Federal Deposit Insurance Corporation
Office of Inspector General

Annual Report of the Council of Inspectors General on Financial Oversight

This is the accessible text file for Report Entitled "Annual Report of the Council of Inspectors General on Financial Oversight - July 2019"

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

[Cover page]

Council of Inspectors General on Financial Oversight

Annual Report of the Council of Inspectors General on Financial Oversight - July 2019

(CIGFO member agency seals)

[End of Cover page]

Message from the Chair

In keeping with its mission, the Council of Inspectors General on Financial Oversight (CIGFO), which is authorized to oversee the Financial Stability Oversight Council (FSOC) operations, continued its work in 2018 and 2019. In its oversight role, it has, since 2011, established working groups that are comprised of staff from the CIGFO member Inspector General offices to conduct reviews of FSOC operations—CIGFO relies on these working groups to fulfill its mission. CIGFO issued an audit report by a Working Group convened in December 2017 that assessed FSOC’s monitoring of international financial regulatory proposals and developments. CIGFO also convened the following Working Groups:

• June 2018 – initiated a project to report on management and performance challenges identified in 2017 across CIGFO agencies. That report, Top Management and Performance Challenges Facing Financial Regulatory Organizations, was issued in September 2018.

• December 2018 – initiated a project to survey FSOC Federal members’ efforts to support implementation of the Cybersecurity Information Sharing Act. This project is expected to be completed in 2019.

• March 2019 – initiated a project to report on management and performance challenges identified in 2018 across CIGFO agencies. This project is expected to be completed in 2019.

In addition to CIGFO’s oversight activities, it has performed monitoring activities that included sharing financial regulatory information, which enhanced the Inspectors General’s knowledge and insight about specific issues related to members’ current and future work. For example, during its quarterly meetings, CIGFO members discussed efforts to increase cybersecurity and the resiliency of the financial sector; swaps regulations, including related reforms under the Dodd-Frank Wall Street Reform and Consumer Protection Act; and other legislative activities that could impact the financial regulatory system.

In the coming year, CIGFO members will continue, through their individual and joint work, to help strengthen the financial system by oversight of FSOC and its Federal member agencies.

/s/

Rich Delmar

Acting Chair, Council of Inspectors General on Financial Oversight

Acting Inspector General, Department of the Treasury

[End of Message from the Chair]

Table of Contents

The Council of Inspectors General on Financial Oversight

Council of Inspectors General on Financial Oversight Reports

Office of Inspector General Board of Governors of the Federal Reserve System and Bureau of Consumer Financial Protection

Office of Inspector General Commodity Futures Trading Commission

Office of Inspector General Federal Deposit Insurance Corporation

Office of Inspector General Federal Housing Finance Agency

Office of Inspector General U.S. Department of Housing and Urban Development

Office of Inspector General National Credit Union Administration

Office of Inspector General U.S. Securities and Exchange Commission

Special Inspector General for the Troubled Asset Relief Program

Office of Inspector General Department of the Treasury

Appendix A: Top Management and Performance Challenges Facing Financial Regulatory Organizations

Appendix B: CIGFO Audit of the Financial Stability Oversight Council’s Monitoring of International Financial Regulatory Proposals and Developments

[End of Table of Contents]

[Seal Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau]

Office of Inspector General

Board of Governors of the Federal Reserve System and Bureau of Consumer Financial Protection

The Office of Inspector General (OIG) provides independent oversight by conducting audits, inspections, evaluations, investigations, and other reviews of the programs and operations of the Board of Governors of the Federal Reserve System (Board) and the Bureau of Consumer Financial Protection (Bureau) and demonstrates leadership by making recommendations to improve economy, efficiency, and effectiveness, and by preventing and detecting fraud, waste, and abuse.

Background

Congress established the OIG as an independent oversight authority for the Board, the government agency component of the broader Federal Reserve System, and the Bureau.

Under the authority of the Inspector General Act of 1978, as amended (IG Act), the OIG conducts independent and objective audits, inspections, evaluations, investigations, and other reviews related to the programs and operations of the Board and the Bureau.

• We make recommendations to improve economy, efficiency, and effectiveness, and we prevent and detect fraud, waste, and abuse.

• We share our findings and make corrective action recommendations to the Board and the Bureau, but we do not have the authority to manage agency programs or implement changes.

• We keep the Board’s Chair, the Bureau’s Director, and Congress fully informed of our findings and corrective action recommendations, as well as the agencies’ progress in implementing corrective action.

In addition to the duties set forth in the IG Act, Congress has mandated additional responsibilities for the OIG. Section 38(k) of the Federal Deposit Insurance Act (FDI Act) requires that the OIG review failed financial institutions supervised by the Board that result in a material loss to the Deposit Insurance Fund (DIF) and produce a report within 6 months. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) amended section 38(k) of the FDI Act by raising the materiality threshold and requiring the OIG to report on the results of any nonmaterial losses to the DIF that exhibit unusual circumstances warranting an in-depth review.

Section 211(f) of the Dodd-Frank Act also requires the OIG to review the Board’s supervision of any covered financial company that is placed into receivership under title II of the act and produce a report that evaluates the effectiveness of the Board’s supervision, identifies any acts or omissions by the Board that contributed to or could have prevented the company’s receivership status, and recommends appropriate administrative or legislative action.

The Federal Information Security Modernization Act of 2014 (FISMA) established a legislative mandate for ensuring the effectiveness of information security controls over resources that support federal operations and assets. In a manner consistent with FISMA requirements, we perform annual independent reviews of the Board’s and the Bureau’s information security programs and practices, including the effectiveness of security controls and techniques for selected information systems.

OIG Reports and Other Products Related to the Broader Financial Sector

In accordance with section 989E(a)(2)(B) of the Dodd-Frank Act, the following highlights the completed and ongoing work of our office, with a focus on issues that may apply to the broader financial sector.

Completed Work

Major Management Challenges for the Board and the Bureau

Although not required by statute, we annually report on the major management challenges facing the Board and the Bureau. These challenges identify the areas that, if not addressed, are most likely to hamper the Board’s and the Bureau’s accomplishment of their strategic objectives. Among other items, we identified five major management challenges for the Board that apply to the financial sector in 2018:

• Enhancing Organizational Governance

• Enhancing Oversight of Cybersecurity at Supervised Financial Institutions

• Ensuring an Effective Information Security Program

• Advancing Efforts to Improve Human Capital Management

• Remaining Adaptable to Internal and External Developments While Refining the Regulatory and Supervisory Framework

Among other items, we identified three major management challenges for the Bureau that apply to the financial sector in 2018:

• Ensuring That an Effective Information Security Program Is in Place

• Managing the Human Capital Program

• Strengthening Controls and Managing Risks

In Accordance With Applicable Guidance, Reserve Banks Rely on the Primary Federal Regulator of the Insured Depository Institution in the Consolidated Supervision of Regional Banking Organizations, but Document Sharing Can Be Improved, OIG Report 2018-SR-B-010, June 20, 2018

The Board is the consolidated supervisor of bank holding companies (BHCs)—entities that own or control one or more banks. The Board delegates authority to each Reserve Bank to supervise the BHCs in the Reserve Bank’s District. By law, the Reserve Banks must rely to the fullest extent possible on the work of the primary federal regulator (PFR) of the BHCs’ subsidiary depository institutions. We conducted this evaluation to assess the effectiveness of the consolidated supervision of regional banking organizations (RBOs). We reviewed how Reserve Banks rely on other federal regulators to conduct consolidated supervision of RBOs—each with $10–$50 billion in assets.

In accordance with applicable guidance related to consolidated supervision, the Reserve Banks relied on the respective PFR of RBOs’ insured depository institutions to supervise the RBOs we sampled. We also noted that the Reserve Banks appear to have increased their reliance on the PFRs.

We identified an opportunity for the Board to establish general guidelines for reliance on PFR documents and to ensure that all examiners have access to those documents. In addition, we found that the Board and the Reserve Banks could improve document-sharing processes. Finally, several RBO executives noted the potentially avoidable regulatory burden created because RBO employees sometimes upload the same documentation to multiple systems in response to Reserve Bank and PFR documentation requests.

Our report contains recommendations designed to improve document sharing among the Board, the Reserve Banks, and the PFRs. The Board concurred with our recommendations.

The Board’s Currency Shipment Process Is Generally Effective but Can Be Enhanced to Gain Efficiencies and to Improve Contract Administration, OIG Report 2018-FMIC-B-021, December 3, 2018

The Board’s Banknote Issuance and Cash Operations section is responsible for the currency shipment process. This process includes monitoring and forecasting the demand for currency and planning and executing the issuance of currency to Reserve Bank cash offices. We assessed the efficiency and effectiveness of the Board’s management of the currency shipment process and the effectiveness of related contracting activities.

The Board’s currency shipment process is generally effective; however, the process can be enhanced to gain time and cost efficiencies. Streamlining the currency forecasting process could save time and minimize the potential for human error. Selecting different transportation modes for certain currency shipment routes and evaluating alternatives to transporting shipping equipment could yield transportation cost savings.

Additionally, the Board can improve the administration of its armored carrier contracts to help ensure that the Board is adequately protected against loss or damage during shipments, that armored carriers are adequately protecting Board data, and that the Board is receiving the expected level of service.

Our report contains recommendations designed to help the Board seek additional efficiencies in the currency shipment process and to improve the administration of armored carrier contracts. The Board concurred with our recommendations.

Knowledge Management for the Board’s Comprehensive Liquidity Analysis and Review Is Generally Effective and Can Be Further Enhanced, OIG Report 2018-SR-B-013, September 5, 2018

Through the Comprehensive Liquidity Analysis and Review (CLAR) program, the Federal Reserve System conducts a horizontal supervisory assessment of liquidity risk and risk management practices across Large Institution Supervision Coordinating Committee (LISCC) firms—the largest, most complex financial firms under Board supervision. We assessed the System’s knowledge management processes, practices, and systems in support of the CLAR program.

The CLAR program’s knowledge management practices generally align with many of the leading practices described in the academic studies and Harvard Business Review articles we reviewed related to preserving and transferring institutional knowledge. For example, CLAR leadership has fostered a culture that prioritizes knowledge management; CLAR teams practice regular, team-based collaboration; and the CLAR program uses an information-sharing application to capture, store, and share institutional knowledge. As a result, the CLAR program appears to preserve and maintain institutional knowledge related to supervisory findings and fosters effective collaboration.

Although the CLAR program has generally effective knowledge management practices, the practices can be further strengthened by (1) increasing CLAR program employees’ awareness of management’s office hours, during which they can discuss the rationale for decisions made during the CLAR letter-writing process; (2) formalizing employee onboarding procedures; and (3) standardizing the CLAR Steering Committee’s approach to meeting minutes.

Our report contains recommendations designed to further enhance the CLAR program’s knowledge management practices. The Board concurred with our recommendations.

Review of the Failure of Fayette County Bank, OIG Report 2018-SR-B-016, September 26, 2018

In accordance with the requirements of section 38(k) of the Federal Deposit Insurance Act, as amended by the Dodd-Frank Act, we conducted an in-depth review of the failure of Fayette County Bank (FCB) because the failure presented unusual circumstances that warranted an in-depth review.

FCB failed primarily because of an aggressive growth strategy coupled with ineffective oversight by its board of directors, leading to declining asset quality and rapid capital depletion. In addition, the bank’s board of directors was unable to hire and retain effective management following a long-tenured Chief Executive Officer’s retirement in December 2012.

The Federal Reserve Bank of St. Louis generally took decisive supervisory action to address FCB’s weaknesses and deficiencies during the time frame we reviewed, 2011 through 2017, by appropriately downgrading the bank’s CAMELS composite rating consistent with its risk profile and promptly issuing an emergency supervisory directive. The Federal Reserve Bank of St. Louis’s supervisory activity included formal enforcement actions and a recommendation to implement an enforcement action against an FCB bank official.

Our review resulted in a finding related to enhanced communication between the Board’s Legal Division and the Federal Reserve Bank of St. Louis. Because our office has recently issued a recommendation to address that communication issue, our report contains no new recommendations.

The Bureau Can Improve Its Follow-Up Process for Matters Requiring Attention at Supervised Institutions, OIG Report 2019-SR-C-001, January 28, 2019

During the examination process, Division of Supervision, Enforcement and Fair Lending (SEFL) employees may identify corrective actions that a supervised institution needs to implement to address certain violations, deficiencies, or weaknesses. These corrective actions include Matters Requiring Attention (MRAs). We assessed SEFL’s effectiveness in monitoring MRAs and ensuring that supervised institutions address them in a timely manner.

SEFL can improve its follow-up process for MRAs. For example, we found that the Bureau’s approach for measuring how timely it resolves MRAs is prone to misinterpretation and therefore appeared to overstate the agency’s progress toward closing these actions. We also determined that some of the underlying data used to calculate the measurement were not reliable. Additionally, we observed inconsistent MRA follow-up documentation and workpaper retention practices in certain areas.

Our report contains recommendations designed to further enhance the MRA follow-up process. The Bureau concurred with our recommendations.

Security Control Review of the Bureau’s Mosaic System, OIG Report 2018-IT-C-012R, June 27, 2018

Mosaic, a public-facing web application running on a cloud-based platform-as-a-service, is used by the Bureau to manage consumer complaints related to financial products and services. It also provides the Bureau with enhanced services and tools related to workforce and resource management; entity boarding; and the creation and management of investigative records, company ratings, and surveys. In accordance with FISMA requirements, we evaluated the effectiveness of specific (1) security controls for the Mosaic system and (2) components of the planning, development, and delivery processes used for the system as they relate to the Bureau’s risk management program.

Overall, we found that the security controls we tested for the Mosaic system were operating effectively. Further, specific components of the planning, development, and delivery processes used for the system, as they relate to the Bureau’s risk management program, were performed effectively. For instance, we found that controls related to continuous monitoring, vulnerability scanning and remediation, and system and information integrity were operating effectively. Further, the Bureau developed a business case, which included an analysis of the benefits and risks, prior to implementing Mosaic. However, we found that the Bureau can strengthen controls in the area of identity and access management to ensure that the security control environment for Mosaic remains effective.

We made a recommendation in the area of identity and access management controls for Mosaic. The Bureau concurred with our recommendation. In addition, our report includes matters for management’s consideration in the areas of audit and accountability, contingency planning, and configuration management.

The Bureau Can Improve Its Risk Assessment Framework for Prioritizing and Scheduling Examination Activities, OIG Report 2019-SR-C-005, March 25, 2019

The scope of the Bureau’s financial institution oversight authorities covers depository institutions with more than $10 billion in total assets and thousands of nondepository institutions. The Bureau seeks to prioritize its examination activities based on an annual assessment of the risks that the products offered by these financial institutions present to consumers. We assessed the effectiveness of SEFL’s risk assessment framework, including the identification, analysis, and prioritization of specific institution product lines for examination, and we reviewed each region’s implementation of the results of the prioritization process through examination scheduling.

We identified opportunities for the Bureau to improve its risk assessment framework for prioritizing and scheduling examinations. Specifically, SEFL’s approach for assigning a key risk score to individual institution product lines is not transparent for some Bureau employees involved in the scoring process; these employees would benefit from additional training and guidance on that process. We also found that SEFL can improve its preliminary research on supervised institutions. Finally, we found that SEFL can improve the internal reporting of changes to the examination schedule.

Our report contains recommendations designed to improve the Bureau’s risk assessment framework for prioritizing and scheduling examination activities. The Bureau concurred with our recommendations.

Ongoing Work

Evaluation of the Effectiveness of the Board’s Cybersecurity Supervision (Phase 2)

We identified cybersecurity oversight at supervised financial institutions as a major management challenge for the Board on an annual basis from 2015 to 2018. In 2017, we issued a report focused on cybersecurity supervision of multiregional data processing servicers and financial market utilities, among other topics. We have initiated the second phase of our cybersecurity oversight activities focused on assessing the Board’s cybersecurity supervision of the nation’s largest and most systemically important financial institutions—those institutions in the Board’s Large Institution Supervision Coordinating Committee portfolio.

Audit of the Federal Reserve System’s Supervision and Oversight of Designated Financial Market Utilities

Title VIII of the Dodd-Frank Act grants the Board the authority to supervise certain financial market utilities designated as systemically important by the Financial Stability Oversight Council. Title VIII also grants the Board the authority to consult with federal agencies that supervise other designated financial market utilities. This project will assess the Federal Reserve System’s (1) process for supervising and overseeing designated financial market utilities and (2) processes for reviewing notices of material change from these institutions. We also plan to review the System’s collaboration with other federal agencies in these areas.

Evaluation of the Efficiency and Effectiveness of the Board’s and the Reserve Banks’ Enforcement Action Issuance and Termination Processes

The Board may take formal enforcement actions against supervised financial institutions for violations of laws, rules, or regulations; unsafe or unsound practices; breaches of fiduciary duty; and violations of final orders. The Board also may use a variety of informal enforcement tools to address deficiencies that are relatively small in number, are not material to the safety and soundness of the institution, and can be corrected by the institution’s current management. We are assessing the efficiency and effectiveness of the Board’s and the Federal Reserve Banks’ processes and practices for issuing and terminating enforcement actions.

Evaluation of the Board’s and the Reserve Banks’ Enforcement Action Monitoring Practices

An enforcement action generally requires a supervised financial institution to develop and implement acceptable plans, policies, and programs to remedy the deficiencies that resulted in the action. Under delegated authority from the Board, the Federal Reserve Banks conduct supervision activities, including monitoring institutions’ efforts to address the terms of enforcement actions. We are assessing the effectiveness of the Board’s and the Reserve Banks’ practices for monitoring open enforcement actions against supervised financial institutions.

Evaluation of Postemployment Restrictions for Senior Examiners

The Intelligence Reform and Terrorism Prevention Act of 2004 prohibits specific employees who meet the definition of a senior examiner from knowingly accepting compensation as an employee, officer, director, or consultant from a depository institution, a depository institution holding company, or certain related entities that the employee may have supervised as a Reserve Bank employee. In November 2016, the Board issued new guidance on these postemployment restrictions that expanded the definition of a senior examiner. We are assessing the implementation of these updates across the Federal Reserve System and the effectiveness of controls that seek to ensure compliance with postemployment restrictions.

Evaluation of the Bureau’s Periodic Monitoring of Supervised Institutions

The Bureau has the authority to supervise depository institutions with more than $10 billion in total assets and nondepository institutions in certain markets, including credit reporting agencies. To supplement its onsite examinations of those institutions, the Bureau conducts periodic offsite monitoring of all the depository institutions within its supervisory jurisdiction and certain nondepository institutions, including credit reporting agencies. We plan to evaluate the Division of Supervision, Enforcement and Fair Lending’s policies and procedures for conducting periodic monitoring. This evaluation will assess the implementation of these practices across the Bureau’s regional offices and benchmark the Bureau’s approach to offsite monitoring activities against the monitoring activities of other financial regulators.

Evaluation of the Bureau’s Processes for Leveraging the Federal Risk and Authorization Management Program

The Federal Information Security Modernization Act of 2014 requires that we test the effectiveness of the Bureau’s policies, procedures, and practices for select information systems. In support of these requirements, we are conducting an evaluation of the Bureau’s risk management activities with respect to its various cloud computing platforms and providers, including the agency’s reliance on the Federal Risk and Authorization Management Program.

Our evaluation objective is to determine whether the Bureau has implemented an effective life cycle process for deploying and managing its cloud-based systems, including ensuring that effective security controls are implemented.

Evaluation of the Office of Consumer Response’s Efforts to Share Complaint Data Within the Bureau

The Office of Consumer Response (Consumer Response) is responsible for sharing consumer complaint information with internal stakeholders in order to help the Bureau supervise companies, enforce federal consumer financial laws, and write rules and regulations. The effective sharing of consumer complaint information can help the Bureau understand the problems consumers are experiencing in the financial marketplace and identify and prevent unfair practices from occurring before they become major issues. This evaluation is assessing the effectiveness of Consumer Response’s complaint-sharing efforts. Specifically, this project is examining (1) the extent to which Consumer Response’s consumer complaint-sharing efforts help to inform the work of internal stakeholders and (2) Consumer Response’s controls over internal access of shared complaint data, which can contain sensitive consumer information.

Evaluation of the Bureau’s Final Order Follow-Up Activities

This evaluation is assessing the Division of Supervision, Enforcement and Fair Lending’s final order follow-up processes. The Bureau generally has enforcement authority over any person or entity that violates federal consumer financial protection law. In executing that authority, the Bureau can file a civil suit in federal district court that may result in a federal court order. Alternatively, through the administrative adjudication process, the Bureau and the relevant entity may agree to a consent order that includes a series of required corrective actions by that entity. Our objective is to review the Bureau’s processes for monitoring and conducting follow-up activities related to final orders.

[Seal - Commodity Futures Trading Commission]

Office of Inspector General

Commodity Futures Trading Commission

The CFTC OIG acts as an independent Office within the CFTC that conducts audits, investigations, reviews, inspections, and other activities designed to identify fraud, waste and abuse in connection with CFTC programs and operations, and makes recommendations and referrals as appropriate.

Background

The CFTC OIG was created in 1989 in accordance with the 1988 amendments to the Inspector General Act of 1978 (P.L. 95-452). OIG was established as an independent unit to:

• Promote economy, efficiency and effectiveness in the administration of CFTC programs and operations and detect and prevent fraud, waste and abuse in such programs and operations;

• Conduct and supervise audits and, where necessary, investigations relating to the administration of CFTC programs and operations;

• Review existing and proposed legislation, regulations and exchange rules and make recommendations concerning their impact on the economy and efficiency of CFTC programs and operations or the prevention and detection of fraud and abuse;

• Recommend policies for, and conduct, supervise, or coordinate other activities carried out or financed by such establishment for the purpose of promoting economy and efficiency in the administration of, or preventing and detecting fraud and abuse in, its programs and operations; and

• Keep the Commission and Congress fully informed about any problems or deficiencies in the administration of CFTC programs and operations and provide recommendations for correction of these problems or deficiencies.

CFTC OIG operates independently of the Agency and has not experienced any interference from the CFTC Chairman in connection with the conduct of any investigation, inspection, evaluation, review, or audit, and our investigations have been pursued regardless of the rank or party affiliation of the target.1 The CFTC OIG consists of the Inspector General, the Deputy Inspector General/Chief Counsel, the Assistant Inspector General for Auditing, the Assistant Inspector General for Investigations, one Attorney-Advisor, two Auditors, one Senior Program Analyst, and one part-time consultant. The CFTC OIG obtains additional audit, investigative, and administrative assistance through contracts and agreements.

Footnote: 1 The Inspector General Act of 1978, as amended, states: “Neither the head of the establishment nor the officer next in rank below such head shall prevent or prohibit the Inspector General from initiating, carrying out, or completing any audit or investigation….” 5 U.S.C. App. 3 sec. 3(a). [End of Footnote]

Role in Financial Oversight

The CFTC OIG has no direct statutory duties related to oversight of the futures, swaps and derivatives markets; rather, the CFTC OIG acts as an independent Office within the CFTC that conducts audits, investigations, reviews, inspections, and other activities designed to identify fraud, waste, and abuse in connection with CFTC programs and operations, and makes recommendations and referrals as appropriate. The CFTC’s yearly financial statement and Customer Protection Fund audits are conducted by an independent public accounting firm, with OIG oversight.

Recent, Current or Ongoing Work in Financial Oversight

In addition to our work on CIGFO projects described elsewhere in this report, CFTC OIG completed the following projects during the past year:

Inspection & Evaluation: CFTC Stress-Testing Development Efforts (July 2018)

OIG’s Office of Legal and Economic Review completed and published a report titled Inspection & Evaluation: CFTC Stress-Testing Development Efforts. This inspection was motivated by allegations of mismanagement in the Risk Surveillance Branch (RSB) of the CFTC Division of Clearing and Risk (DCR), which was conveyed to us by multiple CFTC whistleblowers. We first brought the allegations to the attention of the Chairman’s Chief of Staff in July 2017. The Chairman appointed a new Director of DCR in September 2017, and OIG communicated frequently with the new DCR Director beginning in October 2017. We circulated a summary memo to the Chairman in October 2017, followed by a substantially complete version of the report in December 2017. In January 2018, we met with the Chairman, his staff, and the Director of DCR; they stated they had no major disagreements with the report. We finalized a discussion draft in February 2018 and circulated it to the Commission. We accommodated the Chairman’s request for an extended time to respond to the February 2018 discussion draft. We received no formal written response or any stated disagreements, and circulated the report as final on July 30, 2018.

We found that leadership in the Division of Clearing and Risk (DCR)’s Risk Surveillance Branch (RSB) retarded the development of CFTC stress-testing capabilities, undermined efforts to improve the usability of uncleared swaps data, denied various employees access to certain information technology resources, and overstated publicly the independence and coverage of its November 2016 Supervisory Stress Test of Clearing Houses report (November 2016 report). To complete our inspection and evaluation, we contracted with National Economic Research Associates, Inc. (NERA). NERA assisted our technical evaluation of two CFTC stress-test methodologies. NERA issued detailed analysis, including substantive criticism of the methodology CFTC employed in the November 2016 report. No recommendations were issued by NERA or OIG.

In our cover memo, we disclosed that, in lieu of a written response, the new DCR Director verbally informed us that a new Deputy Director of the Risk Surveillance Branch (RSB) would be named shortly, and this has occurred. In addition, we were told there will be a reorganization of RSB, including greater integration of the related endeavors of margin model review and stress-testing; that there will be greater emphasis on technical acumen, technological development, and automation; and that there will be greater quantitative analytical support of other business divisions within the CFTC. We understand these processes are ongoing, and we intend to monitor the issues identified in our report and in NERA’s report.

Customer Protection Outreach Whitepaper (September 2018)

This whitepaper examined possible locations for targeted CFTC education initiatives based on the locations of high volumes of complaints and enforcement filings (“hotspots”), coupled with the locations of airport hubs and relevant state regulators.

We compared identified hotspots with recent outreach efforts by CFTC’s Office of Customer Education and Outreach (OCEO), and concluded that OCEO’s educational outreach activities could better align with existing hotspots, specifically in the Southern and Western United States, where large hotspots exist that have not been visited by OCEO (or have not been visited frequently). We noted that CFTC does not have a permanent physical presence in these regions; CFTC’s furthermost western (and southern) presence is in Kansas City, Missouri. We believe OCEO should target its efforts where customer education and outreach appears most needed.

In addition, we addressed factors impacting the feasibility of increased outreach efforts by OCEO, including: 1) Consumer Protection Funds (CPF) availability and the adequacy of CFTC’s financial system to track and monitor expenditures; 2) CFTC’s authority to spend CPF funds on education initiatives; and 3) CFTC’s ability to detail appropriate CFTC staff to strengthen OCEO on a reimbursable basis. We concluded that CFTC has the current ability to track and monitor expenditures, and agreed with the Office of General Counsel that CFTC has the authority to spend CPF funds on education initiatives. Furthermore, we concluded that CFTC has current funds available to further support education activities, and we forecast -- based on our analysis of CFTC collections activity -- that funds availability should continue.

We asked the Commission to consider –

• Establishing OCEO personnel in the CFTC Kansas City regional office;

• Opening additional CFTC field offices or establishing permanent remote OCEO employees in the hotspots;

• Detailing personnel from other Divisions to OCEO (on a reimbursable basis from the CPF); and

• Engaging appropriate Federal, State, and local government entities and other relevant entities located in hotspots to facilitate customer education initiatives.

Management expressed their appreciation for our report and provided detailed comments. Management’s comments, and our responses, are published with the whitepaper.

Inspection and Evaluation of the February 2018 CFTC-SEC Harmonization Briefing (October 2018)

Under the Dodd-Frank Act, the CFTC and the Securities and Exchange Commission have certain joint responsibilities.2 Our report titled Inspection and Evaluation of the February 2018 CFTC-SEC Harmonization Briefing responded to two outside complaints that the SEC-CFTC harmonization briefing held on February 27, 2018, might have violated the Government in the Sunshine Act.3 Lacking a specific allegation of misconduct by any individual, we determined to conduct an inspection and evaluation of the meeting. After interviewing all CFTC attendees, as well as reviewing all matters voted on by the Commission from the date of the meeting until the appointment of a full Commission, we concluded that CFTC complied with the Government in the Sunshine Act in the conduct of the meeting.

Footnote: 2 See, e.g., Memorandum of Understanding Between the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission Regarding Coordination in Areas of Common Regulatory Interest and Information Sharing, July 11, 2018. [End of footnote]

Footnote: 3 The Government in the Sunshine Act, 5 U.S.C. § 552b (1976), requires that meetings of multi-member federal agencies shall be open to the public, with the exception of discussions in ten narrowly defined areas. The Sunshine Act defines “meeting” as “the deliberations of at least the number of individual agency members required to take action on behalf of the agency where such deliberations determine or result in the joint conduct or disposition of official agency business” [with exceptions]. Id. [End of footnote]

[Logo - Office of Inspector General, Federal Deposit Insurance Corporation]

Office of Inspector General

Federal Deposit Insurance Corporation

The FDIC OIG mission is to prevent, deter, and detect fraud, waste, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency.

Background

The Federal Deposit Insurance Corporation (FDIC) was created by the Congress in 1933 as an independent agency to maintain stability in the nation’s banking system by insuring deposits and independently regulating state-chartered, non-member banks. The FDIC insures more than $7.5 trillion in deposits at more than 5,400 banks and savings associations, and promotes the safety and soundness of these institutions by identifying, monitoring, and addressing risks to which they are exposed. The FDIC is the primary federal regulator for approximately 3,500 of the insured institutions. An equally important role for the FDIC is as Receiver for failed institutions; the FDIC is responsible for resolving the institution and managing and disposing of its remaining assets.

The FDIC Office of Inspector General (OIG) is an independent and objective oversight unit established under the Inspector General (IG) Act of 1978, as amended. The FDIC OIG mission is to prevent, deter, and detect fraud, waste, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency.

Importantly, also in connection with matters affecting the financial sector, in February 2019, our Office published its assessment of the Top Management and Performance Challenges Facing the FDIC. This assessment was based on our extensive oversight work and research relating to reports by other oversight bodies, review of academic and other relevant literature, perspectives from Government agencies and officials, and information from private sector entities.

In addition, we conducted significant investigations into criminal and administrative matters involving complex multi-million-dollar schemes of bank fraud, embezzlement, money laundering, and other crimes committed by corporate executives and bank insiders. Our cases reflect the cooperative efforts of other OIGs, U.S. Attorneys’ Offices, FDIC Divisions and Offices, and others in the law enforcement community throughout the country. These working partnerships contribute to ensuring the continued safety and soundness of the nation’s banks and help ensure integrity in the FDIC’s programs and activities.

Finally, over the past year, we continued to coordinate with our financial IG counterparts on issues of mutual interest. As a member of CIGFO, the FDIC OIG is also participating in the joint project related to the Financial Stability Oversight Council members’ efforts to support implementation of the Cybersecurity Information Sharing Act.

Top Management and Performance Challenges Facing the FDIC

The OIG identified the Top Management and Performance Challenges facing the FDIC and provides its assessment to the Corporation for inclusion in the FDIC’s annual performance and accountability report. This year, we identified nine areas representing the most significant challenges for the FDIC, a number of which have implications to the financial sector, and ways to improve financial oversight. The identification of these challenges helps the FDIC and other policymakers to identify the primary risks at the agency, and provides guidance for our Office to focus its attention and work efforts, as shown in the following summaries of each of these challenges.

Enhancing Oversight of Banks’ Cybersecurity Risk

Cybersecurity continues to be a critical risk facing the financial sector. Cyber risks can affect the safety and soundness of institutions and lead to the failure of banks, thus causing losses to the FDIC’s Deposit Insurance Fund. For example, a cybersecurity incident could disrupt services at a bank, resulting in the exploitation of personal information in fraudulent or other illicit schemes, and an incident could start a contagion that spreads through established interconnected banking relationships. Despite increased spending on cybersecurity, banks are encountering difficulties in getting ahead of the increased frequency and sophistication of cyberattacks. The FDIC’s IT examinations should ensure strong management practices within financial institutions and at their service providers.

Adapting to Financial Technology Innovation

FDIC policy-makers and examiners must keep pace with the adoption of new financial technology to assess safety and soundness of institutions and its impact on the stability of the banking system. The pace of change and breadth of innovation requires that the FDIC create agile and nimble regulatory processes, so that it can respond to and adjust policies, examination processes, supervisory strategies, preparedness and readiness, and resolution approaches as needed.

Strengthening FDIC Information Security Management

The FDIC maintains thousands of terabytes of sensitive data within its IT systems and has more than 180 IT systems that collect, store, or process the PII of FDIC employees; bank officials at FDIC-supervised institutions; and bank customers, depositors, and bank officials associated with failed banks. FDIC systems also hold sensitive supervisory data about the financial health of banks, bank resolution strategies, and resolution activities. The FDIC must continue to strengthen its implementation of governance and security controls around its IT systems to ensure that information is safeguarded properly.

Preparing for Crises

Central to the FDIC’s mission is readiness to address crises in the banking system. The FDIC must be prepared for a broad range of crises that could impact the banking sector. These readiness activities should help to ensure the safety and soundness of institutions, as well as the stability and integrity of our nation’s banking system.

Maturing Enterprise Risk Management

Enterprise Risk Management (ERM) is a critical part of an agency’s governance, as it can inform prudent decision-making at an agency, including strategic planning, budget formulation, and capital investment. ERM program requirements include identifying risks that could affect the organization (Risk Profile and Inventory), establishing the amount of risk an organization is willing to accept (Risk Appetite), prioritizing strategies to address risks in the proper sequence, and responding to and mitigating the risks. The FDIC established an ERM program office in 2011, but has neither developed the underlying ERM program requirements nor realized the benefits of a mature ERM program.

Sharing Threat Information with Banks and Examiners

Federal Government agencies and private-sector entities share information about threats to U.S. critical infrastructure sectors, including the financial sector. Sharing actionable and relevant threat information among Federal and private-sector participants protects the financial system by building threat awareness and allowing for informed decision-making. The FDIC must ensure that relevant threat information is shared with its supervised institutions and FDIC examiners as needed, in a timely manner, so that actions can be taken to address the threats. Threat information also provides FDIC examiners with context to evaluate banks’ processes for risk identification and mitigation strategies.

