FDIC Office of Inspector General
Inspector General's Statement
As I write this statement, our military men and women are engaged in operations in Iraq. We honor the memory of brave Americans who have sacrificed their lives in that effort and appreciate all others who dedicate themselves to serving our country in the military. Their commitment to our nation deepens the pride that we feel as public servants carrying out the mission of the Office of Inspector General (OIG) at the Federal Deposit Insurance Corporation (FDIC).
In that regard, my statement for this 6-month period focuses on the Corporation's progress in areas that the OIG previously identified and areas where further actions are necessary. During the period, FDIC Chairman Donald Powell continued to provide strong leadership and direction to the Corporation. His 1st Quarter Letter to Stakeholders articulated the corporate priorities for 2003: Stability of the industry and the insurance funds, Sound Policy positions supported by substantive research and led by comprehensive deposit insurance reform legislation, and Stewardship of the Corporation and insurance funds to ensure that the FDIC does its job in the most efficient and effective manner possible. The OIG supports and will continue efforts to further these priorities through our audits, evaluations, and investigations.
The priorities outlined above warrant attention of the highest governance level of the FDIC: the Board of Directors. Again, I express my concern over an FDIC Director vacancy going back to September 1998. The balance between the various interests implicit in the Board's structure is preserved only when all Board positions are filled. I continue to believe that the overall governance of the Corporation would be best served by filling the vacant position so that a full Board is in place to pursue corporate priorities.
A notable area where the Corporation has continued to make progress during the reporting period relates to the FDIC's efforts to contain organizational costs. Corporate downsizing, reorganizations in both headquarters and field sites, office closings, and plans for a new Virginia Square facility to house FDIC employees are just some of the successful measures undertaken to reduce organizational costs and increase efficiencies. Now, with more organizational stability, the Corporation can increase attention given to operational costs as well, that is, more fully integrating cost considerations into day-to-day decision making. The OIG first identified the challenge of assessing business processes and containing costs as a Major Issue in our April 2001 semiannual report and will continue to foster the Corporation's initiatives in this area.
The Corporation has also made progress in the information security area. As highlighted in our last semiannual report, based on the results of our 2002 Government Information Security Reform Act evaluation, we listed 10 steps that the Corporation could take in the near term to improve information security. We advised that one such step would be to strengthen accountability and authority for information security by appointing a permanent Chief Information Officer who would report directly and solely to the Chairman and by filling key vacancies within the Division of Information Resources Management (DIRM) that support information security initiatives and operations. The Corporation has filled a number of DIRM vacancies since that time and is now actively seeking a Chief Information Officer.
A second step involved completing an enterprise architecture to document current and desired relationships among business and management processes and information technology. Again, the Corporation has progressed in this area by devoting resources, developing policies, and preparing an enterprise architecture blueprint. These actions have set the stage for an enterprise architecture that will facilitate planning and decision making and help improve information technology security. The Corporation now needs to sustain the momentum and actually establish such an architecture. A third critical step was ensuring contractor security, a vulnerable area given the FDIC's reliance on contractor support for information technology operations. Through the efforts of an FDIC task force, a number of policies and procedures are underway to better ensure security of contractor information and resources. Our office is monitoring corporate efforts to address all information security concerns as part of our 2003 review under the Federal Information Security Management Act and will report results in the next semiannual period.
Turning now to the OIG's recent progress. During the past 6 months, we continued efforts to stabilize our organization and operations through downsizing measures that are now nearly complete. Despite our reduction in staff, we have managed to maintain and in some cases increase our productivity, and we continue to work cooperatively with corporate management and the FDIC Audit Committee on issues of mutual interest. Among our accomplishments during the reporting period, we issued 27 audit reports containing 90 nonmonetary recommendations and nearly $1.26 million in monetary benefits. OIG investigations resulted in 13 indictments/informations; 14 convictions; and approximately $26.2 million in fines, restitution, and other monetary recoveries. We reported the results of our material loss review of the failure of Connecticut Bank of Commerce, an institution whose failure caused an estimated $63 million loss to the insurance funds. We provided our assessment of the Most Significant Management and Performance Challenges to the Corporation and issued our 2003 Performance Plan, an ambitious strategic framework that drives OIG results. We also celebrated several noteworthy individual accomplishments during the reporting period: Mike Lombardi and Monte Galvin from our Office of Audits were honored at the Corporation's Annual Awards Ceremony in March 2003 with the Chairman's Award for Excellence for a Team Contribution, and the Nancy K. Rector Award for Public Service, respectively.
Going forward, the OIG will build on past accomplishments and continue to emphasize productivity, performance, process improvement, and people. Our office, established in 1989 by the FDIC Board of Directors pursuant to the Inspector General (IG) Act amendments of 1988, also looks forward to October 2003 when we will join with others in the IG community to mark the 25th anniversary of the IG Act of 1978. Charged with promoting economy, efficiency, effectiveness, and integrity in government programs and operations, the community impacts society in positive ways. We at the FDIC OIG will be ready to celebrate our public service and recommit to our FDIC mission in the fall. I was sworn in as the IG at the FDIC 7 years ago to carry out the IG mission and have appreciated the support I have received from the Corporation, the Congress, and the FDIC OIG staff over the years. With their continued support, I am confident that we will successfully and cooperatively meet all challenges ahead.
Gaston L. Gianni, Jr
April 30, 2003
|Inspector General's Statement|2|
|Management and Performance Challenges|11|
|Reporting Terms and Requirements|52|
|Appendix I: Statistical Information Required by the Inspector General Act of 1978, as amended|54|
|Abbreviations and Acronyms|63|
|Table 1: Significant OIG Achievements|47|
|Table 2: Nonmonetary Recommendations|47|
|Figure 1: Products Issued and Investigations Closed|50|
|Figure 2: Questioned Costs/Funds Put to Better Use|50|
|Figure 3: Fines, Restitution, and Monetary Recoveries Resulting from OIG Investigations|50|
The Management and Performance Challenges section of our report presents OIG results of audits, evaluations, and other reviews carried out during the reporting period in the context of the OIG's view of the most significant management and performance challenges currently facing the Corporation. We identified the following 10 management and performance challenges and, in the spirit of the Reports Consolidation Act of 2000, we presented our assessment of them to the Chief Financial Officer of the FDIC in February 2003. The Act called for these challenges to be presented in the FDIC's consolidated performance and accountability report. Our work has been and continues to be largely designed to address these challenges and thereby help ensure the FDIC's successful accomplishment of its mission.
OIG work conducted to address these areas during the reporting period includes 27 audit and evaluation reviews containing both monetary and nonmonetary recommendations; comments and input to the Corporation's various performance plans and accountability reports; participation at meetings, symposia, conferences, and other forums to jointly address issues of concern to the Corporation and the OIG; and assistance provided to the Corporation in such areas as the conduct of the U.S. General Accounting Office financial statement audit and review of the Corporation's Internal Control and Risk Management Program. (See pages 11-32.)
In the Investigations section of our report, we feature the results of work performed by OIG agents in Washington, D.C., Atlanta, Dallas, and Chicago who conduct investigations of alleged criminal or otherwise prohibited activities impacting the FDIC and its programs. In conducting investigations, the OIG works closely with U.S. Attorney's Offices throughout the country in attempting to bring to justice individuals who have defrauded the FDIC. The legal skills and outstanding direction provided by Assistant United States Attorneys with whom we work are critical to our success. The results we are reporting for the last 6 months reflect the efforts of 19 U.S. Attorney's Offices throughout the United States. Our write-ups also reflect our partnering with the Federal Bureau of Investigation, the Internal Revenue Service, Secret Service, and other law enforcement agencies in conducting investigations of joint interest.
Investigative work during the period led to indictments or criminal charges against 13 individuals and convictions of 14 defendants. Criminal charges remained pending against 14 individuals as of the end of the reporting period. Fines, restitutions, and recoveries stemming from our cases totaled almost $26.2 million. This section of our report also includes information on a legislative proposal we have put forth to the Congress to enhance enforcement authority for misrepresentations regarding FDIC insurance. (See pages 33-42.)
In the Organization section of our report, we note some of the significant internal activities that the FDIC OIG has recently pursued. Chief among these are (1) issuance of our Fiscal Year 2003 Performance Plan, which reflects an updated strategic framework with improved linkages to the FDIC Strategic Plan, the OIG Human Capital Strategic Plan, the OIG Office of Audits' Assignment Plan, and the OIG-identified Management and Performance Challenges referenced above and (2) efforts in furtherance of our Human Capital Strategic Plan related to competencies and the business knowledge and skills needed by OIG staff to provide maximum value to the Corporation. Activities of OIG Counsel and cumulative OIG results covering the past five reporting periods are also shown in this section. (See pages 43-51.)
