Annual Report of the Council of Inspectors General on Financial Oversight - July 2019

Report Information: Report sub-type: CIGFO; Report Number: No Report Number

Text Alternative

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

[Cover page]

Council of Inspectors General on Financial Oversight

Annual Report of the Council of Inspectors General on Financial Oversight - July 2019

(CIGFO member agency seals)

[End of Cover page]

Message from the Chair

In keeping with its mission, the Council of Inspectors General on Financial Oversight (CIGFO), which is authorized to oversee the Financial Stability Oversight Council (FSOC) operations, continued its work in 2018 and 2019. In its oversight role, it has, since 2011, established working groups that are comprised of staff from the CIGFO member Inspector General offices to conduct reviews of FSOC operations—CIGFO relies on these working groups to fulfill its mission. CIGFO issued an audit report by a Working Group convened in December 2017 that assessed FSOC’s monitoring of international financial regulatory proposals and developments. CIGFO also convened the following Working Groups:

• June 2018 – initiated a project to report on management and performance challenges identified in 2017 across CIGFO agencies. That report, Top Management and Performance Challenges Facing Financial Regulatory Organizations, was issued in September 2018.

• December 2018 – initiated a project to survey FSOC Federal members’ efforts to support implementation of the Cybersecurity Information Sharing Act. This project is expected to be completed in 2019.

• March 2019 – initiated a project to report on management and performance challenges identified in 2018 across CIGFO agencies. This project is expected to be completed in 2019.

In addition to CIGFO’s oversight activities, it has performed monitoring activities that included sharing financial regulatory information, which enhanced the Inspectors General’s knowledge and insight about specific issues related to members’ current and future work. For example, during its quarterly meetings, CIGFO members discussed efforts to increase cybersecurity and the resiliency of the financial sector; swaps regulations, including related reforms under the Dodd-Frank Wall Street Reform and Consumer Protection Act; and other legislative activities that could impact the financial regulatory system.

In the coming year, CIGFO members will continue, through their individual and joint work, to help strengthen the financial system by oversight of FSOC and its Federal member agencies.

/s/

Rich Delmar
Acting Chair, Council of Inspectors General on Financial Oversight
Acting Inspector General, Department of the Treasury

[End of Message from the Chair]



Table of Contents

The Council of Inspectors General on Financial Oversight
Council of Inspectors General on Financial Oversight Reports
Office of Inspector General, Board of Governors of the Federal Reserve System and Bureau of Consumer Financial Protection
Office of Inspector General, Commodity Futures Trading Commission
Office of Inspector General, Federal Deposit Insurance Corporation
Office of Inspector General, Federal Housing Finance Agency
Office of Inspector General, U.S. Department of Housing and Urban Development
Office of Inspector General, National Credit Union Administration
Office of Inspector General, U.S. Securities and Exchange Commission
Special Inspector General for the Troubled Asset Relief Program
Office of Inspector General, Department of the Treasury
Appendix A: Top Management and Performance Challenges Facing Financial Regulatory Organizations
Appendix B: CIGFO Audit of the Financial Stability Oversight Council’s Monitoring of International Financial Regulatory Proposals and Developments

[End of Table of Contents]

[Seal - Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau]

Office of Inspector General
Board of Governors of the Federal Reserve System and Bureau of Consumer Financial Protection

The Office of Inspector General (OIG) provides independent oversight by conducting audits, inspections, evaluations, investigations, and other reviews of the programs and operations of the Board of Governors of the Federal Reserve System (Board) and the Bureau of Consumer Financial Protection (Bureau) and demonstrates leadership by making recommendations to improve economy, efficiency, and effectiveness, and by preventing and detecting fraud, waste, and abuse.

Background

Congress established the OIG as an independent oversight authority for the Board, the government agency component of the broader Federal Reserve System, and the Bureau. Under the authority of the Inspector General Act of 1978, as amended (IG Act), the OIG conducts independent and objective audits, inspections, evaluations, investigations, and other reviews related to the programs and operations of the Board and the Bureau.