Managing Human Capital

The FDIC relies on skilled personnel to fulfill its mission, and 68 percent of the FDIC’s operating budget for 2019 ($1.8 billion) was for salaries and associated benefits for employees. Forty-two percent of FDIC employees are eligible to retire within 5 years, which may lead to knowledge and leadership gaps. To ensure mission readiness, the FDIC should find ways to manage this impending shortfall. In addition, the FDIC should seek to hire individuals with the advanced technical skills needed for IT examinations and supervision of large and complex banks.

Administering the Acquisitions Process

The FDIC relies heavily on contractors for support of its mission, especially for IT and administrative support services. The average annual expenditure by the FDIC for contractor services over the past 5 years has been approximately $587 million. The FDIC should maintain effective controls to ensure proper oversight and management of such contracts and should conduct regular reviews of contractors. In addition, the FDIC should also perform due diligence to mitigate security risks associated with supply chains for goods and services.

Improving Measurement of Regulatory Costs and Benefits

Before issuing a rule, the FDIC should ensure that the benefits accrued from a regulation justify the costs imposed. The FDIC should establish a sound mechanism to measure both costs and benefits at the time of promulgation, and it should continue to evaluate the costs and benefits of a regulation on a regular basis, even after it has been issued.

Additional information on these Challenges can be found in the full Top Management and Performance Challenges report, available on our Website, www.fdicoig.gov. These Challenges align with those facing the financial regulatory community as a whole, as discussed in the CIGFO report entitled Top Management and Performance Challenges Facing Financial Regulators.

FDIC OIG Audits and Evaluations Made Significant Recommendations for Improvements to the FDIC

During the 12-month period ending March 31, 2019, the FDIC OIG issued 14 audit, evaluation, and other reports and made 53 recommendations to strengthen controls in FDIC programs and operations. Our work covered diverse topics such as information security, processing of consumer complaints, and the FDIC’s Forward-Looking Supervision program, among others.

The FDIC’s Forward-Looking Supervision Program

The goals of the FDIC’s Forward-Looking Supervision initiative are to identify and assess risk before it impacts a financial institution’s financial condition and to ensure early risk mitigation. Prior to the financial crisis of 2008-2011, examiners often identified weak risk management practices at financial institutions, but they delayed taking supervisory action until the institution’s financial performance declined. Forward-Looking Supervision seeks to avoid this result.

Our evaluation objective was to determine whether the Forward-Looking Supervision approach achieved its outcomes—the Division of Risk Management Supervision pursued supervisory action upon identifying risks and the financial institutions implemented corrective measures. Our review showed that examiners substantially achieved the intended outcomes of the Forward-Looking Supervision approach for our sampled institutions. Examiners applied Forward-Looking Supervision concepts during their financial institution examinations, rated institutions based on risk, and recommended corrective actions based on their risk assessments. Also, the financial institutions committed to implement the corrective actions.

We found that:

• The FDIC did not have a comprehensive policy guidance document on Forward-Looking Supervision and should clarify guidance associated with its purpose, goals, roles, and responsibilities;

• Examiners typically documented their overall conclusions regarding the financial institutions’ concentration risk management practices; however, they did not always document certain Forward-Looking Supervision concepts in pre-examination planning documents and when reporting examination results;

• Examiners typically reported or elevated identified overall concentration risk management conclusions and concerns; however, a greater number of these concerns should have appeared in the report section that includes issues requiring the attention of the institution’s board; and

• Examiners generally identified concentration risk management concerns on a timely basis; however, in certain instances, they identified concentration risk management concerns that had not been identified during the prior examination cycle.

We made four recommendations to the FDIC to: (1) issue a comprehensive policy guidance document defining Forward-Looking Supervision; (2) issue guidance to reinforce how and where examiners should be documenting concentrations and an institution’s concentration risk management practices in the Report of Examination; (3) provide additional case studies on Forward-Looking Supervision to strengthen training for examiners; and (4) conduct recurring retrospective reviews to ensure examiners are documenting the concentration risk management analysis.

The full report is available on our Website, www.fdicoig.gov.

Federal Information Security Modernization Act (FISMA) Audit – 2018

We evaluated the effectiveness of the FDIC’s information security program and practices. A strong information security program is needed for the protection of sensitive information the FDIC collects in conducting its work, including sensitive bank data and personal information of borrowers. The IG FISMA Reporting Metrics require IGs to assess the effectiveness of their agencies’ information security programs and practices on a maturity model spectrum. We found that the FDIC’s overall information security program was operating at a Maturity Level 3 (Consistently Implemented) on a scale of 1 to 5, which is an improvement from 2017 but not considered effective under the metrics.

We found that the FDIC established a number of information security program controls and practices that complied or were consistent with standards and guidelines, and took steps to strengthen controls following the 2017 FISMA report. However, ongoing security control weaknesses limited the effectiveness of the FDIC’s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk. In many cases, these security control weaknesses were identified by other OIG audits or through security control assessments completed by the FDIC. Although the FDIC was working to address these previously identified control weaknesses, the FDIC had not yet completed corrective actions at the time of the audit. Accordingly, the security control weaknesses continued to pose risk to the FDIC. The highest risk weaknesses included:

• Information Security Risk Management. The FDIC had not fully defined or implemented an enterprise-wide and integrated approach to identifying, assessing, and addressing the full spectrum of internal and external risks, including those related to cybersecurity and the operation of information systems. This limits the ability of FDIC Divisions and Offices to make effective risk management decisions, and prevents the FDIC from ensuring it is effectively prioritizing resources toward addressing risks with the most significant potential impact on achieving strategic objectives.

• Enterprise Security Architecture. Our 2017 FISMA audit noted that the FDIC had not established an enterprise security architecture, which is considered a fundamental component of an effective information security program and describes the structure and behavior of an organization’s security processes, systems, personnel, and subunits and shows their alignment with the organization’s mission and strategic plans. In July 2018, the FDIC provided the OIG with documentation describing its enterprise security architecture. The OIG is reviewing this documentation, along with other information related to the enterprise security architecture provided by the FDIC, to determine whether it is responsive to the recommendation in our FISMA audit report issued in 2017. The lack of effective enterprise security architecture increased the risk that the FDIC’s information systems would be developed with inconsistent security controls that are costly to maintain.

• Security Control Assessments. In separate OIG audit work, we identified instances in which contractor-performed security control assessments did not include testing of security control implementation, when warranted. Instead, assessors relied on narrative descriptions of the controls in FDIC policies, procedures, and system security plans and/or interviews of FDIC or contractor personnel. Without testing, assessors did not have a basis for concluding on the effectiveness of security controls. Inadequate FDIC oversight of security control assessments contributed to this weakness. Because the FDIC relies on the results of the assessments to support a number of important risk management activities, the FDIC must ensure that personnel perform security control assessments at an appropriate level of depth and coverage.

• Patch Management. The FDIC’s patch management processes were not always effective in ensuring that the FDIC implemented patches within FDIC-defined timeframes. Unpatched systems increase the risk of exposing the FDIC’s network to a security incident.

• Backup and Recovery. Our 2017 FISMA report noted that the FDIC’s IT restoration capabilities were limited and that the FDIC had not taken timely action to address known limitations with respect to its ability to maintain or restore critical IT systems and applications during a disaster. In December 2017, the FDIC’s Board of Directors authorized a multi-year Backup Data Center Migration Project to ensure that designated IT systems and applications supporting mission-essential functions can be recovered within targeted timeframes. While the FDIC established governance over this project, assurance that the FDIC can maintain and restore mission-essential functions during an emergency within applicable timeframes will be limited until the scheduled completion of the project in 2019.

We made four recommendations to improve the effectiveness of the FDIC’s information security program controls and practices.

The publicly-releasable Executive Summary of this report is available on our Website, www.fdicoig.gov.

Our ongoing audit and evaluation reviews are addressing the FDIC’s:

• Enterprise Risk Management Program;

• Cost-Benefit Analysis Process for Rulemaking;

• Anti-Sexual Harassment Program;

• Readiness for Crises;

• Contract Oversight Management Program; and

• Privacy Program.

These ongoing reviews are also listed on our Website, www.fdicoig.gov, and, when completed, their results will be posted there.

FDIC OIG Special Inquiry Report Made Significant Recommendations Regarding Breach Response, Reporting, and Interactions with Congress

In addition to the audit and evaluation reports listed above, the OIG issued a multi-disciplinary Special Inquiry report in April 2018.

During late 2015 and early 2016, the FDIC experienced eight information security incidents as departing employees improperly took sensitive information shortly before leaving the FDIC. Seven of the eight incidents involved Personally Identifiable Information (PII), including Social Security Numbers, and thus constituted breaches. In the eighth incident, the departing employee took highly sensitive components of resolution plans submitted by certain large systemically important financial institutions without authorization.

In April and May 2016, the Committee on Science, Space, and Technology of the House of Representatives (SST Committee) examined the FDIC’s handling of these incidents, its data security policies, and reporting of the “major incidents.” As part of its investigation, the SST Committee requested pertinent documents from the FDIC about the incidents. The SST Committee held two hearings in May and July 2016 about the incidents at the FDIC and issued an interim report on the matter. During the hearings and in its interim report, as well as in correspondence with the FDIC, the SST Committee expressed concerns about the FDIC’s information security program, the accuracy of certain FDIC statements, and the completeness of the FDIC’s document productions.

On June 28, 2016, the then-Chairman of the Senate Committee on Banking, Housing, and Urban Affairs requested that our Office examine issues at the FDIC related to data security, incident reporting, and policies, as well as the representations made by FDIC officials.

The FDIC OIG conducted a Special Inquiry in response to that request. We examined the circumstances surrounding the eight information security incidents. The FDIC initially estimated that the incidents involved sensitive information that included the PII of approximately 200,000 individual bank customers related to approximately 380 financial institutions, as well as the proprietary and sensitive data of financial institutions. Based on additional analysis, the FDIC later revised the number of affected individuals to 121,633.

Our work revealed certain systemic weaknesses that hindered the FDIC’s ability to handle multiple information security incidents and breaches efficiently and effectively; contributed to untimely, inaccurate, and imprecise reporting of information to the Congress; and led to document productions that did not fully comply with Congressional document requests. We also identified shortcomings in the performance of certain individuals in key leadership positions as they handled the incidents and related activities.

Importantly, in its handling of the information security incidents, the FDIC did not fully consider the range of impacts on bank customers whose information had been compromised or consider customer notification as a separate decision from whether it would provide credit monitoring services. As a result, the FDIC delayed notifying consumers and thus precluded them from taking proactive steps to protect themselves.

Also of note, when reporting incidents to the Congress, the FDIC used broad characterizations and referenced mitigating factors that were sometimes inaccurate and imprecise, and tended to diminish the potential risks. Despite several opportunities to clarify or correct the record regarding the nature of the incidents, the FDIC did not provide the Congress with accurate and complete information about the incidents.

Finally, with regard to document production, the SST Committee had requested that the FDIC produce relevant documents and information. The FDIC did not initially respond to these requests in a complete manner and should have been clear in its communications with the Committee as to its approach and progress in complying with the document production requests. Later, the FDIC took steps to better identify and provide responsive records.

Throughout and subsequent to our Special Inquiry, the FDIC took steps to address prior recommendations pertaining to incident and breach response. In addition, we made 13 recommendations in this Special Inquiry report to address the systemic issues associated with the FDIC’s incident response and reporting and interactions with the Congress.

FDIC OIG Investigations Seek to Ensure Integrity in the Banking Sector

OIG investigations over the past months continued to complement our audit and evaluation work. Our investigative results over the 12 months ending March 31, 2019, included the following: 64 indictments; 35 arrests; 43 convictions; and potential monetary recoveries (fines, restitution, and asset forfeitures) of over $354 million.

Our current cases involve fraud and other misconduct on the part of senior bank officials, and include money laundering, embezzlement, bank fraud, and other financial crimes. The perpetrators of such crimes can be those very individuals entrusted with governance responsibilities at the institutions—directors and bank officers. In other cases, parties providing professional services to the banks and customers, others working inside the bank, and customers themselves are principals in fraudulent schemes. The FDIC OIG also investigates significant matters of wrongdoing and misconduct relating to FDIC employees and contractors.

Our Office is committed to partnerships with other OIGs, the Department of Justice (DOJ), and other state and local law enforcement agencies in pursuing criminal acts in open and closed banks and helping to deter fraud, waste, and abuse. The OIG also actively participates in many financial fraud working groups nation-wide to keep current with new threats and fraudulent schemes that can undermine the integrity of the FDIC’s operations and the financial services industry as a whole.

The FDIC OIG’s Office of Investigations also continues to identify emerging financial fraud schemes that affect FDIC-supervised and insured institutions. Our relationships with DOJ’s Money Laundering and Asset Recovery Section, and DOJ’s Fraud Section and Anti-Trust Division, have allowed us to play a lead role in money laundering and foreign currency exchange rate manipulation investigations. We also work with other agencies, including the Small Business Administration, to identify fraud in the guaranteed loan portfolios of FDIC-supervised institutions. These investigations are important, as large-scale fraud schemes can significantly affect the financial industry and the financial condition of FDIC-insured institutions.

Former Senior Employee at FDIC Convicted of Stealing Confidential Documents

On December 11, 2018, a former senior employee in the FDIC’s Office of Complex Financial Institutions (OCFI) was convicted of two thefts of government property in the possession of the FDIC. OCFI was created after passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act to oversee and conduct, if necessary, an orderly bankruptcy of the world’s largest banks and financial institutions. Each of these banks and financial institutions is required to file resolution plans, referred to as “living wills,” with the FDIC. The plans contain confidential information about the bank, including its assets, business operations, data center locations, critical vendors, agreements with other banks, and potential weaknesses or other deficiencies that pose risk during a time of financial crisis.

In August 2015, the then-FDIC employee used her office computer to review listings for and apply for jobs with financial institutions that filed living wills with the FDIC. On August 27, 2015, one day after being contacted about a possible position at one of the banks, she logged on to a secure FDIC database and printed living will information for that bank. On September 16, 2015, she resigned her position at the FDIC. A review of FDIC Data Loss Prevention software revealed that on her last day of work, the then-FDIC employee copied numerous electronic files from the FDIC network to external USB drives, including living wills for U.S. banks where she had been seeking employment.

Former Bank President Sentenced to Prison and Ordered to Pay $137 Million

On December 14, 2018, the former president and CEO of The Bank of Union in El Reno, Oklahoma, was sentenced to 4 years in federal prison followed by 2 years of supervised release for making a false statement to the FDIC. He had previously pled guilty to this charge in 2017. The sentence requires the former president to pay over $137 million in restitution, over $97 million of which is owed to the FDIC.

State banking regulators closed The Bank of Union in 2014 because of the bank’s loan losses, and the FDIC was appointed as receiver. According to a 2016 indictment, the former president defrauded the bank in several ways: (1) by issuing loans with insufficient collateral and falsifying financial statements for several high-dollar bank borrowers; (2) by originating nominee loans to circumvent the bank’s legal lending limit; (3) by concealing the bank’s true financial condition from the Board of Directors; (4) by soliciting a fraudulent investment; and (5) by falsely representing the bank’s true status to the FDIC.

Over a 4-year period, the former president conspired with borrowers by issuing them millions of dollars in loans secured by collateral they did not have and issuing them new loans to keep them off of overdraft reports. The former president misled the Board of Directors by falsely stating the borrowers were paying down their loans. The former president also defrauded a partial owner and investor in the bank by convincing him to wire nearly $40 million. The former president falsely represented to the investor that the bank was growing rapidly and performing well and that his investment would not be at risk, despite knowing that the bank was on the brink of failure and needed an immediate capital infusion.

Finally, the former president was charged with falsely representing the bank’s loan status to the FDIC. Between September 2012 and September 2013, he continued to renew certain unpaid loans by capitalizing unpaid interest. Pursuant to a 2013 FDIC examination, he allegedly falsely represented that he had not renewed or extended any loans without full collection of the interest due during that time period. He also falsely represented in writing that the bank had total equity capital of more than $36 million in July 2013, when he knew the bank’s equity capital was significantly less.

The partial owner who wired money for the bank’s benefit is due $40 million of the restitution amount, and the remaining $97 million is due to the FDIC, which lost money when it assumed the bank’s liabilities as receiver in January 2014.

South Florida Resident Convicted of $100 Million International Fraud Scheme that Led to Collapse of One of Puerto Rico’s Largest Banks

On February 4, 2019, the former chairman and CEO of a pharmaceutical company was convicted of eight counts of wire fraud affecting a financial institution after a three-week trial in the Southern District of Florida. The former CEO’s scheme triggered a series of events leading to the insolvency and collapse of Westernbank of Puerto Rico. According to evidence presented at trial, from 2005 to 2007, the individual served as chairman and CEO of Inyx, Inc., a publicly-traded multinational pharmaceutical manufacturing company. Beginning in early 2005, the then-CEO caused Westernbank to enter into a series of loan agreements in exchange for a security interest in Inyx’s assets. Under the loan agreements, Westernbank agreed to advance money based on Inyx’s customer invoices from “actual and bona fide” sales.

However, the then-CEO orchestrated a scheme to defraud Westernbank by causing numerous Inyx employees to make tens of millions of dollars’ worth of fake customer invoices purportedly payable by customers in the United Kingdom, Sweden, and elsewhere. The then-CEO caused these invoices to be presented to Westernbank as valid invoices and made false representations to Westernbank about purported repayments from lenders in order to lull Westernbank into continuing to lend money to Inyx. He also fraudulently represented to Westernbank executives that he had additional collateral, including purported mines in Mexico and Canada worth hundreds of millions of dollars, to induce Westernbank to lend additional funds.

The then-CEO caused Westernbank to lend approximately $142 million and diverted tens of millions of dollars for his own personal benefit, including to buy a private jet, luxury homes and cars, luxury hotel stays, and extravagant jewelry and clothing expenditures.

In or around June 2007, Westernbank declared the loan in default and ultimately suffered losses exceeding $100 million. These losses later triggered a series of events leading to Westernbank’s insolvency and ultimate collapse. At the time of its collapse, Westernbank had approximately 1,500 employees and was one of the largest banks in Puerto Rico.

In addition, the then-CEO knowingly deposited a $3 million check at Mellon Bank from the purported sale of his private jet. At the time of its deposit, he knew that the check was worthless; he had actually agreed to sell his plane to a different buyer. After receiving a provisional credit for the check from Mellon Bank, the then-CEO wired out all of the provisional credit, including a $1 million wire to his personal account in Canada. Upon Mellon Bank’s request to reverse this $1 million wire, he refused to do so, resulting in at least a $1 million loss to Mellon Bank.

[Seal - Federal Housing Finance Agency]

Office of Inspector General

Federal Housing Finance Agency

Created by the Housing and Economic Recovery Act of 2008 (HERA), the Federal Housing Finance Agency (FHFA or Agency) supervises and regulates (1) the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (together, the Enterprises), (2) the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities), and (3) the FHLBanks’ fiscal agent, the Office of Finance. Since September 2008, FHFA has also served as conservator for the Enterprises. As of year-end 2018, the Enterprises collectively reported approximately $5.4 trillion in assets. The FHLBanks collectively reported roughly $1.1 trillion in assets.

Also created by HERA, the FHFA Office of Inspector General (OIG) conducts, supervises, and coordinates audits, evaluations, investigations, and other activities relating to the programs and operations of FHFA. OIG promotes economy, efficiency, and effectiveness and protects FHFA and the entities it regulates against fraud, waste, and abuse, contributing to the liquidity and stability of the nation’s housing finance system. We accomplish this mission by providing independent, relevant, timely, and transparent oversight of the Agency to promote accountability, integrity, economy, and efficiency; advising the Director of the Agency and Congress; informing the public; and engaging in robust enforcement efforts to protect the interests of American taxpayers.

Background

FHFA serves as supervisor of the Enterprises and the FHLBanks, and as conservator of the Enterprises. FHFA’s conservatorships of the Enterprises, now in their 11th year, are of unprecedented scope, scale, and complexity. FHFA’s dual roles continue to present novel challenges. Consequently, OIG must structure its oversight program to examine FHFA’s exercise of its dual responsibilities, which differ significantly from the typical federal financial regulator. Beginning in Fall 2014, OIG determined to focus its resources on programs and operations that pose the greatest financial, governance, and/or reputational risk to the Agency, the Enterprises, and the FHLBanks to best leverage its resources to strengthen oversight.

Our annual Audit, Evaluation, and Compliance Plan describes FHFA’s and OIG’s roles and missions, explains our risk-based methodology for developing this plan, provides insight into particular risks within four areas, and generally discusses areas where we will focus our audit, evaluation, and compliance resources. In addition to our risk-based work plan, OIG completes work required to fulfill its statutory mandates.

An integral part of OIG’s oversight is to identify and assess FHFA’s top management and performance challenges and to align our work with these challenges. On an annual basis, we assess FHFA’s major management and performance challenges. In October 2018, we identified four challenges (all of which carried over from prior years) and a management concern. In our view, these are the most serious management and performance challenges facing FHFA for the foreseeable future and, if not addressed, could adversely affect FHFA’s accomplishment of its mission. (See OIG, Fiscal Year 2019 Management and Performance Challenges (October 15, 2018)). During this reporting period, OIG continued to focus much of its oversight activities on identifying vulnerabilities in these areas and recommending positive, meaningful actions that the Agency could take to mitigate these risks and remediate identified deficiencies.

These challenges and the management concern are:

Supervision of the Regulated Entities – Upgrade Supervision of the Enterprises and Continue Robust Supervision of the FHLBanks

As supervisor of the Enterprises and the FHLBanks, FHFA is tasked by statute to ensure that these entities operate safely and soundly so that they serve as a reliable source of liquidity and funding for housing finance and community investment. Examinations of its regulated entities are fundamental to FHFA’s supervisory mission. Within FHFA, the Division of Federal Home Loan Bank Regulation (DBR) is responsible for supervision of the FHLBanks, and the Division of Enterprise Regulation (DER) is responsible for supervision of the Enterprises.

As a former FHFA Director observed, Fannie Mae and Freddie Mac would be Systemically Important Financial Institutions (SIFIs), but for the conservatorships, and are subject to the heightened supervision requirements for SIFIs, except that they are supervised by FHFA, not the Federal Reserve. Because the asset size of the FHLBanks and Office of Finance, together, is a fraction of the asset size of the Enterprises and because the Enterprises are in conservatorship, we determined that the magnitude of risk is significantly greater for the Enterprises. Since the Fall of 2014, the majority of our work on supervision issues has focused on FHFA’s supervision of the Enterprises.

Based on our assessments of different elements of DER’s supervision program, over the past few years, we identified four recurring themes, which were explained in a roll-up report issued during FY 2017.[4] Those themes are:

1. FHFA lacks adequate assurance that DER’s supervisory resources are devoted to examining the highest risks of the Enterprises.

2. Many supervisory standards and guidance issued by FHFA and DER lack the rigor of those issued by other federal financial regulators.

3. The flexible and less prescriptive nature of many requirements and guidance promulgated by FHFA and DER has resulted in inconsistent supervisory practices.

4. Where clear requirements and guidance for specific elements of DER’s supervisory program exist, DER examiners-in-charge and subordinate examiners have not consistently followed them.

In that roll-up report, we cautioned that “[w]ithout prompt and robust Agency attention to address the shortcomings we have identified,” the “safe and sound operation of the Enterprises cannot be assumed from FHFA’s current supervisory program.” The findings from subsequent audits, evaluations, and compliance reports regarding FHFA’s supervision program for the Enterprises identified additional shortcomings. In light of the observation that the Enterprises would be SIFIs, but for the conservatorships, FHFA must make a heightened and sustained effort to improve its supervision of the Enterprises.

We also looked at elements of FHFA’s supervision program for the FHLBanks. While our reports of that work identified some shortcomings, they did not identify significant weaknesses. Like any other federal financial regulator, FHFA faces challenges in appropriately tailoring and keeping current its supervisory approach to the FHLBanks.

Conservatorship Operations – Improve Oversight of Matters Delegated to the Enterprises and Strengthen Internal Review Processes for Non-Delegated Matters

As conservator of the Enterprises since September 2008, FHFA has expansive authority to oversee and direct operations of two large, complex financial institutions that dominate the secondary mortgage market and the mortgage securitization sector of the U.S. housing finance industry. Under HERA, FHFA, as conservator, possesses all rights and powers of any stockholder, officer, or director of the Enterprises and is vested with express authority to operate the Enterprises and conduct their business activities. Given the taxpayers’ enormous investment in the Enterprises, the unknown duration of the conservatorships, the Enterprises’ critical role in the secondary mortgage market, and their uncertain ability to sustain future profitability, FHFA’s administration of the conservatorships remains a major risk.

Footnote: 4 See OIG, Safe and Sound Operation of the Enterprises Cannot Be Assumed Because of Significant Shortcomings in FHFA’s Supervision Program for the Enterprises (OIG-2017-003, Dec. 15, 2016). [End of footnote]

FHFA has delegated authority for many matters, both large and small, to the Enterprises. FHFA, as conservator, can revoke delegated authority at any time (and retains authority for certain significant decisions).

Since the Fall of 2014, OIG’s body of work has found that FHFA has limited its oversight of delegated matters largely to attendance at Enterprise internal management and board meetings as an observer and to discussions with Enterprise managers and directors. Read together, our findings in these reports show that, for the most part, FHFA, as conservator, has not assessed the reasonableness of Enterprise actions pursuant to delegated authority, including actions taken by the Enterprises to implement conservatorship directives, or the adequacy of director oversight of management actions. FHFA also has not clearly defined the Agency’s expectations of the Enterprises for delegated matters and has not established the accountability standard that it expects the Enterprises to meet for such matters. Our work has identified internal control systems at the Enterprises that fail to provide directors with accurate, timely, and sufficient information to enable them to exercise their oversight duties. Likewise, we have identified a lack of rigor by some directors in seeking information from management about the matters for which they are responsible. We have also identified instances in which corporate governance decisions generally reserved to the board of directors have been delegated to management.

As the Enterprises’ conservator, FHFA is ultimately responsible for actions taken by the Enterprises, pursuant to authority it has delegated to them. FHFA’s challenge, therefore, is to improve the quality of its oversight of matters it has delegated to the Enterprises.

Generally, FHFA has retained authority (or has revoked previously delegated authority) to resolve issues of significant monetary and/or reputational value. FHFA has established written internal review and approval processes for non-delegated matters, designed to provide a consistent approach for analyzing and resolving such matters and for providing decision-makers with all relevant facts and existing analyses. FHFA faces challenges in ensuring that its established processes are followed.

Information Technology Security – Enhance Oversight of Cybersecurity at the Regulated Entities and Ensure an Effective Information Security Program at FHFA

Cybersecurity, as defined by the National Institute of Standards and Technology (NIST), is the process of protecting information by preventing, detecting, and responding to attacks. In May 2017, President Trump issued an executive order to strengthen the cybersecurity of federal networks and critical infrastructure. The Financial Stability Oversight Council (FSOC) has identified cybersecurity oversight as an emerging threat for increased regulatory attention. The Council reported that cybersecurity-related incidents create significant operational risk, impacting critical services in the financial system, and ultimately affecting financial stability and economic health.

As cyberthreats and attacks at financial institutions increase in number and sophistication, FHFA faces challenges in designing and implementing its supervisory activities for the financial institutions it supervises. These supervisory activities may be made increasingly difficult by FHFA’s continuing need to attract and retain highly-qualified technical personnel, with expertise and experience sufficient to handle rapid developments in technology.

Computer networks maintained by federal government agencies have proven to be a tempting target for disgruntled employees, hackers, and other intruders. Over the past few years, cyber attacks against federal agencies have increased in frequency and severity. As cyber attacks continue to evolve and become more sophisticated and harder to detect, they pose an ongoing challenge for virtually every federal agency to fortify and safeguard its internal systems and operations.

As conservator of and supervisor for the Enterprises and supervisor for the FHLBanks, FHFA collects and manages sensitive information, including personally identifiable information (PII), that it must safeguard from unauthorized access or disclosure. Equally important is the protection of its computer network operations that are part of the nation’s critical financial infrastructure. FHFA, like other federal agencies, faces challenges in enhancing its information security programs, ensuring that its internal and external online collaborative environments are restricted to those with a need to know, and ensuring that its third-party providers meet information security program requirements.

Counterparties and Third Parties – Enhance Oversight of the Enterprises’ Relationships with Counterparties and Third Parties

The Enterprises rely heavily on counterparties and third parties for a wide array of professional services, including mortgage origination and servicing. That reliance exposes the Enterprises to counterparty risk, including the risk that the counterparty will not meet its contractual obligations, and the risk that a counterparty will engage in fraudulent conduct. FHFA has delegated to the Enterprises the management of their relationships with counterparties and reviews that management largely through its supervisory activities.

Our publicly reportable criminal investigations include inquiries into alleged fraud by different types of counterparties, including real estate brokers and agents, builders and developers, loan officers and mortgage brokers, and title and escrow companies.

In light of the financial, governance, and reputational risks arising from the Enterprises’ relationships with counterparties and third parties, FHFA is challenged to effectively oversee the Enterprises’ management of risks related to their counterparties.

Management Concern: Sustain and Strengthen Internal Controls Over Agency and Enterprise Operations

FHFA’s programs and operations are subject to legal and policy requirements common to federal agencies. Satisfying such requirements necessitates the development and implementation of, and compliance with, effective internal controls within the Agency.

In January 2019, there was a leadership change with the appointment of an acting FHFA Director, while the Senate considered the President’s nominee for the next FHFA Director (who was subsequently confirmed and took office in April 2019). Key senior positions within FHFA have been filled in an acting capacity for a long period of time (e.g., Chief Operating Officer and, until recently, the Deputy Director of the Division of Conservatorship). Our work demonstrates that FHFA is challenged to ensure that its existing controls, including its written policies and procedures, are sufficiently robust, and its personnel are adequately trained on these internal controls and comply fully with them.

Both Enterprises have also experienced significant leadership changes. For example, in late March 2019, Fannie Mae appointed a new Chief Executive Officer (CEO); that individual had been serving as Interim CEO with the departure of the previous CEO in October 2018. In addition, Freddie Mac announced that its CEO will retire with its current President to take over as CEO in July 2019. Among other things, changes in leadership can lead to lack of attention to internal controls.

Examples of OIG’s Oversight Accomplishments: Audit, Evaluation, and Compliance Activities

Supervision of the Regulated Entities

FHFA’s Housing Finance Examiner Commissioning Program: $7.7 Million and Four Years into the Program, the Agency has Fewer Commissioned Examiners (COM-2018-006, issued September 6, 2018)

In 2011, FHFA acknowledged that the efficiency and effectiveness of its examination program was impeded by the limited number of commissioned examiners then in its employ, totaling 46. The Agency agreed to develop a Housing Finance Examiner commission program (HFE Program) with the stated objectives of providing examiners with “broad-based knowledge to conduct successful risk-based examinations” and qualifying them “to lead the examination of a major risk area at Fannie Mae, Freddie Mac, and the Federal Home Loan Banks.”

Previously, we issued four reports on FHFA’s efforts to increase the size of its corps of commissioned examiners and two assessments of the HFE Program. During this semiannual period, we conducted a study to assess whether the HFE Program had increased the number of commissioned examiners on the FHFA staff and to determine how FHFA deployed its commissioned examiners and reported our findings. We found that the Agency has not achieved its goal of increasing the number of commissioned examiners nor is it on track to do so. Since the Agency began awarding HFE commissions in 2014, the total number of its commissioned examiners has decreased from 59 (as of June 2014) to 58 (as of June 2018). Almost seven years after the Agency committed to develop and implement a commissioning program and $7.7 million later, the Agency’s examination program continues to be hindered by an insufficient number of commissioned examiners.

We found the HFE Program suffers from a high non-completion rate. Of the 66 examiners who enrolled when the HFE Program first began in 2013, only 6 completed the HFE Program and passed its final examination. By June 2018 more than half (36) were no longer enrolled in the HFE Program. The remaining 24 continued to be enrolled as of June 1, 2018, almost five years into the approximately four-year program, and one-third (8) had completed less than 75% of the Program’s requirements after five years. Since 2014, only 9 individuals have graduated from the HFE Program and passed the final examination.

We also assessed the Agency’s deployment of its commissioned examiners. FHFA, in its 2013 Performance and Accountability Report, explained that the main objective of the HFE Program was to produce commissioned examiners who are “qualified to lead” examinations of major risk areas at the entities supervised by FHFA. However, that objective has not been fulfilled in practice. DBR records reflect that, for each of the last three supervisory cycles, commissioned examiners led roughly 75% of annual DBR exams. DER records show that, for the 2016 and 2017 annual supervisory cycles, DER initiated a total of 53 targeted examinations (defined by FHFA as “a deep or comprehensive assessment” of areas of high importance or risk) and none of these 53 targeted exams was led by an HFE commissioned examiner.

Based on our prior reports and the fieldwork for our September 2018 report, we hold the view that the multiple failures in FHFA’s administration of its HFE Program have derailed efforts to produce the HFE commissioned examiners that the Agency claimed to need. We questioned the $7.7 million in costs to develop, implement, and staff the HFE Program in light of the failure of that Program to yield the anticipated results.

Conservatorship Operations

Special Report on the Common Securitization Platform: FHFA Lacked Transparency and Exercised Inadequate Oversight Over a $2.13 Billion, Seven-Year Project (OIG-2019-005, issued March 29, 2019)

In 2012, FHFA directed the Enterprises to build a Common Securitization Platform (CSP or Platform) to replace their current separate “back-office” systems and to issue a single mortgage-backed security (single security). As originally envisioned, the CSP was intended to facilitate issuance of mortgage-backed securities (MBS) by multiple market participants in a future housing finance system. In May 2014, the then-FHFA Director decided to limit the current scope of the Platform to working “for the benefit of Fannie Mae and Freddie Mac” and committed to transparency in its development.

The first phase of CSP development, Release 1, was rolled out in November 2016. Release 1 allowed Freddie Mac to use the CSP to issue single-family fixed-rate MBS. Under the second phase, Release 2, both Enterprises will use the CSP to issue the new single security. Release 2 is now scheduled for completion by June 2019.

In December 2016, we reported that FHFA had not fully met its commitment to transparency around the development of the CSP. We found that the Agency publicly disclosed only the actual costs incurred to develop and test the CSP; represented to Congress that, as of the first quarter of 2016, the actual and projected costs to develop and test the CSP through 2018 totaled $696 million; and did not disclose to Congress or the public what it knew about the Enterprises’ actual and projected integration costs. We also found that FHFA had not publicly disclosed the risks to successful development and implementation of the CSP.