The Appendix of our report contains much of the statistical information required under the Inspector General Act, as amended. Additionally, the back section of our report features career accomplishments of some of our current and past FDIC OIG colleagues. Page 66 of our report highlights the IG community's results during fiscal year 2002. (See pages 54-end.)
Management and Performance Challenges
The Federal Deposit Insurance Corporation (FDIC) is an independent agency created by the Congress to maintain stability and confidence in the nation's banking system by insuring deposits, examining and supervising financial institutions, and managing receiverships. Approximately 5,400 individuals within seven specialized operating divisions and other offices carry out the FDIC mission throughout the country. According to the Corporation's Letter to Stakeholders, issued for the 1st Quarter 2003, as of December 30, 2002, the FDIC insured $3.387 trillion in deposits for 9,372 institutions. As of March 31, 2003, the FDIC supervised 5,354 institutions and held assets in liquidation of $1.538 billion. There are 40 active receiverships in the Bank Insurance Fund and Savings Association Insurance Fund. The Corporation maintains insurance funds in excess of $43 billion to ensure depositors are safeguarded.
In previous semiannual reports, we identified our view of the most significant issues facing the Corporation as it carries out its mission. Over the past 7 years, we have reported our work in the context of these major issues in our semiannual reports, largely in response to the request of various congressional Committees that OIGs identify these issues across the government. During the reporting period, we again considered these issues, but in a slightly different context. To explain: in the spirit of the Reports Consolidation Act of 2000, in February 2003, we provided the Chief Financial Officer (CFO) of the FDIC the OIG's assessment of "the most significant management and performance challenges" facing the Corporation. The Act calls for these challenges to be included in the FDIC's 2002 consolidated performance and accountability report.
We identified the following management and performance challenges:
Earlier, we shared a listing of these challenges with corporate offices and divisions. There are close parallels between our previously reported "major issues" and the challenges we presented in February. The Corporation's more recent comments on the challenges attested to the fact that the Corporation has had a number of actions underway to address each of the areas discussed, and we encouraged continued attention to all of these challenges. For its part, the OIG will continue to pursue audits, evaluations, investigations, and other reviews that address the management and performance challenges we identified. Our work during the reporting period can be linked directly to these challenges and is presented as such in the sections that follow. We will continue to work with corporate officials to successfully address each challenge.
A number of well-publicized announcements of business failures, including financial institution failures, have raised questions about the credibility of accounting practices and oversight in the United States. These recent events have increased public concern regarding the adequacy of corporate governance and, in part, prompted passage of the Sarbanes-Oxley Act of 2002. The public's confidence in the nation's financial system can be shaken by deficiencies in the adequacy of corporate governance in insured depository institutions. For instance, the failure of senior management, boards of directors, and auditors to effectively conduct their duties has contributed to some recent financial institution failures. In certain instances, Board members and senior management engaged in high-risk activities without proper risk management processes, did not maintain adequate loan policies and procedures, and circumvented or disregarded various laws and banking regulations. In other instances, independent public accounting firms rendered unqualified opinions on the institutions' financial statements when, in fact, the statements were materially misstated. To the extent that financial reporting is not reliable, the regulatory processes and FDIC mission achievement, that is ensuring the safety and soundness of the nation's financial system, can be adversely affected. For example, essential research and analysis used to achieve the supervision and insurance missions of the Corporation can be complicated and potentially compromised by poor quality financial reports and audits. Potentially the insurance funds can be affected by financial institution and other business failures involving financial reporting problems. In the worst case, illegal and otherwise improper activity by management of financial institutions or their boards of directors can be concealed, resulting in significant potential losses to the FDIC insurance funds.
The Corporation has initiated various measures designed to mitigate the risk posed by these concerns, such as reviewing the bank's board activities and ethics policies and practices and reviewing auditor independence requirements. In addition, the FDIC reviews the financial disclosure and reporting obligations of publicly traded state nonmember institutions as well as their compliance with other Securities and Exchange Commission regulations and the Federal Financial Institutions Examination Council-approved and recommended policies to help ensure accurate and reliable financial reporting through an effective external auditing program. Other corporate governance initiatives include the FDIC issuing Financial Institution Letters, allowing bank directors to participate in regular meetings between examiners and bank officers, a "Director's Corner" on the FDIC Web site, and expansion of the Corporation's "Director's College" program. The adequacy of corporate governance will continue to require the FDIC's vigilant attention.
OIG Comments on Corporation's Inclusion of Corporate Governance Issues in Consolidated Annual Report
The OIG provided a substantive suggestion to the CFO and the Acting Director of the Office of Internal Control Management for consideration in the preparation of the Corporation's consolidated annual report. We suggested that the report include a discussion of the risks associated with bank corporate governance (including the quality of bank financial reporting and auditing) and the challenges of Sarbanes-Oxley Act implementation. To facilitate consideration of this matter, we provided a risk analysis document on March 10, 2003, entitled 2003 Update: FDIC Continuing Risk - The Quality of Bank Financial Reporting and Auditing and Corporate Governance.
While we acknowledged in our analysis that the passage of the Sarbanes-Oxley Act of 2002 was a significant step in addressing corporate governance and accountability issues, the Act has not been fully implemented and its future effectiveness is not known. We believe the FDIC, along with other financial institution regulators, should play an active role, along with the Securities and Exchange Commission, in implementation of Sarbanes-Oxley.
The nature of the corporate governance and financial reporting risks involves unknown quantities (e.g., the extent of unreliable data reported and extent of undetected fraud), and, as a result, the true magnitude and impact of the risks cannot be reasonably quantified or projected. However, the potential impact of the risks could be material and constitutes a significant vulnerability to the FDIC's ability to effectively achieve its insurance and supervision missions. Absent full and effective implementation of mechanisms, such as those envisioned under Sarbanes-Oxley (including a program of effective oversight of the quality of independent public accounting audits), we believed reasonable assurance did not currently exist to conclude that the potential adverse impact of these risks could be prevented or avoided.
In consideration of our suggestion, the Corporation included a brief discussion of corporate governance in its report. The report noted various measures initiated to mitigate the risk of increased public concern regarding accounting practices and oversight and the adequacy of corporate governance, which, in part, prompted passage of the Sarbanes-Oxley Act of 2002. In particular, the report cited reviewing board activities, ethics policies and practices of the banks the FDIC supervises, and auditor independence requirements. The report also cited guidance issued by the FDIC in early 2003 to institutions about the Sarbanes-Oxley Act, including the actions that the FDIC encourages institutions to take to ensure sound corporate governance.
The issue of ineffective corporate governance was also identified in our Material Loss Review of the Connecticut Bank of Commerce as the main cause of the institution's failure (see write-up on page 16 of this report). Also in this connection, see our write-up of our audit of Examiner Use of Work Performed by Independent Public Accountants on page 20.
The FDIC is legislatively mandated to enforce various statutes and regulations regarding consumer protection and civil rights with respect to state-chartered, nonmember banks and to encourage community investment initiatives by these institutions. Some of the more prominent laws and regulations in this area include the Truth in Lending Act, Fair Credit Reporting Act, Real Estate Settlement Procedures Act, Fair Housing Act, Home Mortgage Disclosure Act, Equal Credit Opportunity Act, Community Reinvestment Act of 1977, and Gramm-Leach-Bliley Act.
The Corporation accomplishes its mission related to fair lending and other consumer protection laws and regulations by conducting compliance examinations, taking enforcement actions to address unsafe or unsound banking practices and compliance violations, encouraging public involvement in the compliance process, assisting financial institutions with fair lending and consumer compliance through education and guidance, and providing assistance to various parties within and outside of the FDIC.
The FDIC's examination and evaluation programs must assess how well the institutions under its supervision manage compliance with consumer protection laws and regulations and meet the credit needs of their communities, including low- and moderate-income neighborhoods. The FDIC must also work to issue regulations that implement federal consumer protection statutes, both on its own initiative and together with the other federal financial institution regulatory agencies. One important focus will be the Gramm-Leach-Bliley Act, as the Corporation must ensure it has a quality program to examine institution compliance with the privacy and other provisions of the Act.
The Corporation's community affairs program provides technical assistance to help banks meet their responsibilities under the Community Reinvestment Act. The current emphasis is on financial literacy, aimed specifically at low- and moderate-income people who may not have had banking relationships. The Corporation's "Money Smart" initiative is a key outreach effort. The FDIC must also continue efforts to maintain a Consumer Affairs program by investigating consumer complaints about FDIC-supervised institutions and answering consumer inquiries regarding consumer protection laws and banking practices.
