The Federal Deposit Insurance Corporation (FDIC) plays a critical role in maintaining the safety and soundness at financial institutions, and the stability of our financial system. The agency insures more than $7.4 trillion in deposits at more than 5,400 financial institutions, and directly supervises approximately 3,500 of these banks.
Each year, Federal Inspectors General are required to identify and report on the top challenges facing their respective agencies, pursuant to the Reports Consolidation Act of 2000. The Office of Inspector General (OIG) has identified the Top Management and Performance Challenges facing the FDIC, based upon the OIG’s experience and observations from our oversight work, reports by other oversight bodies, review of academic and other relevant literature, perspectives from Government agencies and officials, and information from private sector entities. Our report recognizes the following nine Challenges at the FDIC:
Enhancing Oversight of Banks’ Cybersecurity Risk: Cybersecurity continues to be a critical risk facing the financial sector. Cyber risks can affect the safety and soundness of institutions and lead to the failure of banks, thus causing losses to the FDIC’s Deposit Insurance Fund. The FDIC’s information technology (IT) examinations should ensure strong management practices within financial institutions and at their service providers.
Adapting to Financial Technology Innovation: FDIC policymakers and examiners must keep pace with the adoption of new financial technology to assess its impact on the safety and soundness of institutions and the stability of the banking system. The pace of change and breadth of innovation requires that the FDIC create agile and nimble regulatory processes, so that it can respond to, and adjust policies, examination processes, supervisory strategies, preparedness and readiness, and resolution approaches, as needed.
Strengthening FDIC Information Security Management: The FDIC maintains thousands of terabytes of sensitive data within its IT systems and has more than 180 IT systems that collect, store, or process Personally Identifiable Information (PII). FDIC systems also hold sensitive supervisory data about the financial health of banks, bank resolution strategies, and resolution activities. The FDIC must continue to strengthen its implementation of governance and security controls around its IT systems to ensure that information is safeguarded properly.
Preparing for Crises: The FDIC must be prepared for a broad range of crises that could impact the banking sector. The FDIC’s readiness activities should help to ensure the safety and soundness of institutions, as well as the stability and integrity of our nation’s banking system.
Maturing Enterprise Risk Management: Enterprise Risk Management (ERM) is a critical part of an agency’s governance, as it can inform prudent decision-making at an agency, including strategic planning, budget formulation, and capital investment. The FDIC established an ERM program office in 2011, but has neither developed the underlying ERM program requirements nor realized the benefits of a mature ERM program.
Sharing Threat Information with Banks and Examiners: Federal Government agencies and private-sector entities share information about threats to U.S. critical infrastructure sectors, including the financial sector. The FDIC must ensure that relevant threat information is shared with its supervised institutions and examiners as needed, in a timely manner, so that actions can be taken to address the threats.
Managing Human Capital: The FDIC relies on skilled personnel to fulfill its mission. Forty-two percent of FDIC employees are eligible to retire within 5 years, which may lead to knowledge and leadership gaps. To ensure mission readiness, the FDIC should find ways to manage this impending shortfall. In addition, the FDIC should seek to hire individuals with advanced technical skills needed for IT examinations and supervision of large and complex banks.
Administering the Acquisitions Process: The FDIC relies heavily on contractors for support of its mission. The average annual expenditure by the FDIC for contractor services over the past 5 years has been approximately $587 million. The FDIC should maintain effective controls to ensure proper oversight and management of such contracts and should conduct regular reviews of contractors. The FDIC should also perform due diligence to mitigate security risks associated with supply chains for goods and services.
Improving Measurement of Regulatory Costs and Benefits: Before issuing a rule, the FDIC should ensure that the benefits accrued from a regulation justify the costs imposed. The FDIC should establish a sound mechanism to measure both costs and benefits at the time of promulgation, and it should continue to evaluate the costs and benefits of a regulation on a regular basis, even after it has been issued.
We hope that our report is informative for policymakers, including the FDIC and Congressional oversight bodies, and the American public about the programs and operations at the FDIC and the Challenges it faces.