During this reporting period, we conducted a review to determine whether (1) FHFA honored its commitment to transparency about the CSP by disclosing updated projections for the total cost (development and integration) of the CSP and its internal assessment of the risks of this project after December 2016; and (2) FHFA exercised adequate oversight of the CSP project. We found that: (1) FHFA was not transparent; and (2) its oversight of the CSP project was inadequate.

FHFA issued a public update in March 2017, in which it projected a total of $1.12 billion in CSP development costs. However, FHFA did not disclose the projected $955 million cost to integrate the Enterprises’ IT systems into the CSP. Because it had conducted a thorough review of the program in late 2016, FHFA was aware that the CSP development was “off track” with a significant risk of untimely completion and additional costs. However, it disclosed no known issues or risks in its March 2017 update. It announced that Release 1 had been implemented but reported that Release 2 would be delayed by six months, until the second quarter of 2019.

Since March 2017, FHFA has provided no further cost information in public updates. Our review of internal FHFA documents found that, as of February 2019, FHFA projected that Platform development costs and Enterprise integration costs through Release 2 will total $2.13 billion by June 30, 2019. Although the Agency has asserted that the Platform was developed using standard industry technology and interfaces, it acknowledged to us that it has yet to develop plans, establish a timetable, and determine the costs for use of the Platform by any third party.

FHFA’s Approval of Senior Executive Succession Planning at Freddie Mac Acted to Circumvent the Congressionally Mandated Cap on CEO Compensation (EVL-2019-002, issued March 26, 2019) and FHFA’s Approval of Senior Executive Succession Planning at Fannie Mae Acted to Circumvent the Congressionally Mandated Cap on CEO Compensation (EVL-2019-001, issued March 26, 2019)

During this reporting period, we issued two reports that evaluated FHFA oversight of the Enterprises’ boards of directors’ succession planning efforts.

Under HERA, FHFA is empowered to operate the Enterprises “with all the powers of the shareholders, the directors, and the officers” while the Enterprises remain in conservatorship. FHFA delegated responsibility to the respective boards of directors to develop a succession plan for the CEO and President positions and select candidates for vacant CEO and President positions, and the selections are subject to review by FHFA as conservator. According to FHFA, it has, as a practical matter, chosen to approve such selections after review. FHFA has retained the responsibility to approve compensation actions for senior executive officers.

FHFA reported to us that the then-FHFA Director raised the need for succession planning with the Fannie Mae Board Chair in 2018, following the CEO’s notice of his likely departure. In June 2018, the Board Chair submitted the Board’s written proposed transition plan for directors and senior executive leadership (Board Transition Plan) to FHFA for approval. The Fannie Mae Board Transition Plan represented that the statutory cap of $600,000 on compensation for Enterprise CEOs imposed by the Equity in Government Compensation Act of 2015 created challenges to recruit internal and external qualified candidates for the CEO position.

To address these challenges, the Board Transition Plan recommended a change to Fannie Mae’s management structure by filling the positions of President and CEO with separate individuals. (Since 2008, those positions had been held by one individual.) Under the Fannie Mae Board Transition Plan, certain responsibilities previously executed by the individual holding the CEO and President positions would be assigned to the position of President. The Fannie Mae Board proposed that the annual compensation for the President position should be no less than Fannie Mae’s most highly compensated Fannie Mae officer, which was then $3.25 million. The then-FHFA Director approved the Board Transition Plan in July 2018.

We found that FHFA’s approval of the Fannie Mae Board Transition Plan acted to circumvent the congressionally mandated cap of $600,000 on CEO compensation. By authorizing Fannie Mae to fill the positions of CEO and President with two separate individuals and transfer substantial responsibilities from the CEO and President to the President position, FHFA permitted Fannie Mae to compensate its President at a level more than five times greater than the statutory cap. After the current President had served in the position for less than seven weeks, the Board approved an 11% increase in the President’s target compensation, raising it to $3.6 million per year, which FHFA approved in October 2018. Fannie Mae is now compensating its interim CEO and President a total of $4.2 million to execute the same responsibilities for which it had previously paid $600,000.

In addition, we found that the then-FHFA Director overrode internal controls for processing, tracking, and monitoring requests for conservator approval, which he was authorized to do, when he determined to review the Fannie Mae Board Transition Plan directly, without any staff analysis or recommendation. The decision by the then-FHFA Director to override established FHFA internal controls for conservator review and approval of an Enterprise request created an information vacuum within the Division of Conservatorship (DOC) and rendered it unable to execute its responsibilities.

To address these shortcomings, we recommended that FHFA (1) re-assess the appropriateness of the annual compensation award of $3.6 million to the Fannie Mae President; and (2) establish a process for maintaining and monitoring sensitive conservator requests in its tracking system. FHFA disagreed with our first recommendation and agreed with our second recommendation.

In a companion report, we focused on FHFA oversight of the Freddie Mac Board of Directors. FHFA reported that Freddie Mac’s CEO, who has served as CEO since May 2012, advised the Freddie Mac Board that he intends to retire during the second half of 2019. In May 2018, the Freddie Mac Board Chairman provided the then-FHFA Director with a Board Transition Plan that included recommendations to address this transition. The Freddie Mac Board Transition Plan stated that the statutory cap on the compensation of Enterprise CEOs of $600,000 created challenges to Freddie Mac’s ability to recruit qualified external candidates and an external search could be disruptive to existing internal leadership. The then-FHFA Director responded in writing to the Board Transition Plan, advising the Freddie Mac Board that the plan “strikes us as being very reasonable” and concurred with the Board’s request to forego an external search. Over the following months, the Freddie Mac Board Transition Plan was refined to include: designation of the senior executive who would succeed the CEO after his retirement; creation of a “Deputy CEO” position to be filled by this designated senior executive for one year; mentorship of the Deputy CEO by the CEO until his retirement; and a proposed compensation package for the Deputy CEO position at a level no less than the highest paid executive who reported to the CEO (then $3.25 million).

Acting upon a written staff recommendation, the then-FHFA Director approved this executive compensation package of $3.25 million for the Deputy CEO position on August 15, 2018. Despite FHFA’s earlier response to Freddie Mac that the Board Transition Plan was reasonable, FHFA notified Freddie Mac after August 15, 2018, that the Enterprise would need to conduct an external search for a CEO and title the new position “President,” rather than Deputy CEO. FHFA approved creation of the position of President with the understanding that the individual in that position would serve as the “understudy” to the CEO and execute only those responsibilities previously executed by the CEO and now delegated to him over a one-year period.

We found that FHFA’s approval of a $3.25 million compensation package for the Deputy CEO position (which was never created) and subsequent approval of the same compensation for the President position, acted to circumvent the congressionally mandated cap of $600,000 on CEO compensation. As a result of FHFA’s approval, Freddie Mac provided a total of $3.85 million in compensation for the same set of CEO responsibilities for which it previously paid $600,000. We recommended that FHFA re-assess the appropriateness of the Freddie Mac President’s $3.25 million compensation. FHFA disagreed with our recommendation.

Fannie Mae Purchased Single-Family Mortgages, Including those Purchased through Master Agreements, in Accordance with Selected Credit Terms Set Forth in its Selling Guide for 2015 – 2017 (AUD-2019-006, issued March 27, 2019)

Fannie Mae manages the quality of its mortgage purchases by requiring mortgage sellers to comply with its Selling Guide. The Selling Guide sets forth Fannie Mae’s underwriting standards and eligibility guidelines, as well as its policies and procedures related to sales of single-family mortgages to it. Fannie Mae’s underwriting standards are developed, in part, based on risk-based criteria that enable it to evaluate a borrower’s willingness and capacity to repay a mortgage and the value of the property to ensure that it provides adequate collateral for the mortgage. Risk-based criteria relating to a borrower’s willingness and capacity include the debt-to-income (DTI) ratio, loan-to-value (LTV) ratio, and credit score, while collateral value is assessed through property valuation. None of these criteria are considered in a vacuum but are considered together to build a snapshot of the potential risk level of the mortgage.

Historically, many mortgage sellers sought to sell mortgages to Fannie Mae that did not meet the underwriting standards and/or eligibility requirements in the Selling Guide. Fannie Mae captured these negotiated terms, referred to as variances, with its mortgage sellers in a document called a “master agreement.” Each master agreement supplemented the general requirements of the Selling Guide and set forth the additional negotiated terms under which Fannie Mae agreed to purchase mortgages from the mortgage seller.

We completed an audit in which we sought to assess FHFA’s oversight of Fannie Mae’s master agreements with its single-family mortgage sellers from 2015 through 2017 (review period). As part of the audit, we analyzed master agreements for Fannie Mae’s top three single-family mortgage sellers and found no variation between the terms in the master agreements for DTI ratio, LTV ratio, credit score, and property valuation method from the terms for the same element set forth in the Selling Guide.

We also obtained information from FHFA and Fannie Mae and analyzed loan-level data in FHFA’s Mortgage Loan Integrated System (MLIS) for all single-family mortgage sellers to determine whether the credit terms for DTI ratio, LTV ratio, credit score, and property valuation methods for the mortgages purchased by Fannie Mae differed from those credit terms in the governing Selling Guide. For the single-family mortgages purchased by Fannie Mae during the review period (nearly 6.46 million mortgages with a total unpaid principal balance of $1.49 trillion), through our analysis, we identified some differences with these credit terms, but those differences were not material (less than one-tenth of one percent of the mortgages purchased by Fannie Mae during the review period).

We did, however, identify issues with the reliability of certain data fields in MLIS. Specifically, we found instances where data fields for our selected credit terms were either missing information or were shown as “unknown,” particularly with respect to the data field for property valuation method. FHFA agreed with our recommendation to address this MLIS data field.

Information Technology Security

External Penetration Test of FHFA’s Network and Systems During 2018 (AUD-2019-003, issued February 11, 2019)

To support our ongoing oversight of FHFA’s implementation of the Federal Information Security Modernization Act of 2014 (FISMA), we completed an audit during this period to determine whether FHFA’s security controls were effective to protect its network and systems against external threats.

We found that FHFA’s security controls successfully prevented us from gaining unauthorized access to its systems via the internet, wireless access points, or phishing email. Through a vulnerability scan of the Internet Protocol addresses registered to FHFA, we identified two medium severity vulnerabilities related to an outdated encryption protocol and web cookies; however, we were not able to exploit these vulnerabilities to gain unauthorized access to FHFA’s systems. Upon receiving our vulnerability scan reports, FHFA management reported that a plan was underway to replace systems with an outdated encryption protocol and FHFA took action to address the web cookie vulnerability.

We also performed a test that revealed FHFA employees were susceptible to email phishing. FHFA agreed with our three recommendations to address these matters.

Counterparties and Third Parties

FHFA Should Re-evaluate and Revise Fraud Reporting by the Enterprises to Enhance its Utility (EVL-2018-004, issued September 24, 2018)

HERA requires the Enterprises to establish and maintain procedures designed to discover and report instances of fraud and possible fraud. In 2010, FHFA promulgated a regulation to implement HERA’s fraud reporting requirements. This regulation requires each Enterprise to report to the FHFA Director instances of fraud and possible fraud relating to the purchase or sale of fraudulent loans or financial instruments. In addition, FHFA Advisory Bulletin 2015-02, Enterprise Fraud Reporting, directs the Enterprises to submit monthly and quarterly fraud status reports. FHFA provided standardized templates for specifying the information the Enterprises should include in their monthly and quarterly reports. Similarly, under the Bank Secrecy Act, the Enterprises are required to report fraud and other suspicious activities to the Financial Crimes Enforcement Network, a Treasury bureau.

FHFA is responsible for examining and monitoring the Enterprises’ fraud risk management practices and overseeing the Enterprises’ compliance with FHFA fraud reporting requirements. FHFA recognizes that timely fraud reporting to the Agency is essential to maintain the Enterprises’ safe and sound condition.

We reviewed the applicable requirements and guidance governing the Enterprises’ obligations to detect and report fraud, the Enterprises’ fraud detection and reporting practices, and FHFA’s use of the Enterprises’ fraud reports. We found that FHFA does not make any documented, systematic use of the content of the Enterprises’ fraud reports. FHFA advised us that it recently began to analyze trends of the information in the Enterprises’ fraud reports. While FHFA has considered using that information for risk analysis, it has not developed any framework in which to assess that information.

Because Congress required the Enterprises to prepare fraud reports and FHFA has directed them to submit detailed monthly and quarterly reports to meet this statutory requirement, we recommended that FHFA re-evaluate the fraud information it requires from the Enterprises and revise, as appropriate, its existing reporting requirements to enhance the utility of these reports with the goal of using these reports to inform its supervisory activities with respect to the risk that fraud poses to the Enterprises. FHFA agreed with our recommendation.

Examples of OIG Investigative Accomplishments

OIG is vested with statutory law enforcement authority that is exercised by its Office of Investigations (OI). OI conducts criminal and civil investigations into those, whether inside or outside of government, who waste, steal, or abuse in connection with the programs and operations of the Agency and the regulated entities. OI is staffed with special agents (SAs), investigative counsel, analysts, and attorney advisors who work in field offices across the nation. OI has offices located within several federal judicial districts that lead the nation in reported instances of mortgage fraud: the Southern District of Florida; the Northern District of Illinois; the District of New Jersey; and the Central District of California.

OI specializes in deterring and detecting fraud perpetrated against the Enterprises. OI’s focus on fraud committed against the Enterprises is essential to the well-being of the secondary mortgage market. Collectively, Fannie Mae and Freddie Mac hold more than $5 trillion worth of mortgages on their balance sheets. Each year the Enterprises acquire millions of mortgages worth several hundreds of billions of dollars. The potential for fraud in these circumstances is significant.

Civil Cases

OI continued to participate in residential mortgage backed securities (RMBS) investigations and other civil investigations by working closely with U.S. Attorneys’ offices to investigate allegations of fraud committed by financial institutions and individuals.

The Royal Bank of Scotland Agrees to Pay $4.9 Billion for Financial Crisis-Era Misconduct

In August 2018, the Department of Justice (DOJ) announced a $4.9 billion settlement with The Royal Bank of Scotland Group plc (RBS Group) resolving federal civil claims that RBS Group’s subsidiaries in the United States (RBS) misled investors in the underwriting and issuing of RMBS between 2005 and 2008. The penalty is the largest imposed by DOJ for financial crisis-era misconduct at a single entity.

Using recordings of contemporaneous calls and emails of RBS executives, the settlement includes a statement of facts alleged by DOJ (but not admitted or agreed to by RBS) that details how RBS routinely made misrepresentations to investors about significant risks it failed to disclose about its RMBS.

For example, RBS’s reviews of loans backing its RMBS (known as “due diligence”) confirmed that loan originators had failed to follow their own underwriting procedures, and that their procedures were ineffective at preventing risky loans from being made. As a result, RBS routinely found that borrowers for the loans in its RMBS did not have the ability to repay and that appraisals for the properties guaranteeing the loans had materially inflated the property values. RBS’s RMBS contained, as its Chief Credit Officer put it, “total [expletive deleted] garbage” loans with “random” and “rampant” fraud that was “all disguised to, you know look okay kind of . . . in a data file.” RBS never disclosed that these material risks both existed and increased the likelihood that loans in its RMBS would default.

RBS’s due diligence practices did not remove fraudulent and high-risk loans from its RMBS. In fact, RBS executives internally discussed how RBS’s due diligence process was “just a bunch of [expletive deleted].”

To develop and maintain business relations with originators, RBS agreed to limit the number of loans it could review (due diligence caps) and/or limit the number of materially defective loans it could remove from an RMBS (kick-out caps). As a result, RBS securitized tens of thousands of loans that it determined or suspected were fraudulent or had material problems without disclosing the nature of the loans to investors.

Through its scheme, RBS earned hundreds of millions of dollars, while simultaneously ensuring that it received repayment of billions of dollars it had lent to originators to fund the faulty loans underlying the RMBS. RBS used RMBS to push the risk of the loans, and tens of billions of dollars in subsequent losses, onto unsuspecting investors across the world, including non-profits, retirement funds, and federally-insured financial institutions. As losses mounted, and after many mortgage lenders who originated those loans had gone out of business, RBS executives showed little regard for this misconduct and made light of it. For example, after RBS’s Head Trader received an e-mail from a friend stating “[I’m] sure your parents never imagine[d] they’d raise a son who [would] destroy the housing market in the richest nation on the planet,” the Head Trader answered, “I take exception to the word ‘destroy.’ I am more comfortable with ‘severely damage.’”

According to OIG’s Associate Inspector General Jennifer Byrne: “The actions of RBS resulted in significant losses to investors, including Fannie Mae and Freddie Mac, which purchased the Residential Mortgage-Backed Securities backed by defective loans.”

Criminal Cases

11 Individuals and 3 Businesses Charged in National Foreclosure Relief Scheme, Ohio

In March 2019, 11 people from across the country and three businesses were indicted for their roles in a scheme to defraud distressed homeowners by falsely representing that they could help the victims save their homes.

According to the 26-count indictment, the co-conspirators took advantage of homeowners’ desperation to save their homes and used money from homeowner victims to personally enrich themselves. It is alleged that co-conspirators were involved in a multilevel marketing scheme, which promised affiliates commissions by recruiting distressed homeowners to companies they controlled, including MVP Home Solutions, LLC, Bolden Pinnacle Group Corp., and Silverstein & Wolf Corp. They used multiple ways to recruit affiliates, including conference calls and direct mailings. For example, some co-conspirators hosted weekly conference calls where participants from across the country dialed in to hear details of the scheme and share sales strategies. During the calls, co-conspirators encouraged affiliates to recruit homeowners to their companies on the promise of easy money.

Some co-conspirators also allegedly promoted, organized, and attended conferences in which affiliates came to hear details of the scheme in person. For example, some co-conspirators organized and participated in a national conference in Columbus, Ohio, in April 2015 in which they provided “deep impact training” and techniques for affiliates to convince homeowners to enroll in Bolden Pinnacle Group Corp. and Silverstein & Wolf Corp. programs.

Affiliates were encouraged to be aggressive in recruiting homeowners. Affiliates used online databases and court records to identify vulnerable, financially distressed homeowners who had recently received notice of foreclosure on their home.

According to the indictment, some co-conspirators mailed more than 22,000 postcards promising that they could “stop foreclosure” or “stop the sheriff sale” for a fixed fee. Co-conspirators also reached out to homeowners using Craigslist ads, websites, emails, and social media platforms.

On the promise of reducing or eliminating mortgage obligations in exchange for a fee, initial recruiters would collect payments from homeowners and refer the victims to the co-conspirator’s companies.

Among other things, the referral programs promised to negotiate with mortgage lenders on the homeowners’ behalf for the purchase of the mortgage notes at a discount, negotiate the sale of their home and release of their mortgage loans through a short sale and/or deed in lieu of foreclosure sale, stop an imminent foreclosure sale, remove the mortgage lien via a tender offer, and achieve short sale prices at a fraction of the value of the outstanding lien/note.

Further, co-conspirators represented that they had “proprietary” methods or “legal tactics” to help homeowners stall or completely avoid foreclosure. In actuality, the indictment says co-conspirators persuaded homeowners to file chapter 13 bankruptcies in order to delay foreclosure actions.

Co-conspirators allegedly filed skeletal bankruptcy petitions that they called “pump fakes.” These petitions intentionally failed to disclose the co-conspirators as preparers and named the homeowners as filing pro se. Any relief from foreclosure delay was temporary until the bankruptcy court dismissed the proceeding.

In 2014 alone, one co-conspirator allegedly prepared and filed petitions for 30 homeowners without their knowledge.

The Enterprises suffered losses because of this scheme.

Vice President of Real Estate Management Company and Managing Director of Commercial Real Estate Financing Firm Pled Guilty in Multi-Million Dollar Mortgage Fraud Scheme, New York

Between December 2018 and March 2019, Kevin Morgan and Patrick Ogiony were charged by information and pled guilty to conspiracy to commit bank fraud.

According to court documents, Kevin Morgan and Ogiony, along with co-defendants Todd Morgan, Frank Giacobbe, and others, conspired to defraud financial institutions and the Enterprises. Kevin Morgan was employed as a Vice President at Morgan Management, LLC, a real estate management company that managed more than 200 multifamily properties. Todd Morgan also was employed by Morgan Management as a Project Manager. Kevin and Todd Morgan worked with Frank Giacobbe, who owned and operated Aurora Capital Advisors, LLC, a mortgage brokerage company, and Patrick Ogiony, an Aurora employee, to secure financing for properties managed by Morgan Management or certain principals of Morgan Management.

Kevin Morgan, Ogiony, and others created and provided false information to lenders, the Enterprises, and servicers, including reporting inflated revenues and reduced expenses for the properties managed by Morgan Management. This resulted in the financial institutions issuing loans for larger amounts than they would have authorized had they been provided with truthful information.

The co-defendants misled the financial institutions regarding the occupancy of properties. For example, Kevin Morgan and Ogiony conspired to provide false rent rolls to lenders and appraisers on a variety of dates, overstating either the number of renters in a property and/or the rent paid by occupants; conspired to provide false and inflated income statements for the properties; and worked with others to deceive inspectors into believing that unoccupied apartments were, in fact, occupied.

In one such instance, Kevin Morgan, Ogiony, and others provided false information to Berkadia Commercial Mortgage LLC and Freddie Mac, in connection with Rochester Village Apartments at Park Place, a multi-family residential community owned by certain Morgan Management principals. The false information included inflated income derived from storage unit rentals, parking revenue, and apartment leases. Additionally, during the construction phase, apartments were reported to lenders as “occupied” prior to the issuance of the certificates of occupancy. At another property, radon testing procedures were falsified to secure financing.

In addition, Kevin Morgan, Ogiony, and others made misrepresentations to the lending institutions to conceal the unauthorized use of loan proceeds by Morgan Management and its principals. Loan funding was used to maintain or improve other properties managed by Morgan Management, and to satisfy debts associated with other properties managed by Morgan Management. For example, the defendants included a fictitious $2.5 million debt in a loan application, purportedly owed to a Morgan Management controlled entity and created a fabricated payoff letter for that debt to increase the amount of the loan in connection with a property known as Autumn Ridge.

Charges are pending against Giacobbe and Todd Morgan. The investigation revealed fraud in at least 23 loans issued for over $500 million, secured by at least 21 different properties.

Loss calculations are ongoing. Some loans involved in this scheme were purchased or securitized by the Enterprises.

Ex-Fannie Mae Employee Found Guilty and Fannie Mae Real Estate Owned (REO) Broker Pled Guilty in Multi-Million Dollar Scheme Involving Property Listings and Approval of Below-Market Sales, California

In February 2019, Shirene Hernandez was found guilty at trial on charges of wire fraud and deprivation of honest services involving a scheme where she received bribes and kickbacks from brokers in exchange for Fannie Mae real estate listings and for approving the discounted sales of Fannie Mae-owned properties.

According to the evidence presented at a five-day trial, Hernandez was a sales representative at Fannie Mae. As part of its operations, Fannie Mae acquires properties through foreclosures and other methods, and then it manages and sells those properties for Fannie Mae’s benefit. Since at least 2012, Fannie Mae’s profits have gone to the U.S. Treasury for the benefit of U.S. taxpayers.

As a sales representative, Hernandez assigned Fannie Mae-owned properties to real estate brokers and approved sales of the properties based on offers the brokers submitted. In violation of Fannie Mae rules and federal law, Hernandez approved sales of Fannie Mae-owned properties at discounted prices to herself and to the brokers who paid her kickbacks. She also received bribes – mostly in cash payments – in return for listing opportunities and commissions that brokers earned on real estate sales.

Hernandez also assigned listings to family members who earned nearly $2 million in commissions in less than three years. Other brokers who paid kickbacks earned millions more. For her part in the scheme, Hernandez received more than $1 million in benefits, including the cash kickbacks that she received, and the value of a property that she obtained with kickback money.

As part of the scheme, Hernandez purchased a Fannie Mae-owned property in Sonoma, California, that she was responsible for selling, and she rejected higher, market-priced offers in favor of her own below-market price. Hernandez purchased the Sonoma property through intermediaries and affiliates that she controlled, selling it first to a company affiliated with a broker who was bribing her, then directing the broker to transfer the property to her sister-in-law, who paid for the property with a duffel bag filled with $286,450 in cash from Hernandez – far below the market price. The Sonoma property was rented out and Hernandez received the rent proceeds.

In a related case, in January 2019, Peter Michno, a broker, was charged and pled guilty to conspiracy to commit wire fraud involving deprivation of honest services for his role in this scheme.

According to the plea agreement, Michno was a Fannie Mae-approved REO broker entitled to receive a commission from the sale of REO properties as compensation for his services. Michno was not authorized to purchase Fannie Mae REO properties for himself or for his friends, relatives, and associates or permitted to pay referral fees, bribes, or kickbacks to Fannie Mae employees.

Michno paid co-conspirators, employed by Fannie Mae, cash bribes and kickbacks in exchange for the assignment of listings and the approval of below-market sales of Fannie Mae REO properties to him and his affiliates. Michno then transferred some of these properties to his co-conspirators as a kickback for the performance of their official duties.

Former Business Owner Convicted in Federal Court for Over $49 Million Bank Fraud, Maryland

In August 2018, Mark Gaver was convicted by a federal jury on charges of bank fraud and money laundering arising from a scheme in which he obtained over $49 million in bank financing for his company Gaver Technologies, Inc. (GTI), using false and fraudulent financial statements, balance sheets, and certifications of outstanding accounts receivable.

According to the evidence presented at his seven-day trial, Gaver formed GTI, an information technology company based in Frederick, Maryland. Gaver submitted materially false financial documents to Santander Bank, a federally insured bank, including fraudulent audit reports and contract status reports, to establish and obtain successive increases in the line of credit from the lender for GTI. Based upon the false documentation submitted by Gaver, the lender ultimately extended $50 million in financing to GTI.

The evidence showed that some of the funds obtained from the lender were used by Gaver to cover regular business expenses and thereby keep GTI open, but Gaver also diverted half of the loan proceeds—approximately $15 million—to his own personal use. For example, Gaver used loan proceeds to pay rental fees of private planes that he used for non-business purposes, as well as to pay for personal pleasure trips to France, Germany, Mexico, Jamaica, and the Bahamas. Gaver also used the funds to purchase vacation homes, including a 4,000-square foot condominium with a view of the Gulf of Mexico in Bonita Springs, Florida, a 2012 Maserati Gran Turismo, a 2011 Mercedes Benz SL Roadster, and a private membership at an exclusive golf club.

Gaver obtained a home equity line of credit that was pledged to the FHLBank of Pittsburgh. The estimated loss to Santander, a member bank of the FHLBank of Pittsburgh, is $49 million.

In December 2018, Gaver was sentenced to 17 years in prison, 3 years of supervised release, and ordered to pay $48,774,308 in restitution and $49,215,606 in forfeiture.

[Seal - Office of Inspector General, U.S. Department of Housing and Urban Development]

Office of Inspector General

U.S. Department of Housing and Urban Development

The HUD OIG conducts independent audits, evaluations, investigations, and other reviews of HUD operations and programs to promote economy, efficiency, and effectiveness, and protect HUD and its component entities from fraud, waste, and abuse.

Background

While organizationally located within HUD, the OIG operates independently with separate budget authority. Its independence allows for clear and objective reporting to HUD’s Secretary and Congress. HUD’s mission is to create strong, sustainable, inclusive communities and quality affordable homes for all. HUD is working to strengthen the housing market to bolster the economy and protect consumers, meet the need for quality affordable rental homes, and use housing as a platform for improving quality of life. Its programs are funded through more than $50 billion in annual congressional appropriations.

Within HUD are two entities that have major impact on the Nation’s financial system: the Federal Housing Administration (FHA) and Government National Mortgage Association (Ginnie Mae). FHA provides mortgage insurance for single-family homes, multifamily properties, nursing homes, and hospitals. FHA is the largest insurer of mortgages in the world, having insured more than 47.5 million loans since its inception in 1934. FHA mortgage insurance provides lenders with protection against losses as the result of homeowners defaulting on their mortgage loans. In fiscal year 2018, FHA generated more than $1.3 trillion in insured loans. FHA receives limited congressional funding and is primarily self-funded through mortgage insurance premiums.

Ginnie Mae is a self-financing, wholly owned U.S. Government corporation within HUD. It is focused on providing investors a guarantee backed by the full faith and credit of the United States for the timely payment of principal and interest on mortgage-backed securities (MBS) secured by pools of government home loans, which are insured or guaranteed by FHA, HUD’s Office of Public and Indian Housing, the U.S. Department of Veterans Affairs (VA), and the U.S. Department of Agriculture (USDA). The purchasing, packaging, and reselling of mortgages in a security form frees up funds that lenders use to provide more loans.

Ginnie Mae has an outstanding portfolio of MBS securities valued at more than $2 trillion. A majority of the MBS securities consist of FHA-insured mortgages. Ginnie Mae offers the only MBS securities carrying the full faith and credit guaranty of the U.S. Government, which means that its investors are guaranteed payment of principal and interest in full and on time. If an issuer of MBS securities fails to make the required pass-through payment of principal and interest to investors, Ginnie Mae is required to assume responsibility for it by defaulting the issuer and assuming control of the issuer’s MBS securities pools and the servicing of the loans in those pools.

HUD’s Top Management Challenges

OIG continually looks for ways to meet the needs of HUD’s beneficiaries and to protect taxpayer dollars. OIG’s oversight efforts focus on identifying and addressing HUD’s most serious management challenges, several of which relate to financial oversight:

• Ensuring the Availability of Affordable Housing that is Decent, Safe, Sanitary, and in Good Repair

• Protecting the FHA Mortgage Insurance Fund

• Administering Disaster Recovery Assistance

• Instituting Sound Financial Management

Identifying these challenges helps HUD and Congress mitigate the primary risks that hinder HUD in meeting its mission and being able to put taxpayer dollars to the best use. OIG uses these challenges to target its oversight efforts, as demonstrated in the following summaries.

Ensuring the Availability of Affordable Housing that is Decent, Safe, Sanitary, and in Good Repair

Part of HUD’s mission is to create quality, affordable homes for all. The housing that HUD insures and funds must be decent, safe, sanitary, and in good repair. Economic and demographic factors, as well as aging housing stock, have created an extreme shortage of housing that is affordable and safe. HUD’s challenge is to adapt existing programs to address ever-increasing housing pressures on the Nation’s lowest income residents.

One of HUD’s financial strategies to address affordable housing is to encourage public housing agencies (PHAs) to transition public housing units to a private-public partnership model. HUD developed its Rental Assistance Demonstration Program (RAD) to give PHAs a tool to preserve and improve public housing properties and address the $26 billion nationwide backlog of deferred maintenance. For fiscal year 2018, Congress increased to 455,000 the number of public housing units that may participate in RAD. OIG audited a number of PHAs in fiscal year 2018 to assess their conversion to the RAD program, and is continuing to conduct PHA RAD audits nationwide in fiscal year 2019. For example:

The Housing Authority of the City of Evansville, IN, Did Not Follow HUD’s and Its Own Requirements for Units Converted Under the Rental Assistance Demonstration

The Authority of the City of Evansville, IN, did not follow HUD’s and its own requirements for the units converted under RAD. Specifically, it (1) did not ensure that units complied with HUD’s housing quality standards before it entered into a housing assistance payments contract, (2) failed to obtain the services of a HUD-approved independent third party to perform housing quality standards inspections for units owned by entities it substantially controlled, and (3) did not apply the correct contract rents for the converted units. As a result, the Authority could not support the eligibility of more than $1 million in housing assistance payments to the entities and more than $10,000 in program funds paid to a contractor for housing quality standards inspection services. Further, the application of incorrect rents led to the underpayment of housing assistance to the entities, so these funds were not available for the administration of the Authority’s Project-Based Voucher Program. OIG made multiple recommendations to correct the identified deficiencies. (Audit Report: 2018-CH-1003)

Protecting the FHA Mortgage Insurance Fund

HUD is challenged in protecting the FHA mortgage insurance fund, which insures approximately 25 percent of all mortgages in the United States. Through the Mutual Mortgage Insurance (MMI) fund,5 FHA insures participating lenders against losses when borrowers default on loans, which allows lenders to make loans to higher risk borrowers. From April 2017 through March 2018, the MMI fund paid out almost $14 billion in reimbursements for defaulted loans. For those claims for which the lender conveyed the property to HUD and HUD resold the property, HUD recovered only about 54 percent of the funds paid out.

Without sufficient controls, oversight, and effective rules, FHA’s MMI fund is at risk of unnecessary losses. Further, if insurance fees collected from borrowers cannot support the fund, additional funding from the U.S. Department of the Treasury is required, as authorized for Federal credit programs.

In protecting the FHA and Ginnie Mae programs, HUD is confronted with

• a lack of sufficient safeguards in FHA’s mortgage insurance program,

• large losses to the insurance fund due to home equity conversion mortgages,

• an increase in Ginnie Mae’s nonbank issuers, and

• potential emerging risks related to a market shift toward an entirely digital mortgage life cycle.

For more than a decade, OIG has reported the need for more safeguards to protect the FHA insurance program, and fiscal year 2018 was no exception. For example:

FHA Insured $1.9 Billion in Loans to Borrowers Barred by Federal Requirements

OIG audited FHA insured loans from calendar year 2016 to determine whether FHA insured loans to borrowers with delinquent Federal debt or who were subject to Federal administrative offset for delinquent child support.