The OIG's ongoing work in this area includes a review of the implementation of Gramm-Leach-Bliley Act customer privacy provisions. Results of this work will be presented in an upcoming semiannual report.
The adequate security of our nation's critical infrastructure has been at the forefront of the federal government's agenda for many years. Specifically, the President's Commission on Critical Infrastructure Protection (established in July 1996) was tasked to formulate a comprehensive national strategy for protecting the nation's critical infrastructure from physical and "cyber" threats. Included among the limited number of systems whose incapacity or destruction were deemed to have a debilitating impact on the defense or economic security of the nation was the banking and finance system. With the increased consolidation and connectivity of the banking industry in the years since 1996, and with the new awareness of the nation's vulnerabilities to terrorist attacks since September 11, 2001, the security of the critical infrastructure in the banking industry is even more important.
On May 22, 1998, the Presidential Decision Directive (PDD) 63 was signed, calling for a national effort to ensure the security of the nation's critical infrastructures. PDD 63 defined the critical infrastructure as the "physical and cyber-based systems essential to the minimum operations of the economy and government." President Bush declared that securing our critical infrastructure is essential to our economic and national security and issued two Executive Orders (EO 13228, The Office of Homeland Security and the Homeland Security Council and EO 23231, Critical Infrastructure Protection in the Information Age) to improve the federal government's critical infrastructure protection program in the context of PDD 63.
The intent of PDD 63 is to ensure that the federal government maintains the capability to deliver services essential to the nation's security, economy, and the health and safety of its citizens, in the event of a cyber- or physical-based disruption. Much of the nation's critical infrastructure historically has been physically and logically separate systems that had little interdependence. However, as a result of technology, the infrastructure has increasingly become automated and interconnected. These same advances have created new vulnerabilities to equipment failures, human error, and natural disasters as well as terrorism and cyber attacks.
To effectively protect critical infrastructure, the FDIC's challenge in this area is to implement measures to mitigate risks, plan for and manage emergencies through effective contingency and continuity planning, coordinate protective measures with other agencies, determine resource and organization requirements, and engage in education and awareness activities. The FDIC will need to continue to work with the Department of Homeland Security and the Finance and Banking Information Infrastructure Committee created by EO 23231 and chaired by the Department of the Treasury, on efforts to improve security of the critical infrastructure of the nation's financial system.
The OIG is nearing completion of its review of the FDIC's efforts to implement its Information Security Strategic Plan. This review is part of the President's Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency Audit Committee's review of the nation's critical infrastructure assurance program. Our review objective is to evaluate the adequacy of the FDIC's activities for protecting critical cyber-based infrastructures. We will issue the results of that work in our next semiannual report.
A primary goal of the FDIC under its insurance program is to ensure that its deposit insurance funds do not require resuscitation by the U.S. Treasury. Achieving this goal is a considerable challenge, given that the FDIC supervises only a portion of the insured depository institutions. The identification of risks to non-FDIC supervised institutions requires effective communication and coordination with the other federal banking agencies. The FDIC engages in an ongoing process of proactively identifying risks to the deposit insurance funds and adjusting the risk-based deposit insurance premiums charged to the institutions.
Recent trends and events continue to pose risks to the funds. From January 1, 2002 to March 31, 2003, 11 banks and 1 thrift institution have failed and the potential exists for additional failures. While some failures may be attributable primarily or in part to economic factors, bank mismanagement and fraud have also been factors in most recent failures. The environment in which financial institutions operate is evolving rapidly, particularly with the acceleration of interstate banking, new banking products and complex asset structures, and electronic banking. The industry's growing reliance on technologies, particularly the Internet, has changed the risk profile of banking. The consolidations that may occur among banks and securities firms, insurance companies, and other financial services providers resulting from the Gramm-Leach-Bliley Act pose additional risks to the FDIC's insurance funds. The Corporation's risk-focused examination process must operate to identify and mitigate these risks and their real or potential impact on financial institutions to preclude adverse consequences to the insurance funds.
Another risk to the insurance funds results from bank mergers that have created "megabanks," or "large banks" (defined as institutions with assets of over $25 billion). For many of these institutions, the FDIC is the insurer but is not the primary federal regulator. Megabanks offering new or expanded services also present challenges to the FDIC. The failure of a megabank, for example, along with the potential closing of closely affiliated smaller institutions, could result in such losses to the deposit insurance funds as to require significant increases in premium assessments from an institution.
Offices of Inspector General Sponsor Second Emerging Issues Symposium
During the reporting period, the Offices of Inspector General of the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the FDIC jointly sponsored a second Emerging Issues Symposium at the FDIC's Seidman Center. Again this year, the forum brought together a number of speakers who shared their perspectives on the banking and financial services industries and the challenges facing all who are involved in those arenas. Among the distinguished speakers were Vice Chairman Reich from the FDIC; John Hawke, Comptroller of the Currency; James Gilleran, Director of the Office of Thrift Supervision (OTS); and Rick Riccobono, Deputy Director, OTS. Additionally, staff representatives from the Senate Committee on Banking, Housing and Urban Affairs and the House Committee on Financial Services highlighted certain banking and financial services-related issues of congressional interest and the role the Inspector General community can play in addressing such issues. Other sessions included presentations by several of our FDIC colleagues on such topics as Emerging Risks to the Insurance Funds, Basel II, and Identity Theft; a session on Cyber Security by a representative from the General Accounting Office; a panel discussion by the Securities and Exchange Commission on Accounting Issues and Corporate Governance; a discussion of Trends in Financial Institution Crime, given by a Senior Trial Attorney from the Department of Justice; and a presentation by the Director of FinCEN. Participants at the symposium appreciated the opportunity to come together and hear such dynamic and enlightening discussion. Ideas presented during the symposium will serve to enhance the work of the Inspector General community and the value we can add to our respective agencies.
Further, because of bank mergers and acquisitions, many institutions hold both Bank Insurance Fund (BIF) and Savings Association Insurance Fund (SAIF) insured deposits, obscuring the difference between the funds. There has been ongoing consideration of merging the two insurance funds, with the thought being that the merged fund would not only be stronger and better diversified but would also eliminate the concern about a premium disparity between the BIF and the SAIF. Assessments in the merged fund would be based on the risk that institutions pose to the single fund. The prospect of different prices for identical deposit insurance coverage would be eliminated. Also, insured institutions would no longer have to track their BIF and SAIF deposits separately, resulting in cost savings for the industry. The Corporation has worked hard to bring about deposit insurance reform and needs to continue to work with the banking community and the Congress in the interest of eventual passage of reform legislation. Shortly after the end of the reporting period, on April 2, 2003, the House of Representatives passed comprehensive deposit insurance reform by a vote of 411-11.
Another risk to the insurance funds relates to the designated reserve ratio. As of March 31, 2002, the BIF reserve ratio was at 1.23 percent, the first time it had fallen below 1.25 percent since 1995. By June 30, 2002, the BIF reserve ratio was at 1.26 percent, slightly above the statutorily mandated designated reserve ratio for the deposit insurance funds. As of December 31, 2002, the BIF ratio was at 1.27 percent. If the BIF ratio is below 1.25 percent, in accordance with the Federal Deposit Insurance Act (FDI Act), the FDIC Board of Directors must charge premiums to banks that are sufficient to restore the ratio to the designated reserve ratio within 1 year. The Corporation's challenge is to maintain or exceed the designated reserve ratio, as required by statute.
The process for setting deposit insurance premiums, which is closely related to the above discussion of the designated reserve ratio, represents yet another significant risk to the insurance funds. Insurance premiums are not generally assessed based on risk but rather on the funding requirements of the insurance funds. This approach has the impact of assessing premiums during economic downturns when banks are failing and likely not in the best position to afford the premiums. Also, numerous "free rider" institutions have benefited from being able to sharply increase insured deposits without contributions to the insurance funds commensurate with this increased risk. This can occur because the designated reserve ratio has not been breached, thereby triggering across-the-board premiums. Current deposit insurance reform proposals include provisions for risk-based premiums to be assessed on a more regularly scheduled basis than would occur using the existing approach. Risk-based premiums can provide the ability to better match premiums charged to institutions with related risk to the insurance funds.
