine if the composite rating of 4 appropriately reflected the condition of Banks information systems. We have concluded that the composite rating is appropriate and that the report satisfactorily identifies and addresses the deficiencies that resulted in the overall unsatisfactory condition of operations and controls relating to the information systems function.
Most of the deficiencies listed in previous examination reports remain uncorrected. The resources expended to address the problems associated with the mismanaged 1997 computer conversion limited the time available to rectify these identified problems, which continue to require managements prompt attention. Management has failed to adequately plan, organize, control, or monitor the conversion process. The conversion resulted in using a significant amount of human resources to attempt to balance accounts and perform manual calculations due to unreliability of the system output.
In particular, managements concerted efforts in the areas of audit, management, operations, and Year 2000 readiness are required in order to achieve a satisfactory rating for Banks information systems. These areas are fully described in the February 10, 1998 Information Systems examination prepared jointly by the FDIC and the State. The letter of appeal did not specifically contest any of the findings in these areas and each deficiency listed in the report is considered significant. In combination with managements failure to satisfactorily address problems listed in previous examinations, these deficiencies have resulted in the unacceptable condition of the data processing function, and the resulting composite rating of 4.
The composite rating 4, as was disclosed in the report of examination, states in part that Data centers in this group are operating under unacceptable conditions which could impair future viability. In contrast to the description of a composite 4 rating, a key aspect of a composite 3 rating is that The overall strength of management and supporting staff and the financial capacity of the data center are such as to make operational failure only a remote possibility. Since management has not yet demonstrated its effectiveness by rectifying the ongoing problems, we believe the composite rating of 4 fairly characterizes the condition of the information systems. While we recognize that the visitation conducted in June did note some limited progress since the examination, the overall findings of the joint Informations Systems examination as of the examination date fully support the rating assigned. The supervisory response to the joint examination will be provided to you by the San Francisco Regional Office and the State.
Year 2000 Assessment
The appeal letter stated that the conclusions regarding management and its response to the Year 2000 risk and the determinations resulting there are wrong and unsupported. They are driven by an agenda having nothing to do with the results of the examination. Considering the overall comments on Year 2000 issues contained in the appeal, we reviewed the efforts of management to address Year 2000 issues as disclosed in the report, and carefully reviewed those efforts in comparison to the guidelines set forth by the Federal Financial Institutions Examination Council (FFIEC). These guidelines, which apply to all federally supervised financial institutions, are an integral part of our supervisory process with the goal being to ensure that financial institutions avoid major disruptions due to Year 2000 issues. We have concluded that Banks apparent non-existent efforts as of the date of the examination regarding Year 2000 risk, and its failure to conform to even the most basic guidance as described in the various FFIEC Interagency Statements, were fairly portrayed in the Information Systems report of examination.
We understand that your institution is small and has limited transaction activity, especially in comparison to commercial banks. Nonetheless, the failure of Banks computer system due to year 2000 problems would threaten the ongoing operations of the institution. The problems associated with most recent computer conversion serve to highlight this point. While Bank could possibly resort to a manual system for a short period of time, the personnel cost associated with such a system preclude its long-term use. The significant amount of overtime needed at the end of 1997 to manually calculate and review year-end interest statements is a good example of the problems that would develop without the use of a computer system.
While we find that the conclusions of the February 10, 1998 examination appropriately assessed Year 2000 risk as of the examination date, we are pleased to see progress since the examination in addressing this issue. The Year 2000 Visitation Report, which commenced June 16, 1998, noted important activity toward addressing the issues outlined in the Interagency Statements. Despite the progress, the overall assessment of Year 2000 compliance of Needs Improvement at the visitation indicates continued less than satisfactory performance in key phases of the Year 2000 management process. Therefore, the Regional Office submitted to you the Memorandum of Understanding to serve as an informal corrective program. Management is urged to comply with each of the provisions of the Memorandum of Understanding to diminish the risk of disruption to the operation of the institution as a result of Year 2000 issues.
In accordance with Guidelines for Appealing Material Supervisory Determinations, the scope of this review was limited to the facts and circumstances that existed at the time of the examination and no consideration was afforded any changes occurring after that date or to any subsequent corrective action. Such changes and corrective action were reviewed in the visitation of Year 2000 and Information Systems issues conducted since the February 10, 1998 examination. The San Francisco Regional Office has considered these actions in its determination of the proposed supervisory response.
This determination is considered the Federal Deposit Insurance Corporations final supervisory decision.
By direction of the Supervision Appeals Review Committee of the Federal Deposit Insurance Corporation.