FHA insured an estimated 9,507 loans, worth more than $1.9 billion, which were not eligible for insurance because they were made to borrowers with delinquent Federal debt or who were subject to Federal administrative offset for delinquent child support. OIG recommended that FHA put more than $1.9 billion to better use by developing a method for using the U.S. Treasury Do Not Pay portal to identify delinquent Federal debt and delinquent child support to prevent future FHA insured loans to ineligible borrowers. (Audit Report: 2018-KC-0001)

HUD Paid an Estimated $413 Million for Unnecessary Preforeclosure Claim Interest and Other Costs Due to Lender Servicing Delays

OIG audited FHA’s preforeclosure sale claim process to determine the amount of unnecessary preforeclosure claim interest and other costs that resulted from lender noncompliance with HUD’s loan-servicing timeframe requirements. HUD paid more than $413 million in unnecessary interest and other costs for 27,634 preforeclosure claims because lenders failed to complete servicing actions for defaulted loans within established timeframes. Although the unnecessary amounts were caused by lenders’ inaction, HUD reimbursed lenders for these added costs through FHA insurance claims. As a result, the FHA insurance fund incurred unnecessary and unreasonable costs, and fewer funds were available to pay other claims or apply toward reducing FHA borrower mortgage insurance premiums. OIG recommended that HUD implement a change to regulations at 24 CFR (Code of Federal Regulations) Part 203 to require curtailment of preforeclosure interest and other costs caused by lender servicing delays, resulting in more than $413 million in funds to be put to better use. (Audit Report: 2018-LA-0007)

Footnote: 5 The MMI fund is a Federal fund that insures mortgages guaranteed by FHA. The MMI fund supports both FHA mortgages used to buy homes and reverse mortgages used by seniors to extract equity from their homes. [End of footnote]

HUD Failed to Enforce the Terms of a Settlement Agreement With Fifth Third Bank Because It Did Not Record Indemnified Loans in Its Tracking System

OIG worked with HUD to resolve outstanding matters related to two September 2015 agreements with Fifth Third Bank (FTB) and its principal subsidiary, Fifth Third Bancorp, a bank holding company. HUD had failed to properly record required indemnifications in its FHA Connection system; therefore, it did not hold FTB accountable to the terms of the settlement agreements. OIG recommended that HUD require FTB to reimburse HUD nearly $312,000 for two loans, for which HUD incurred losses when it sold the properties, and 15 loans for which FHA insurance had been terminated and HUD had paid loss mitigation claims to FTB. OIG also recommended that HUD record in FHA Connection the remaining indemnified loans, avoiding more than $47 million in estimated losses, and that HUD develop and implement controls to ensure that indemnification agreements that result from legal settlements have been properly recorded in FHA Connection. Finally, OIG recommended that HUD take appropriate administrative action against FTB for violations of the settlement agreement. (Memorandum: 2018-CF-0802)

OIG also conducted a civil fraud review of a professional services firm that provides auditing services to clients throughout the United States.

Deloitte & Touche, LLP, Settled Allegations That It Failed To Conduct Taylor, Bean & Whitaker Mortgage Corporation’s Audits in Conformance With Generally Accepted Auditing Standards

OIG and the U.S. Attorney’s Office conducted a civil fraud review of Deloitte & Touche, LLP, a professional services firm that provides auditing services to clients throughout the United States. Deloitte provided auditing services to its client, Taylor, Bean & Whitaker Mortgage Corporation (TBW). TBW was an FHA-approved direct endorsement lender and as such, was required to submit to HUD annual audited financial statements to maintain its status as a direct endorsement lender. Deloitte served as TBW’s independent outside auditor and submitted audit reports on TBW’s financial statements for its fiscal years ending April 30, 2002, through April 30, 2008. Deloitte stated in its reports that it had conducted its audits of TBW in accordance with generally accepted auditing standards.

Deloitte & Touche, LLP, entered into a settlement agreement with the Federal Government, agreeing to pay $149.5 million, of which $115 million was to be paid to HUD. Deloitte denied but settled allegations of alleged conduct in connection with its role as TBW’s independent outside auditor for fiscal years that ended April 30, 2002, through April 30, 2008. The settlement agreement was neither an admission of liability by Deloitte nor a concession by the United States that its claims were not well founded. (Memorandum: 2018-FO-1802)

OIG has several planned and ongoing audits focused on protecting the FHA mortgage insurance fund. For example, one ongoing audit has the objective of determining whether FHA insured loans made to borrowers that were ineligible due to delinquent Federal tax debt. OIG expects to issue this report in fiscal year 2019. Another audit that recently began focuses on whether FHA insured loans that did not meet the underwriting requirements for special flood hazard areas. OIG expects to issue this report in fiscal year 2020.

In addition, OIG continues to pursue resolution to concerns reported in previous years. OIG reported one of its highest concerns in October 2016, which was that OIG projected that HUD paid claims for nearly 239,000 properties that servicers did not foreclose upon or convey on time. As a result, HUD paid an estimated $2.23 billion in unreasonable and unnecessary holding costs over a 5-year period. These excessive costs were allowed to occur because HUD regulations do not establish a maximum period for filing a claim and do not place limitations on holding costs when servicers do not meet all deadlines. OIG recommended HUD make regulatory changes to establish a maximum claim filing period and sufficient limitation on holding costs after servicers missed deadlines. To date, HUD has not completed the regulatory changes and our recommendation remains open. These significant, excessive costs will continue to negatively affect the MMI fund until the regulatory changes are completed.

OIG also fears continued large losses to the FHA insurance fund due to home equity conversion mortgages (HECM). HECM is a reverse mortgage program that enables eligible homeowners age 62 and older to borrow funds using the equity in their homes. FHA’s fiscal years 2015 through 2018 annual reports on the status of the MMI fund showed an overall trend of large fluctuations in the value of the HECM portfolio and consistently negative net cash flows ranging from negative $1.6 billion to negative $4.5 billion. In total, the HECM program consumed $13 billion in MMI fund assets and $7 billion in General Insurance fund6 assets over the 4-year period of fiscal years 2015 through 2018.

OIG is currently conducting an audit with an objective to determine whether HUD designed the HECM program to control the risk of loss related to assignment claims and ensure program viability. Our subobjectives are to (1) identify the full cost of the HECM program and determine whether HUD reported that cost, (2) identify inherent program risks and existing or potential controls to mitigate risks and control costs, and (3) determine whether the HECM program can function as a stand-alone program without a Federal subsidy. OIG expects to issue this report in fiscal year 2019.

HUD is also challenged by the significant increase in the number of nonbanks issuing MBS pools that Ginnie Mae guarantees. In fiscal year 2018, nonbank issuers accounted for 78 percent of Ginnie Mae’s single-family MBS issuance volume for the year, up from 51 percent in June 2014 and from 18 percent in fiscal year 2010. As OIG and Ginnie Mae have reported, the increase in the number of nonbank issuers and their complexity continues to present an unmitigated challenge for monitoring efforts. As Ginnie Mae wrote in its 2018 Annual Report, “[a]s more non-banks issue Ginnie Mae’s securities, the cost and complexity of monitoring increases as the majority of these institutions involve more third parties in their transactions, making oversight more complicated. In contrast to traditional bank issuers, non-banks rely more on credit lines, securitization involving multiple players, and more frequent trading of [mortgage servicing rights].”

In addition, the mortgage industry is moving toward an entirely electronic loan process. FHA and Ginnie Mae intend to do the same. However, HUD, particularly FHA, has well-known technology challenges. Risks include information security, data transfers and platform integration, and system functionality, all of which could lead to fraudulent activities.

OIG continues to have concerns that an increase in demand on the FHA and VA programs will have collateral implications for the integrity of the Ginnie Mae MBS program, including the potential for increased fraud. Of particular concern is VA loan churning, in which lenders encourage veterans to repeatedly refinance their loans, which can result in the borrower incurring ever increasing fees on their loan. If the fees get too high, the veteran could lose his or her home. The churning produces profits for the lenders at the expense of the veterans, which means that lenders, at times, use deceptive practices to encourage repeated refinances. Since September 2017, the Ginnie Mae – VA Loan Churn Task Force has been working to address these concerns. Ginnie Mae has notified issuers that are outliers among market participants to develop corrective action plans. The action plans are aimed to prevent a few bad actors from raising the cost of homeownership for millions of Americans. A Ginnie Mae executive said “We expect issuers receiving these notices to respond quickly, produce a corrective action plan and come into compliance with our program.”

OIG also helps protect the FHA insurance fund by conducting investigations of alleged fraud against the fund, and securing recoveries to the fund. OIG completed 126 single-family investigations of fraud against the FHA insurance fund in fiscal year 2018. A majority of the investigations focused on loan origination fraud, for both forward and reverse mortgages. Recoveries from these cases totaled nearly $500 million. For example:

• The co-owner of a mortgage company was sentenced in U.S. District Court in connection with a guilty plea to 24 counts of wire fraud, 6 counts of bank fraud, and 3 counts of filing a false tax return. The defendant was sentenced to 60 months incarceration, followed by 5 years of probation, and ordered to pay $12.7 million in restitution. The co-owner and three other defendants defrauded numerous lenders into purchasing refinanced FHA and refinanced conventional mortgages that the mortgage company originated, for which the first mortgages were not paid off at the time of closing. The defendants used the closing escrow funds for their personal benefit. OIG, the U.S. Attorney’s Office, the Federal Bureau of Investigation (FBI), and the Internal Revenue Service Criminal Investigation division conducted the investigation.

Footnote: 6 The General Insurance fund (GI) provides a large number of specialized mortgage insurance activities, including insurance of loans for property improvements, cooperatives, condominiums, housing for the elderly, land development, group practice medical facilities, nonprofit hospitals, and reverse mortgages. To comply with the FHA Modernization Act of 2008, activities related to most single-family programs, including HECM, endorsed in fiscal year 2009 and going forward, are in the MMI fund. The single-family activities in the GI fund from fiscal year 2008 and prior remain in the GI fund. [End of footnote]

• A former accountant for a Ginnie Mae-approved loan servicing company was sentenced in U.S. District Court in connection with a guilty plea to an Information charging the defendant with reporting false transactions to HUD. The Court sentenced the former accountant to one year of supervised release and ordered her to pay HUD more than $108,000 in restitution. Over a period of about 18 months, the defendant helped the former owner of the loan servicing company divert millions of dollars in mortgage payments to an account that the former owner used for other business and personal expenses. The payments should have been made to Ginnie Mae investors. The former accountant and former company owner then falsely reported to Ginnie Mae that the defrauded borrowers had not made those mortgage payments. Given the shortfall in payments to investors, as well as tax and insurance payments that were supposed to have been escrowed for borrowers but were not, Ginnie Mae was forced to reimburse investors and borrowers, resulting in an approximate $2.8 million loss to HUD. OIG, the U.S. Attorney’s Office, the USDA OIG, the VA OIG, and the FBI conducted this investigation.

Administering Disaster Recovery Assistance

HUD has taken on significant leadership responsibilities in the area of disaster recovery assistance. Congress has appropriated more than $84 billion in supplemental funding to HUD for disaster recovery since 2001. This amount includes $35.8 billion appropriated by Congress in supplemental appropriations to HUD in 2017 and 2018 for recovery from Hurricanes Harvey in Texas; Irma in Florida, Georgia, South Carolina, and the U.S. Virgin Islands; Maria in Puerto Rico and the Virgin Islands; and Nate in Mississippi. These disasters resulted in the loss of many human lives and massive property destruction. Further, as the Federal Emergency Management Agency noted, economic recovery is a critical and integral part of disaster recovery. Disasters not only damage property, but also entire markets for goods and services. Considerable Federal funds are contributed to State, local, and Tribal economic recovery as well as to other areas of recovery that necessarily strengthen the economy.

The nature of disaster recovery is inherently risky and susceptible to fraud, given the complexity and range of challenges experienced when recovering from disasters. Disaster recovery appropriation funds may take decades to spend, as their purpose is for long-term recovery, which includes rebuilding homes and communities. HUD awards grants to States and units of local government for disaster recovery efforts. Over the years, HUD has gained more experience and made progress in assisting communities recovering from disasters, but it continues to face these challenges in administering and overseeing these grants:

• codifying the Community Development Block Grant - Disaster Recovery (CDBG-DR) program,

• ensuring that expenditures are eligible and supported,

• ensuring and certifying that grantees are following Federal procurement regulations,

• addressing concerns that citizens encounter when seeking disaster recovery assistance, and

• preventing fraud in disaster recovery assistance.

OIG reported on these areas in recent years, including fiscal year 2018. For example:

HUD’s Office of Block Grant Assistance Had Not Codified the Community Development Block Grant Disaster Recovery Program

OIG audited HUD’s disaster recovery program to determine whether HUD should codify the CDBG-DR funding as a program in the CFR. Although HUD had managed billions in CDBG-DR funds since 2002, it has not codified the program because it believed it did not have the authority under the Robert T. Stafford Disaster Relief and Emergency Assistance Act and had not determined whether it had the authority under the Housing and Community Development Act of 1974, as amended. It also believed a Presidential Executive order presented a barrier to codification, as it required HUD to identify two rules to eliminate before creating a new codified rule. OIG believes HUD has the authority under the Housing Act of 1974 and it should codify the program. HUD’s use of multiple Federal Register notices to operate the CDBG-DR program presented challenges to the grantees. For example, 59 grantees with 112 active CDBG-DR grants, which totaled more than $47.4 billion as of September 2017, had to follow requirements contained in 61 different Federal Register notices to manage the program. Further, codifying the CDBG-DR program would (1) ensure that a permanent framework is in place for future disasters, (2) reduce the volume of Federal Register notices, (3) standardize the rules for all grantees, and (4) ensure that grants are closed in a timely manner. OIG recommended that HUD work with its Office of General Counsel to codify the CDBG-DR program. (Audit Report: 2018-FW-0002)

The City of New York, NY, Did Not Always Use Disaster Recovery Funds Under Its Program for Eligible and Supported Costs

OIG audited the City of New York, NY’s Infrastructure Rehabilitation and Reconstruction of Public Facilities Program to determine whether the City used CDBG-DR funds under its program for eligible and supported costs. The City did not always use CDBG-DR funds under its program for eligible and supported costs. Specifically, for one of two projects reviewed, the City did not (1) have sufficient documentation to show that the use of salary multipliers for overhead and profit, resulting in more than $594,000 in additional costs, was supported and eligible; (2) maintain adequate documentation to show compliance with requirements of the Davis-Bacon Act and related acts; and (3) identify billing and payroll errors made by subcontractors. As a result, HUD did not have assurance that the City used nearly $598,000 in CDBG-DR funds as intended for matching requirements for other federally funded infrastructure projects, and HUD could not be assured that funds were disbursed for only eligible and supported costs that complied with applicable Federal requirements. OIG recommended that HUD require the City to adequately support identified expenditures or reimburse its program from non-Federal funds, and strengthen its controls to ensure compliance with applicable expenditure requirements. (Audit Report: 2018-NY-1007)

Grantees carry out the disaster recovery activities supported by CDBG-DR funding. The ability of these grantees to accomplish recovery from disasters and do so in an efficient and effective manner is critical to the recovery of the affected communities. To help HUD ensure that grantees have this ability, OIG conducts capacity reviews to determine whether these entities have the capability to administer their CDBG-DR grants in accordance with applicable regulations and requirements, particularly with regard to financial management, procurement, monitoring, and reporting. In fiscal year 2018, OIG conducted capacity reviews of the State of Florida’s Department of Economic Opportunity (2018-AT-1010) and the State of Texas’ General Land Office (2018-FW-1003). In fiscal year 2019, OIG has planned and ongoing capacity reviews and compliance audits of Puerto Rico’s Department of Housing, the U.S. Virgin Island’s Housing Authority, and the State of Texas’ General Land Office, among others. OIG expects to begin reporting on these audits starting in fiscal year 2019.

OIG is also currently conducting an audit of HUD to determine whether it is adequately prepared to respond to upcoming natural and man-made disasters. The audit focuses on disaster policies and procedures regarding interaction with external partners and disaster survivors, as well as for receiving and distributing disaster funds. OIG is coordinating this audit with several other Federal agencies and expects to issue a report in fiscal year 2019 or 2020.

Instituting Sound Financial Management

Over the last several years, HUD’s financial management has been operating at “inadequate” or “basic” levels of maturity7 due to (1) a weak governance structure, including the lack of a confirmed Chief Financial Officer for a number of years; (2) ineffective internal controls; and (3) an antiquated financial management system consisting of legacy systems and manual processes that have precluded HUD from producing reliable and timely financial reports. As a result, HUD has been unable to achieve an unmodified audit opinion8 on its financial statements for the last 6 years and has received a disclaimer of opinion for the last 5 years.

Footnote: 7 U.S. Department of the Treasury, Bureau of the Fiscal Service, Federal Financial Management Maturity Model. The Maturity Model is a business tool that helps a CFO self-assess his or her organization’s level of financial management discipline, effectiveness, and efficiency. A copy of the model can be found at https://www.fiscal.treasury.gov/fsservices/gov/fit/MaturityModelHandout2017-05-10.pdf. [End of footnote]

One of HUD’s component entities, Ginnie Mae, has also been unable to achieve an unmodified opinion and has received a disclaimer of opinion for the last 5 years due to poor governance and a weak internal control framework. Ginnie Mae has been unable to appropriately account for and support several financial statement line items in accordance with generally accepted accounting principles, including its nonpooled loan asset portfolio, which totaled as much as $6 billion at one point. HUD’s unstable financial management environment weakens public confidence in the government programs HUD administers and prevents HUD’s stakeholders from being able to rely on HUD’s financial position.

[Seal - Office of Inspector General, National Credit Union Administration]

Office of Inspector General

National Credit Union Administration

The NCUA OIG promotes the economy, efficiency, and effectiveness of NCUA programs and operations and detects and deters fraud, waste and abuse, thereby supporting the NCUA’s mission of providing, through regulation and supervision, a safe and sound credit union system that promotes confidence in the national system of cooperative credit.

Agency Overview

The National Credit Union Administration (NCUA) is responsible for chartering, insuring, and supervising Federal credit unions and administering the National Credit Union Share Insurance Fund (Share Insurance Fund). The agency also manages the Operating Fund,9 the Community Development Revolving Loan Fund,10 and the Central Liquidity Facility.11

Credit unions are member-owned, not-for-profit cooperative financial institutions formed to permit members to save, borrow, and obtain related financial services. NCUA charters and supervises federal credit unions, and insures accounts in federal and most state-chartered credit unions across the country through the Share Insurance Fund, a federal fund backed by the full faith and credit of the United States government.

The NCUA’s mission is to provide, through regulation and supervision, a safe and sound credit union system that promotes confidence in the national system of cooperative credit, and its vision is to protect consumer rights and member deposits. NCUA further states that it is dedicated to upholding the integrity, objectivity, and independence of credit union oversight. The agency implements initiatives designed to meet these goals.

Major NCUA Programs

Supervision

NCUA supervises credit unions through annual examinations, regulatory enforcement, providing guidance in regulations and letters, and taking supervisory and administrative actions as necessary. The agency’s Office of National Examinations and Supervision (ONES) oversees examination and supervision issues related to consumer credit unions with assets greater than $10 billion and all corporate credit unions, which provide services to consumer credit unions (also known as natural person credit unions). Due to the relative size of their insured share base, they are deemed systemically important to the Share Insurance Fund. In addition, the Dodd-Frank Act gave the Consumer Financial Protection Bureau (CFPB) the authority to examine compliance with certain consumer laws and regulations by credit unions with assets over $10 billion.

Footnote: 9 The Operating Fund was created by the Federal Credit Union Act of 1934. It was established as a revolving fund in the United States Treasury under the management of the NCUA Board for the purpose of providing administration and service to the federal credit union system. A significant majority of the Operating Fund’s revenue is comprised of operating fees paid by federal credit unions. Each federal credit union is required to pay this fee based on its prior year asset balances and rates set by the NCUA Board. [End of footnote]

Footnote: 10 The NCUA’s Community Development Revolving Loan Fund, which was established by Congress, makes loans and Technical Assistance Grants to low-income designated credit unions. [End of footnote]

Footnote: 11 The Central Liquidity Facility is a mixed-ownership government corporation the purpose of which is to supply emergency loans to member credit unions. [End of footnote]

Insurance

NCUA administers the Share Insurance Fund, which is capitalized by credit unions and provides insurance for deposits held at federally insured credit unions nationwide. The insurance limit is $250,000 per depositor.

Credit Union Resources and Expansion

NCUA’s Office of Credit Union Resources and Expansion (CURE) supports credit union growth and development, including providing support to low-income, minority, and any credit union seeking assistance with chartering, charter conversions, by-law amendments, field of membership expansion requests, and low-income designations. CURE also provides access to online training and resources, grants and loans, and a program for preserving and growing minority institutions.

Consumer Protection

NCUA’s Office of Consumer Financial Protection (OCFP) is responsible for consumer protection in the areas of fair lending examinations, member complaints, and financial literacy. OCFP consults with the CFPB, which has supervisory authority over credit unions with assets of $10 billion or more. CFPB also can request to accompany NCUA on examinations of other credit unions. In addition to consolidating consumer protection examination functions within the agency, OCFP responds to inquiries from credit unions, their members, and consumers involving consumer protection and share insurance matters. Additionally, the office processes member complaints filed against federal credit unions.

Asset Management

NCUA’s Asset Management and Assistance Center (AMAC) conducts credit union liquidations and performs management and recovery of assets. AMAC assists agency regional offices with the review of large complex loan portfolios and actual or potential bond claims. AMAC also participates extensively in the operational phases of conservatorships and records reconstruction. AMAC’s purpose is to minimize costs to the Share Insurance Fund and to credit union members.

Office of Minority and Women Inclusion

NCUA formed the Office of Minority and Women Inclusion in January 2011, in accordance with the Dodd-Frank Act. The office is responsible for all matters relating to measuring, monitoring, and establishing policies for diversity in the agency’s management, employment, and business activities, and with respect to the agency’s regulated entities, excluding the enforcement of statutes, regulations, and executive orders pertaining to civil rights.

Office of Continuity and Security Management

The Office of Continuity and Security Management evaluates and manages security and continuity programs across NCUA and its regional offices. The office is responsible for continuity of operations, emergency planning and response, critical infrastructure and resource protection, cyber threat and intelligence analysis, insider threats and counterintelligence, facility security, and personnel security.

The NCUA Office of Inspector General

The 1988 amendments to the Inspector General Act of 1978 (IG Act) established IGs in 33 designated federal entities (DFEs), including the NCUA.12 The NCUA Inspector General (IG) is appointed by, reports to, and is under the general supervision of a three-member presidentially appointed Board. OIG staff consists of ten employees: the IG, the Deputy IG/Assistant IG for Audit, the Counsel to the IG/Assistant IG for Investigations, the Director of Investigations, five auditors, and an office manager. OIG promotes the economy, efficiency, and effectiveness of agency programs and operations, and detects and deters fraud, waste, and abuse, thereby supporting the NCUA’s mission of facilitating the availability of credit union services to all eligible consumers through a regulatory environment that fosters a safe and sound credit union system. OIG supports this mission by conducting independent audits, investigations, and other activities, and by keeping the NCUA Board and the Congress fully and currently informed of its work.

Recent Work

We coordinated with our counterparts in CIGFO on issues of mutual interest, including on the Top Management and Performance Challenges Facing Financial Regulatory Organizations report that CIGFO issued in September 2018. This report noted that cybersecurity was the most frequently identified cross-cutting challenge among CIGFO members and included our observation that the NCUA must continue to strengthen the resiliency of the credit union system to cyber threats.

In that regard, we currently are conducting an audit of the NCUA’s Information Systems and Technology Examination Program to determine whether the NCUA provides adequate oversight of the cybersecurity programs of federal credit unions with assets of $10 billion or more and all corporate credit unions. This audit follows our September 2017 audit focusing on the NCUA’s oversight of cybersecurity programs of credit unions with assets between $250 and $10 billion. Both of these audits could be instructive for the broader financial sector.

Footnote: 12 5 U.S.C. app. § 8G [End of footnote]

[Seal - U. S. Securities and Exchange Commission]

Office of Inspector General

U. S. Securities and Exchange Commission

The U.S. Securities and Exchange Commission (SEC or agency) Office of Inspector General (OIG) promotes the integrity, efficiency, and effectiveness of the critical programs and operations of the SEC and operates independently of the agency to help prevent and detect fraud, waste, and abuse in those programs and operations, through audits, evaluations, investigations, and other reviews.

Background

The SEC’s mission is to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation. The SEC strives to promote capital markets that inspire public confidence and provide a diverse array of financial opportunities to retail and institutional investors, entrepreneurs, public companies, and other market participants. Its core values consist of integrity, excellence, accountability, teamwork, fairness, and effectiveness. The SEC’s goals are focusing on the long-term interests of Main Street investors; recognizing significant developments and trends in evolving capital markets and adjusting agency efforts to ensure the SEC is effectively allocating its resources; and elevating the SEC’s performance by enhancing its analytical capabilities and human capital development.

The SEC is responsible for overseeing the nation’s securities markets and certain primary participants, including broker-dealers, investment companies, investment advisers, clearing agencies, transfer agents, credit rating agencies, and securities exchanges, as well as organizations such as the Financial Industry Regulatory Authority, Municipal Securities Rulemaking Board, Public Company Accounting Oversight Board, Securities Investor Protection Corporation, and the Financial Accounting Standards Board. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act), the agency’s jurisdiction was expanded to include certain participants in the derivatives markets, private fund advisers, and municipal advisors.

The SEC’s headquarters are in Washington, DC, and the agency has 11 regional offices located throughout the country. The agency’s functional responsibilities are organized into 5 divisions and 25 offices, and the regional offices are primarily responsible for investigating and litigating potential violations of the securities laws. The regional offices also have examination staff to inspect regulated entities such as investment advisers, investment companies, and broker-dealers. In fiscal year 2018, the SEC employed 4,483 full-time equivalents.

The SEC OIG was established as an independent office within the SEC in 1989 under the Inspector General Act of 1978, as amended (IG Act). The SEC OIG’s mission is to promote the integrity, efficiency, and effectiveness of the SEC’s critical programs and operations. The SEC OIG prevents and detects fraud, waste, and abuse through audits, evaluations, investigations, and other reviews related to SEC programs and operations.

The SEC OIG Office of Audits conducts, coordinates, and supervises independent audits and evaluations of the SEC’s programs and operations at its headquarters and 11 regional offices. These audits and evaluations are based on risk and materiality, known or perceived vulnerabilities and inefficiencies, and information received from the Congress, SEC staff, the U.S. Government Accountability Office, and the public.

The SEC OIG Office of Investigations performs investigations into allegations of criminal, civil, and administrative violations involving SEC programs and operations by SEC employees, contractors, and outside entities. These investigations may result in criminal prosecutions, fines, civil penalties, administrative sanctions, and personnel actions. The Office of Investigations also identifies vulnerabilities, deficiencies, and wrongdoing that could negatively impact the SEC’s programs and operations.

In addition to the responsibilities set forth in the IG Act, Section 966 of the Dodd-Frank Act required the SEC OIG to establish a suggestion program for SEC employees. The SEC OIG established its SEC Employee Suggestion Program in September 2010. Under this program, the OIG receives, reviews and considers, and recommends appropriate action with respect to such suggestions or allegations from agency employees for improvements in the SEC’s work efficiency, effectiveness, and productivity, and use of its resources, as well as allegations by employees of waste, abuse, misconduct, or mismanagement within the SEC.

SEC OIG Work Related to the Broader Financial Sector

In accordance with Section 989E(a)(2)(B)(i) of the Dodd-Frank Act, below is a discussion of the SEC OIG’s completed and ongoing work, focusing on issues that may apply to the broader financial sector.

Completed Work

Evaluation of the EDGAR System’s Governance and Incident Handling Processes, Report No. 550, September 21, 2018

On September 20, 2017, the Chairman of the SEC publicly disclosed that an incident—specifically, a software vulnerability in a component of the agency’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system—previously detected in 2016, resulted in unauthorized access to non-public information. On September 23, 2017, the Chairman, who began his service in May 2017 and was notified of the incident in August 2017, requested that the OIG review the agency’s handling of, and response to, the 2016 incident. In response, the OIG initiated an evaluation. In July 2018, the OIG presented the Chairman and other SEC Commissioners with the non-public results of its evaluation relative to the 2016 EDGAR intrusion. Report No. 550 presents the OIG’s findings related to the information security practices applicable to the EDGAR system between fiscal years (FYs) 2015 and 2017.

EDGAR is at the heart of the agency’s mission of protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation. The availability of accurate, complete, and timely information from EDGAR is essential to the SEC’s mission and the investing public. Without adequate controls to ensure the SEC identifies, handles, and responds to EDGAR system incidents in a timely manner, threat actors could gain unauthorized access to the system, which could lead to illicit trading, negative impacts to the economy and public access to filings, and loss of public confidence in the SEC.

We determined that, between FYs 2015 and 2017, the EDGAR system lacked adequate governance commensurate with the system’s importance to the SEC’s mission. In addition, we determined that certain preventive controls did not exist or did not operate as designed. Moreover, between September 2015 and September 2016, the SEC wasted at least $83,000 on a tool for which the SEC derived little, if any, benefit. Finally, we found that the SEC lacked an effective incident handling process. These weaknesses potentially increased the risk of EDGAR security incidents, and impeded the SEC’s response efforts. The SEC has since strengthened EDGAR’s system security posture, including the handling of and response to vulnerabilities. Among other actions, in August 2017, the agency established a Cyber Initiative Working Group to oversee and lead a number of priority cyber initiatives such as an EDGAR security uplift. As this and other work continues, opportunities for further improvement exist.

We issued our final report on September 21, 2018, and made 14 recommendations to improve the SEC’s EDGAR system governance, security practices, and incident handling processes. We also noted that open recommendations from prior OIG work should address some of our observations, and we encouraged management to implement agreed-to corrective actions. Management concurred with the recommendations, which will be closed upon completion and verification of corrective action.

Because the underlying report contains sensitive information about the SEC’s information security program, we prepared this summary with information releasable to the public. An executive summary is also available on our website at https://www.sec.gov/files/Eval-of-the-EDGAR-Systems-Governance-and-Incident-Handling-Processes.pdf.

TCP Established Method to Effectively Oversee Entity Compliance With Regulation SCI but Could Improve Aspects of Program Management, Report No. 551, September 24, 2018

In recent years, several factors, including a significant number of systems issues at exchanges and other trading venues, increased concerns over “single points of failure” in U.S. securities markets. These concerns contributed to the SEC’s decision to address technological vulnerabilities and improve agency oversight of the core technology of key U.S. securities markets entities. In November 2014, the SEC adopted Regulation Systems Compliance and Integrity (SCI), under which the agency monitors the security and capabilities of U.S. securities markets’ technological infrastructure. The SEC’s Office of Compliance Inspections and Examinations’ (OCIE) Technology Controls Program (TCP) is responsible for ensuring entities comply with Regulation SCI and for evaluating whether entities have established, maintained, and enforced written policies and procedures reasonably designed to ensure the capacity, integrity, resiliency, availability, and security of their Regulation SCI systems. We initiated an evaluation to assess OCIE’s TCP and determine whether the program provided effective oversight of entities’ compliance with Regulation SCI.

TCP has an established method to effectively oversee entity compliance with Regulation SCI. The program assesses compliance through its CyberWatch program and through TCP examinations. However, we identified opportunities to improve aspects of TCP program management. Specifically, we found that TCP’s examination manuals in effect at the outset of our evaluation were outdated, management had not identified or documented TCP risks and control activities in OCIE’s internal risk and control matrix, and TCP’s development of the Technology Risk-Assurance, Compliance, and Examination Report (TRACER) system—the program’s system of record—was not well-planned or documented.

• Examination Manuals. The TCP Examination Manual and draft TRACER Examination User Manual in effect at the outset of our evaluation were outdated and did not align with TCP examination practices. Management was in the process of revising the TCP Examination Manual and, on June 25, 2018, released an updated version.

• Risks and Control Activities. TCP management had not identified or documented the program’s risks and corresponding control activities in OCIE’s risk and control matrix. Although TCP examinations appear to have similar risks and controls as other OCIE examinations, documentation we reviewed did not clearly identify comparable documented control activities specific to TCP examination processes for all identified risks.

• TRACER Development. Between September 2015 and January 2018, TCP continued development of the SEC’s TRACER system at a cost of nearly $780,000. As the system’s business owner during that time, TCP oversaw frequent (sometimes weekly) system updates, but did not properly plan or document its development efforts. TRACER’s purpose and functions evolved over time as TCP was considering continued development of the system or migration to an existing OCIE system known as the Tracking and Reporting Examinations National Documentation System (TRENDS). Certain planned system capabilities were not realized and it is unclear, based on a lack of documentation, how TCP assessed or managed system requirements. On May 4, 2018, TCP management decided to discontinue developing TRACER and transition its examination program to TRENDS, which is expected to yield operational and cost savings benefits.

We also identified two other matters of interest for management’s consideration. First, a majority of TCP staff who responded to a survey we administered indicated that they either did not receive adequate training or only sometimes received adequate training. TCP management has completed a 3-year training plan. We encouraged management to continue to review TCP staff training to ensure staff members have the knowledge and skills necessary to perform TCP examinations. Secondly, we identified a gap in the Office of Acquisitions’ process for reviewing CORs’ files. We suggest that Acquisitions consider establishing follow-up procedures to address this gap.

At the outset of our evaluation, TCP management identified ongoing improvement initiatives and began implementing changes. We issued our final report on September 24, 2018, and, to further improve TCP program management, we recommended that OCIE: (1) ensure TCP management updates the TCP Examination Manual in a timely manner following TCP’s transition to TRENDS; (2) identify and document the risks and controls related to TCP operations, and update OCIE’s risk and control matrix accordingly; and (3) ensure TCP management properly plans and documents TCP’s transition to TRENDS, and retains all relevant materials in a central location. Management concurred with the recommendations, which will be closed upon completion and verification of corrective action. Because the underlying report contains non-public information, we prepared this summary with information releasable to the public. Also, a redacted public version is available on our website at https://www.sec.gov/files/TCPEstablished-Method-to-Effectively-Oversee-Entity-Compliance-with-Reg-SCI--But-Could-Improve.pdf.

Although Highly Valued by End Users, DERA Could Improve Its Analytics Support by Formally Measuring Impact, Where Possible, Report No. 553, April 29, 2019

The SEC increasingly relies on data and analytics to guide its strategic and operational activities and to make more informed, effective decisions. Based on FY 2017 budget information, the SEC spends about $120 million annually on data management and about $20 million annually on analytics. Furthermore, the SEC’s Strategic Plan for FY 2018 through FY 2022 and FY 2020 Annual Performance Plan emphasize the agency’s goal of enhancing and expanding its use of analytics.

The SEC’s Division of Economic and Risk Analysis (DERA) assists the agency in executing its mission by integrating sophisticated, data-driven analytics and economic analysis into the work of the SEC. Analytics provided by DERA’s Office of Risk Assessment (ORA) and Office of Research and Data Services (ORDS) support exam planning and other agency oversight programs related to issuers, broker-dealers, investment advisers, exchanges, and other trading platforms. To assess DERA’s controls over integration of data analytics into the core mission of the SEC, we initiated an evaluation.

We determined that, although end users highly valued DERA’s analytics support and believed such analytics were indispensable for risk scoping, investor protection, detecting illegal conduct, allocating resources more efficiently, and helping the SEC achieve its mission, ORA and ORDS management generally did not formally measure the quantitative or qualitative impact of either office’s analytics support. Management noted that it tracked end user requests for analytics support, considered repeat customers as evidence analytics are valued, and identified potential metrics for measuring impact (such as efficiency gains and end user satisfaction); however, management had not formalized such metrics.