• We make recommendations to improve economy, efficiency, and effectiveness, and we prevent and detect fraud, waste, and abuse.

• We share our findings and make corrective action recommendations to the Board and the Bureau, but we do not have the authority to manage agency programs or implement changes.

• We keep the Board’s Chair, the Bureau’s Director, and Congress fully informed of our findings and corrective action recommendations, as well as the agencies’ progress in implementing corrective action.

In addition to the duties set forth in the IG Act, Congress has mandated additional responsibilities for the OIG. Section 38(k) of the Federal Deposit Insurance Act (FDI Act) requires that the OIG review failed financial institutions supervised by the Board that result in a material loss to the Deposit Insurance Fund (DIF) and produce a report within 6 months. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) amended section 38(k) of the FDI Act by raising the materiality threshold and requiring the OIG to report on the results of any nonmaterial losses to the DIF that exhibit unusual circumstances warranting an in-depth review.

Section 211(f) of the Dodd-Frank Act also requires the OIG to review the Board’s supervision of any covered financial company that is placed into receivership under title II of the act and produce a report that evaluates the effectiveness of the Board’s supervision, identifies any acts or omissions by the Board that contributed to or could have prevented the company’s receivership status, and recommends appropriate administrative or legislative action.

The Federal Information Security Modernization Act of 2014 (FISMA) established a legislative mandate for ensuring the effectiveness of information security controls over resources that support federal operations and assets. In a manner consistent with FISMA requirements, we perform annual independent reviews of the Board’s and the Bureau’s information security programs and practices, including the effectiveness of security controls and techniques for selected information systems.

OIG Reports and Other Products Related to the Broader Financial Sector

In accordance with section 989E(a)(2)(B) of the Dodd-Frank Act, the following highlights the completed and ongoing work of our office, with a focus on issues that may apply to the broader financial sector.

Completed Work

Major Management Challenges for the Board and the Bureau

Although not required by statute, we annually report on the major management challenges facing the Board and the Bureau. These challenges identify the areas that, if not addressed, are most likely to hamper the Board’s and the Bureau’s accomplishment of their strategic objectives. Among other items, we identified five major management challenges for the Board that apply to the financial sector in 2018:

• Enhancing Organizational Governance
• Enhancing Oversight of Cybersecurity at Supervised Financial Institutions
• Ensuring an Effective Information Security Program
• Advancing Efforts to Improve Human Capital Management
• Remaining Adaptable to Internal and External Developments While Refining the Regulatory and Supervisory Framework

Among other items, we identified three major management challenges for the Bureau that apply to the financial sector in 2018:

• Ensuring That an Effective Information Security Program Is in Place
• Managing the Human Capital Program
• Strengthening Controls and Managing Risks

In Accordance With Applicable Guidance, Reserve Banks Rely on the Primary Federal Regulator of the Insured Depository Institution in the Consolidated Supervision of Regional Banking Organizations, but Document Sharing Can Be Improved, OIG Report 2018-SR-B-010, June 20, 2018

The Board is the consolidated supervisor of bank holding companies (BHCs)—entities that own or control one or more banks. The Board delegates authority to each Reserve Bank to supervise the BHCs in the Reserve Bank’s District. By law, the Reserve Banks must rely to the fullest extent possible on the work of the primary federal regulator (PFR) of the BHCs’ subsidiary depository institutions. We conducted this evaluation to assess the effectiveness of the consolidated supervision of regional banking organizations (RBOs). We reviewed how Reserve Banks rely on other federal regulators to conduct consolidated supervision of RBOs—each with $10–$50 billion in assets.

In accordance with applicable guidance related to consolidated supervision, the Reserve Banks relied on the respective PFR of RBOs’ insured depository institutions to supervise the RBOs we sampled. We also noted that the Reserve Banks appear to have increased their reliance on the PFRs.