Material Loss Review of the Failure of the Connecticut Bank of Commerce, Stamford, Connecticut
During the reporting period, in accordance with Section 38(k) of the FDI Act, the OIG conducted a material loss review of the failure of the Connecticut Bank of Commerce (CBC), Stamford, Connecticut. Our audit objectives were to: (1) ascertain why the bank's failure resulted in a material loss to the insurance fund and (2) assess the FDIC's supervision of the bank, including implementation of the Prompt Corrective Action requirements of Section 38 of the FDI Act. CBC was closed on June 26, 2002. At the time of failure, CBC had total assets of approximately $379 million. As of December 31, 2002, the FDIC estimated that the failure of CBC may ultimately cost the BIF $63 million.
We reported that CBC failed and resulted in a material loss to the BIF because of ineffective corporate governance, including the external auditors' issuance of unqualified opinions on the bank's financial statements that briefly described but did not challenge the fair presentation and integrity of certain transactions and asset valuations. A major component of the $63 million loss to the insurance fund resulted from the Chairman of the Board orchestrating nominee loan schemes. These nominee loans, which had outstanding balances of $34 million when the bank was closed, had the effect of misleading bank regulators and CBC depositors as to the true financial condition of CBC, ultimately leading to CBC's insolvency and closure.
With respect to the supervision of CBC, FDIC and state examiners periodically conducted examinations, consistently identifying and reporting deficiencies, and taking various formal and informal enforcement actions. Further, the FDIC identified and investigated the complex loan schemes, which required substantial effort in order to determine the flow and ultimate recipient of funds. However, in retrospect, more aggressive supervisory action and additional scrutiny of CBC's application to purchase MTB Bank, a New York state-chartered commercial bank, were warranted in light of CBC's:
Finally, the FDIC implemented Prompt Corrective Action in accordance with the requirements of Section 38 of the FDI Act; however, Prompt Corrective Action was not fully effective due to improper asset valuations that had overstated CBC's capital for several years.
In summary, we recommended that the Director, Division of Supervision and Consumer Protection (DSC):
DSC agreed to take action in response to our recommendations. DSC also provided comments regarding other aspects of the report. DSC noted that ineffective corporate governance resulted in excessive risk taking, disregard for laws and regulations, and questionable asset valuations, all of which exacerbated the potential loss to the FDIC. However, DSC disagreed with the OIG's conclusion that CBC failed and resulted in a material loss to the BIF because of ineffective corporate governance. It is DSC's position that "the proximate cause of CBC's failure was insider fraud in the form of nominee loans totaling at least $34 million." As discussed in the report, we agree that the nominee loan schemes were a key component of the material loss to the BIF and ultimately resulted in the bank's closure. However, in our opinion, the loan schemes were the proximate cause of the bank's closure, not the failure, which we believe is an important distinction. Assuming the FDIC receives nothing for the $34 million in nominee loans, the magnitude of the loss indicates that other activities allowed to occur both before and after the nominee loans because of ineffective corporate governance significantly contributed to the demise of this bank and resulting material loss.
The Banking Commissioner for the State of Connecticut also provided comments to our draft report, stating that our review was "reasonably presented" and the recommendations "entirely appropriate." The Commissioner also indicated that the State Banking Department has proposed legislation that, if enacted, would address issues raised in this report pertaining to legal lending limits.
DSC Procedures for Addressing Deviations from Business Plans by Newly Established Banks
We issued a report on DSC's procedures for addressing deviations from business plans by newly established banks. The DSC Director requested this review and expressed concern that managers of some newly chartered banks were not adhering to the business plans approved by the FDIC during the new bank application process.
We concluded that the procedures used by FDIC case managers and examiners for evaluating and addressing new banks that have departed from initial business plan projections subsequent to their application for approval from the FDIC were adequate. Examiners were taking steps to review and assess a bank's adherence to its approved business plan and/or subsequent strategic plans and budgets.
Of added importance, we found that new banks, in effect, could be established through various regulatory and financial transactions that allow existing insured depository institutions to transfer their charters and insurance to new owners. When a new bank is created through the normal formation process, regulatory approval is sought through the application process for federal deposit insurance. However, other various transactions, including mergers, acquisitions, assumptions, and changes in control, are subject, by statute, to a less comprehensive application process because a new application for deposit insurance is not required.
Accordingly, we made two recommendations intended to enhance DSC's regulatory oversight in the application process for mergers, acquisitions, or changes in control and in the advance notification of changes in bank management. DSC management suggested an acceptable alternative action for one recommendation and concurred with the second recommendation.
In January 2003, the Corporation proposed a number of regulatory burden relief initiatives for the 108th Congress. Included among those were two that are consistent with recommendations we made in our report. These relate to proposed amendments to the Bank Merger Act, Bank Holding Company Act, and Change in Bank Control Act.
OIG Issues Multiple Reports on FDIC Examiner Assessments of Risk
We issued several reports this period that focused on examiners' assessments of specific activities that institutions engage in that can pose risks to the safety and soundness of the institutions and the insurance funds.
We concluded that opportunities existed for improvement regarding examiner assessment of appraisals and cash flow. Specifically, examiners were not always using the lesser of acquisition cost or appraised value to assess loan-to-value ratios, were not updating old appraisal assumptions, and in some cases did not provide sufficient evidence that a cash flow analysis was performed. Moreover, we could not determine whether examiner review of loan policies was adequate in most cases due to the varying degrees in the way examiners documented their work.
The report contained six recommendations intended to improve the DSC's examinations of institutions with high levels of commercial real estate loans. DSC management concurred with one recommendation but did not concur with the remaining five recommendations, suggest acceptable alternative actions, or provide information that would convince us to revise any recommendations. DSC considers the concerns identified in the report as OIG-perceived documentation deficiencies. At issue is whether there is a correlation between the quality of the examination procedures supported by evidence in the working papers and the quality of the examinations themselves. It is our position that the two are inseparable. We requested DSC to reconsider its comments in light of our evaluation of them and provide a subsequent response.
DSC responded that planned examiner training programs and upcoming initiatives would address the outstanding recommendations. If these planned actions address the concerns covered by our recommendations, we may accept the results of this initiative as alternative actions to the recommendations.
Examiner Assessment of High Loan-Growth Institutions: Another audit we conducted focused on examiner assessment of high loan-growth institutions. High loan growth is a high-risk indicator, and the FDIC's internal studies have shown that rapid loan growth has been identified repeatedly as a precursor to failure. We concluded that DSC examiners' loan review process for institutions that had experienced a significant level of loan growth was not sufficient in identifying risk. Specifically, examiners were not always:
As a result, there was insufficient assurance that examiners were consistently performing a comprehensive review and analysis of newly originated loans in high loan-growth institutions. Accordingly, the audit report contained six recommendations intended to improve DSC's regulatory oversight in the examination of high loan-growth institutions.
DSC questioned our assessments and conclusions based on its concerns with the scope of our audit. In addition, DSC management did not concur with these recommendations, suggest acceptable alternative actions, or provide information that would convince us to revise any recommendations. We requested DSC to reconsider its comments in light of our evaluation of them and provide a subsequent response.
DSC cited plans for a process improvement review that will focus on workpaper documentation. DSC invited the OIG's input to that review. If the initiative addresses the concerns covered by our recommendations, we may accept the results of this initiative as alternative actions to the recommendations.
Subprime Lending: We completed an audit of DSC's assessment of subprime lending in the course of safety and soundness examinations. We conducted this audit because of concerns stemming from recent financial institution failures involving subprime lending activities. Subprime lending provides borrowers with a credit source that may not otherwise be available due to concerns with their credit history or repayment capacity. However, recent examinations revealed a number of financial institutions that were engaged in subprime lending activities without properly assessing or controlling the risks associated with this type of lending. As a result, many institutions have suffered losses, which in turn has jeopardized the overall financial health of those institutions.
Our audit determined that DSC has taken reasonable steps to ensure that institutions manage risks associated with subprime lending programs effectively. Specifically, the interagency policies and procedures for examinations of subprime banks provided examiners with the necessary guidance to identify and assess the condition of subprime loan programs in insured institutions and the examiners adequately implemented this guidance. FDIC examiners conducted pre-examination planning that included steps to look for indications of subprime programs and generally followed the interagency subprime examination procedures involving examinations of capital levels during onsite examinations. In addition, DSC maintains a quarterly database to assist in monitoring the condition of FDIC-insured institutions with subprime programs.
We did not make recommendations in our report, but we identified an issue that may warrant management's attention. Specifically, we noted that existing guidance may not be sufficient for ensuring that custom credit scoring models correctly predict the creditworthiness of borrowers. As a result, there is a potential for a lack of consistency in onsite examinations of banks with subprime lending programs, particularly with regard to allowances for losses and capital level calculations. Also, in order for lenders to appropriately stratify the additional default risk and price the subprime products accordingly, constant monitoring and testing of credit scoring models is required to ensure that projected results are in line with actual performance.