DERA management and end users of DERA’s analytics acknowledged that it might be difficult to devise meaningful impact measurement metrics for some analytics projects. For example, even though ORA analytics identified outliers that led to at least one Division of Enforcement investigation, not all analytics produce such directly measurable outcomes. Management was also apprehensive about burdening end users with requests for feedback regarding analytics’ impact. However, by not measuring, where possible, the impact of ORA’s and ORDS’ analytics support, DERA risks limiting its ability to assess its organizational performance, increase awareness of its analytics capabilities (including through outreach efforts), and fully integrate analytics into the work of the SEC in accordance with the agency’s strategic goals and objectives.

In addition, we reviewed available usage data for two analytics tools that incorporated ORA analytics and found that end users used and valued both tools. Although DERA did not regularly review the usage data for one tool and usage data for the other tool was incomplete, we determined that DERA’s review of such data would not significantly help the Division meet agency goals and objectives.

We also assessed DERA’s interactions with the SEC’s other divisions and offices, including its coordination and outreach efforts, and determined that staff in other divisions and offices generally viewed interactions with DERA favorably; duplicative analytics work across the SEC was not apparent; and DERA proactively engaged in outreach. However, a majority of respondents to a question in a survey we administered (22 of 37, or almost 60 percent) expressed an interest in further DERA outreach. Respondents believed that promoting the nature and benefits (that is, impact) of DERA analytics and systems could be useful to the SEC’s other divisions and offices.

Finally, we identified one other matter of interest related to data management. Although we did not assess the SEC’s data management practices and are not making any recommendations regarding data management at this time, we noted that data management is the foundation of analytics. Therefore, it is important to verify completion of the SEC’s plans to improve in this area. We will continue to monitor the agency’s plans and progress related to data management.

We issued our final report on April 29, 2019, and to improve its ability to assess its organizational performance, increase awareness of its analytics capabilities, and fully integrate analytics into the work of the SEC in accordance with the agency’s strategic goals and objectives, we recommend that DERA (1) work with end users of its analytics projects to develop metrics, where possible, for formally measuring analytics support impact; (2) modify existing internal tracking processes to include, where possible, analytics impact measurement; and (3) incorporate the results of analytics impact measurements in the Division’s outreach efforts. Management concurred with the recommendations, which will be closed upon completion and verification of corrective action.

This report is available on our website at https://www.sec.gov/files/Although-Highly-Valued-by-End-Users-DERA-Could-Improve-Report-No-553_0.pdf.

Final Management Letter: Update on the SEC’s Progress Toward Redesigning the EDGAR System

In September 2017, we reported observations about controls over the SEC’s EDGAR system enhancements and redesign efforts.13 We noted that the SEC’s EDGAR Redesign (ERD) program is a multi-year, cross-agency initiative and, since 2014, the SEC had taken steps to develop and implement a new electronic disclosure system that meets agency needs, including spending about $10.6 million on related contracts. Since issuing our September 2017 report, we have continued to monitor the SEC’s progress toward redesigning the EDGAR system. We did not conduct an audit or evaluation in conformance with generally accepted government auditing standards or the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. However, based on the work performed, on May 23, 2019, we reported concerns that warrant management’s attention. Specifically, we determined that:

• The agency’s approach to redesigning the EDGAR system is unclear;

• ERD program cost and schedule estimates presented to agency decision makers and senior officials were not based on best practices; and

• The EDGAR Business Office (EBO) created a Grand Functional Requirements Document (Grand FRD) for the redesigned EDGAR system, but did not include sufficient detail about the system’s security requirements.

On May 7, 2019, we provided SEC management with a draft of our management letter for review and comment. In its May 17, 2019, response, management concurred with our overall observations and stated that it remains committed to modernizing and improving the security, functionality, and maintainability of the EDGAR system. Although management did not use cost and schedule estimates based on best practices for its deliberations about the appropriate high-level strategy for the EDGAR system, management anticipates preparing more detailed estimates, based on best practices, later in the process. Also, although the Grand FRD did not describe in detail security requirements for redesigning EDGAR, management anticipates it will obtain detailed security requirements in a future phase of the project. Finally, management expects that completed and ongoing work will modernize much of the EDGAR system, achieve many of the goals of the original EDGAR redesign project, and position the system for further modernization.

Footnote: 13 U.S. Securities and Exchange Commission, Office of Inspector General, Audit of the SEC’s Progress in Enhancing and Redesigning the Electronic Data Gathering, Analysis, and Retrieval System, Report No. 544; September 28, 2017. [End of footnote]

To help us determine whether further action by the OIG is warranted, we requested that, no later than June 6, 2019, management provide to the OIG the SEC’s approach to redesigning the EDGAR system and its planned or ongoing actions to (a) manage the ERD program using reliable cost and schedule estimates based on established methods and valid data; (b) integrate “functional requirements” with “non-functional requirements,” including those for security, recoverability, testability, and maintainability, with sufficient detail that future offerors can propose viable solutions and designs as part of a future competitive procurement; and (c) further manage the existing EDGAR system.

The final management letter contains non-public information about the agency’s efforts to redesign the EDGAR system. We redacted the non-public information to create this public summary. Our public version of the letter is also available on our website at https://www.sec.gov/files/Final-Mgmt-Ltr-Update-on-the-SECs-Progress-Toward-Redesigning-EDGAR.pdf.

Ongoing Work

Evaluation of the Division of Trading and Markets’ Office of Broker-Dealer Finances

The SEC prescribes broker-dealer net capital and risk assessment reporting requirements through various rules, overseen by the Division of Trading and Markets’ Office of Broker-Dealer Finances (OBDF). On June 10, 2019, we initiated an evaluation of OBDF’s efficiency and effectiveness. Specifically, we will determine whether OBDF (1) ensures efficient use of government resources to help achieve organizational goals and objectives, and (2) provides effective oversight of broker-dealer compliance with capital and risk reporting requirements, in accordance with applicable rules and guidance. We expect to issue a report summarizing our findings during 2020.

Evaluation of the SEC’s Delinquent Filer Program

In 2004, the SEC initiated the delinquent filer program, administered jointly by the Division of Enforcement and the Division of Corporation Finance, to bring administrative proceedings under Exchange Act Section 12(j) to revoke the Exchange Act registrations of securities of issuers that are more than 1-year delinquent in their Exchange Act reports and have been unresponsive to SEC requests for compliance.14 At the same time, the Division of Enforcement seeks Commission approval for trading suspensions under Section 12(k) to suspend trading of the securities of the non-filing issuers under certain circumstances. On June 10, 2019, we initiated an evaluation of the SEC’s delinquent filer program to assess the SEC’s process for identifying, tracking, and notifying delinquent filers and issuing related revocation orders and/or trading suspensions in accordance with applicable laws, rules, and regulations. As part of the evaluation, we will also review the Division of Enforcement’s efforts to decentralize the delinquent filer process. We expect to issue a report summarizing our findings during 2020.

Footnote: 14 According to a 2004 advice memo, an enhanced delinquent filings program for issuers was needed because publicly traded companies that are delinquent in filing Exchange Act reports deprive investors of accurate financial information upon which to make informed investment decisions. Further, these entities are often vehicles for fraudulent stock manipulation schemes. [End of footnote]

[Seal - Special Inspector General for the Troubled Asset Relief Program]

Special Inspector General for the Troubled Asset Relief Program

The Special Inspector General for the Troubled Asset Relief Program (SIGTARP) has the duty, among other things, to conduct, supervise, and coordinate audits and investigations of the purchase, management, and sale of assets under the Troubled Asset Relief Program (TARP) or as deemed appropriate by the Special Inspector General.

Background

SIGTARP is primarily a Federal law enforcement agency protecting the interests of the American people by investigating crime at financial institutions that received TARP funds or at other TARP recipients in housing programs. All TARP programs are intended to promote financial stability.

When first created, SIGTARP found that financial institution fraud had evolved from the insider self-dealing fraud that marked the savings and loan crisis, to escape detection from traditional fraud identification methods of self-reporting and regulator referrals. SIGTARP created an intelligence-driven approach and leveraged technological solutions to discover insider crimes at banks that previously went undetected. Now, as a result of SIGTARP investigations, 105 bankers have been criminally charged and 74 have been sentenced to prison with more bankers awaiting trial and sentencing.

SIGTARP is applying its intelligence-driven approach to search for crime in TARP housing and foreclosure prevention programs. TARP recipients include large mortgage servicers in the Making Home Affordable (MHA) Program, like Wells Fargo, Bank of America, and JPMorgan Chase.

SIGTARP assesses that the top threat in TARP today is unlawful conduct by any of the 152 banks and other financial institutions that received $20.1 billion or will continue to receive $3.7 billion for foreclosure prevention in TARP’s MHA Program. With an uptick in enforcement actions against financial institutions in MHA, SIGTARP has shifted resources to counter this threat.

The Most Serious Management and Performance Challenges & Threats of Fraud, Waste, & Abuse Facing the Government in TARP

SIGTARP identifies the most serious management and performance challenges and threats facing the Government in TARP. Our selection is based on the significance and duration of the challenge/threat to the mission of TARP and to Government interests; the risk of fraud or other crimes, waste or abuse; the impact on agencies in addition to Treasury; and Treasury’s progress in mitigating the challenge/threat.

Risk of Fraud, Waste, and Abuse by Large Banks and Others in the Making Home Affordable Program (Until Sep. 2023)

Unlawful conduct by any of the 152 banks or institutions that received $20.1 billion or will continue to receive $3.7 billion in TARP’s MHA program is the top threat in TARP. Treasury will pay up to $3.1 billion to Ocwen, Wells Fargo, JPMorgan Chase, Bank of America, Nationstar, Select Portfolio Servicing, CitiMortgage, OneWest/CIT, Bayview Loan Servicing, and Specialized Loan Servicing along with 131 institutions. These TARP payments require compliance with the law and Treasury’s rules for the institutions assisting the 834,206 consumers in all 50 states. Wells Fargo recently disclosed in two SEC filings its wrongful denial of homeowners for admission to the program. Despite enforcement actions and other wrongdoing by many of these financial institutions, Treasury has significantly scaled back its compliance reviews. The risk of fraud, waste, and abuse also jeopardizes the GSEs, FHA, and Veterans Affairs that participate in MHA.

Risk of Waste and Misuse of TARP Dollars by State Agencies for Their Own Administrative Expenses in the Hardest Hit Fund (Until Dec. 2021)

Treasury has budgeted $1.1 billion in TARP dollars for administrative expenses of 19 state agencies to distribute HHF assistance. In March 2019, SIGTARP issued an audit that found state agencies violated federal cost regulations by charging more than $400,000 in prohibited travel and conference costs to the Hardest Hit Fund. SIGTARP found waste, a lack of internal controls at state agencies, and lack of effective oversight by Treasury. State agencies did not have the documentation required by Federal regulations to charge the travel and conferences to HHF. The audit also identified outright waste, including TARP funds spent on luxury hotels, conferences and extravagant dinners and receptions. In 2016 and 2017, SIGTARP identified $11 million in wasteful and unnecessary spending by state housing agencies, including, for example, catered barbeques, parties, country club events, leasing a Mercedes, cash bonuses, gym memberships, gifts, free parking, settlements and legal fees in discrimination cases, other costs not associated with HHF, and more. In 2018, SIGTARP issued an audit that found that while Treasury anticipates millions of dollars in spending on lawyers, accountants, auditors, consultants, information technology, communications, risk management, training, and marketing, there are no Federal requirements for competition.

Risk of Corruption, Anticompetitive Actions, and Fraud in the Hardest Hit Fund Blight Elimination Program (Until Dec. 2021)

There is a risk of corruption, anticompetitive acts, and fraud as TARP funds the demolitions of abandoned homes and apartments. The number of municipalities in the program increased to 378 cities or counties. There have already been criminal indictments for corruption in HHF.

Risk of Asbestos Exposure, Contaminated Soil, and Illegal Dumping in the Hardest Hit Fund Blight Elimination Program (Until Dec. 2021)

In November 2017, based on the U.S. Army Corps of Engineers’ findings, SIGTARP warned that the standard protections in demolition are not present in the TARP program. The Army Corps found missing industry standard safeguards that protect against the risk of asbestos exposure, illegal dumping of debris, and contaminated material filling the hole. Treasury did not implement SIGTARP’s recommendations, even to require basic documentation of proper asbestos abatement, certain inspections, landfill receipts for dumping, and receipts showing the purchase of clean dirt. SIGTARP’s investigation into a demolition contractor for illegal dumping of contaminated soil in Fort Wayne, Indiana was resolved for over $800,000 through remediation and a settlement by DOJ under the False Claims Act.

TARP may expand even further in this area: The Economic Growth, Regulatory Relief, and Consumer Protection Act authorizes Treasury to use TARP dollars to remediate lead and asbestos hazards in residential properties.

No Complete List or Data Identifying All Contractors and Others Doing Work in the Hardest Hit Fund Blight Subprogram and What They Were Paid

Treasury and the state agencies do not know, and cannot provide to SIGTARP, a complete list of contractors receiving TARP dollars in the program. SIGTARP and Treasury cannot conduct oversight over contractors and other entities that are unknown. Treasury rejected SIGTARP’s 2015 recommendation to maintain a list and accounting of payments in HHF. SIGTARP’s proactive analysis has identified 2,210 land banks or other partners, contractors, or subcontractors that have done or are contracted to do work in the program—but given the missing data, we believe the actual numbers may be much higher. State agency data is incomplete. The data provided by state agencies to SIGTARP also provides limited detail about the $510.5 million that has been spent in the Blight Elimination Program beyond the first-level recipient. As a result, there may be hundreds, or perhaps thousands, of additional unknown subcontractors doing work in the program. Without complete records and accounting, the program and taxpayers are vulnerable.

Risk of Waste from Weakened Oversight by Treasury of State Agencies in the Hardest Hit Fund

Starting in October 2018, Treasury has allowed state agencies to shift HHF dollars between programs and removed caps on administrative expenses (by the greater of five percent or $50,000). Treasury also decreased oversight in the HHF program in 2018 by reducing OFS personnel charged with providing oversight of the HHF program by 30%. These Treasury changes increase risk of fraud, waste and abuse because state agencies can move more TARP money to higher risk subprograms. These changes also have weakened Treasury oversight of state administrative spending after SIGTARP has proven waste and misuse of TARP dollars by state agencies. Additionally, GAO found in a December 2018 study that “Treasury is missing an opportunity to ensure that HFAs are appropriately assessing their risk.”

SIGTARP’s Investigations Approach

SIGTARP gained expertise in investigating large institutions which resulted in significant DOJ enforcement actions against Goldman Sachs, Bank of America, JPMorgan Chase, Morgan Stanley, Ally Financial, Wilmington Trust, Sun Trust Bank, Fifth Third Bank, Jefferies & Co., and RBS Securities.

SIGTARP’s law enforcement counters threats to public safety and Government interests by investigating criminal actors and working with the Justice Department to prosecute those criminal actors. With 278 people sentenced to prison resulting from a SIGTARP investigation, at an average prison sentence of nearly five years, the threat these crimes pose is significant. SIGTARP’s ongoing criminal investigations of recipients of TARP dollars in TARP housing programs promote free and fair trade by improving the overall condition for competition, and counter threats to public safety and Government interests, including financial institution fraud, public corruption, antitrust (unfair competition), contract fraud, and organized crime. Recent DOJ charges, pleas and false claim settlements continue to demonstrate that these threats are current and real.

Financial Institution Fraud: SIGTARP’s highest priority is investigating banks and other financial institutions receiving TARP dollars in the Making Home Affordable Program. Our investigations into TARP banks have already resulted in 104 bankers criminally charged and 73 sentenced to prison. Many await trial. Our remaining investigative work in this area focuses on supporting the Justice Department in its efforts to prosecute TARP bankers. SIGTARP’s work on financial institution fraud supports Justice Department prosecutions of individuals investigated by SIGTARP, such as international money laundering charges related to a TARP bank, that help identify and reduce vulnerabilities in the financial system while stopping abuses by illicit actors.

Public Corruption: The corruption of local officials threatens public safety and fair competition. State and local officials award contracts under the more than $760 million Hardest Hit Fund blight demolition program.

Antitrust Violations: Unfair competitive practices in TARP housing programs, including contract steering, bid rigging and price fixing, threaten the quality of work, harm public safety, threaten fair competition, and result in higher costs.

Contract Fraud, False Claims/Theft or Bribery in TARP Programs: Demolition contractors and State agencies play key roles in administering HHF programs. Fraud in any of these risk areas harms Government interests and fair competition.

Organized Crime: Organized crime in the over $760 million blight demolition program or in TARP banks threatens public safety and fair competition and harms Government interests.

Selected SIGTARP Investigation Results (April 1, 2018 to March 31, 2019)

Wilmington Trust Corporation

In December 2018 and January 2019, a federal court sentenced seven former Wilmington Trust bankers to prison terms of up to six years. As a result of a SIGTARP investigation, the bank’s former president, chief financial officer, chief credit officer and controller were convicted of securities fraud after a trial. Wilmington Trust Bank received a $330 million TARP bailout. As the conspiracy was ongoing and while in TARP, the bank collapsed and was acquired by M&T Bank at a discount of approximately 46% from the bank’s share price the prior trading day.

SIGTARP’s investigation uncovered a scheme by bank insiders to conceal the total quantity of past due loans on its books from the Federal Reserve, the Securities and Exchange Commission and the investing public. After the trial, a jury convicted former president Robert Harra, former chief financial officer David Gibson, former chief credit officer William North, and former controller Kevyn Rakowski of hiding more than $300 million in loans that were 90 days past due.

At their sentencing, U.S. District Judge Richard G. Andrews said the investigation uncovered “the biggest financial crime in Delaware, at least in the past 35 years.” The court sentenced former president Harra and former chief financial officer Gibson to six years in prison and ordered them to pay $300,000 each. The court sentenced former chief credit officer North to four and a half years in prison and ordered him to pay $100,000 and former controller Rakowski to three years in prison. The court separately sentenced three other Wilmington Trust officers: former head of commercial real estate Delaware Brian Baily to two and a half years, former vice president for commercial real estate for Delaware Joseph Terranova to one year and nine months and former commercial real estate relationship manager for Delaware Peter Hayes to one year and three months.

In October 2017, as part of a criminal investigation, Wilmington Trust admitted wrongdoing and agreed to pay $60 million. Wilmington Trust was the only TARP bank indicted by the Justice Department.

SIGTARP was joined in the investigation by the Federal Bureau of Investigation, the Internal Revenue Service-Criminal Investigation, and the Federal Reserve Bank-Office of Inspector General. The U.S. Attorney’s Office for the District of Delaware prosecuted the case.

Sonoma Valley Bank of California

In August 2018, a federal court sentenced both the Sonoma Valley Bank CEO Sean Cutting and Chief Loan Officer Brian Melland to eight years and four months in prison, and the attorney of a bank borrower to six years and eight months in prison. SIGTARP’s investigation uncovered that leading up to and during the time Sonoma Valley Bank was in TARP, the bank officers conspired to commit fraud that would contribute to the failure of the bank and a complete loss to TARP of $8.6 million. They made millions in illegal bank loans to “straw” borrowers, knowing the proceeds would go to one bank borrower who was a real estate developer. They then tried to cover up the scheme by falsifying the bank’s books and lying to the bank’s regulators.

During the fraud, the bank applied for TARP, with the CEO describing TARP as a “cookie jar” and saying it only made sense for the bank to take some. After a Federal jury trial on December 18, 2017, the jury found Cutting and Melland guilty of conspiracy, bank fraud, wire fraud, attempted obstruction of justice, and other offenses. The real estate developer was indicted but died prior to the trial when his car drove over a cliff on Highway 1. The court ordered $19 million in restitution and forfeiture of a condominium complex involved in the fraud.

SIGTARP was joined in the investigation by the Federal Housing Finance Agency Office of Inspector General, the Federal Deposit Insurance Corporation Office of Inspector General, the Marin County Sheriff’s Office, the Sonoma County Sheriff’s Office, and the Santa Rosa Police Department. The U.S. Attorney’s Office for the Northern District of California prosecuted the case.

Southern Bancorp

As a result of a SIGTARP investigation, in February 2019, a federal court sentenced bank officer Michael J. Erickson to two years in prison after he was convicted of embezzling funds from Southern Bancorp. The court ordered Erickson to pay $1.4 million to Southern Bancorp. Taxpayers lost $2.3 million on the investment; the bank received a $33.8 million bailout from TARP.

In its investigation, SIGTARP uncovered a scheme where Erickson stole thousands of dollars for his own personal enrichment from a commercial loan he managed. SIGTARP was joined in the investigation by the Federal Bureau of Investigation. The U.S. Attorney’s Office for the Northern District of Mississippi prosecuted the case.

Saigon National Bank

In February 2019, a federal court sentenced Vivian Tat to two years in federal prison for laundering tens of thousands of dollars in cash. This case is the result of Operation “Phantom Bank,” targeting TARP recipient Saigon National Bank, which resulted in six indictments that charge a total of 25 defendants. SIGTARP was joined in the investigation by the FBI and the IRS Criminal Investigation. The U.S. Attorney’s Office for the Central District of California prosecuted the case.

First Legacy Community Credit Union of North Carolina

In March 2019, President and CEO of First Legacy Community Credit Union (FLCCU) Saundra Torrence was sentenced to six months in prison and ordered to pay $187,066 in restitution for making or causing false entries. SIGTARP’s investigation uncovered that Scales falsified the credit union’s books, misapplied and stole funds from the credit union, and fraudulently used the identity of at least one third party victim to obtain a loan from FLCCU. Torrence’s wrongdoing caused significant losses to the credit union. The fraudulent entries she made to conceal her wrongdoing caused the credit union’s reported financial results to be inaccurate.

SIGTARP was joined in the investigation by the FBI. The U.S. Attorney’s Office for the Western District of North Carolina prosecuted the case.

First State Bank

In October 2018, former First State Bank CEO Joseph Natale, financier Albert Gasparro, and business owner Gary Ketchum were indicted for their roles in a scheme to defraud the now defunct First State Bank, which attempted to obtain TARP funds.

The defendants are charged with conspiracy to mislead the FDIC and First State Bank, conspiracy to commit bank fraud and bank fraud. Former First State Bank legal counsel Donna Conroy, a conspirator, pleaded guilty in May 2017 and is awaiting sentencing. SIGTARP was joined in the investigation by the FBI and the FDIC Office of Inspector General. The U.S. Attorney’s Office for New Jersey is prosecuting the case.

Lone Star Bank

Following a SIGTARP investigation, in September 2018, a Federal court sentenced Lone Star Bank loan officer Ricky Hajdik to 20 months in prison and sentenced co-conspirator Hugo Lafuente to 25 months in prison for a conspiracy to defraud the bank out of $1.3 million in loans. Hajdik knew that Lafuente’s income would not qualify for a construction loan. Hajdik conveyed to loan broker Leonard Tyson an inflated and untrue income number that Lafuente needed to qualify for the construction loan. Lafuente then directed Mark Zylker to prepare fraudulent income tax returns that inflated his income, which Hajdik used for the bank to make the loan. When Lafuente defaulted on this loan and a Small Business Administration Loan, the bank suffered losses of $735,758. TARP suffered a $1.2 million loss on the bank and the bank missed dividend payments of $2.2 million.

SIGTARP was joined in the investigation by the Federal Deposit Insurance Corporation Office of Inspector General. The U.S. Attorney’s Office for the Southern District of Texas prosecuted the case.

SIGTARP’s Audit Approach

SIGTARP conducts audits over TARP housing programs, helping promote financial stewardship by the Government. Much of SIGTARP’s audit work is at the request of members of Congress. SIGTARP specializes in forensic audits that follow the money, analyzing general ledgers, credit card statements, invoices, and receipts.

SIGTARP assists Treasury in these efforts by auditing and evaluating housing programs to determine whether the Government is receiving fair value for its money and that recipients are spending TARP funds appropriately to accomplish the stated goals. To promote financial stewardship, SIGTARP reports on fraud, waste, and abuse and makes recommendations to Treasury (which has oversight of all TARP programs) to recover wasteful spending and prevent future fraud, waste, and abuse.

Travel and Conference Charges to the Hardest Hit Fund that Violated Federal Regulations

In a March 2019 audit, SIGTARP uncovered that state agencies violated federal cost regulations by charging HHF $411,658 in prohibited travel and conference costs. Remarking on the findings, Special Inspector General Goldsmith Romero said, “Flying around the country, staying at luxury hotels, attending conferences beachside and at other vacation destinations are not ‘must have’ costs for a local foreclosure prevention program.”

SIGTARP’s Recoveries from Audits and Investigations

SIGTARP continues to assess current and future operations to fulfill its mission and reduce spending, while supporting financial stewardship by providing recoveries to assist in funding the Government at the least cost over time. SIGTARP’s investigations and audits have recovered $10 billion. Fiscal Year 2018 recoveries of more than $314 million, including more than $294 million recovered for the government, are a 9 times return on investment from the Fiscal Year 2018 appropriated budget. Already in Fiscal Year 2019, SIGTARP has recovered $804 million, including more than $336 million paid to the government, a 35 times annual return on investment from the Fiscal Year 2019 appropriated budget.

[Seal - Office of Inspector General, Department of the Treasury]

Office of Inspector General

Department of the Treasury

The Department of the Treasury Office of Inspector General performs independent, objective reviews of specific Treasury programs and operations with oversight responsibility for one federal banking agency – the Office of the Comptroller of the Currency. That federal banking agency supervises approximately 1,260 financial institutions.

Introduction

The Department of the Treasury (Treasury) Office of Inspector General (OIG) was established pursuant to the 1988 amendments to the Inspector General Act of 1978. The Treasury Inspector General is appointed by the President, with the advice and consent of the Senate. Treasury OIG performs independent, objective reviews of Treasury programs and operations, except for those of the Internal Revenue Service (IRS) and the Troubled Asset Relief Program (TARP), and keeps the Secretary of the Treasury and Congress fully informed. Treasury OIG is comprised of four divisions: (1) Office of Audit, (2) Office of Investigations, (3) Office of Counsel, and (4) Office of Management. Treasury OIG is headquartered in Washington, DC, and has an audit office in Boston, Massachusetts, and investigative offices in Greensboro, North Carolina; Houston, Texas; and Jacksonville, Florida.

Treasury OIG has oversight responsibility for the Office of the Comptroller of the Currency (OCC). OCC is responsible for approximately 891 national banks, 316 federal savings associations, and 57 federal branches of foreign banks. The total assets under supervision are $12.5 trillion. Treasury OIG also oversees four offices created by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) which are (1) the Office of Financial Research (OFR), (2) the Federal Insurance Office, (3) the Office of Minority and Women Inclusion within Treasury’s Departmental Offices (DO), and (4) the Office of Minority and Women Inclusion within OCC. Additionally, Treasury OIG oversees Treasury’s role related to the financial solvency of the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) under the Housing and Economic Recovery Act of 2008 (HERA), to include Treasury’s Senior Preferred Stock Purchase Agreements established for the purpose of maintaining the positive net worth of both entities.

Treasury Management and Performance Challenges Related to Financial Regulation and Economic Recovery

In accordance with the Reports Consolidation Act of 2000, the Treasury Inspector General annually provides the Secretary of the Treasury with his perspective on the most serious management and performance challenges facing the Department. In a memorandum to the Secretary dated October 15, 2018, the Inspector General reported three management and performance challenges that were directed towards financial regulation and economic recovery.

Those challenges are: Operating in an Uncertain Environment, Cyber Threats, and Anti-Money Laundering and Terrorist Financing/Bank Secrecy Act Enforcement.15

Operating in an Uncertain Environment

The proposed budget cuts and new requirements imposed by Executive Order (EO) 13781, Comprehensive Plan for Reorganizing the Executive Branch (March 13, 2017) create an uncertain environment that affects Treasury’s operations. In its implementation of EO 13781 the Office of Management and Budget (OMB) required agencies to submit Agency Reform Plans to OMB, which included long-term workforce plans that are in alignment with their strategic plans. These plans were to include proposals in four categories: eliminate activities; restructure or merge; improve organizational efficiency and effectiveness; and workforce management. In June 2018, after consideration of all Agency Reform Plans, OMB developed its comprehensive “Government-wide Reform Plan and Reorganization Recommendations” (Government-wide Reform Plan) to reorganize the Executive Branch.

The Government-wide Reform Plan includes a recommendation to transfer alcohol and tobacco responsibilities from the Bureau of Alcohol, Tobacco, Firearms and Explosives within the Department of Justice to Treasury’s Alcohol and Tobacco Tax and Trade Bureau (TTB) in order to leverage the expertise of TTB. Other potential impacts on Treasury include OMB recommendations to increase coordination and avoid duplication of agencies’ roles in the areas of small business programs, the housing finance market, and financial literacy and education. Until OMB and agencies begin discussions with Congress to prioritize and refine the proposals in the Government-wide Reform Plan, there is looming uncertainty as to the plan’s impact. Nonetheless, the Department must plan for the potential long-term restructuring of certain functions or offices/bureaus and expected budget cuts.

Cyber Threats

Cybersecurity continues to be a long-standing and serious challenge facing the Nation today. A reliable critical infrastructure, including information systems and networks, is vital to our national security and economic stability. Cyber threats are a persistent concern as Treasury’s information systems are critical to the core functions of government and the Nation’s financial infrastructure. As cyber threats continue to evolve and become more sophisticated and subtle, they pose an ongoing challenge for Treasury to fortify and safeguard its internal systems and operations and the financial sector it oversees.

Attempted cyber attacks against Federal agencies, including Treasury, and financial institutions are increasing in frequency and severity, in addition to continuously evolving. Such attacks include distributed denial of service attacks, phishing or whaling attacks, fraudulent wire payments, malicious spam (malspam), and ransomware. Organized hacking groups leverage published and unpublished vulnerabilities and vary their methods to make attacks hard to detect and even harder to prevent. Criminal groups and nation-states are constantly seeking to steal information; commit fraud; and disrupt, degrade, or deny access to information systems.

Effective public-private coordination continues to be required to address the cyber threat against the Nation’s critical infrastructure. In this regard, Treasury is looked upon to provide effective leadership to financial institutions in particular, and the financial sector in general, to strengthen awareness and preparedness against cyber threats.

Anti-Money Laundering and Terrorist Financing/Bank Secrecy Act Enforcement

Identifying, disrupting, and dismantling the financial networks that support terrorists, organized transnational crime, weapons of mass destruction proliferators, and other threats to international security continue to be a challenge. Treasury’s Office of Terrorism and Financial Intelligence (TFI) is dedicated to countering the ability of terrorist organizations to support such activities through intelligence analysis, sanctions, and international private-sector cooperation that identify donors, financiers, and facilitators funding terrorist organizations.

Footnote 15: The Treasury Inspector General’s memorandum included one other challenge not directly related to financial regulation and economic recovery: Efforts to Promote Spending Transparency and to Prevent and Detect Improper Payments. The memorandum also discussed concerns about two matters: currency and coin production and excise tax reform. [End of footnote]

Disrupting terrorist financing depends on a whole-of-government approach and requires collaboration and coordination within Treasury and with other Federal agencies. Effective coordination and collaboration and TFI’s ability to effectively gather and analyze intelligence information on financial crimes and terrorism require a stable cadre of staff. TFI filled long standing vacancies such as the Assistant Secretary of Intelligence and Analysis, which is a key leadership position that had been vacant for approximately 2 years. Stability, experienced leadership, and coordination within TFI are imperative to enhance information gathering and intelligence analysis and increase efficiency.

Completed and In-Progress Work on Financial Oversight

OFR’s Procurement Activities – Contracts

We initiated an audit of OFR’s procurement activities. We reported that OFR effectively and efficiently acquired goods and services to accomplish its mission and those acquisitions were made in compliance with applicable procurement regulations. We did not make any recommendations as a result of our audit; however, in light of OFR’s recent workforce restructuring efforts, we encouraged the Acting Director to ensure the files of OFR’s contracting officer representatives are maintained and accessible in the event of any changes in contracting officer representatives’ responsibilities.

OCC’s Supervision of Federal Branches of Foreign Banks (In Progress)

We initiated an audit of OCC’s supervision of federal branches of foreign banks. The objective of this audit is to assess OCC’s supervision of federal branches and agencies of foreign banking organizations operating in the United States.

OCC’s Supervision of Wells Fargo Bank (In Progress)

We initiated an audit of OCC’s supervision of Wells Fargo Bank’s sales practices. The objectives of this audit are to assess (1) OCC’s supervision of incentive-based compensation structures within Wells Fargo and (2) the timeliness and adequacy of OCC’s supervisory and other actions taken related to Wells Fargo sales practices, including the opening of accounts.

OCC’s Supervision Related to De-risking by Banks (In Progress)

We initiated an audit of OCC’s supervisory impact on the practice of de-risking16 by banks. The objectives of this audit are to determine (1) whether supervisory, examination, or other staff of the OCC have indirectly or directly caused banks to exit a line of business or to terminate a customer or correspondent account, and (2) under what authority OCC plans to limit, through guidance, the ability of banks to open or close correspondent or customer accounts, including a review of laws that govern account closings and OCC’s authority to regulate account closings.

OFR’s Hiring Practices (In Progress)

We initiated an audit of OFR’s hiring practices. The objective for this audit is to determine whether OFR’s hiring practices are in accordance with Office of Personnel Management, Treasury, OFR, and other Federal requirements.

OCC’s Controls over Purchase Cards (In Progress)

We initiated an audit of OCC’s controls over purchase cards. The objective for this audit is to assess the controls in place over OCC’s purchase card use and identify any potential illegal, improper, or erroneous transactions.

Footnote 16: The Financial Action Task Force defines de-risking as the termination or restriction, by financial institutions, of business relationships with categories of customers. [End of footnote]

OCC Human Capital Policies and Planning (In Progress)

We initiated an audit of OCC’s human capital policies and resource planning. The objective for this audit is to determine whether OCC’s human capital policies and planning align with its mission and strategic goals.