We identified an opportunity for the Board to establish general guidelines for reliance on PFR documents and to ensure that all examiners have access to those documents. In addition, we found that the Board and the Reserve Banks could improve document-sharing processes. Finally, several RBO executives noted the potentially avoidable regulatory burden created because RBO employees sometimes upload the same documentation to multiple systems in response to Reserve Bank and PFR documentation requests.

Our report contains recommendations designed to improve document sharing among the Board, the Reserve Banks, and the PFRs. The Board concurred with our recommendations.

The Board’s Currency Shipment Process Is Generally Effective but Can Be Enhanced to Gain Efficiencies and to Improve Contract Administration, OIG Report 2018-FMIC-B-021, December 3, 2018

The Board’s Banknote Issuance and Cash Operations section is responsible for the currency shipment process. This process includes monitoring and forecasting the demand for currency and planning and executing the issuance of currency to Reserve Bank cash offices. We assessed the efficiency and effectiveness of the Board’s management of the currency shipment process and the effectiveness of related contracting activities.

The Board’s currency shipment process is generally effective; however, the process can be enhanced to gain time and cost efficiencies. Streamlining the currency forecasting process could save time and minimize the potential for human error. Selecting different transportation modes for certain currency shipment routes and evaluating alternatives to transporting shipping equipment could yield transportation cost savings.

Additionally, the Board can improve the administration of its armored carrier contracts to help ensure that the Board is adequately protected against loss or damage during shipments, that armored carriers are adequately protecting Board data, and that the Board is receiving the expected level of service.

Our report contains recommendations designed to help the Board seek additional efficiencies in the currency shipment process and to improve the administration of armored carrier contracts. The Board concurred with our recommendations.

Knowledge Management for the Board’s Comprehensive Liquidity Analysis and Review Is Generally Effective and Can Be Further Enhanced, OIG Report 2018-SR-B-013, September 5, 2018

Through the Comprehensive Liquidity Analysis and Review (CLAR) program, the Federal Reserve System conducts a horizontal supervisory assessment of liquidity risk and risk management practices across Large Institution Supervision Coordinating Committee (LISCC) firms—the largest, most complex financial firms under Board supervision. We assessed the System’s knowledge management processes, practices, and systems in support of the CLAR program.

The CLAR program’s knowledge management practices generally align with many of the leading practices described in the academic studies and Harvard Business Review articles we reviewed related to preserving and transferring institutional knowledge. For example, CLAR leadership has fostered a culture that prioritizes knowledge management; CLAR teams practice regular, team-based collaboration; and the CLAR program uses an information-sharing application to capture, store, and share institutional knowledge. As a result, the CLAR program appears to preserve and maintain institutional knowledge related to supervisory findings and fosters effective collaboration.

Although the CLAR program has generally effective knowledge management practices, the practices can be further strengthened by (1) increasing CLAR program employees’ awareness of management’s office hours, during which they can discuss the rationale for decisions made during the CLAR letter-writing process; (2) formalizing employee onboarding procedures; and (3) standardizing the CLAR Steering Committee’s approach to meeting minutes.

Our report contains recommendations designed to further enhance the CLAR program’s knowledge management practices. The Board concurred with our recommendations.

Review of the Failure of Fayette County Bank, OIG Report 2018-SR-B-016, September 26, 2018

In accordance with the requirements of section 38(k) of the Federal Deposit Insurance Act, as amended by the Dodd-Frank Act, we conducted an in-depth review of the failure of Fayette County Bank (FCB) because the failure presented unusual circumstances that warranted an in-depth review.

FCB failed primarily because of an aggressive growth strategy coupled with ineffective oversight by its board of directors, leading to declining asset quality and rapid capital depletion. In addition, the bank’s board of directors was unable to hire and retain effective management following a long-tenured Chief Executive Officer’s retirement in December 2012.

The Federal Reserve Bank of St. Louis generally took decisive supervisory action to address FCB’s weaknesses and deficiencies during the time frame we reviewed, 2011 through 2017, by appropriately downgrading the bank’s CAMELS composite rating consistent with its risk profile and promptly issuing an emergency supervisory directive. The Federal Reserve Bank of St. Louis’s supervisory activity included formal enforcement actions and a recommendation to implement an enforcement action against an FCB bank official.