Transactions with Affiliates: A bank's relationships and transactions with its affiliated organizations can significantly affect the operations and overall financial condition of a financial institution. As part of the safety and soundness examination of a bank, in situations where affiliated organizations are identified, DSC examiners determine whether a bank's transactions with its affiliates are in regulatory compliance and not detrimental to the safety and soundness of the financial institution. Material loss reviews and other reviews of several bank failures in recent years have identified concerns related to the failed financial institutions' relationships and transactions with their respective affiliates.
We conducted an evaluation to review DSC's efforts to identify affiliates of FDIC-supervised institutions and examine transactions with such affiliates and reported that DSC's efforts were generally adequate. DSC examiners relied on information requested of and provided by the financial institution and, in some cases, the Federal Reserve Board (FRB), to identify affiliates and affiliate transactions, assess the risks associated with affiliates and affiliate transactions, and establish an appropriate examination scope for affiliate activities. However, DSC examiners were not always requesting a list of affiliate transactions that had occurred since the prior examination or FRB reports regarding affiliate transactions and bank organizational structure.
We could not conclude on the adequacy of examination procedures applied to the financial institutions' affiliate activities for 4 of 21 financial institutions that we reviewed, because the examination procedures were not documented in the examination workpapers. DSC policies stipulate that examination documentation should provide written support for the examination and verification procedures performed, conclusions reached, and narrative comments in the Report of Examination.
We recommended that DSC include a request for a list of affiliate transactions in the Safety and Soundness Examination Request Package when DSC knows or has reason to believe that a financial institution has affiliate activities and request that the bank provide the types or categories of affiliate transactions that have occurred since the previous examination and a list of transactions with values greater than a predetermined dollar threshold when affiliate transaction activity is voluminous. We also recommended that DSC inform examiners and case managers as to the availability of certain FRB Reports as additional resources for identifying affiliates and affiliate transactions. We further recommended that DSC ensure through several of its existing review programs that examiners follow DSC's policies for documenting affiliate work and the examination procedures used, documents relied upon, and analyses conducted in the examination of transactions with affiliates.
DSC's proposed actions in response to our report met the intent of our recommendations.
FDIC Examiner Use of Work Performed by Independent Public
As discussed earlier, the work performed by Independent Public Accountants (IPA) who are engaged by FDIC-supervised financial institutions has elicited increased attention in light of the types of corporate accounting scandals that have occurred in other business areas recently. During the reporting period, we evaluated FDIC examiner use of the work performed by IPAs who are engaged by FDIC-supervised financial institutions.
We determined that FDIC examiners and case managers made reasonable use of the work performed by IPAs by considering IPA reports, management letters, and other available documentation in conjunction with their safety and soundness examinations and in devising the overall supervisory strategy. FDIC examiners expanded their examination testing and review when an IPA uncovered or reported irregularities or problems in an area, and the examiners followed up on the institution's corrective actions. Examiners also effectively resolved differences with IPAs. In addition to the above, for those institutions with examination ratings of 4 or 5, indicating problem areas, examiners also reviewed the IPA's workpapers, thoroughly documenting their review. FDIC examiners reviewed IPA workpapers to gain an understanding of the IPA's scope and results of work performed including, for example, in the areas of internal control, the risk of material misstatement due to fraud, or asset valuation concerns.
Our report did not contain recommendations. DSC's response to our report indicated that the division would continue to be proactive in addressing its evaluations of external audit activity through its own efforts and through interagency initiatives.
The Division of Supervision and Consumer Protection's Reporting on Issues Related to Problem Banks
The FDIC's Board of Directors needs reliable and timely information related to the safety and soundness of FDIC-insured institutions in order to carry out its Board responsibilities to the Corporation. We undertook an audit to determine the extent and type of information that DSC reported to the FDIC Board of Directors on problem banks. During this audit, we reviewed the reporting process including, but not limited to, the type, sources, frequency, consistency, and distribution of information reported on problem banks, undercapitalized institutions, and Section 38 actions.
We concluded that DSC issues a significant number and variety of reports and maintains folders in Microsoft Outlook to keep the FDIC Board of Directors informed of material supervisory, policy, and administrative issues. These reports and folders include information on financial institutions that DSC classifies as "problem banks" and provide narrative information on the institutions' financial condition. DSC also provides information on other banks that present heightened risk to the deposit insurance funds. However, we reported that DSC could more efficiently and effectively report problem bank information and better secure bank information that it maintains in Outlook folders.
We recommended that the Director, DSC, take actions to assess report recipients' needs and consider consolidating, eliminating, or automating certain reports generated by DSC regional offices; clarify the distinction between its various problem institution lists and other reports on problem institutions; ensure that regional offices report consistently all undercapitalized institutions and Section 38 provisions for all FDIC-insured financial institutions; and revalidate who has access to automated information and ensure that all confidential and sensitive bank data are secured.
DSC management concurred with five of our six recommendations and stated that it had taken steps to address the other recommendation. We consider all recommendations to be resolved.
One of the FDIC's most important corporate responsibilities is planning and efficiently handling the franchise marketing of failing FDIC-insured institutions and providing prompt, responsive, and efficient resolution of failed financial institutions. These activities maintain confidence and stability in our financial system. The Division of Resolutions and Receiverships (DRR) has outlined primary goals for the following four business lines and each is accompanied by significant challenges.
Evaluation of the FDIC's Corporate Readiness Plan
The Corporate Readiness Plan (CRP) is DRR's contingency plan for responding to a series of institution failures exceeding DRR's capacity to address with its own resources. We evaluated the reasonableness of the CRP during the reporting period. We focused on key Plan elements and underlying assumptions. We concluded that the CRP is reasonable and provides sufficient flexibility for the FDIC to handle a relatively wide range of institution failures without causing significant disruption to other aspects of the Corporation's mission.
OIG Work Addresses Continuing Interest in Privacy
We issued a report on the FDIC's control over the use and protection of social security numbers (SSN). We conducted our work in response to congressional interest regarding the widespread sharing of personal information and occurrences of identity theft. The FDIC OIG along with other Offices of Inspector General performed reviews on behalf of the President's Council on Integrity and Efficiency. We limited our review to the FDIC Division of Resolutions and Receiverships' (DRR) use and protection of SSNs during the marketing of failing financial institutions, marketing of assets from failed financial institutions, and bid process.
We concluded that the FDIC's control over the use and protection of SSNs was not fully adequate. Specifically, SSN and other personal information was made readily available over several Web sites used in marketing and selling the remaining assets from failed financial institutions to parties external to the FDIC that were not subject to a pre-approval process or access control. Moreover, FDIC contractors were given access to SSN fields so they could carry out system maintenance responsibilities on several internal FDIC systems, and their access to and use of such data was not adequately controlled and monitored.
Our report contained four recommendations intended to improve DRR's handling of SSNs and other sensitive data. DRR agreed to take action in response to all four recommendations in our report.
The Division of Resolutions and Receiverships' Controls Over Data Input to the Service Costing System
As referenced previously, the FDIC uses the Service Costing System to bill FDIC receiverships for services performed by the Corporation on behalf of the receiverships. In a report issued during the reporting period, we presented the results of our assessment of whether adequate controls existed to ensure the accuracy, timeliness, and completeness of DRR data used by the Service Costing System. We limited our review to the controls related to data submissions from DRR systems to the Service Costing System that are used by the Division of Finance (DOF) to calculate receivership billings.
We concluded that DRR controls to ensure the timeliness of data provided to the Service Costing System were adequate; however, controls to ensure the accuracy and completeness of data used by the Service Costing System could be improved. Specifically,
The FDIC has implemented the Service Costing System as a means to comply with applicable laws and regulations related to appropriately billing expenses to receiverships. However, the FDIC had not achieved full compliance because procedures for ensuring complete data processing and reporting to the Service Costing System were not adequate. In its dual role as insurer and receiver, the Corporation should avoid even the appearance of an inequitable distribution of expenses between the Corporation and receiverships. The data completeness control deficiencies we identified limited the Corporation's ability to avoid such an appearance and ensure compliance with applicable laws and regulations.
We made a total of seven recommendations that were intended to enhance the accuracy, timeliness, and completeness of the data used in the Service Costing System. The Directors of DRR and DOF concurred with the recommendations.
Information technology (IT) continues to play an increasingly greater role in every aspect of the FDIC mission. As corporate employees carry out the FDIC's principal business lines of insuring deposits, examining and supervising financial institutions, and managing receiverships, they rely on information and corresponding technology as an essential resource. Information and analysis on banking, financial services, and the economy form the basis for the development of public policies and promote public understanding and confidence in the nation's financial system. IT is a critical resource that must be safeguarded.