Failed Bank Reviews

In 1991, Congress enacted the Federal Deposit Insurance Corporation Improvement Act (FDICIA) amending the Federal Deposit Insurance Act (FDIA). The amendments require that banking regulators take specified supervisory actions when they identify unsafe or unsound practices or conditions. Also added was a requirement that the Inspector General for the primary federal regulator of a failed financial institution conduct a material loss review when the estimated loss to the Deposit Insurance Fund is “material.” FDIA, as amended by Dodd-Frank, defines the loss threshold amount to the Deposit Insurance Fund triggering a material loss review as a loss that exceeds $50 million for 2014 and thereafter (with a provision to temporarily raise the threshold to $75 million in certain circumstances). The act also requires a review of all bank failures with losses under these threshold amounts for the purposes of (1) ascertaining the grounds for appointing Federal Deposit Insurance Corporation (FDIC) as receiver and (2) determining whether any unusual circumstances exist that might warrant a more in-depth review of the loss. As part of the material loss review, OIG auditors determine the causes of the failure and assess the supervision of the institution, including the implementation of the prompt corrective action provisions of the act.17 As appropriate, OIG auditors also make recommendations for preventing any such loss in the future.

From 2007 through March 2019, FDIC and other banking regulators closed 538 banks and federal savings associations. One hundred and forty-two (142) of these were Treasury-regulated financial institutions; in total, the estimated loss to FDIC’s Deposit Insurance Fund for these failures was $36.4 billion. Of the 142 failures, 58 resulted in a material loss to the Deposit Insurance Fund, and our office performed the required reviews of these failures.

During the period covered by this annual report, we completed a material loss review of Washington Federal Bank for Savings (Washington Federal) located in Chicago, Illinois, whose failure in December 2017 resulted in a loss to the Deposit Insurance Fund estimated at $82.6 million. We determined that Washington Federal failed because of fraud18 in the bank’s loan activity perpetrated by bank employees. The fraudulent activity depleted the bank’s capital, with the result that the bank was insolvent and in an extremely unsafe or unsound condition to transact business. Regarding supervision, we found that OCC generally performed examinations of Washington Federal in accordance with laws, regulations and guidance; however, we identified weaknesses in the execution of OCC’s supervision of the bank that led to missed opportunities for timely enforcement actions related to the bank’s loan portfolio. Specifically, we identified the following supervisory weaknesses: (1) the Supervisory Office and Examiners-in-Charge (EIC) did not provide sufficient supervision of examination staff comprised mainly of first-time Assistant Examiners-in-Charge (AEIC) and examiners with limited experience; (2) examiner conclusions were contradicted by documentation in the OCC work papers; (3) examiners did not act promptly to address significant weaknesses in the loan portfolio reporting capability of the bank’s management information system; (4) examiners missed red flags related to Washington Federal’s loan portfolio and resultantly did not timely expand the core assessment minimum procedures; (5) examiners did not identify and did not report unsafe or unsound practices that were contrary to agency guidance and bank policy related to the appraisal program; and (6) examiners did not identify a lack of independence in the bank’s lending or loan review function.

We recommended the Comptroller of the Currency: (1) assess the need for additional guidance related to the supervision of non-commissioned examiners by the EIC and the Supervisory Office including the need to require that supervision be documented; (2) revise examination guidance to clarify the roles and responsibilities of an EIC in supervising an examination team, with an emphasis on reviewing work papers and confirming that conclusions in work papers are supported by the documentation; (3) reinforce to examiners and provide training where necessary to ensure they understand: (a) the requirements of OCC Bulletin 2000-20 and the importance of the bank maintaining sufficient loan portfolio reporting for extensions, deferrals, renewals, and rewrites of closed-end loans; (b) that bank assurances made to examiners regarding deficiencies being resolved should be viewed with skepticism unless support for the assurances is provided and the examiner validates the effectiveness of the bank’s corrective actions, especially when the deficiencies result in noncompliance with regulation or law; (c) that expanded procedures are recommended when an examination team is comprised of examiners in training positions and those with limited experience, including AEICs; (d) that expanded procedures are recommended for banks, or examination areas, that are consistently considered low risk; (e) the need to identify and report appraisal exceptions as required by the Interagency Appraisal and Evaluation Guidelines; and (f) the need to identify and address issues of independence in small banks where employees or board members are participating in more than one function or committee.

Footnote 17: Prompt corrective action is a framework of supervisory actions for insured institutions that are not adequately capitalized. It was intended to ensure that action is taken when an institution becomes financially troubled in order to prevent a failure or minimize the resulting losses. These actions become increasingly severe as the institution falls into lower capital categories. The capital categories are well-capitalized, adequately capitalized, undercapitalized, significantly undercapitalized, and critically undercapitalized. [End of footnote]

Footnote 18: The use of this term “fraud” comes from OCC’s finding in its Supervisory Memorandum. As of the date of the issuance of this material loss review report (November 7, 2018), no criminal or civil judicial finding of fraud has been made and applied to the bank’s activities. [End of footnote]

[Cover page]

Council of Inspectors General on Financial Oversight

Top Management and Performance Challenges Facing Financial Regulatory Organizations

Approved July 2019

[Images of OIG seals: Board of Governors of the Federal Reserve System Consumer Financial Protection Bureau, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Housing Finance Agency, United States Department of Housing and Urban Development, National Credit Union Administration, U.S. Securities and Exchange Commission, Troubled Asset Relief Program, Treasury]

Top Management and Performance Challenges Facing Financial-Sector Regulatory Organizations

Council of Inspectors General on Financial Oversight

[End of Cover page]

EXECUTIVE SUMMARY

Purpose

The purpose of this report is to consolidate and provide insight into cross-cutting management and performance challenges facing Financial-Sector Regulatory Organizations in 2019, as identified by members of CIGFO.

Approach

Following a review of 10 TMPC reports issued by CIGFO members, we synthesized the primary areas of concern facing Financial-Sector Regulatory Organizations. We sought to identify common insights within the financial sector.

CIGFO Members

• Department of the Treasury (Chair)

• Federal Deposit Insurance Corporation

• Federal Housing Finance Agency

• Commodity Futures Trading Commission

• Department of Housing and Urban Development

• Board of Governors of the Federal Reserve System and the Bureau of Consumer Financial Protection

• National Credit Union Administration

• Securities and Exchange Commission

• Special Inspector General for the Troubled Asset Relief Program

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) established the Council of Inspectors General on Financial Oversight (CIGFO) to oversee the Financial Stability Oversight Council (FSOC) and suggest measures to improve financial oversight. FSOC has a statutory mandate that created collective accountability for identifying risks and responding to emerging threats to U.S. financial stability.

The Inspectors General within CIGFO report annually on the Top Management and Performance Challenges (TMPC) facing their respective Financial-Sector Regulatory Organizations. This is CIGFO’s second report reflecting the collective input from the Inspectors General in CIGFO and identifying cross-cutting Challenges facing multiple Financial-Sector Regulatory Organizations. This report reiterates the six challenges from our 2018 report and includes an additional challenge for 2019 – Improving Contract and Grant Management.

• Enhancing Oversight of Financial Institution Cybersecurity

• Managing and Securing Information Technology at Regulatory Organizations

• Sharing Threat Information

• Ensuring Readiness for Crises

• Strengthening Agency Governance

• Managing Human Capital

• Improving Contract and Grant Management

It is important to address the Challenges in this report because financial-sector activities – such as consumer and commercial banking, and funding, liquidity and insurance services – were identified by the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, as National Critical Functions. Those functions are so vital to the United States that any disruption, corruption, or dysfunction would have a debilitating effect on U.S. security, the national economy, and/or public health and safety.

Although Financial-Sector Regulatory Organizations have individual missions, this report emphasizes the importance of addressing challenges holistically through coordination and information sharing. Considering issues on a whole-of-Government approach versus a siloed, agency-by-agency basis allows for more effective and efficient means to address Challenges through a coordinated approach.

By consolidating and reporting these Challenges, CIGFO aims to inform FSOC, regulatory organizations, Congress, and the American public of the cross-cutting Challenges facing the financial sector.

[End of EXECUTIVE SUMMARY]

TABLE OF CONTENTS

BACKGROUND AND OBSERVATIONS

CHALLENGE 1: ENHANCING OVERSIGHT OF FINANCIAL INSTITUTION CYBERSECURITY

CHALLENGE 2: MANAGING AND SECURING INFORMATION TECHNOLOGY AT REGULATORY ORGANIZATIONS

CHALLENGE 3: SHARING THREAT INFORMATION

CHALLENGE 4: ENSURING READINESS FOR CRISES

CHALLENGE 5: STRENGTHENING AGENCY GOVERNANCE

CHALLENGE 6: MANAGING HUMAN CAPITAL

CHALLENGE 7: IMPROVING CONTRACT AND GRANT MANAGEMENT

CONCLUSION

APPENDIX 1: ABBREVIATIONS AND ACRONYMS

APPENDIX 2: METHODOLOGY

[End of TABLE OF CONTENTS]

BACKGROUND AND OBSERVATIONS

The Dodd-Frank Act established CIGFO to oversee FSOC and suggest measures to improve financial oversight. FSOC has a statutory mandate that established collective accountability for identifying risks and responding to emerging threats to U.S. financial stability.

CIGFO meets regularly to facilitate the sharing of information among Inspectors General, with a focus on concerns that affect the financial sector and ways to improve financial oversight. CIGFO publishes an annual report that describes the concerns and recommendations of each Inspector General and a discussion of ongoing and completed oversight work. Additionally, Congress authorized CIGFO to convene working groups to evaluate FSOC’s effectiveness and internal operations.

CIGFO members include the Inspectors General of the Department of the Treasury, the Federal Deposit Insurance Corporation, the Commodity Futures Trading Commission, the Department of Housing and Urban Development, the Board of Governors of the Federal Reserve System and the Bureau of Consumer Financial Protection, the Federal Housing Finance Agency, the National Credit Union Administration, the Securities and Exchange Commission, and the Special Inspector General for the Troubled Asset Relief Program. CIGFO members oversee one or more Financial-Sector Regulatory Organizations, as shown in Figure 1.

Figure 1: CIGFO Membership & Oversight Responsibilities

Table

Row 1; CIGFO MEMBERSHIP: Department of the Treasury (Chair); OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: • Department of the Treasury • Office of the Comptroller of the Currency;

Row 2; CIGFO MEMBERSHIP: Federal Deposit Insurance Corporation; OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: Federal Deposit Insurance Corporation;

Row 3; CIGFO MEMBERSHIP: Commodity Futures Trading Commission; OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: Commodity Futures Trading Commission;

Row 4; CIGFO MEMBERSHIP: Department of Housing and Urban Development; OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: Department of Housing and Urban Development;

Row 5; CIGFO MEMBERSHIP: Board of Governors of the Federal Reserve System and Bureau of Consumer Financial Protection; OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: • Board of Governors of the Federal Reserve System • Bureau of Consumer Financial Protection;

Row 6; CIGFO MEMBERSHIP: Federal Housing Finance Agency; OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: Federal Housing Finance Agency;

Row 7; CIGFO MEMBERSHIP: National Credit Union Administration; OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: National Credit Union Administration;

Row 8; CIGFO MEMBERSHIP: Securities and Exchange Commission; OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: Securities and Exchange Commission;

Row 9; CIGFO MEMBERSHIP: Special Inspector General for the Troubled Asset Relief Program; OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS: Special Inspector General for the Troubled Asset Relief Program;

[End of table]

[End of Figure 1: CIGFO Membership & Oversight Responsibilities]

The Inspectors General within CIGFO, as well as the Inspectors General of other agencies, annually identify what they consider to be the TMPCs facing their agency. Each Inspector General’s TMPCs generally appear in the host Agency’s annual performance and accountability report under the Reports Consolidation Act of 2000.

On March 26, 2019, CIGFO approved a motion to compile a report identifying the top Challenges facing Financial-Sector Regulatory Organizations. The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) led the working group to conduct this analysis and compile this report.

This CIGFO report reflects the collective input from the nine CIGFO Member Inspectors General and identifies cross-cutting Challenges facing multiple Financial-Sector Regulatory Organizations. The report reiterates the six challenges from our September 2018 report, Top Management and Performance Challenges Facing Financial Regulatory Organizations, with an additional Challenge for 2019 – Improving Contract and Grant Management.

• Enhancing Oversight of Financial Institution Cybersecurity

• Managing and Securing Information Technology at Regulatory Organizations

• Sharing Threat Information

• Ensuring Readiness for Crises

• Strengthening Agency Governance

• Managing Human Capital

• Improving Contract and Grant Management

This report identifies significant financial-sector cybersecurity challenges. Financial-Sector Regulatory Organizations are faced with responsibilities to protect the information held by their respective agencies against cyber attacks, and to ensure that financial institutions and their third-party service providers have processes in place to mitigate cyber risks. Financial-Sector Regulatory Organizations must take a holistic, financial sector-wide view to address cybersecurity threats because a security incident for any participant has the possibility of infecting the entire financial sector.

Identifying threats, such as cyber risk and other vulnerabilities, requires the sharing of information among Government agencies and throughout the entire financial sector. Financial-Sector Regulatory Organizations face challenges to ensure effective gathering, analysis, and sharing of timely and actionable threat information. Absent such threat information, financial sector participants may not have a full understanding of the risks. This could result in informational gaps that can negatively impact risk mitigation and supervisory strategies and/or the financial sector. Financial-Sector Regulatory Organizations must also mitigate risks and stand ready when necessary to address threats that may escalate into a crisis. This report observes that Financial-Sector Regulatory Organizations must ensure that plans and resources are in place to address such crises.

Financial-Sector Regulatory Organizations also face Challenges to govern their internal operations. Controls should be in place to manage Financial-Sector Regulatory Organizations appropriately, including ensuring a sufficient workforce with skillsets to achieve organization missions. Further, controls should be in place to manage contract and grant funding so that organizations receive appropriate goods and services and grantees use funds as prescribed by statute and regulation.

Although Financial-Sector Regulatory Organizations have individual missions, this report emphasizes the importance of addressing challenges holistically through coordination and information sharing. Considering issues on a whole-of-Government approach versus a siloed, agency-by-agency basis allows for more effective and efficient means to address challenges through a coordinated approach. By consolidating and reporting these Challenges, CIGFO aims to inform FSOC, regulatory organizations, Congress, and the American public of the cross-cutting Challenges facing the financial sector.

[End of BACKGROUND AND OBSERVATIONS]

CHALLENGE 1: ENHANCING OVERSIGHT OF FINANCIAL INSTITUTION CYBERSECURITY

Cybersecurity continues to be a critical risk facing the financial sector. FSOC recognized in its December 2018 Annual Report that as financial institutions increase their reliance on technology, there is an increased risk that a cybersecurity event could have “severe negative consequences, potentially entailing systemic implications for the financial sector and the U.S. economy.”1 The Office of the Comptroller of the Currency (OCC) echoed this sentiment in its Semiannual Risk Perspective (Fall 2018), finding that cybersecurity threats “target operational vulnerabilities that could expose large quantities of personally identifiable information (PII)2 and proprietary intellectual property, facilitate misappropriation of funds and data at the retail and wholesale levels, corrupt information, and disrupt business activities.”3

Footnote 1: The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 established FSOC, which has responsibility for identifying risks and responding to emerging threats to financial stability. FSOC brings together the expertise of Federal financial regulators, an independent insurance expert, and state regulators. [End of footnote]

Footnote 2: According to OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, the term PII refers to information that can be used to distinguish or trace an individual's identity, such as their name, Social Security Number, biometric records, etc. alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. [End of footnote]

Footnote 3: OCC Semiannual Risk Perspective (Fall 2018). [End of footnote]

In February 2018, the White House Council of Economic Advisors estimated that the United States economy loses between $57 and $109 billion per year to malicious cyber activity. Cyberattacks—such as distributed denial of service and ransomware—may be global in nature and have disrupted financial services in several countries around the world.4 Verizon Communications’ 2019 annual review of global data breaches across multiple sectors, including the financial sector, reported that there were more than 41,000 security incidents and 2,000 data breaches across 65 countries between April 2018 and April 2019.5 This review also found that cyberattacks happen very quickly, with breaches occurring within seconds, and breach discovery taking months.

Footnote 4: World Bank Group, Financial Sector’s Cybersecurity: Regulations and Supervision (2018). [End of footnote]

Footnote 5: Verizon Communications Inc., 2019 Verizon Communications Data Breach Investigations Report, 11th Edition (April 2019). [End of footnote]

A 2018 study by the U.S. Chamber of Commerce and FICO (Fair Isaac Corporation) evaluated the cyber risk at 2,574 U.S. firms across 10 sectors, including the financial sector. This study provided cybersecurity ranking scores from 300 (high risk) to 850 (low risk) for each sector as well as a national average. The cyber risks faced by the finance and banking sector exceeded eight other sectors and the national average, as shown in Figure 2.

Figure 2: Cyber Risk Scores Across Ten Sectors

Agriculture & Food 671,

Business Services 704,

Construction 764,

Energy & Utilities 707,

Finance and Banking 642,

Transportation 709,

Retail and Consumer Services 697,

Media Telecom Tech 619,

Materials & Manufacturing 672,

Health Care 679.

[End of Figure 2: Cyber Risk Scores Across Ten Sectors]

Financial-Sector Regulatory Organizations are responsible for examining financial institutions to identify Information Technology (IT) risks. The Interagency Guidelines Establishing Information Security Standards for bank regulators states that an insured financial institution must “implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities.”6 Most Financial-Sector Regulatory Organizations7 conduct IT examinations using the Uniform Rating System for Information Technology created by the Federal Financial Institutions Examination Council (FFIEC).8 The primary purpose of the rating system is to assess risks introduced by IT at institutions and service providers, and to identify those institutions requiring supervisory attention.9 When examinations identify risks and weak management practices at institutions, regulators may use enforcement procedures to address such risks.

Footnote 6: See 12 C.F.R. Part 364, Appendix B and 12 C.F.R. Part 748. The FDIC, OCC, and Board of Governors of the Federal Reserve issued the Interagency Guidelines Establishing Information Security Standards. [End of footnote]

Footnote 7: The National Credit Union Administration does not use the Uniform Rating System for Information Technology. [End of footnote]

Footnote 8: The FFIEC was established on March 10, 1979, pursuant to title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978, Public Law 95-630. The Council is an interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the FDIC, the National Credit Union Administration, the OCC, and the Bureau of Consumer Financial Protection and to make recommendations to promote uniformity in the supervision of financial institutions. [End of footnote]

Footnote 9: FFIEC, Uniform Rating System for Information Technology, 64 Fed. Reg. 3109 (January 20, 1999). [End of footnote]

CIGFO members identified Challenges to keep pace with the changing cybersecurity landscape. The Federal Housing Finance Agency (FHFA) OIG identified that the FHFA will be challenged to design and implement supervisory activities for the financial institutions it supervises. Specifically, the FHFA must ensure that cybersecurity examination modules are updated in response to changes in the cybersecurity environment. The FHFA must also recruit and retain a complement of examiners with the experience and expertise needed to conduct IT examinations, and ensure those examiners have ongoing training. Similarly, the Board of Governors of the Federal Reserve System (Federal Reserve Board) and Bureau of Consumer Financial Protection (Bureau) OIG noted that the Federal Reserve Board is challenged to ensure that supervised financial institutions manage and mitigate the risks and vulnerabilities of cyberattacks. The Federal Reserve Board should ensure that its supervisory approaches keep pace with evolving cybersecurity threats.

The FDIC OIG also identified cybersecurity as a significant challenge to FDIC-supervised institutions. The FDIC must ensure the effectiveness and efficiency of its IT examination work programs. One example would be using data to review and understand cybersecurity risks across all institutions. The FDIC is also challenged to have the appropriate number of IT examiners and to keep its examination staff skillsets up-to-date given the increasing complexity and sophistication of IT environments at banks. Similarly, the National Credit Union Administration (NCUA) OIG also noted cybersecurity as a continued and significant challenge to the stability and soundness of the credit union industry. The NCUA OIG believes the NCUA must acquire and deploy resources to enhance its oversight capabilities to maintain safety and soundness.

Financial institutions face increased cybersecurity risk through interconnections with financial technology companies. The Group of Twenty’s Financial Stability Board defined financial technology as “innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services.”10 Financial technology innovation includes, for example, mobile wallets, digital currencies, and digital financial advice.11 The rapid pace of financial technology is being driven by capital investment, demand for speed and convenience, and digitization.12 According to the Department of the Treasury (Treasury Department), from 2010 to 2017, more than 3,330 new technology companies were formed to serve the financial industry.13 The Treasury Department also estimated that one-third of online U.S. consumers use at least two financial technology services—including financial planning, savings and investment, online borrowing, or some form of money transfer and payment.14 Further, KPMG estimated that global investment in financial technology was $57.9 billion in just the first 6 months of 2018.15

Footnote 10: Financial Stability Implications from FinTech, Supervisory and Regulatory Issues That Merit Authorities’ Attention, (June 27, 2017). The Financial Stability Board (FSB) was chartered by the Group of Twenty (G20) on September 25, 2009. The G20 Members include Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Republic of Korea, Mexico, Russia, Saudi Arabia, South Africa, Turkey, the United Kingdom, the United States, and the European Union (plus Hong Kong, Singapore, Spain, and Switzerland). The FSB charter aims to promote global financial stability by coordinating the development of regulatory, supervisory and other financial-sector policies and conducts outreach to non-member countries. The G20 members represent about two-thirds of the world’s population, 85 percent of global gross domestic product, and over 75 percent of global trade. [End of footnote]

Footnote 11: Basel Committee on Banking, Sound Practices – Implications of Fintech Developments for Banks and Bank Supervisors (February 2018). [End of footnote]

Footnote 12: Department of the Treasury, A Financial System that Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation (July 2018); Basel Committee on Banking, Sound Practices – Implications of Fintech Developments for Bank and Bank Supervisors (February 2018). [End of footnote]

Footnote 13: A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation (July 2018). [End of footnote]

Footnote 14: A Financial System That Creates Economic Opportunities: Nonbank Financials, Fintech, and Innovation (July 2018). [End of footnote]

Footnote 15: KPMG, The Pulse of Fintech 2018: Biannual Global Analysis of Investment in Fintech (July 2018). KPMG is a professional services company. [End of footnote]

Financial technology companies are interconnected with IT systems at banks, yet these technology companies may not be subjected to regulatory requirements for safety and soundness and may not be examined by financial regulators. Certain banks reported that between 20 and 40 percent of online banking logins are attributable to financial technology companies, and many banks represented that they cannot distinguish among computer logins, as to whether they originate from consumers, data aggregators, or even malicious actors.16 IT system interconnections may provide a pathway for a cybersecurity incident at a financial technology company to infect the banking system.

Footnote 16: Lael Brainard, Member, Board of Governors of the Federal Reserve System, Where Do Banks Fit in the Fintech Stack? Remarks delivered at the Northwestern Kellogg Public-Private Interface Conference on “New Developments in Consumer Finance: Research & Practice” (April 29, 2017). [End of footnote]

Additionally, when financial institutions have multiple financial technology services and relationships, they face ambiguity and uncertainty as to the applicability of certain privacy rules, the Bank Secrecy Act provisions and regulations, and Anti-Money Laundering standards. Banks and credit unions may be unsure as to whether they or the service provider must comply with rules, regulations, and requirements. Moreover, financial institutions face challenges to have sufficient skilled staff and capabilities to monitor these risks and operations of financial technology companies.

The FDIC OIG stated that the FDIC faces challenges to ensure that banks have proper governance and risk management practices around these technologies. The FDIC may need to increase training and adjust staffing to ensure that examiners have the skills to effectively supervise the risks involved with new technology. Further, the FDIC may need to modify examination policies and procedures that pre-date financial innovation to improve supervision of financial innovation risk. The NCUA OIG stated that the NCUA faces significant challenges with technology-driven changes in the financial landscape that could potentially impact the safety and soundness of the credit union system and the Share Insurance Fund. The NCUA OIG believes it is imperative that the NCUA’s examination and supervision program continues to evolve with emerging financial technologies that represent not only risks, but also opportunities to the credit union system.

Mitigating Third-Party Service Provider Risk

Banks and credit unions frequently hire third-party Technology Service Providers (TSP) to perform operational functions on behalf of the financial institution—such as IT operations and business product lines. TSPs may further sub-contract services to other vendors. According to the OCC, banks are increasingly reliant upon TSPs and sub-contractors, and such dependence creates a high level of risk for the banking industry.17 The OCC indicates that TSPs are increasingly targets for cybercrimes and espionage and may provide avenues for bad actors to exploit a bank’s systems and operations. For example, on December 20, 2018, the Department of Justice announced that two Chinese nationals were charged with computer intrusion offenses harming more than 45 service providers whose clients included the banking and finance industry and the U.S. Government. The hackers targeted service providers in order to gain unauthorized access to the computer networks of their clients and steal intellectual property and confidential business information.18

Footnote 17: The FFIEC described the term TSP to include “independent third parties, joint venture/limited liability corporations, and bank and credit union service corporations that provide processing services to financial institutions.” Supervision of Technology Service Providers, FFIEC IT Examination Handbook InfoBase. [End of footnote]

Footnote 18: Department of Justice Press Release, Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information (December 20, 2018). [End of footnote]

A financial institution must manage the interconnections, system interfaces, and systems access of TSPs and sub-contractors and must implement appropriate controls.19 Significant consolidation among TSPs caused large numbers of banks to rely on a few large service providers for core systems and operations support.20 As a result, a cybersecurity incident at one TSP has the potential to affect multiple financial institutions.21 A financial institution’s Board of Directors and senior managers are responsible for the oversight of activities conducted by a TSP on their behalf to the same extent as if the activity were handled within the institution.22

Footnote 19: OCC Semiannual Risk Perspective (Spring 2018). [End of footnote]

Footnote 20: OCC Semiannual Risk Perspective (Spring 2018). [End of footnote]

Footnote 21: OCC Semiannual Risk Perspective (Spring 2018). [End of footnote]

Footnote 22: Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk (June 6, 2008). [End of footnote]

The Federal Reserve Board and Bureau OIG identified the need for the Federal Reserve Board to enhance its oversight of firms that provide technology services to supervised institutions. Specifically, the Federal Reserve Board can enhance its oversight by implementing an improved governance structure and providing additional guidance to examination teams on the supervisory expectations for such firms. The FDIC OIG also noted challenges with FDIC-supervised institutions’ oversight of the TSPs with whom they do business. The FDIC must ensure that supervised financial institutions assess TSP cybersecurity risks, including due diligence of cybersecurity contract terms.

Financial-Sector Regulatory Organizations play a vital role in addressing financial institutions’ cybersecurity risk which, if left unchecked, could threaten the safety and soundness of institutions as well as the stability of the financial system. Financial-Sector Regulatory Organizations must ensure that IT examinations assess how financial institutions manage cybersecurity risks, including risks associated with TSPs and new financial technology, and address such risks through effective supervisory strategies.

[End of CHALLENGE 1: ENHANCING OVERSIGHT OF FINANCIAL INSTITUTION CYBERSECURITY]

CHALLENGE 2: MANAGING AND SECURING INFORMATION TECHNOLOGY AT REGULATORY ORGANIZATIONS

In March 2019, the Government Accountability Office (GAO) identified securing Federal systems and information as a high-risk area in need of significant attention.23 An Office of Management and Budget (OMB) and Department of Homeland Security (DHS) review of Federal cybersecurity capabilities at 96 civilian agencies across 76 metrics found that 74 percent (71 agencies) had cybersecurity programs that were either “At Risk” or “High Risk.”24 Further, the Government sector represented a total of 56 percent of the over 41,000 cybersecurity incidents identified by Verizon Communications in its 2019 annual review of global data breaches across multiple sectors.25

Footnote 23: U.S. Government Accountability Office, High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March 2019). [End of footnote]

Footnote 24: Federal Cybersecurity Risk Determination Report and Action Plan (May 2018). “At Risk” meant that some essential policies, processes, and tools were in place to mitigate overall cybersecurity risk, but significant gaps remained; while “High Risk” meant that fundamental cybersecurity policies, processes, and tools were either not in place or not deployed sufficiently. [End of footnote]

Footnote 25: Verizon Communications Inc., 2019 Verizon Communications Data Breach Investigations Report, 11th Edition (April 2019). [End of footnote]

Financial-Sector Regulatory Organizations’ IT systems house commercially valuable and market sensitive information. For example, the Securities and Exchange Commission (SEC) OIG reported that the SEC’s e-Discovery program alone is approaching one petabyte of data.26 Financial-Sector Regulatory Organizations may also house significant amounts of personally identifiable information for bank and credit union officials, depositors, and borrowers. Without proper safeguards, those IT systems are vulnerable to individuals and groups with malicious intentions who can intrude and use their access to obtain sensitive information, commit fraud and identity theft, disrupt operations, or launch attacks against other computer systems and networks. Further, interconnections among Financial-Sector Regulatory Organizations and other Federal and state government agencies or private-sector institutions increase the likelihood of contagion in which a cybersecurity incident occurring anywhere within the systems may negatively impact the entire financial system.27

Footnote 26: One petabyte of data is roughly the equivalent to the amount that can be stored in about 20 million four-drawer filing cabinets. U.S. Government Accountability Office, Military Base Realignments and Closures: The National Geospatial-Intelligence Agency’s Technology Center Construction Project, GAO-12-770R, (June 29, 2012). [End of footnote]

Footnote 27: Financial Services Sector-Specific Plan 2015 issued jointly among the Department of the Treasury, Department of Homeland Security, and the Financial Services Sector Coordinating Council. [End of footnote]

Securing IT from Evolving Threats

According to the GAO, risks to Federal IT systems are increasing.28 Threats to Federal IT systems include those from witting or unwitting employees as well as global threats from nation states.29 Federal agencies must develop, document, and implement department- and agency-wide information security programs to protect information and information systems.30 Federal agencies use a common framework developed by the National Institute of Standards and Technology to manage their cyber risk.31

Footnote 28: GAO, Cybersecurity Challenges Facing the Nation – High Risk Issue. [End of footnote]

Footnote 29: Worldwide Threat Assessment of the US Intelligence Community, January 29, 2019 [End of footnote]

Footnote 30: Federal Information Security Modernization Act of 2014, Public Law No. 113-283. [End of footnote]

Footnote 31: Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 11, 2017. [End of footnote]

The Department of Housing and Urban Development (HUD) OIG recognized that HUD faces challenges in the management and oversight of its IT systems. HUD has demonstrated an inability to incorporate Federally mandated requirements and key practices into effective operational management of its IT systems. Persistent IT management challenges have affected HUD’s ability to manage and oversee key programs. As a result, IT systems vulnerabilities that could lead to breaches exist within HUD’s IT environment. Since 2007, HUD OIG has made 483 recommendations to HUD management to address IT challenges and 197 of those recommendations remain open or unresolved.

The FDIC OIG found that the FDIC must continue to strengthen its implementation of governance and security controls around its IT systems to ensure proper safeguarding of information. The FDIC OIG identified security control weaknesses that limited the effectiveness of the FDIC’s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk. For example, the FDIC had not fully defined or implemented an enterprise-wide and integrated approach to identifying, assessing, and addressing the full spectrum of internal and external risks, including those related to cybersecurity and the operation of information systems.

The Federal Reserve Board and Bureau OIG noted that the Federal Reserve Board’s decentralized IT services result in an incomplete view of security risks facing the agency as a whole, which impacts the implementation of an effective information security program. The Federal Reserve Board also faces challenges in implementing agency-wide processes for managing vulnerabilities and software inventories. The Federal Reserve Board and Bureau OIG also found that the Bureau faces challenges in centralizing and automating processes to better manage insider risks; ensuring that automated feeds from all systems, including contractor-operated systems, feed into the Bureau’s security information and event management tool; and aligning its information security program, policies, and procedures with the agency’s evolving enterprise risk management program.

The Treasury Department OIG noted challenges with the mitigation of risks to the Treasury Department’s IT systems posed by interconnection agreements with other Federal, State, and local agencies as well as third-party cloud service providers. Similarly, the FHFA OIG found that the FHFA needs to ensure that access to its internal and external online collaborative environment is restricted to those with a need for the information.

The SEC OIG also noted that the SEC must mature its IT security programs to minimize risks of unauthorized disclosure, modification, use, and disruption of the SEC’s non-public information. Specifically, the SEC can improve its management of IT risks, including access, continuous monitoring, and incident management. Further, the SEC could better manage information security risks of outside expert services contractors who have access to sensitive, non-public information.

Modernizing IT Systems

Some Financial-Sector Regulatory Organizations are relying on systems that are outdated, cannot be adapted to handle increasingly complex tasks, and are no longer supported by vendors. According to the GAO, use of such systems increases the vulnerability of unauthorized access to the information within those systems.32

Footnote 32: U.S. Government Accountability Office, Information Security: SEC Improved Control of Financial Systems but Needs to Take Additional Actions, GAO-17-469 (July 2017). [End of footnote]

HUD OIG reported that HUD is using aging technology for most of its operations – technology that was implemented dating back to 1974. Many of HUD’s systems remain at risk of failure or exploitation because critical vendor fixes or updates are no longer available. That situation increases the risk of possible HUD data breaches. Further, HUD’s legacy systems are very costly to maintain because of the specialized skills and support needed to operate them. Over the last 5 years, HUD spent on average 70 to 95 percent of its $280 million annual IT budget on operations and maintenance.

Similarly, the U.S. Commodity Futures Trading Commission (CFTC) OIG identified that the CFTC faces challenges because it has not formalized IT capital planning. Specifically, the CFTC has not established accountabilities to eliminate manual-intensive legacy systems, reduce high-cost IT functions, and adopt a modern IT infrastructure. CFTC OIG noted that IT modernization efforts could yield cost savings and technological efficiencies during periods of fiscal austerity.

The Treasury Department OIG also noted the impact of uncertain budgetary funding on the Treasury Department’s IT modernization efforts. The Treasury Department is challenged to balance cybersecurity requirements with expenditures for the modernization and maintenance of existing Treasury Department IT systems.

Enhancing the IT Security Workforce

According to the GAO, “a key component of mitigating and responding to cyber threats is having a qualified, well-trained cybersecurity workforce.”33 The GAO has identified, however, that there are cybersecurity workforce skills gaps across the Federal Government.34

Footnote 33: U.S. Government Accountability Office, Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions, GAO-18-466 (June 2018). [End of footnote]

Footnote 34: U.S. Government Accountability Office, High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March 2019). [End of footnote]

CIGFO members identified mission challenges related to cybersecurity skills gaps. The Treasury Department OIG found that many IT security measures lacked adequate cybersecurity resources and/or management oversight. Similarly, HUD OIG noted that the maintenance of many of HUD’s systems requires specialized skills. HUD OIG further noted that turnover among senior leadership and resource constraints hindered the completion of three IT modernization projects totaling approximately $370 million.