Our review resulted in a finding related to enhanced communication between the Board’s Legal Division and the Federal Reserve Bank of St. Louis. Because our office has recently issued a recommendation to address that communication issue, our report contains no new recommendations.

The Bureau Can Improve Its Follow-Up Process for Matters Requiring Attention at Supervised Institutions, OIG Report 2019-SR-C-001, January 28, 2019

During the examination process, Division of Supervision, Enforcement and Fair Lending (SEFL) employees may identify corrective actions that a supervised institution needs to implement to address certain violations, deficiencies, or weaknesses. These corrective actions include matters requiring attention (MRAs). We assessed SEFL’s effectiveness in monitoring MRAs and ensuring that supervised institutions address them in a timely manner.

SEFL can improve its follow-up process for MRAs. For example, we found that the Bureau’s approach for measuring how timely it resolves MRAs is prone to misinterpretation and therefore appeared to overstate the agency’s progress toward closing these actions. We also determined that some of the underlying data used to calculate the measurement were not reliable. Additionally, we observed inconsistent MRA follow-up documentation and workpaper retention practices in certain areas.

Our report contains recommendations designed to further enhance the MRA follow-up process. The Bureau concurred with our recommendations.

Security Control Review of the Bureau’s Mosaic System, OIG Report 2018-IT-C-012R, June 27, 2018

Mosaic, a public-facing web application running on a cloud-based platform-as-a-service, is used by the Bureau to manage consumer complaints related to financial products and services. It also provides the Bureau with enhanced services and tools related to workforce and resource management; entity boarding; and the creation and management of investigative records, company ratings, and surveys. In accordance with FISMA requirements, we evaluated the effectiveness of specific (1) security controls for the Mosaic system and (2) components of the planning, development, and delivery processes used for the system as they relate to the Bureau’s risk management program.

Overall, we found that the security controls we tested for the Mosaic system were operating effectively. Further, specific components of the planning, development, and delivery processes used for the system, as they relate to the Bureau’s risk management program, were performed effectively. For instance, we found that controls related to continuous monitoring, vulnerability scanning and remediation, and system and information integrity were operating effectively. Further, the Bureau developed a business case, which included an analysis of the benefits and risks, prior to implementing Mosaic. However, we found that the Bureau can strengthen controls in the area of identity and access management to ensure that the security control environment for Mosaic remains effective.

We made a recommendation in the area of identity and access management controls for Mosaic. The Bureau concurred with our recommendation. In addition, our report includes matters for management’s consideration in the areas of audit and accountability, contingency planning, and configuration management.

The Bureau Can Improve Its Risk Assessment Framework for Prioritizing and Scheduling Examination Activities, OIG Report 2019-SR-C-005, March 25, 2019

The scope of the Bureau’s financial institution oversight authorities covers depository institutions with more than $10 billion in total assets and thousands of nondepository institutions. The Bureau seeks to prioritize its examination activities based on an annual assessment of the risks that the products offered by these financial institutions present to consumers. We assessed the effectiveness of SEFL’s risk assessment framework, including the identification, analysis, and prioritization of specific institution product lines for examination, and we reviewed each region’s implementation of the results of the prioritization process through examination scheduling.

We identified opportunities for the Bureau to improve its risk assessment framework for prioritizing and scheduling examinations. Specifically, SEFL’s approach for assigning a key risk score to individual institution product lines is not transparent for some Bureau employees involved in the scoring process; these employees would benefit from additional training and guidance on that process. We also found that SEFL can improve its preliminary research on supervised institutions. Finally, we found that SEFL can improve the internal reporting of changes to the examination schedule.

Our report contains recommendations designed to improve the Bureau’s risk assessment framework for prioritizing and scheduling examination activities. The Bureau concurred with our recommendations.