Accomplishing IT goals efficiently and effectively requires sound IT planning and investment control processes. The Corporation's 2003 IT budget is approximately $171.9 million. The Corporation must constantly evaluate technological advances to ensure that its operations continue to be efficient and cost-effective and that it is properly positioned to carry out its mission. While doing so, the Corporation must continue to respond to the impact of laws and regulations on its operations. Management of IT resources and IT security have been the focus of several laws, such as the Paperwork Reduction Act, the Government Information Security Reform Act (GISRA), and most recently, the Federal Information Security Management Act of 2002 (FISMA). Similar to the requirements of GISRA, under FISMA, each agency is required to report on the adequacy and effectiveness of information security policies, procedures, and practices and compliance with information security requirements of FISMA.
The Corporation has worked to implement many sound information system security controls but has not yet fully integrated these into an entity-wide program. Additionally, efforts to identify sensitive data, plan for and fund essential security measures, incorporate security requirements in FDIC contracts, enhance software configuration management, and measure the overall performance of the information security program need continued attention. Frequently, security improvements at the FDIC were the result of a reaction to specific audit and review findings, rather than the result of a comprehensive program that provided continuous and proactive identification, correction, and prevention of security problems. As reiterated in the Inspector General's opening statement to this semiannual report, the Corporation is working to appoint a permanent Chief Information Officer (vacant since September 2001) to strengthen accountability and authority in the FDIC's information security program and to ensure that other key positions in the Division of Information Resources Management are filled permanently.
The FDIC's progress in addressing the security weaknesses identified in our 2001 Security Act evaluation report was offset by the emergence of new information security weaknesses identified during our 2002 evaluation, as well as the FDIC's internal evaluation completed on January 10, 2003. Thus, management and security of IT resources continue to warrant management attention. For its part, the OIG is in the process of reviewing these issues as part of our FISMA-related work for 2003.
Integration of Information Security into the Capital Planning and Investment Control Process
The OIG and Office of Internal Control Management conducted a joint review to evaluate the FDIC's progress in integrating information security into the capital planning and investment control process (CPICP) since the OIG's first GISRA report was issued in September 2001. That report identified CPICP as an area that may warrant reporting as an individual material weakness. Our objective was to evaluate the extent to which the FDIC integrates security into that process.
We determined that the FDIC was continuing efforts to improve its overall IT capital planning process, but more progress was needed. The FDIC had not fully established or implemented the three management controls associated with the CPICP related to security, i.e., an enterprise architecture that specifically addresses security requirements, consideration of information security in capital IT investment decisions, and system life cycle security management. Although the Corporation was progressing, until these key management controls are fully established and implemented, corporate level decision makers cannot be assured that security is appropriately integrated in FDIC systems commensurate with the level of risk associated with those systems. Furthermore, while this report focused on the integration of information security in the FDIC's CPICP, the overall importance of establishing and fully implementing the enterprise architecture cannot be overlooked. An enterprise architecture must be in place before investment decisions can be made in a structured way.
The Acting Chief Information Officer, CFO, and Chief Operating Officer provided a written response to our report indicating their concurrence with all six of the recommendations in the report. They subsequently provided specific actions and milestones for the six recommendations. We are continuing to monitor the Corporation's implementation of the corrective actions in response to this review and will also re-address the issues identified in our upcoming FISMA work.
Phase II Network Operations Vulnerability
PricewaterhouseCoopers Consulting (PwC), an independent professional services firm, was engaged by the OIG to perform a vulnerability assessment of the FDIC's network operations. The FDIC has invested heavily in defending its network perimeter by implementing preventive and detective controls. The implementation of firewalls, zoning of Internet facing servers, and monitoring of scans against these servers by the FDIC contributes to a more secure external perimeter. PwC's testing confirmed that these controls were operating effectively. PwC's external testing did identify one high-risk and one moderate vulnerability, in response to which the Corporation took action. Except for the two noted instances, PwC reported that the FDIC's network perimeter defenses were effective.
PwC identified other areas for improvement and recommended a number of actions to strengthen the FDIC's internal network controls. The Corporation committed to take action to address the concerns raised by PwC.
The Government Performance and Results Act (Results Act) of 1993 was enacted to improve the efficiency, effectiveness, and accountability of federal programs by establishing a system for setting goals, measuring performance, and reporting on accomplishments. The Results Act requires most federal agencies, including the FDIC, to prepare a strategic plan that broadly defines each agency's mission, vision, and strategic goals and objectives; an annual performance plan that translates the vision and goals of the strategic plan into measurable annual goals; and an annual performance report that compares actual results against planned goals.
The Corporation's strategic plan and annual performance plan lay out the agency's mission and vision and articulate goals and objectives for the FDIC's three major program areas of Insurance, Supervision, and Receivership Management. The plans focus on four strategic goals that define desired outcomes identified for each program area: (1) Insured Depositors Are Protected from Loss Without Recourse to Taxpayer Funding, (2) FDIC-Supervised Institutions Are Safe and Sound, (3) Consumers' Rights Are Protected and FDIC-Supervised Institutions Invest in Their Communities, and (4) Recovery to Creditors of Receiverships Is Achieved. Through its annual performance report, the FDIC is accountable for reporting actual performance and achieving these strategic goals.
The Corporation has made significant progress in implementing the Results Act and needs to continue to address the challenges of developing more outcome-oriented performance measures, linking performance goals and budgetary resources, implementing processes to verify and validate reported performance data, and addressing crosscutting issues and programs that affect other federal financial institution regulatory agencies.
OIG Reviews FDIC 2003 Annual Performance Plan and 2002 Annual
During this reporting period, the OIG reviewed and provided advisory comments to management on the FDIC's draft 2003 Annual Performance Plan and 2002 Annual Report. The purpose of our reviews was to provide suggestions for enhancing the Corporation's performance plan and annual report based on our knowledge and work related to the Results Act. In addition, we reviewed the plan and report to determine whether they were in compliance with the Results Act and related Office of Management and Budget guidance. We also provided an OIG "Comfort Letter" on the Management Controls Section of the Corporation's Annual Report.
As discussed in the Adequacy of Corporate Governance in Insured Depository Institutions write-up of this section, we reviewed the Corporation's draft consolidated report and suggested that the report include a discussion of the risks associated with bank corporate governance (including the quality of bank financial reporting and auditing) and the challenges of Sarbanes-Oxley Act implementation. In consideration of our suggestion, the Corporation included a brief discussion of corporate governance (see page 11).
During 2002, the Corporation established a desk officers program to enhance its management and monitoring of the Internal Control and Risk Management Program. As part of the desk officers program, individual analysts are designated as points of contact for both advising certain divisions or offices on program-related issues and for monitoring program compliance. Each division and office now consults one analyst having detailed knowledge of its operations and its implementation of the Internal Control and Risk Management Program.
As noted in our advisory comments on the Annual Report and our Comfort Letter, the appendix of the FDIC Consolidated 2002 Annual Report includes a brief description of the OIG's views of the most significant management and performance challenges facing the FDIC. Including OIG views is a positive step in full accountability and is consistent with the Reports Consolidation Act of 2000. The annual report notes that management is committed to addressing these issues identified by the OIG.
The OIG will continue to help ensure that the FDIC's Results Act-related efforts fully conform to the spirit and intent of the Act. We plan to continue to work with the Corporation to improve the FDIC's performance measurement and reporting. In this process, we will give particular attention to various methodologies for assessing performance, including the implications and relevance of the President's Management Agenda and the Office of Management and Budget's Program Assessment Rating Tool. The OIG will also continue to monitor and review legislation proposed in the Congress to amend the Results Act and will actively participate to refine appropriate OIG Results Act roles, responsibilities, and activities through the President's Council on Integrity and Efficiency and the interagency groups it sponsors.
On September 30, 2002, the FDIC executed a multiyear contract to replace its core financial systems and applications with a commercial-off-the-shelf software package. The FDIC Board had previously approved contract expenditure authority for the New Financial Environment (NFE) project totaling approximately $28.8 million. At the time the Board case was approved, the FDIC estimated the total life cycle cost of NFE, including FDIC staff time, to be approximately $62.5 million over 8 years. NFE is a major corporate initiative to enhance the FDIC's ability to meet current and future financial management and information needs.
Although NFE offers the FDIC significant benefits, it also presents significant challenges. These challenges will test the Corporation's ability to (1) maintain unqualified opinions on the FDIC's annual financial statements through the system implementation and associated business process reengineering; (2) manage contractor resources, schedules, and costs; and (3) coordinate with planned and ongoing system development projects related to NFE.