Cybersecurity threats against Government agencies continue to increase. Financial-Sector Regulatory Organizations must remain vigilant in their efforts to institute necessary controls and properly protect the information entrusted to them.

[End of CHALLENGE 2: MANAGING AND SECURING INFORMATION TECHNOLOGY AT REGULATORY ORGANIZATIONS]

CHALLENGE 3: SHARING THREAT INFORMATION

On November 16, 2018, the President signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018 (Act). The Act established the Cybersecurity and Infrastructure Security Agency (CISA) within the DHS to, among other things, make the United States cyber and physical infrastructure more secure by sharing information at all levels of Government and the private and non-profit sectors.35

Footnote 35: Cybersecurity and Infrastructure Security Act of 2017, House Report 115-454, 115th Congress, December 11, 2017. [End of footnote]

On April 30, 2019, the CISA published a list of National Critical Functions, which were defined as, “[t]he functions of government and private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”36 The provision of consumer and commercial banking, funding and liquidity services, and insurance services were included on the list of National Critical Functions.37 Rather than relying on prior, sector-specific or asset-based risk identification, the National Critical Functions construct looks across sectors to provide a holistic approach to capture risks and dependencies within and across sectors.38 As shown in Figure 3, the National Critical Functions are presented in four overarching areas – connect, distribute, manage, and supply.

Footnote 36: National Critical Functions – An Evolved Lens for Critical Infrastructure and Security Resilience, DHS Cybersecurity and Infrastructure Security Agency, April 30, 2019. [End of footnote]

Footnote 37: National Critical Functions – An Evolved Lens for Critical Infrastructure and Security Resilience, DHS Cybersecurity and Infrastructure Security Agency, April 30, 2019. [End of footnote]

Footnote 38: National Critical Functions – An Evolved Lens for Critical Infrastructure and Security Resilience, DHS Cybersecurity and Infrastructure Security Agency, April 30, 2019. [End of footnote]

Figure 3: National Critical Functions

National Critical Functions Set

Critical Function - CONNECT:

• Operate Core Network

• Provide Cable Access Network Services

• Provide Internet Based Content, Information, and Communication Services.

• Provide Internet Routing, Access, and Connection Services

• Provide Positioning, Navigation, and Timing Services

• Provide Radio Broadcast Access Network Services

• Provide Satellite Access Network Services

• Provide Wireless Access Network Services

• Provide Wireline Access Network Services

Critical Function - DISTRIBUTE:

• Distribute Electricity

• Maintain Supply Chains

• Transmit Electricity

• Transport Cargo and Passengers by Air

• Transport Cargo and Passengers by Rail

• Transport Cargo and Passengers by Road

• Transport Cargo and Passengers by Vessel

• Transport Materials by Pipeline

• Transport Passengers by Mass Transit

Critical Function - MANAGE:

• Conduct Elections

• Develop and Maintain Public Works and Services

• Educate and Train

• Enforce Law

• Maintain Access to Medical Records

• Manage Hazardous Materials

• Manage Wastewater

• Operate Government

• Perform Cyber Incident Management Capabilities

• Prepare for and Manage Emergencies

• Preserve Constitutional Rights

• Protect Sensitive Information

• Provide and Maintain Infrastructure

• Provide Capital Markets and Investment Activities

• Provide Consumer and Commercial Banking Services

• Provide Funding and Liquidity Services

• Provide Identity Management and Associated Trust Support Services

• Provide Insurance Services

• Provide Medical Care

• Provide Payment, Clearing, and Settlement Services

• Provide Public Safety

• Provide Wholesale Funding

• Store Fuel and Maintain Reserves

• Support Community Health

Critical Function - SUPPLY:

• Exploration and Extraction Of Fuels

• Fuel Refining and Processing Fuels

• Generate Electricity

• Manufacture Equipment

• Produce and Provide Agricultural Products and Services

• Produce and Provide Human and Animal Food Products and Services

• Produce Chemicals

• Provide Metals and Materials

• Provide Housing

• Provide Information Technology Products and Services

• Provide Materiel and Operational Support to Defense

• Research and Development

• Supply Water

Source: Cybersecurity and Infrastructure Security Agency

[End of Figure 3: National Critical Functions]

One key focus of the CISA and the National Critical Functions is collecting and sharing information, including informing intelligence collection requirements.39 FSOC noted, in its 2018 Annual Report, the critical importance to the financial sector of sharing timely and actionable threat information among the Federal Government and the private sector. FSOC stated that Federal agencies should consider how to share information and when possible “declassify (or downgrade classification) of information to the extent practicable, consistent with national security needs.”40 The GAO also identified various sources of threat information that could be shared with financial institutions. Figure 4 illustrates how the GAO captured threat information flows from multiple sources.

Footnote 39: National Critical Functions – An Evolved Lens For Critical Infrastructure Security and Resilience, Cybersecurity and Infrastructure Security Agency, National Risk Management Center, April 30, 2019. [End of footnote]

Footnote 40: FSOC 2018 Annual Report. [End of footnote]

Figure 4: Sources of Threat Information for Financial Institutions

Figure 1: Sources of Threat information for Financial Institutions

[Figure depicting information flow to and/or from Depository Institution]

Entity: Blogs Information Source: Open Information Flow: To Depository Institution

Entity: Media Reports Information Source: Open Information Flow: To Depository Institution

Entity: Security Researchers Information Source: Open Information Flow: To Depository Institution

Entity: RSS aggregators Information Source: Open Information Flow: To Depository Institution

Entity: Bulletin boards/forums Information Source: Open Information Flow: To Depository Institution

Entity: Technology Service Providers Information Source: Private Information Flow: To Depository Institution

Entity: Trade Associations Information Source: Private Information Flow: To Depository Institution

Entity: SANS Institute Information Source: Private Information Flow: To Depository Institution

Entity: National Cyber-Forensics and Training Alliance Information Source: Private Information Flow: To Depository Institution

Entity: Payment Processors Information Sharing Council Information Source: Public/Private Information Flow: To Depository Institution

Entity: Financial Services Sector Coordinating Council Information Source: Public/Private Information Flow: To Depository Institution

Entity: Federal Bureau of Investigation Inter-Agency information flow: to - Department of the Treasury Information Source: Government Information Flow: To Depository Institution

Entity: National Security Agency Inter-Agency information flow: to - Department of the Treasury Information Source: Government Information Flow: To Depository Institution

Entity: Central Intelligence Agency Inter-Agency information flow: to - Department of the Treasury Information Source: Government Information Flow: To Depository Institution

Entity: U.S. Secret Service, Department of Homeland Security Inter-Agency information flow: to - Department of the Treasury Information Source: Government Information Flow: To Depository Institution

Entity: US Computer Emergency Readiness Team, Department of Homeland Security Inter-Agency information flow: to - Department of the Treasury Information Source: Government Information Flow: To Depository Institution

Entity: NCCIC, National Cybersecurity and Communications Integration Center, Department of Homeland Security Inter-Agency information flow: to - Department of the Treasury Information Source: Government Information Flow: To Depository Institution

Entity: Department of the Treasury Information Source: Government Inter-Agency information flow: to - FS-ISAC, Financial Services Information Sharing and Analysis Center Information Flow: To Depository Institution

Entity: FS-ISAC, Financial Services Information Sharing and Analysis Center Information Source: Public/Private Inter-Agency information flow: To/From - Office of the Comptroller of the Currency Inter-Agency information flow: To/From - Federal Deposit Insurance Corporation Inter-Agency information flow: To/From - Federal Reserve Inter-Agency information flow: To/From - National Credit Union Administration Information Flow: To/From Depository Institution

Entity: Office of Comptroller of the Currency Information Source: Government (Member of the Federal Financial Institution Examination Council) Inter-Agency information flow: To/From - Office of the Comptroller of the Currency Inter-Agency information flow: To/From - Federal Deposit Insurance Corporation Inter-Agency information flow: To/From - Federal Reserve Inter-Agency information flow: To/From - National Credit Union Administration Information Flow: To/From Depository Institution

Entity: Federal Deposit Insurance Corporation Information Source: Government (Member of the Federal Financial Institution Examination Council) Inter-Agency information flow: To/From - Office of the Comptroller of the Currency Inter-Agency information flow: To/From - Federal Deposit Insurance Corporation Inter-Agency information flow: To/From - Federal Reserve Inter-Agency information flow: To/From - National Credit Union Administration Information Flow: To/From Depository Institution

Entity: Federal Reserve Information Source: Government (Member of the Federal Financial Institution Examination Council) Inter-Agency information flow: To/From - Office of the Comptroller of the Currency Inter-Agency information flow: To/From - Federal Deposit Insurance Corporation Inter-Agency information flow: To/From - Federal Reserve Inter-Agency information flow: To/From - National Credit Union Administration Information Flow: To/From Depository Institution

Entity: National Credit Union Administration Information Source: Government (Member of the Federal Financial Institution Examination Council) Inter-Agency information flow: To/From - Office of the Comptroller of the Currency Inter-Agency information flow: To/From - Federal Deposit Insurance Corporation Inter-Agency information flow: To/From - Federal Reserve Inter-Agency information flow: To/From - National Credit Union Administration Information Flow: To/From Depository Institution

Source: GAO | GAO-15-509

[End of Figure 4: Sources of Threat Information for Financial Institutions]

Sharing Threat Information Throughout the Financial Sector

Financial institutions must be prepared to address many threats, and Financial-Sector Regulatory Organizations must ensure through supervisory processes that financial institutions are ready to mitigate those risks. According to the FFIEC, financial institutions should have business continuity plans that “[a]nalyze threats based upon the impact to the institution, its customers, and the financial market it serves.”41 Further, the FFIEC notes that financial institutions should have “a means to collect data on potential threats that can assist management in its identification of information security risks.”42

Footnote 41: FFIEC, Business Continuity Planning Booklet, Risk Assessment, (Available on the FFIEC website). [End of footnote]

Footnote 42: FFIEC IT Examination Handbook Infobase, Information Security Booklet, II, Information Security Program Management (Available on the FFIEC website). [End of footnote]

In November 2014, the FFIEC members encouraged financial institutions to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), through its Statement on Cybersecurity Threat and Vulnerability Monitoring and Sharing (Cybersecurity Sharing Statement).43 FS-ISAC is a group of 7,000 member organizations whose purpose is to share timely, relevant, and actionable security threat information. The Cybersecurity Sharing Statement also suggested using other resources such as the Federal Bureau of Investigation’s (FBI) InfraGard,44 U.S. Computer Emergency Readiness Team,45 and Secret Service Electronic Crimes Task Force.46 Threat awareness is important because financial institutions are links in the chain of financial services system interconnections; an incident involving one community bank has the potential to affect the broader financial sector.47 Therefore, as part of the supervisory examination process, Financial-Sector Regulatory Organizations must ensure that supervised institutions can receive and access threat information, and that they have business continuity plans to address such threats.

The Treasury Department leads financial sector readiness efforts. The Treasury Department OIG recognized the Department’s challenge to provide financial-sector leadership, ensure effective public-private coordination, and strengthen awareness and preparedness against cyber threats. The FDIC OIG identified challenges for the FDIC to ensure that relevant threat information is shared with its supervised institutions and examiners as needed, in a timely manner, to prompt responsive action to address the threats. Threat information provides FDIC examiners with context to evaluate banks’ processes for risk identification and mitigation strategies.

Sharing Information to Combat Terrorist Financing, Money Laundering, and Other Financial Crimes

According to the Director of the Financial Crimes Enforcement Network, “Financial institutions are often the first to detect and block illicit financing streams, combat financial crimes and related crimes and bad acts, and manage risk.”48 Providing the financial sector with information about illicit activity can help sector participants identify and report such activities; this assists law enforcement in disrupting money laundering and other financial crimes.49 Such information is especially important with the use of virtual currencies to identify illicit actors who use virtual currency to “… facilitate criminal activity such as human trafficking, child exploitation, fraud, extortion, cybercrime, drug trafficking, money laundering, terrorist financing, and to support rogue regimes and facilitate sanctions evasion.”50

Footnote 50: Financial Crimes Enforcement Network, Advisory on Illicit Activity Involving Convertible Virtual Currency (May 9, 2019). [End of footnote]

The Treasury Department OIG reported challenges affecting the Department’s ability to effectively gather and analyze intelligence information. Specifically, the Treasury Department must do more to collaborate and coordinate with other Federal agencies to identify and disrupt financial networks that support terrorist organizations. The Treasury Department also faces staffing challenges threatening its ability to ensure effective gathering and analysis of intelligence information. The Department requested approximately 100 new analyst positions for Fiscal Year 2019. Those positions are difficult to fill, however, because of required expertise and the length of time to process security clearance for such personnel.

Threat information can be considered by financial institutions and Financial-Sector Regulatory Organizations in developing and examining bank and credit union mitigation strategies and continuity plans. Absent such threat information, financial institutions and examiners may lack a full understanding of the risks facing banks and credit unions, and thus, risk mitigation and supervisory strategies might have gaps which could affect the safety and soundness of institutions.

[End of CHALLENGE 3: SHARING THREAT INFORMATION]

CHALLENGE 4: ENSURING READINESS FOR CRISES

Source: Federal Emergency Management Agency

The financial sector is a vital component of the infrastructure of the United States. As noted by DHS, “large-scale power outages, recent natural disasters, and an increase in the number and sophistication of cyberattacks demonstrate the wide range of potential risks facing the sector.”51

Footnote 51: Department of Homeland Security, CISA, Financial Services Sector available on the DHS website. [End of footnote]

Financial-Sector Regulatory Organizations support the financial sector by identifying and mitigating potential systemic problems. When supervisory mitigation cannot stem risks or economic events overtake such efforts, Financial-Sector Regulatory Organizations, in conjunction with other Federal and state regulators, must be ready to stabilize financial markets and provide disaster aid.

Crisis readiness requires advanced preparation, regardless of whether the crisis results from financial disruption in the markets, economic turmoil, a cyber attack, natural disaster, or other event. “When the unexpected, enterprise-threatening crisis strikes, it is too late to begin the planning process. Events will quickly spin out of control, further adding to the loss of reputation and avoidable costs necessary to survive and recover with minimal damage.”52

Footnote 52: Hastings Business Law Journal, The Board’s Responsibility for Crisis Governance (Spring 2017). [End of footnote]

Although crises may be different in their cause or complexity, implementation of fundamental principles allows Financial-Sector Regulatory Organizations to plan and prepare for such events. Figure 5 illustrates the Crisis Management Preparedness Cycle, which includes the following five components:53

Footnote 53: Federal Emergency Management Agency National Incident Management System. [End of footnote]

• Plan – Supports effective operations by identifying objectives, describing organizational structures, assigning tasks to achieve objectives, identifying responsibilities to accomplish tasks, and contributing to the goals.

• Organize – Identifies necessary skillsets and technical capabilities.

• Train – Provides personnel with the knowledge, skills, and abilities to respond to a crisis.

• Exercise – Identifies strengths and weaknesses through an assessment of gaps and shortfalls with plans, policies, and procedures to respond to a crisis.

• Evaluate and Improve – Compiles lessons learned, develops improvement plans, and tracks corrective actions to address gaps and deficiencies identified.

Figure 5: Crisis Management Preparedness Continuous Cycle

Preparedness Cycle.

Step 1 - Plan

Step 2 - Organize/Equip

Step 3 - Train

Step 4 - Exercise

Step 5 - Evaluate/Improve

Source: Federal Emergency Management Agency

[End of figure 5]

Preparing for Potential Financial Institution Disruptions and Failures

It has been more than a decade since Financial-Sector Regulatory Organizations were called upon to address the financial crisis. An FDIC study described the financial crisis as two interconnected and overlapping crises.54 The first phase of the crisis involved systemic threats to the financial system as a whole through the failure of large financial and non-financial institutions during 2008-2009. The second overlapping phase involved a rapid increase in the number of smaller troubled and failed banks between 2008-2013. As noted by FDIC Chairman Jelena McWilliams on April 3, 2019, “[t]here were regulatory gaps leading up to the crisis—perhaps none more important than the inadequate planning for potential failure of the largest banks and their affiliates.”55 As described by Chairman McWilliams, the lessons learned from the crisis are that large and small banking institutions must be able to fail “without taxpayer bailouts and without undermining the market’s ability to function.”56

Footnote 54: FDIC, Crisis and Response, An FDIC History, 2008-2013 (November 30, 2017). [End of footnote]

Footnote 55: FDIC Chairman Jelena McWilliams, Bank Resolution: A Global Perspective, International Banker (April 3, 2019). [End of footnote]

Footnote 56: FDIC Chairman Jelena McWilliams, Bank Resolution: A Global Perspective, International Banker (April 3, 2019). [End of footnote]

Financial-Sector Regulatory Organizations, in conjunction with other Federal and state regulators, must be prepared to mitigate financial institution risks and, when necessary, resolve failed banks and credit unions. The Dodd-Frank Act introduced significant changes since the crisis. The Dodd-Frank Act required that bank holding companies plan for potential resolution through bankruptcy. The Dodd-Frank Act also provided new resolution authority to orderly liquidate financial companies in extreme cases during severe financial crisis. In addition, the FDIC instituted regulations requiring that insured depository institutions with more than $50 billion in assets also prepare resolution plans addressing how the FDIC could resolve the institution under the Federal Deposit Insurance Act. These steps clarify resolution authority, but Financial-Sector Regulatory Organizations must be able to execute those resolutions.

The FDIC OIG identified challenges with the FDIC’s readiness to fulfill its mission to manage receiverships. According to the FDIC, the events of the financial crisis unfolded more quickly than the FDIC expected and were more severe than the FDIC’s planning efforts anticipated.57 For example, in July 2008, the FDIC resolved IndyMac, the most expensive FDIC failure, estimated to cost about $12.3 billion, and in September 2008, Washington Mutual, the sixth-largest FDIC-insured institution, also failed. The FDIC had not planned for several large and small banks to fail at the same time, and these failures occurred at a quicker pace than in previous crises. The FDIC OIG stated that the FDIC is challenged to ensure that it has the ability to on-board the staff needed to address escalating crisis workloads. For example, during the crisis, the FDIC authorized funding for additional personnel but faced challenges expediting the hiring process to on-board needed staff.

Footnote 57: FDIC, Crisis and Response, An FDIC History, 2008-2013 (November 30, 2017). [End of footnote]

Further, the FDIC faced challenges dealing with the increased volume of contracts required during the time of crisis. During the financial crisis, the FDIC awarded over 6,000 contracts totaling more than $8 billion. The size of the FDIC acquisition staff was initially insufficient, which resulted in delays to modify existing contracts and award new contracts. The FDIC needed to rapidly hire and train personnel to oversee the contracts. The FDIC is also challenged to ensure that it has plans in place to react and respond quickly to a crisis, irrespective of its cause, nature, magnitude, or scope; ensure those plans are current and up-to-date; and incorporate lessons learned from past crises and the related bank failures.

The NCUA OIG also noted several challenges faced by the NCUA pertaining to risks to the safety and soundness of credit unions and the protection of the National Credit Union Share Insurance Fund which, similar to the Deposit Insurance Fund, insures credit union member accounts against losses up to $250,000.58 These risks include: significant threats posed by cyberattacks; competitive challenges to credit unions posed by new technology-driven financial products; increasing competition in the financial services industry; and continuing consolidation among depository institutions. The NCUA needs to: strengthen the resiliency of the credit union systems and the agency; work with credit unions to manage risks of new financial products and services; and continue to monitor consolidation trends among depository institutions.

Footnote 58: Created by Congress in 1970, NCUA administers the Share Insurance Fund and insures individual credit union member accounts against losses up to $250,000 and a member’s interest in all joint accounts combined up to $250,000. The Deposit Insurance Fund is administered by the FDIC and insures account holder deposits in FDIC insured banks and provides funds to resolve failed banks. [End of footnote]

Preparing to Administer Disaster Aid

HUD plays a substantial role in national disaster recovery initiatives and often receives more disaster recovery funding than any other Federal agency. After a national disaster, Congress may authorize additional funding to HUD for the Community Development Block Grant Program (Community Development Grants) for significant unmet needs for long-term recovery.59 Since 2001, Congress has awarded HUD more than $84.6 billion for disaster recovery. HUD awards Community Development Grants to state and local governments who, in turn, may grant money to state agencies, non-profit organizations, economic development agencies, citizens, and businesses. The state and local governments provide these funds for disaster relief, long-term recovery, restoration of infrastructure, housing, and economic revitalization.

Footnote 59: Community Development Block Grant Disaster Recovery Fact Sheet. [End of footnote]

HUD OIG noted that, by their nature, Community Development Grants pose a risk as they are provided at a time when a community is recovering from a disaster. HUD OIG identified that HUD’s Community Development Grant requirements are not codified in the Federal Register. Instead, HUD issues multiple requirements and waivers for each disaster in Federal Register notices, which leads to confusion among program grantees. For example, HUD OIG noted that 59 grantees with 112 active Community Development Grants totaling more than $47.4 billion were required to follow 61 different Federal Register notices to manage the program. Further, HUD OIG identified continuing risks to HUD concerning the more than $18 billion in disaster recovery funds sent to Puerto Rico during a time when Puerto Rico was close to filing for bankruptcy.

HUD OIG also reported that HUD is challenged to ensure that grantees have the capacity to administer Community Development Grants and ensure the funds are used for eligible and supported items. Since 2006, HUD OIG has completed 120 audits and 6 evaluations of the Community Development Block Grant Program, identifying $477.4 million in ineligible costs, $906.5 million in unsupported costs, and $5.5 billion in funds that could be put to better use.

HUD also faces challenges to ensure that grantees follow Federal procurement regulations. HUD OIG identified that state disaster recovery programs may not align with Federal procurement requirements. As a result, products and services obtained through grant funds may not have been purchased competitively at fair and reasonable prices. HUD OIG also identified challenges in HUD’s ability to expedite disaster assistance grants while also maintaining adequate safeguards to deter and detect fraud.

Additionally, HUD OIG found that Americans face challenges in attempting to receive assistance from HUD and other disaster relief agencies. Citizens face a circuitous path to receive disaster recovery assistance depending on how, when, and where they enter the disaster relief process. As a result, citizens may face significant delays in processing their applications for assistance, delays in receiving funding, and possible duplication of benefits.

Financial-Sector Regulatory Organizations protect the financial sector and American citizens when crises strike. Crises in the financial sector may come from many sources and at any time. Financial-Sector Regulatory Organizations must plan, prepare, train, exercise, and maintain readiness for scenarios that could lead to crises.

[End of CHALLENGE 4: SHARING THREAT INFORMATION]

CHALLENGE 5 STRENGTHENING AGENCY GOVERNANCE

According to OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, (OMB Circular A-123), Federal agencies face internal and external risks to achieving their missions, including “economic, operational, and organizational change factors, all of which would negatively impact an Agency’s ability to meet goals and objectives if not resolved.”60 To address those risks, Federal leaders and managers generally must establish a governance structure to direct and oversee implementation of a risk management and internal control process.61 Enterprise Risk Management (ERM) and internal controls are components of this governance framework. OMB defines ERM “as an enterprise-wide, strategically-aligned portfolio view of organizational challenges that provides better insight about how to most effectively prioritize resource allocations to ensure successful mission delivery.”62

Footnote 60: Office of Management and Budget Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (July 15, 2016). [End of footnote]

Footnote 61: Office of Management and Budget Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (July 15, 2016). [End of footnote]

Footnote 62: Office of Management and Budget Appendix A to OMB Circular A-123, Management Reporting and Data Integrity Risk (June 6, 2018). [End of footnote]

Establishing Enterprise Risk Management

ERM focuses specifically on the identification, assessment, and management of risk, and it should include these elements:

• A risk management governance structure;

• A methodology for developing a risk profile; and

• A process, guided by an organization’s senior leadership, to consider risk appetite and risk tolerance levels that serves as a guide to establish strategy and select objectives.

Figure 6: Enterprise Risk Management Program

Enterprise Risk Management

Strategic Decisions (OMB A-11):

-Mission/Vision, Performance Goal Setting/Metrics, Objective Setting, Establish Risk Thresholds

Budget Decisions (OMB A-11):

-Policy, President's Budget, Congressional Justification

Program Management (OMB A-11):

-Cross Agency Priority Goals, Agency Priority Goals, Agency Program Reviews

CXO Operations Support (OMB A-123):

-Operational Control Objectives, Report Control Objectives, Compliance Control Objectives, Risk Assessments

Source: CFO Playbook: Enterprise Risk Management for the U.S. Federal Government.

[End of Figure 6]

OMB urges agencies to adopt an enterprise-wide view of ERM—a “big picture” perspective—thus synthesizing the management of risks into the very fabric of the organization; it should not be viewed in “silos” among different divisions or offices. As shown in Figure 6, ERM should integrate risk management into the agency’s processes for budgeting, including strategic planning, performance planning, and performance reporting practices.

The Federal Reserve Board and Bureau OIG found that the Federal Reserve Board has a complex governance system that creates challenges for the Governors to effectively carry out their roles and responsibilities and to have an enterprise-wide view of the management of certain administrative functions. For example, the Federal Reserve Board and Bureau OIG noted that Federal Reserve Board guidance does not set clear expectations for communication among Governors and between Governors and Division Directors. Such communication challenges may result in the Federal Reserve Board Governors being unaware of certain activities, and Board officials missing opportunities to leverage the Governors’ knowledge and experience. In addition, the decentralization of information technology among Divisions does not allow for a complete view of IT security risks and impedes the ability to have an effective information security program. Additionally, the Federal Reserve Board Chief Human Capital Officer has had difficulty implementing enterprise-wide succession planning.

Similarly, the FDIC OIG identified challenges in the FDIC’s implementation of its ERM program. Although the FDIC began ERM implementation efforts in 2010, the FDIC currently does not have an enterprise-wide and integrated approach to identifying, assessing, and addressing the full spectrum of internal and external risks. As a result, the FDIC faces difficulties integrating risk into its budget, strategic planning, performance reporting, and internal controls. In addition, FDIC Divisions and Offices are not able to evaluate risk determinations in the context of the agency’s overall risk levels, tolerance, and profile. For example, the FDIC could not be sure that its resources were being allocated toward addressing the most significant risks in achieving strategic objectives.

Ensuring Effective Internal Controls

As described by the GAO, “a key factor in improving accountability in achieving an entity’s mission is to implement an effective internal control system. An effective internal control system helps an entity adapt to shifting environments, evolving demands, changing risks, and new priorities.”63 OMB Circular A-123 emphasizes the need for agencies to coordinate risk management and strong and effective internal controls into existing business activities as an integral part of governing and managing an agency.

Footnote 63: U.S. Government Accountability Office, Standards for Internal Control in the Federal Government, GAO-14-704G, (September 2014). [End of footnote]

HUD OIG noted HUD’s continuing struggle with effective oversight controls to monitor operations and programs. HUD faces challenges to effectively manage its programs that distribute about $48.2 billion annually to state and local government, organizations, and individuals through grants, subsidies, and other payments. For example, in 2018, HUD OIG reports identified more than $1.3 billion in ineligible, unsupported, unnecessary, or unreasonable costs. HUD OIG also noted that HUD’s lack of compliance with the GAO’s internal control standards has deprived HUD management of an important monitoring tool that can provide feedback on the effectiveness and efficiency of departmental operations.

FHFA OIG identified that internal control systems at Fannie Mae and Freddie Mac, which are under government conservatorship, fail to provide directors with accurate, timely, and sufficient information to enable them to exercise their oversight duties that are delegated to them by FHFA as conservator. Further, the FHFA OIG found that leadership changes in 2018 and 2019 may lead to a lack of attention to internal controls.

Governance is an important tool for Financial-Sector Regulatory Organizations to ensure that they fulfill their missions and responsibilities to citizens and taxpayers. ERM and internal control programs synthesize the management of Financial-Sector Regulatory Organizations’ risks into an organization’s culture, so that these risks may be considered and incorporated into budget, strategic planning, performance reporting, and internal controls for the agency as a whole.

[End of CHALLENGE 5 STRENGTHENING AGENCY GOVERNANCE]

CHALLENGE 6 MANAGING HUMAN CAPITAL

Financial-Sector Regulatory Organizations rely on the skills of over 117,000 employees to ensure the safety and soundness of the U.S. financial system.64 In March 2019, the GAO recognized strategic human capital management as a continuing Government-wide area of high risk.65 The GAO noted the need for Federal agencies to “measure and address existing mission-critical skills gaps, and use workforce analytics to predict and mitigate future gaps so agencies can effectively carry out their missions.”66

Footnote 64: CIGFO Working Group analysis of OPM Fedscope data as of March 2018 available at https://www.fedscope.opm.gov. [End of footnote]

Footnote 65: U.S. Government Accountability Office, High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March 2019). [End of footnote]

Footnote 66: U.S. Government Accountability Office, High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March 2019). [End of footnote]

Succession Planning to Fill Leadership Gaps

Government-wide retirement eligibility in 2022 is estimated to be 31.6 percent of all permanent Federal employees.67 According to the GAO, retirements could cause gaps in leadership and institutional knowledge and exacerbate existing skill gaps. According to the Office of Personnel Management (OPM), succession planning for such retirements forms an integral part of workforce planning and helps ensure an ongoing supply of qualified staff to fill leadership and other key positions.68 Specifically, OPM requires that the head of each agency, in consultation with OPM, develop a comprehensive management succession program, based on the agency's workforce succession plans, to fill agency supervisory and managerial positions. Agency succession programs should be supported by employee training and development programs.

Footnote 67: U.S. Government Accountability Office, High-Risk Series: Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March 2019). [End of footnote]

Footnote 68: 5 C.F.R. Part 412. [End of footnote]

The Federal Reserve Board and Bureau OIG cited potential leadership and skills gaps as a result of a projected increase in numbers of Federal Reserve Board employees becoming eligible for retirement. Similarly, the FDIC OIG found that the percentage of FDIC employees eligible to retire more than doubles (2.3 times) over the next 5 years, increasing from 18 percent in 2018 to 42 percent in 2023. Further, the FDIC OIG identified potential leadership gaps resulting from the retirement eligibility of 66 percent of the Executive Management employees and another 57 percent of Managers between 2018 and 2022.

HUD OIG also identified that leadership gaps have affected HUD’s management of its programs and operations. Specifically, constant turnover and extended vacancies in HUD’s most important political and career executive positions led to poor management decisions and questionable execution of internal business functions. The SEC OIG also noted that, although the agency’s multi-year strategic plan identified the need to strengthen human capital management, the SEC lacked a formal succession plan.

Skills Gap Identification and Mitigation

OPM’s Human Capital Framework requires that agencies use comprehensive data analytic methods to monitor and address skills gaps and develop gap closure strategies.69 CIGFO members identified challenges in the identification and mitigation of agency skill set gaps, especially in response to new technologies. The Federal Reserve Board and Bureau OIG found that the Federal Reserve Board remains challenged to identify a diverse workforce with the necessary technical, managerial, and leadership skills. Continually evolving workforce expectations and a highly competitive environment for individuals with specialized skills present challenges for the Federal Reserve Board. The FDIC OIG found that the FDIC was challenged to ensure that examination staff skill sets kept pace with the increasing complexity and sophistication of IT environments at banks as well as the introduction of new financial technology. The FDIC OIG also identified examiner skill set imbalances among FDIC regional offices. As a result, senior examiners may be required to travel more frequently in order to supervise less experienced staff and sign reports of examination.

Footnote 69: See OPM Human Capital Framework Structure and SEC OIG, The SEC Made Progress But Work Remains to Address Human Capital Management Challenges and Align With the Human Capital Framework (September 11, 2018), Report No. 549. [End of footnote]

The Federal Reserve Board and Bureau OIG stated that to address vacancies in the Bureau’s workforce, the agency is reallocating staff resources through reassignments or detail opportunities. However, some of these vacancies are for highly specialized skillsets, and the Bureau may face challenges in identifying the necessary skillsets in its current workforce. The SEC OIG found that, although the SEC began a skill set assessment project in 2016, the SEC was delayed in implementing the project. Specifically, as of July 2018, the SEC had not completed competency assessment surveys or similar reviews to identify and close skill gaps within SEC divisions, offices, and regional offices.

Financial-Sector Regulatory Organizations’ workforce plays a vital role in ensuring mission success. Mission success is contingent on each organization’s management of human capital activities – workforce planning, recruitment, on-boarding, compensation, engagement, succession planning, and retirement programs – to allow for proactive responses to anticipated changes and maximize human capital efficiency and effectiveness.

[End of CHALLENGE 6 MANAGING HUMAN CAPITAL]

CHALLENGE 7 IMPROVING CONTRACT AND GRANT MANAGEMENT

The Administration recognized the importance of improving Federal Government acquisitions in finding that such acquisitions “often fail to achieve their goals because many Federal managers lack the program management and acquisition skills to successfully manage and integrate large and complex acquisitions into their projects.”70 In addition, the GAO found that Government contracting officials were carrying heavier workloads, and thus, it was more difficult for these officials to oversee complex contracts and ensure that contractors adhered to contract terms.

Footnote 70: The President’s Management Agenda: Modernizing Government for the 21st Century. [End of footnote]

Grants are an important policy tool to provide funding to state and local governments, and nongovernmental entities for national priorities. According to the GAO, effective oversight and internal control is important to provide reasonable assurance to Federal managers and taxpayers that grants are awarded properly, grant recipients are eligible, and grants are used as intended according to laws and regulations.71

Footnote 71: U.S. Government Accountability Office, Grants Management: Observations on Challenges and Opportunities for Reform, GAO-18-676T (July 25, 2018). [End of footnote]

Strengthening Contract Oversight

According to the GAO’s Framework for Assessing the Acquisition Function at Federal Agencies, agencies should effectively manage their acquisitions process in order to ensure that contract requirements are defined clearly and all aspects of contracts are fulfilled.72 Agencies must properly oversee contractor performance and identify any deficiencies.

Footnote 72: U.S. Government Accountability Office, Framework for Assessing the Acquisition Function at Federal Agencies, GAO-05-218G (September 2005). [End of footnote]

The Special Inspector General for the Troubled Asset Relief Program (SIGTARP) identified challenges to the Treasury Department’s oversight of Troubled Asset Relief Program (TARP) funds. Over 150 banks or other institutions have or can receive $23 billion through agreements entered under the Making Home Affordable Program (MHA Program). The MHA Program pays TARP dollars when banks and institutions comply with rules and guidelines to modify mortgages to help struggling homeowners. SIGTARP found that, despite enforcement actions against and other wrongdoing by many financial institutions, the Treasury Department is significantly scaling back on MHA Program compliance reviews.

HUD OIG identified challenges with HUD’s oversight of IT procurement. According to HUD’s Chief Procurement Officer, fewer than five people were adequately trained and possessed the expertise to manage IT projects and contracts. HUD lacked well-documented and fully developed selection processes to ensure consistent application of selection criteria used for applicants for contracts. In addition, HUD did not have robust processes for contractor oversight and evaluating contractor performance against expected outcomes to ensure that its contractors met their obligations.

According to the FDIC OIG, the FDIC relies heavily on contractors for support of its mission, especially for IT and administrative support services. The FDIC OIG identified a number of contract challenges at the FDIC, including defining contract requirements, coordination between contracting and program office personnel, and establishing implementation milestones. For example, FDIC personnel did not fully understand and communicate the requirements to transition a nearly $25 million data management services contract from one contractor to another.

The Federal Reserve Board and Bureau OIG identified that the Bureau needed to strengthen controls for contract financing and management. Specifically, for one of its largest contracts, the Bureau did not comply with the Federal Acquisition Regulation requirements concerning contract financing requirements and documenting annual blanket purchase agreement reviews. Additionally, Bureau staff did not verify contractor expenses by obtaining and reviewing supporting source documents. The Federal Reserve Board and Bureau OIG also noted contracting challenges for the Federal Reserve Board’s oversight of physical infrastructure changes. The Federal Reserve Board encountered significant delays, scope changes, and cost increases for renovations to its William McChesney Martin, Jr. building.

The SEC OIG identified challenges with the SEC’s management and oversight of contracts. For example, the SEC OIG found that contract oversight personnel did not enforce contract requirements for experts performing work for the SEC. Further, contract oversight personnel had limited first-hand knowledge of the sufficiency of contract deliverables and therefore could not determine whether the invoices accurately reflected work performed.

Improving Grant Management

Grants are typically categorized as (1) categorical grants – which restrict funds to narrow, specific activities; (2) block grants – which are less restrictive funding for broader categories of activities; and (3) general purpose grants – which allow the greatest amount of discretion to be used for government purposes. Oversight and internal control of grants are important to ensure grants are used by eligible participants for allowable purposes.

SIGTARP identified challenges with the Treasury Department’s oversight of TARP expenses charged by state housing finance agencies to administer the Hardest Hit Fund (HHF), a grant-like program. The Treasury Department’s $9.6 billion for HHF provides funding to state housing finance agencies to assist unemployed homeowners and individuals whose mortgages are greater than their current home’s value. SIGTARP has issued several reports on Treasury’s lack of oversight for grantees. Between 2016 and 2017, SIGTARP identified $11 million in wasteful, abusive, and unnecessary funding by states for items such as gym memberships, parties, and country club events. Further, SIGTARP reported that there is no Federal requirement for states to use competition when spending funds on fees for consultants, accountants, and lawyers.

HUD OIG reported that HUD continues to struggle with effective program management of the nearly $50 billion in Federal funds that HUD passes to state and local governments, organizations, and individuals in the form of grants, subsidies, and other payments. Approximately 16 percent of HUD’s annual appropriations are provided as grants through the Office of Community Planning and Development. HUD OIG identified that 21 of its audits performed from 2014 to 2017 found that there was little or no monitoring of grantees. As a result, HUD did not have assurances that it correctly identified high-risk grantees or conducted adequate monitoring to mitigate risks.

Financial-Sector Regulatory Organizations rely on contracts and grants to perform their respective missions. Strong oversight and controls over contract and grant processes are critical to ensure proper stewardship over taxpayer funds.

[End of CHALLENGE 7 IMPROVING CONTRACT AND GRANT MANAGEMENT]

CONCLUSION

This is the second report developed by CIGFO members to identify cross-cutting Challenges faced by Financial-Sector Regulatory Organizations. In this report, we continue to emphasize to policy makers the importance of considering a whole-of-Government approach to coordination and information sharing to address these Challenges.

Consistent with the mission of Inspectors General, this report helps inform the public by providing them with information about the important Challenges facing the financial sector to which most of the public is directly connected through bank or credit union accounts and mortgages. This report also informs CIGFO members in their identification of future Challenges and collaboration on reviews addressing cross-cutting Challenges facing the financial sector.

APPENDIX 1 ABBREVIATIONS AND ACRONYMS

Bureau - Bureau of Consumer Financial Protection

CFTC - Commodity Futures Trading Commission

Challenges - The CIGFO Top Management and Performance Challenges identified in this report.

CIGFO - Council of Inspectors General on Financial Oversight

CISA - Cybersecurity and Infrastructure Security Agency

DHS - Department of Homeland Security

Dodd-Frank Act - The Dodd-Frank Wall Street Reform and Consumer Protection Act

ERM - Enterprise Risk Management

FBI - Federal Bureau of Investigation

FDIC - Federal Deposit Insurance Corporation

Federal Reserve Board - Board of Governors of the Federal Reserve System

FEMA - Federal Emergency Management Agency

FFIEC - Federal Financial Institutions Examination Council

FHFA - Federal Housing Finance Agency

Financial-Sector Regulatory Organizations - Federal Departments and Agencies overseen by CIGFO Inspectors General.

FISMA - Federal Information Security Modernization Act of 2014

FSB - Financial Stability Board

FS-ISAC - Financial Services Information Sharing and Analysis Center

FSOC - Financial Stability Oversight Council

GAO - U.S. Government Accountability Office

HHF - Hardest Hit Fund

HUD - Department of Housing and Urban Development

IT - Information Technology

MHA Program - Making Home Affordable Program

NCUA - National Credit Union Administration

NIST - National Institute of Standards and Technology

OCC - Office of the Comptroller of the Currency

OIG - Office of Inspector General

OMB - Office of Management and Budget

OPM - Office of Personnel Management

SEC - Securities and Exchange Commission

SIGTARP - Special Inspector General for the Troubled Asset Relief Program

TMPC - Top Management and Performance Challenges

Treasury Department - Department of the Treasury

TSP - Technology Service Provider

[End of APPENDIX 1 ABBREVIATIONS AND ACRONYMS]

APPENDIX 2 METHODOLOGY

Department of the Treasury, link - https://www.treasury.gov/about/organizational-structure/ig/Agency%20Documents/OIG-CA-19-004.pdf

Federal Deposit Insurance Corporation, link - https://www.fdicoig.gov/report-release/top-management-and-performance-challenges-facing-federal-deposit-insurance

Commodity Futures Trading Commission, link - https://www.cftc.gov/sites/default/files/2018-10/oigmgmtchal082718.pdf

Bureau of Consumer Financial Protection, link - https://oig.federalreserve.gov/reports/bureau-major-management-challenges-sep2018.pdf

Department of Housing and Urban Development, link - https://www.hudoig.gov/sites/default/files/2018-11/TMC%20-%20FY%202019.pdf

Board of Governors of the Federal Reserve System, link - https://oig.federalreserve.gov/reports/board-major-management-challenges-sep2018.pdf

Federal Housing Finance Agency, link - https://www.fhfaoig.gov/Content/Files/FY2019%20Management%20and%20Performance%20Challenges%20Facing%20FHFA_0.pdf

National Credit Union Administration, link - https://www.ncua.gov/files/annual-reports/annual-report-2018.pdf

Securities and Exchange Commission, link - https://www.sec.gov/Inspector-Generals-Statement-on-the-SECs-Mgt-and-Performance-Challenges-Oct-2018.pdf

Special Inspector General for the Troubled Asset Relief Program, link - https://www.sigtarp.gov/Pages/Reports-Testimony-Home.aspx

Footnote 73: The Special Inspector General for the Troubled Asset Relief Program issues to the Treasury Department and has published its assessment of the most serious management and performance challenges and threats facing the Government in TARP in its Quarterly Report to Congress since October 2017. [End of footnote]

[End of APPENDIX 2 METHODOLOGY]

CIGFO Audit of the Financial Stability Oversight Council’s Monitoring of International Financial Regulatory Proposals and Developments

May 2019

CIGFO-2019-01

[CIGFO member OIG agency seals]

Table of Contents

Transmittal Letter

Executive Summary

CIGFO Working Group Audit

Background

Audit Approach

FSOC’s Activities to Monitor International Financial Regulatory Proposals and Developments

FSOC Members Consider the Monitoring Process Adequate

Conclusion

Appendices

Appendix I: Objective, Scope, and Methodology

Appendix II: Prior CIGFO Reports

Appendix III: FSOC Response

Appendix IV: CIGFO Working Group

[End of Table of Contents]

Abbreviations

CIGFO - Council of Inspectors General on Financial Oversight

Dodd-Frank Act - Dodd-Frank Wall Street Reform and Consumer Protection Act

FSB - Financial Stability Board

FSOC or Council - Financial Stability Oversight Council

IOSCO - International Organization of Securities Commissions

LIBOR - London Interbank Offered Rate

RRC - Regulation and Resolution Committee

SRC - Systemic Risk Committee

Treasury - Department of the Treasury

[End of Abbreviations]

Message from the Chair

Dear Mr. Chairman:

I am pleased to present you with the Council of Inspectors General on Financial Oversight (CIGFO) report titled, Audit of the Financial Stability Oversight Council’s Monitoring of International Financial Regulatory Proposals and Developments.

One of the statutory duties of the Financial Stability Oversight Council (FSOC) is to monitor domestic and international financial regulatory proposals and developments, including insurance and accounting issues, and to advise Congress and make recommendations in such areas that will enhance the integrity, efficiency, competitiveness, and stability of the U.S. financial markets.

FSOC’s monitoring of international financial regulatory proposals and developments is conducted in the context of FSOC’s statutory purposes, which focuses on developments that could pose risks to the stability of the U.S. financial system.

CIGFO convened a Working Group to assess FSOC’s monitoring of international financial regulatory proposals and developments. In this resulting audit report, we concluded that FSOC has a process for monitoring international financial regulatory proposals and developments. All FSOC members or member representatives who offered an opinion described FSOC’s monitoring process as adequate. Although described as adequate, several FSOC members or representatives offered suggestions for enhancing the process. We encourage FSOC to consider incorporating into its process the suggestions made by its members to the extent the suggestions are consistent with FSOC’s focus on identifying and addressing threats to the stability of the U.S. financial system. We are not making any recommendations to FSOC as a result of this audit.

I would like to take this opportunity to thank the FSOC members for their support, especially those Department of the Treasury officials who assisted with this effort.

CIGFO looks forward to working with you on this and other issues. In accordance with the Dodd-Frank Wall Street Reform and Consumer Protection Act, CIGFO is also providing this report to Congress.

Sincerely,

/s/

Eric M. Thorson

Chair, Council of Inspectors General on Financial Oversight

[End of Message from the Chair]

Executive Summary

Why and How We Conducted this Audit

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)1 created regulatory and resolution frameworks designed to reduce the likelihood, and severe economic consequences, of financial instability. The Dodd-Frank Act established the Financial Stability Oversight Council (FSOC or Council) and charged it with identifying risks to the nation’s financial stability, promoting market discipline, and responding to emerging threats to the stability of the nation’s financial system. Among other duties, Title I of the Dodd-Frank Act requires FSOC to monitor domestic and international financial regulatory proposals and developments, including insurance and accounting issues, and to advise Congress and make recommendations in such areas that will enhance the integrity, efficiency, competitiveness, and stability of the U.S. financial markets.

The Dodd-Frank Act also created the Council of Inspectors General on Financial Oversight (CIGFO), whose members include the Inspectors General with oversight authority for the majority of FSOC’s member agencies. The Dodd-Frank Act authorizes CIGFO to convene a Working Group of its members to evaluate the effectiveness and internal operations of FSOC. In December 2017, CIGFO convened a Working Group to conduct an audit to assess FSOC’s monitoring of international financial regulatory proposals and developments for the period of January 2016 to January 2018.2 The Working Group was led by the Department of the Treasury’s (Treasury) Office of Inspector General, whose Inspector General is the Chair of CIGFO.

To accomplish the audit objective, the Working Group reviewed the Dodd-Frank Act to determine FSOC’s statutory purposes and duties. It reviewed FSOC’s governance documents, annual reports, meeting minutes, and committee meeting agendas. It also interviewed staff from the FSOC Secretariat at Treasury as well as interviewed or received responses from FSOC members and member agency representatives to develop a better understanding of FSOC’s monitoring of international financial regulatory proposals and developments. The Working Group conducted fieldwork from February 2018 through June 2018. Appendix I provides additional details about the objective, scope, and methodology of this audit.

Footnote 1: Public Law No. 111-203, enacted July 21, 2010. [End of footnote]

Footnote 2: See Appendix IV for a listing of Working Group members. [End of footnote]

What We Learned

FSOC monitors international financial regulatory proposals and developments in several ways. First, FSOC develops and publishes an annual report, which describes important international financial regulatory proposals and developments, identifies emerging threats to U.S. financial stability, and can include recommendations related to these issues. FSOC also follows up on the issues, threats, and recommendations identified in its annual report. Second, FSOC members periodically discuss international topics at their meetings, and are given presentations by experts from relevant member agencies. Third, the staffs of FSOC member agencies share information on these topics in FSOC’s staff-level committees, primarily the Systemic Risk Committee (SRC). Finally, some FSOC member agencies have their own international engagement, which can inform their participation in FSOC meetings.

FSOC members and FSOC member agency representatives expressed their overall satisfaction with FSOC’s monitoring of international activities and proposals, and believed that the process was adequate. Several FSOC members offered suggestions for process enhancements which are included on pages 8 and 9 of this report. We encourage FSOC to consider incorporating the suggestions made by these members into its processes to the extent the suggestions are consistent with FSOC’s purposes of identifying risks to U.S. financial stability, promoting market discipline, and responding to emerging threats to the stability of the U.S. financial system. We are not making any recommendations to FSOC as a result of our audit.

FSOC Response

In a written response, Treasury, on behalf of the FSOC Chairperson, acknowledged the findings and conclusions in this report. The response stated that the suggestions made by several FSOC members to further enhance the Council’s work will be considered. The response is provided as Appendix III.

[End of Executive Summary]

CIGFO Working Group Audit

This report presents the results of the CIGFO Working Group’s audit of FSOC’s monitoring of international financial regulatory proposals and developments. CIGFO is issuing this report to FSOC and Congress as part of CIGFO’s responsibility to oversee FSOC under the Dodd-Frank Act. See Appendix II for a listing of previous CIGFO reports.

Background

The Dodd-Frank Act established FSOC to create joint accountability for identifying and mitigating potential threats to the stability of the nation’s financial system. By creating FSOC, Congress recognized that protecting financial stability would require the collective engagement of the entire financial regulatory community. As shown in Figure 1, the Council consists of 10 voting members and 5 non-voting members and brings together the expertise of federal financial regulators; state regulators; an insurance expert appointed by the President, by and with the advice and consent of the Senate; and others.3 The voting members of FSOC provide a federal financial regulatory perspective as well as an independent insurance expert’s view. The non-voting members offer different insights as state-level representatives from bank, securities, and insurance regulators or as the directors of offices within Treasury — the Office of Financial Research and the Federal Insurance Office, established in Titles I and V of the Dodd-Frank Act, respectively. Within Treasury, a dedicated policy office of Treasury staff, led by a Deputy Assistant Secretary, functions as the FSOC Secretariat and assists in coordinating the work of the Council among its members and member agencies.

The statutory purposes of FSOC are to:

• identify risks to the financial stability of the U.S. that could arise from the material financial distress or failure, or ongoing activities, of large, interconnected bank holding companies or nonbank financial companies, or that could arise outside the financial services marketplace;

Figure 1: FSOC Council Membership

Federal and Independent Members

• Secretary of the Treasury, Chairperson (v)

• Chairman of the Board of Governors of the Federal Reserve System (v)

• Comptroller of the Currency (v)

• Director of the Bureau of Consumer Financial Protection (v)

• Chairman of the Securities and Exchange Commission (v)

• Chairperson of the Federal Deposit Insurance Corporation (v)

• Chairman of the Commodity Futures Trading Commission (v)

• Director of the Federal Housing Finance Agency (v)

• Chairman of the National Credit Union Administration Board (v)

• Director of the Office of Financial Research

• Director of the Federal Insurance Office

• Independent member with insurance expertise (v)

State Members

• State Insurance Commissioner

• State Banking Supervisor

• State Securities Commissioner

[End of Figure 1: FSOC Council Membership]

• promote market discipline, by eliminating expectations on the part of shareholders, creditors, and counterparties of such companies that the Government will shield them from losses in the event of failure; and

• respond to emerging threats to the stability of the U.S. financial system.4

Footnote 4: 12 U.S.C. 5322(a)(1). [End of footnote]

Audit Approach

Our audit objective was to assess FSOC’s monitoring of international financial regulatory proposals and developments. Our audit scope focused on FSOC’s efforts to monitor international activities over a 2-year period, January 2016 through January 2018. To accomplish our objective, participating Offices of Inspector General collected information from FSOC members and/or FSOC member representatives, through interviews or self-reporting guided by a questionnaire developed by the CIGFO Working Group, regarding their perspectives on FSOC’s efforts to monitor international financial regulatory proposals and developments. In addition, we interviewed officials of the FSOC Secretariat and reviewed FSOC annual reports and laws applicable to FSOC’s authority to monitor international financial regulatory proposals and developments. We conducted our audit fieldwork from February 2018 through June 2018.

FSOC’s Activities To Monitor International Financial Regulatory Proposals And Developments

The Dodd-Frank Act provides that FSOC has the duty to monitor international financial regulatory proposals and developments, including insurance and accounting issues, and to advise Congress and make recommendations in such areas that will enhance the integrity, efficiency, competitiveness, and stability of the U.S. financial markets. FSOC’s monitoring of international financial regulatory proposals and developments is conducted in the context of FSOC’s statutory purposes, which focus on developments that could pose risks to the stability of the U.S. financial system.

The Dodd-Frank Act does not establish specific guidelines or expectations for how FSOC is to fulfill its duty to monitor international financial regulatory proposals and developments. Accordingly, the CIGFO Working Group developed a methodology for reviewing FSOC’s activities in this regard.

Through our interviews with the FSOC Secretariat and FSOC members and/or representatives and their responses to the questionnaire developed by the CIGFO Working Group, we learned that FSOC monitors these activities in several ways: (1) periodic discussion of international topics at the FSOC principals’5 meetings, including presentations by experts from relevant member agencies; (2) information sharing at FSOC committee-level meetings; and (3) the development and publishing of its annual reports, which describe important international proposals and developments, identify potential emerging threats to U.S. financial stability, and may include recommendations related to these issues. In addition, some member agencies have their own international engagement, which can inform their participation in FSOC meetings.

FSOC Principals and FSOC Committee Meetings

FSOC has a statutory duty to facilitate information sharing and coordination among its member agencies and other Federal and State agencies.6 Through this role, FSOC works to address gaps and weaknesses within the regulatory structure that could pose risks to U.S. financial stability, and to promote a safer and more stable financial system. FSOC exercises its convening authority both through meetings of FSOC members and through its staff-level committee structure. We noted that the principals held 17 meetings during the audit period and international topics were discussed at 10 of those meetings.

Footnote 5: Principals are FSOC members, most of whom are heads of federal or state financial regulatory agencies. [End of footnote]

Footnote 6: 12 U.S.C. 5322(a)(2)(E). [End of footnote]

FSOC operates under a committee structure to promote shared responsibility among its members and member agencies and to leverage the expertise that already exists at each agency. These committees consist of senior or staff level representatives from each of the FSOC members. We identified two primary committees that support the Council’s monitoring of international activities, FSOC’s Regulation and Resolution Committee (RRC) and FSOC’s SRC. The RRC is tasked with identifying potential gaps in regulation that could pose risks to U.S. financial stability, and the SRC is tasked with identifying risks and responding to emerging threats to the stability of the U.S. financial system. During the audit period, the RRC held nine meetings to discuss topics that were regulatory in nature. We were told by an FSOC Secretariat official that most of the topics had international aspects. Additionally, the SRC held 10 meetings during the audit period to receive briefings from FSOC member agencies on a range of international topics that had a bearing or potential bearing on financial stability and to discuss the issues raised.

Topics discussed during SRC and RRC meetings included: European political and market developments, the United Kingdom referendum to leave the European Union (known as Brexit), Basel standards, the European banking sector (including Greece), China’s economy and potential spillover risks, virtual currency, the London Interbank Offered Rate (LIBOR), central counterparty supervisory stress tests, and qualified financial contracts. We determined that many topics discussed at the committee meetings were raised with the Council and were included, as appropriate, in FSOC’s annual report.

Most FSOC members and/or representatives that we interviewed or coordinated with noted that the SRC is FSOC’s primary mechanism to monitor international financial regulatory proposals and developments. The SRC serves as a forum for FSOC members and member agencies to identify, discuss, and analyze potential risks to U.S. financial stability, which may extend beyond the jurisdiction of a single agency.

Representatives from one member agency stated that proposals and developments monitored by these committees are shared with the Deputies Committee,7 sometimes as part of a committee meeting readout, and sometimes as a standalone presentation. Representatives from another member agency stated that when there is an international financial regulatory proposal or development of concern from a financial stability perspective, the Deputies Committee and/or the Council receive briefings from relevant experts from FSOC member agencies to inform them about the topic.

Footnote 7: The members of the Deputies Committee are senior officials from each of the member agencies. This committee coordinates and oversees the work of the other interagency staff committees. [End of footnote]

In addition, several FSOC members and/or representatives stated that FSOC focuses more on domestic activities than those of an international nature due to the greater potential influence of domestic developments on U.S. financial stability. For example, representatives from one member agency stated that FSOC member agencies that are the lead on domestic regulatory proposals and developments with financial stability implications are available to brief FSOC members and/or its committees. Despite the emphasis on domestic developments, briefings on international financial regulatory proposals and developments are provided by FSOC member experts.

Annual Reporting

The Dodd-Frank Act requires FSOC to report to Congress annually about: (1) its activities; (2) significant financial market and regulatory developments; (3) potential emerging threats to the financial stability of the United States; and (4) recommendations to: (i) enhance the integrity, efficiency, competitiveness, and stability of U.S. financial markets; (ii) promote market discipline; and (iii) maintain investor confidence, among other things. Consistent with this charge, we found that FSOC’s annual reports described the activities of the Council and its subcommittees, including international financial regulatory proposals and developments. Most of the FSOC members and/or representatives we interviewed or coordinated with told us that FSOC monitors international financial regulatory proposals and developments through its annual reporting process. Specifically, many FSOC members and/or representatives participate in FSOC’s annual report drafting process, which serves as an opportunity for participating members and member agencies to discuss and provide input about international activities.

FSOC has made no recommendations related to international financial regulatory proposals and developments in its annual reports, which FSOC has issued to Congress each year since its inception in 2010. An FSOC Secretariat official told us that should the Council identify a need to make a recommendation related to an international regulatory proposal or development, it would likely accomplish this through its annual report.

Individual Member Agencies’ Efforts

Some FSOC member agencies independently monitor international activities within their agencies’ purview and hold discussions with foreign counterparts. The knowledge these member agencies gain from these activities can be shared among each other and at FSOC meetings. Examples of agencies’ independent activities include: participation in working groups and committees of the Financial Stability Board (FSB) and other international organizations,8 and information sharing with agencies’ international affairs offices. For example, Treasury participates in the FSB. The Securities and Exchange Commission is active in monitoring international activities and regulatory developments through a variety of methods, including participation in international financial regulatory organizations of which it is a member (e.g., FSB, International Organization of Securities Commissions (IOSCO) and working groups thereof), and direct engagement with foreign counterparts that are market regulators. The Commodity Futures Trading Commission conducts its own monitoring of international financial regulatory proposals through its membership in the IOSCO, the Over-The-Counter Derivatives Regulators Group, and as an invited guest to working groups and committees of the FSB. The Federal Deposit Insurance Corporation participates in international standard-setting bodies and engages in its own discussions with international supervisors and regulators. The Board of Governors of the Federal Reserve System monitors international financial developments consistent with its mandate. For example, the Federal Reserve Board’s Division of International Finance conducts research, analyzes policies, and reports in the areas of foreign economic activity, U.S. external trade and capital flows, and developments in international financial markets and institutions.

FSOC Secretariat officials told us that FSOC seeks to avoid duplication or overlap with its member agencies’ individual efforts in monitoring international developments.

Footnote 8: The FSB was established in April 2009 and serves as an international body that monitors and makes recommendations about the global financial system. The U.S. member institutions on the Board are the Board of Governors of the Federal Reserve System, the U.S. Securities and Exchange Commission, and Treasury. Additional background is available online at www.fsb.org. [End of footnote]

FSOC MEMBERS CONSIDER THE MONITORING PROCESS ADEQUATE

All FSOC members and/or representatives who provided views on this issue described FSOC’s monitoring of international financial regulatory proposals and developments as adequate since FSOC’s monitoring process accomplishes its intended purpose, which is to keep abreast of international issues that may pose risks to the U.S. financial system and raise awareness of those issues. We note that as a practical matter, FSOC does not have decision making authority over international financial regulatory proposals or developments.

A couple of members suggested that FSOC could enhance its monitoring process by incorporating additional or more focused briefings at its principals and committee meetings. One of these members suggested that FSOC’s RRC could receive periodic updates on key international regulatory proposals being considered in various financial sectors while the SRC could receive periodic updates on international market developments. That member also suggested that it would be appropriate for the Nonbank Financial Companies Designations Committee (Nonbank Designations Committee)9 to receive updates regarding the global systemically important insurers’10 process and/or activities-based approach being discussed at the International Association of Insurance Supervisors.11 In addition, the member stated that it would make sense for the principals to receive briefings regarding the most significant proposals and market developments to the extent that those proposals and developments may impact U.S. financial stability.

Footnote 9: The Nonbank Designations Committee supports FSOC in fulfilling its responsibilities to consider, make, and review determinations that nonbank financial companies shall be supervised by the Board of Governors of the Federal Reserve System and be subject to enhanced prudential standards, pursuant to the Dodd-Frank Act. [End of footnote]

Footnote 10: Insurers identified by the FSB as those whose distress or disorderly failure, because of their size, complexity, and interconnectedness, would cause significant disruption to the global financial system and economic activity. [End of footnote]

Another member suggested that agencies who participate in international regulatory coordination and standard-setting bodies could make a greater effort to regularly present to the SRC, RRC, or other FSOC committees about their coordination efforts with international regulatory authorities, as appropriate. The member suggested FSOC should make a greater effort to cover, in committee meetings, the risks posed to systemically important foreign financial institutions by domestic and international financial regulatory proposals and developments. According to that member, international topics covered by the SRC are generally related to international economic or political developments as opposed to international financial regulatory developments. This member suggested that FSOC could make a greater effort to connect emerging international risks to international financial regulatory proposals intended to mitigate those risks. Additionally, this member stated that greater effort could be made by the SRC to cover international developments and proposals discussed in FSOC’s annual report.

Additionally, representatives from one FSOC member agency stated that FSOC does not need to get involved in areas where regulators already exist and should continue monitoring areas such as risks related to LIBOR, European debt, and the Chinese shadow banking system, where there is no lead U.S. financial regulatory agency.

Footnote 11: Established in 1994, the International Association of Insurance Supervisors is the international standard-setting body responsible for developing principles, standards, and other supporting material for the supervision of the insurance sector and assisting in their implementation. [End of footnote]

CONCLUSION

We determined that FSOC has a process for monitoring international financial regulatory proposals and developments. FSOC’s monitoring is evidenced by the discussion of international topics at FSOC principals’ meetings, information sharing at FSOC committee-level meetings, and the development and publishing of its annual report.

All FSOC members or member representatives who offered an opinion described FSOC’s process to monitor international financial regulatory proposals and developments as adequate. Although they described FSOC’s monitoring process as adequate, several members and/or representatives offered suggestions for enhancing the process which included, but were not limited to: (1) asking member agencies who participate in international regulatory coordination, as well as standard-setting bodies, to regularly present to FSOC’s committees on coordination efforts with international regulatory authorities; (2) making a greater effort to cover the risks posed to systemically important foreign financial institutions by domestic and international financial regulatory proposals and developments; (3) separating the types of periodic updates received by the SRC and RRC—specifically, international market updates versus international financial regulatory proposals, respectively; (4) receiving briefings at principals’ meetings regarding the most significant international financial regulatory proposals and market developments to the extent that those activities may impact U.S. financial stability; and (5) continuing FSOC’s monitoring efforts in areas where no lead financial regulatory agency exists.

We encourage FSOC to consider incorporating into its process the suggestions made by its members to the extent the suggestions are consistent with FSOC’s focus on identifying and addressing threats to the stability of the U.S. financial system. We are not making any recommendations to FSOC as a result of our audit.

FSOC Response

In a written response, Treasury, on behalf of the FSOC Chairperson, acknowledged its monitoring of international financial regulatory proposals and developments as outlined in this report. The response stated that the suggestions made by several FSOC members to further enhance the Council’s work will be considered.

Appendix I: Objective, Scope, and Methodology

Objective

The audit objective was to assess the Financial Stability Oversight Council’s (FSOC) monitoring of international financial regulatory proposals and developments.

Scope and Methodology

The scope of this audit included FSOC’s monitoring of international financial regulatory proposals and developments from January 2016 through January 2018.

To accomplish our objective, we:

• reviewed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) to determine FSOC’s statutory purposes and duties;

• interviewed staff from the FSOC Secretariat to determine FSOC’s process of monitoring international financial regulatory proposals and developments;

• interviewed or coordinated with FSOC members and member agency representatives to obtain their views and to determine their involvement in FSOC’s process of monitoring international financial regulatory proposals and developments;

• reviewed past FSOC and Council of Inspectors General on Financial Oversight annual reports, FSOC’s bylaws, FSOC’s committee charters for the following committees: Data Committee; Financial Market Utilities and Payment, Clearing and Settlement Activities Committee; Nonbank Financial Companies Designations Committee; Regulation and Resolution Committee; and the Systemic Risk Committee;

• reviewed FSOC’s Principals’ meeting minutes, and meeting agendas for FSOC’s Systemic Risk Committee and Regulation and Resolution Committee (FSOC is not required to prepare meeting minutes for committee meetings; therefore, we could only review agendas for these groups); and

• created a questionnaire designed to gather specific information regarding each FSOC member and member agency’s participation in the monitoring of international financial regulatory proposals and developments as well as their assessment of FSOC’s work in this area. This questionnaire was used by each of the Working Group members to facilitate the consistent collection of information from all interviewees. Several members self-reported their responses to the questionnaire.

We performed fieldwork from February through June 2018. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[End of Appendix I: Objective, Scope, and Methodology]

Appendix II: Prior CIGFO Reports

The Council of Inspectors General on Financial Oversight (CIGFO) has issued the following prior reports:

• Audit of the Financial Stability Oversight Council’s Controls over Non-public Information, June 2012

• Audit of the Financial Stability Oversight Council’s Designation of Financial Market Utilities, July 2013

• Audit of the Financial Stability Oversight Council’s Compliance with Its Transparency Policy, July 2014

• Audit of the Financial Stability Oversight Council’s Monitoring of Interest Rate Risk to the Financial System, July 2015

• Audit of the Financial Stability Oversight Council’s Efforts to Promote Market Discipline, February 2017

• CIGFO’s Corrective Verification Action on the Audit of the Financial Stability Oversight Council’s Designation of Financial Market Utilities, May 2017

• Top Management and Performance Challenges Facing Financial Regulatory Organizations, September 2018

[End of Appendix II: Prior CIGFO Reports]

Appendix III: FSOC Response

December 19, 2018

The Honorable Eric M. Thorson
Chair, Council of Inspectors General on Financial Oversight (CIGFO)
1500 Pennsylvania Avenue, NW
Washington, D.C. 20220

Re: Response to Draft Audit Report: CIGFO’s Audit of the Financial Stability Oversight Council’s Monitoring of International Financial Regulatory Proposals and Developments

Dear Mr. Chairman:

Thank you for the opportunity to review and respond to your draft audit report, Audit of the Financial Stability Oversight Council’s Monitoring of International Financial Regulatory Proposals and Developments (the Draft Report). The Financial Stability Oversight Council (FSOC) appreciates the CIGFO working group’s review of the FSOC’s efforts to monitor international issues consistent with its statutory duties. This letter responds on behalf of Secretary Mnuchin, as Chairperson of FSOC, to the Draft Report.

As the Draft Report notes, FSOC monitors international financial regulatory proposals and developments in several ways, including through the development of its annual reports; discussions at Council and staff-level committee meetings and other staff-level discussions; and through the direct international engagement of its member agencies that inform their participation on FSOC. The report noted that FSOC members and their staffs expressed their overall satisfaction with FSOC’s monitoring in this area and believe the process is adequate. CIGFO made no recommendations as a result of the working group review. The Draft Report notes that several FSOC members offered suggestions to further enhance FSOC’s work, which we will consider in the future.

Thank you again for the opportunity to review and comment on the Draft Report. We value CIGFO’s input and look forward to continuing our constructive engagement with you.

Sincerely,

/s/

Bimal Patel

Deputy Assistant Secretary for the Financial Stability Oversight Council

[End of Appendix III: FSOC Response]

Appendix IV: CIGFO Working Group

Department of the Treasury Office of Inspector General, Lead Agency

Eric M. Thorson, Inspector General, Department of the Treasury, and CIGFO Chair

Deborah Harker

Lisa Carter

Jeffrey Dye

Vicki Preston

Virginia Shirley

Clyburn Perry III

Board of Governors of the Federal Reserve System and the Bureau of Consumer Financial Protection Office of Inspector General

Mark Bialek, Inspector General, Board of Governors of the Federal Reserve System and Bureau of Consumer Financial Protection

Chie Hogenmiller

Melissa Chammas

Commodity Futures Trading Commission Office of Inspector General

A. Roy Lavik, Inspector General, Commodity Futures Trading Commission

Miguel Castillo

Branco Garcia

Federal Deposit Insurance Corporation Office of Inspector General

Jay N. Lerner, Inspector General, Federal Deposit Insurance Corporation

Robert Fry

Federal Housing Finance Agency Office of Inspector General

Laura Wertheimer, Inspector General, Federal Housing Finance Agency

Marla Freedman

Bob Taylor

Jim Lisle

April Ellison

Securities and Exchange Commission Office of Inspector General

Carl W. Hoecker, Inspector General, Securities and Exchange Commission

Rebecca L. Sharek

Carrie Fleming

[End of Appendix IV: CIGFO Working Group]

[End of report]