Overall, the FDIC needs to ensure that the NFE Project team successfully implements modern and reliable systems to improve financial business processes and support current and future financial management and information needs, while controlling costs for the new environment to the maximum extent possible.
Audits of the New Financial Environment Project
Two reviews that we completed during the reporting period related to the NFE project. The first applied agreed-upon procedures to review and comment on certain procedures and documentation related to the solicitation for a commercial off-the-shelf software solution and associated system development life cycle services (i.e., a "new financial environment") to replace the Corporation's current financial management system. We provided our results to the Division of Administration for its use.
We also completed an audit of the FDIC's NFE project control framework. This audit was the first in a series of reviews that we intend to conduct at critical milestones or decision points during the development and implementation of the NFE. We concluded that the FDIC had established key controls for ensuring the delivery of a quality system that meets corporate requirements and user needs in a timely and cost-effective manner. However, we identified opportunities for the FDIC to better integrate key NFE project controls, strengthen project communications, and improve risk response planning on the project.
We recommended that the DOF and the NFE project team: develop and approve a charter for the NFE Steering Committee that defines its responsibilities, membership, and operating guidelines; document an integrated control framework that explains, at a minimum, the roles, relationships, and reporting structures among key project players on the NFE project; promptly complete and approve a formal communications management plan; consult with the NFE risk manager and the contractor involved to establish clear measures for determining when project risks classified as significant occur or are about to occur; and develop contingency plans, as appropriate, for risk factors categorized as significant before they become a reality. The Director, DOF agreed to take action in response to all recommendations.
The FDIC has been in a downsizing mode for the past 10 years as the workload from the banking and thrift crises of the late 1980s and 1990s has been accomplished. Over the past months, a number of division mergers and reorganizations took place and the Corporation concluded its 2002 buyout/retirement incentive programs. These most recent incentive programs achieved a reduction of 699 staff and $80 million projected savings in future operating costs. Additional downsizing efforts are ongoing. In total, over the past 10+ years, the workforce (combined from the FDIC and the Resolution Trust Corporation) has fallen from approximately 23,000 in 1992 to approximately 5,400 as of March 31, 2003.
By July 2003, the Corporation hopes to substantially complete required downsizing, identify an appropriate skills mix, and correct any existing skills imbalances. To do so, the Corporation continues to carry out other features of its comprehensive program such as solicitations of interest, reassignments, retraining, outplacement assistance, and possible reductions-in-force. The Corporation has also predicted that almost 20 percent of FDIC employees will be eligible to retire within the next several years. As the Corporation adjusts to a smaller workforce, it must continue to ensure the readiness of its staff to carry out the corporate mission.
The Corporation must also work to fill key vacancies in a timely manner, engage in careful succession planning, and continue to conserve and replenish the institutional knowledge and expertise that has guided the organization over the past years. A need for additional outsourcing may arise and hiring and retaining new talent will be important. Hiring and retention policies that are fair and inclusive must remain a significant component of the corporate diversity plan. Designing, implementing, and maintaining effective human capital strategies are critical priorities and must be the focus of centralized, sustained corporate attention.
A significant element of this performance and management challenge relates to organizational leadership at the FDIC Board of Directors level, specifically with respect to the current make-up of the Board. The Board is a body whose strong leadership is vital to the success of the agency and to the banking and financial services industry. The Board is comprised of five directors, including the FDIC Chairman, two other FDIC directors, the Comptroller of the Currency, and the Director of the Office of Thrift Supervision. In order to ensure that the balance between various interests implicit in the Board's structure is preserved, the Board should operate at full strength. However, the Board has been operating with an FDIC Director vacancy since September 1998. Accordingly, we have urged that vacancies on the Board be filled as promptly as practicable in order to afford the FDIC the balanced governance and sustained leadership essential to the agency's continued success. Again in the Inspector General's opening statement to this semiannual report, concern over the Board vacancy is expressed.
As steward for the Bank Insurance Fund and Savings Association Insurance Fund, the FDIC seeks ways to limit the use of those funds. As such, the Corporation must continue to identify and implement measures to contain and reduce costs, either through more careful spending or assessing and making changes in business processes to increase efficiency. Many of the efforts described above as part of other management and performance challenges (e.g., New Financial Environment, service costing, corporate downsizing) attest to the Corporation's ongoing efforts to do so.
A key challenge to containing costs relates to the contracting area. To assist the Corporation in accomplishing its mission, contractors provide services in such areas as information technology, legal matters, loan servicing, and asset management. To achieve success in this area, the FDIC must ensure that its acquisition framework (that is, its policies, procedures, and internal controls) is marked by sound planning; consistent use of competition; fairness; well-structured contracts designed to produce cost-effective, quality performance from contractors; and vigilant contract management and oversight.
The Corporation has taken a number of steps to strengthen internal control and effective oversight. However, our work in this area continues to show that further improvements are necessary to reduce risks such as the consideration of contractor security in acquisition planning, incorporation of information security requirements in FDIC contracts, and oversight of contractor security practices. Other risks include corporate receipt of billings for such items as unauthorized subcontractors, unallowable subcontractor markups, incorrect timesheets, unreasonable project management hours billed, conflicts of interest, and unauthorized labor categories. The combination of increased reliance on contractor support and continuing reductions in the FDIC workforce presents a considerable risk to the effectiveness of contractor oversight activities. Additionally, large-scale procurements, such as Virginia Square II (a $111 million construction project to house FDIC staff for the most part now working in leased space in the District of Columbia) and the New Financial Environment, necessitate continued emphasis on contractor oversight activities.
OIG Responds to Congressional Inquiry from Senator Mikulski
During the reporting period the OIG responded to a letter from Senator Barbara A. Mikulski dated July 26, 2002. In that letter, Senator Mikulski requested that the OIG review allegations made by FDIC employees that the FDIC had presented incorrect information to the Congress regarding its plans to outsource mainframe production control and computer operations (Data Center) positions. In response, we undertook a review to determine whether the information that the FDIC provided to the Congress was adequately supported. To perform our analysis, we grouped the statements that the FDIC had made to the Congress into four areas: (1) the FDIC's downsizing and 2002 buyout program, (2) the cost benefit analysis performed to determine the cost effectiveness of outsourcing, (3) the independent arbitrator's decision, and (4) the contractor selection. We then examined the FDIC's support for each of these areas. We communicated our results in a letter to Senator Mikulski, concluding that the information that the FDIC had provided to the Congress was adequately supported.
The Corporation's Procurement Credit Card Program
We conducted a review of the FDIC's procurement credit card program during the reporting period, largely in response to congressional interest on the part of Senator Charles Grassley. We found that the FDIC's internal control over its procurement credit card program was not fully effective. In line with the U.S. General Accounting Office's (GAO) standards for internal control, the FDIC took action to foster an environment for proper use of procurement cards by establishing and communicating formal policies, procedures, and approval processes to reduce the risk of improper use of the card. However, we determined that FDIC employees were not always fully complying with established policies, procedures, and control activities, and in some cases the policies and procedures needed reinforcement, modification, or clarification. It is important to note that individual deficiencies were not material; however, collectively, they represented systemic weaknesses that increased the risk of misuse.
In some cases, procurement credit cards and numbers were not properly safeguarded, employees were able to circumvent purchase limits, some purchases lacked supporting documentation, and employees at times incurred sales taxes although the FDIC Acquisition Policy Manual specifically instructs cardholders to attempt to avoid paying these charges. We found that, in the absence of clear policies and procedures, at times extravagant meals were purchased with procurement credit cards, as well as other purchases that may not qualify as "official business." Finally, FDIC policies did not restrict alcoholic beverage purchases with the cards.
With respect to monitoring and overseeing the effectiveness of the procurement card program, the FDIC did not have effective procedures for canceling the cards for employees departing the FDIC, and in several cases, former employees continued to have credit card privileges even after their departure from the Corporation. In addition, the FDIC did not perform routine analyses to determine whether cardholders were using the procurement credit card and had a business need for the card. Some employees in our sample were issued cards but rarely used them, increasing the risk of misuse or undetected loss of the procurement credit card. Procurement cardholders in some cases had spending limits that exceeded their normal purchase activity, and limits were not reviewed to ensure they reflected the extent of spending that users were likely to incur. As a result, the FDIC procurement credit card program was more vulnerable to fraud and misuse.
Finally, the Corporation had not conducted a formal risk analysis, another suggested component of GAO's standards for internal control, to identify specific types of vulnerabilities and steps to address them.
Our report contained eight recommendations intended to improve the Division of Administration's controls over the procurement credit card program. Actions are currently ongoing or planned to address all of our concerns.
Review of FFIEC Call Report Modernization Cost Benefit
At the request of several Corporation senior managers, the OIG completed a review of the cost benefit analysis (CBA) and assumptions supporting the draft request to the FDIC's Board of Directors for funding the Federal Financial Institutions Examination Council (FFIEC) Call Report Processing Central Data Repository, dated January 23, 2003. The Task Force on Reports and Call Modernization Steering Committee requested approval of $44 million for a 10-year, multi-phased contract to be awarded on behalf of the FDIC, Federal Reserve Board, and Office of the Comptroller of the Currency to build and operate a shared facility for managing data collected under the federal bank regulatory requirements.
The Institution Data Management project team prepared the CBA on behalf of the Call Modernization Steering Committee of the FFIEC Task Force on Reports. The CBA compared two alternatives on the basis of cost, benefit, risk, and sensitivity.
We concluded that the methodology used in comparing the alternatives was generally consistent with FDIC and Office of Management and Budget guidance for the preparation of a CBA. The Institution Data Management project team obtained and analyzed cost data from several divisions, analyzed the benefits and risks associated with the alternatives, and projected the impact that the cost benefit assumptions could have on the recommended alternative in the sensitivity analysis. However, some of the assumptions and the rationale used to arrive at the amounts included in the cost analysis were not consistently supported or clearly explained. The sensitivity analysis included in the CBA compensated for the risks associated with this weakness.
We suggested that the FDIC consider ensuring that assumptions made in preparing a CBA are fully documented to facilitate the post implementation review of benefits and costs, and requiring each division impacted by alternatives in a CBA review to concur or nonconcur with its contents to establish accountability. Any non-concurrence from an impacted party should also be discussed in the CBA. The CFO and Chief Operating Officer agreed to take action in response to these suggestions.
OIG Issues Report on FDIC Travel, Relocation, and State Income Tax Withholding Policies and Procedures
We completed an audit of selected FDIC travel, relocation, and state income tax withholding policies and procedures and issued our final report during the reporting period. We conducted the review in response to allegations made by a former FDIC employee. The objective of this audit was to determine whether the FDIC had adequately designed and implemented policies and procedures in specific travel, relocation, and state withholding tax areas where allegations had been made.
We concluded that the FDIC had designed or implemented policies and procedures for most of the operational areas addressed in the allegations. However, additional actions were necessary to enhance certain policies and procedures and remedy prior errors in the following areas: (1) employee spouses' travel, (2) employee personal weekend return trips home while on extended official travel, (3) determination of employee residency for state withholding tax purposes, and (4) certain transactions subject to Title 5 salary cap limitations.
We made seven recommendations to address the issues we identified. The Director of DOF and the Division of Administration (DOA) provided a joint written response to the draft report. DOF and DOA concurred with our findings, and corrective actions have been taken or are planned in response.
The OIG's Post- and Preaward Contract Reviews
With respect to procurement integrity-related reports, we issued four post-award contract audits and two preaward reviews during the reporting period. The objectives of the post-award audits are to determine whether amounts charged to FDIC contracts are allowable, allocable, and reasonable. Preaward reviews focus on the bids received from potential contractors. We can also review the contract award process and contractor controls, as needed.
We reported a total of $1.22 million in monetary benefits as a result of the post-award audits. Management agreed with $20,500 of that amount, disagreed with $106,896, and management decisions were pending for the remainder of the total amount identified as monetary benefits.
As for the preaward reviews, one related to the New Financial Environment referenced previously, and the other to the Virginia Square Phase II Project general contractor.
Agreed Upon Procedures for the Government-wide Financial Statements
We completed agreed-upon procedures to assist the Department of the Treasury and the GAO in evaluating the FDIC's assertion that the Corporation reconciled intragovernmental activity and balances as of and for the fiscal year ended September 30, 2002 with its trading partners (i.e., other federal government entities with whom the FDIC conducts business activities, such as the U.S. Treasury). We also applied the agreed-upon procedures to evaluate the FDIC's assertion that it compared amounts in the government-wide standard general ledger to the general ledger balances in its financial management system. We found no material differences between amounts in the Corporation's financial records and those contained in either the trading partners' balances or the government-wide standard general ledger.
OIG Efforts Support GAO Financial Statement Audit Work
OIG staff assisted the U.S. General Accounting Office (GAO) by conducting work on two specific audit areas related to the FDIC's financial statement audit: the Receivables from Bank/Thrift Resolutions and Receivership Receipts. To meet accelerated reporting deadlines established by the Corporation, the OIG committed additional resources to determine whether the FDIC had implemented effective internal controls over (1) financial reporting of receivables from failed insured depository institutions and (2) recoveries from the liquidation of failed insured depository institution assets. We provided our results to the GAO for its consideration in evaluating the Corporation's internal control over financial reporting and compliance with applicable laws and regulations.
Additionally, the OIG provided information technology support to the GAO as it conducted the overall financial statement audit. Throughout the year, we provided statistical expertise and conducted cyclic sample selections from corporate payroll, accounts payable, accounts receivable, and allocation activities. We also conducted data integrity evaluations, program code analysis, and file security reviews of corporate systems.
Finally, we assisted the GAO in its wrap-up of the audit fieldwork by conducting automated year-end reconciliations of payroll, accounts payable, and travel. We also automated the account grouping process to facilitate consolidation and verification of the financial accounts into the insurance funds' balance and income statements.
Recovery of Abandoned Assets and Unclaimed Deposits
The FDIC recently honored the Division of Resolutions and Receiverships' Bank Account Control Unit (BACU) with the Chairman's Excellence Award for its efforts related to the recovery of abandoned assets and unclaimed deposits. The OIG joins the FDIC in its recognition and believes BACU's successful recovery of abandoned assets and implementation of steps to reconcile and recover unclaimed deposits are directly related to prior OIG reports. In August 1999, the OIG issued a report to the FDIC entitled Audit of Abandoned Assets Held by States' Unclaimed Property Agencies (Audit Report No. A99-038) in which the OIG reported on unclaimed property agencies that were holding millions of dollars in assets belonging to the FDIC and its receiverships. The OIG recommended that the FDIC take appropriate actions to remove assets held by states' unclaimed property agencies from its finders fee program that the Division of Resolutions and Receiverships operated and make the Division of Finance responsible for recovering those assets. In addition, the OIG shared its methodologies for identifying unclaimed assets in the state unclaimed property databases with FDIC representatives. As a result, as of May 2001, BACU had recovered about $5.3 million and avoided paying finders fees to private individuals and firms for those assets. Further, in recovering those assets, the BACU had established contacts at state unclaimed property agencies that later helped facilitate monitoring FDIC and state-reported unclaimed deposits.
As a followup to our audit on abandoned assets, the OIG issued a report entitled The FDIC's Identification of and Accounting for Unclaimed Deposits Transferred to State Unclaimed Property Agencies (Audit Report No. 01-024). The unclaimed deposits amendments (UDA) to the Federal Deposit Insurance Act contain procedures for owners of unclaimed deposits to file deposit claims against failed financial institutions. UDA provides requirements that affect the manner and time period within which owners of unclaimed deposits may obtain funds from the FDIC, institutions that acquired failed financial institutions, and state unclaimed property agencies. We reported on differences between FDIC and state unclaimed property agencies' totals for accounts related to the UDA, the need to reconcile those differences and monitor those accounts before the 10-year periods during which states should try to locate owners of those deposits began to expire, and the need for an automated system to account for unclaimed deposits transferred to state unclaimed property agencies.
Since issuance of our report, BACU has taken the lead in converting thousands of accounts related to the UDA from seven different data bases to a new system of record, the Dividend Processing System, and implemented outreach processes with other entities, such as the National Association of State Treasurers and Unclaimed Property Administrators to help enhance a smooth recovery of funds escheated and potentially due back to the FDIC. BACU's preliminary estimates of potential recoveries of unclaimed deposits are between $10 million and $20 million from accounts escheated under the UDA process.
In summary, formed in 1996, BACU started the recovery of abandoned funds in November 1999 and, since that time, has recovered a total of about $9.5 million, as of December 31, 2002. During 2002, over 4,000 claims were filed with holding entities and 3,500 recoveries were realized, resulting in $3.5 million in recoveries in 2002 alone. Those claims were based on extensive research using innovative techniques and various sources.
BACU's efforts are deserving of recognition, and the OIG endorses continued attention to recovering unclaimed assets and deposits for the FDIC.
Last Updated 6/20/2003