Ongoing Work

Evaluation of the Effectiveness of the Board’s Cybersecurity Supervision (Phase 2)

We identified cybersecurity oversight at supervised financial institutions as a major management challenge for the Board on an annual basis from 2015 to 2018. In 2017, we issued a report focused on cybersecurity supervision of multiregional data processing servicers and financial market utilities, among other topics. We have initiated the second phase of our cybersecurity oversight activities focused on assessing the Board’s cybersecurity supervision of the nation’s largest and most systemically important financial institutions—those institutions in the Board’s Large Institution Supervision Coordinating Committee portfolio.

Audit of the Federal Reserve System’s Supervision and Oversight of Designated Financial Market Utilities

Title VIII of the Dodd-Frank Act grants the Board the authority to supervise certain financial market utilities designated as systemically important by the Financial Stability Oversight Council. Title VIII also grants the Board the authority to consult with federal agencies that supervise other designated financial market utilities. This project will assess the Federal Reserve System’s (1) process for supervising and overseeing designated financial market utilities and (2) processes for reviewing notices of material change from these institutions. We also plan to review the System’s collaboration with other federal agencies in these areas.

Evaluation of the Efficiency and Effectiveness of the Board’s and the Reserve Banks’ Enforcement Action Issuance and Termination Processes

The Board may take formal enforcement actions against supervised financial institutions for violations of laws, rules, or regulations; unsafe or unsound practices; breaches of fiduciary duty; and violations of final orders. The Board also may use a variety of informal enforcement tools to address deficiencies that are relatively small in number, are not material to the safety and soundness of the institution, and can be corrected by the institution’s current management. We are assessing the efficiency and effectiveness of the Board’s and the Federal Reserve Banks’ processes and practices for issuing and terminating enforcement actions.

Evaluation of the Board’s and the Reserve Banks’ Enforcement Action Monitoring Practices

An enforcement action generally requires a supervised financial institution to develop and implement acceptable plans, policies, and programs to remedy the deficiencies that resulted in the action. Under delegated authority from the Board, the Federal Reserve Banks conduct supervision activities, including monitoring institutions’ efforts to address the terms of enforcement actions. We are assessing the effectiveness of the Board’s and the Reserve Banks’ practices for monitoring open enforcement actions against supervised financial institutions.

Evaluation of Postemployment Restrictions for Senior Examiners

The Intelligence Reform and Terrorism Prevention Act of 2004 prohibits specific employees who meet the definition of a senior examiner from knowingly accepting compensation as an employee, officer, director, or consultant from a depository institution, a depository institution holding company, or certain related entities that the employee may have supervised as a Reserve Bank employee. In November 2016, the Board issued new guidance on these postemployment restrictions that expanded the definition of a senior examiner. We are assessing the implementation of these updates across the Federal Reserve System and the effectiveness of controls that seek to ensure compliance with postemployment restrictions.

Evaluation of the Bureau’s Periodic Monitoring of Supervised Institutions

The Bureau has the authority to supervise depository institutions with more than $10 billion in total assets and nondepository institutions in certain markets, including credit reporting agencies. To supplement its onsite examinations of those institutions, the Bureau conducts periodic offsite monitoring of all the depository institutions within its supervisory jurisdiction and certain nondepository institutions, including credit reporting agencies. We plan to evaluate the Division of Supervision, Enforcement and Fair Lending’s policies and procedures for conducting periodic monitoring. This evaluation will assess the implementation of these practices across the Bureau’s regional offices and benchmark the Bureau’s approach to offsite monitoring activities against the monitoring activities of other financial regulators.

Evaluation of the Bureau’s Processes for Leveraging the Federal Risk and Authorization Management Program

The Federal Information Security Modernization Act of 2014 requires that we test the effectiveness of the Bureau’s policies, procedures, and practices for select information systems. In support of these requirements, we are conducting an evaluation of the Bureau’s risk management activities with respect to its various cloud computing platforms and providers, including the agency’s reliance on the Federal Risk and Authorization Management Program.

Our evaluation objective is to determine whether the Bureau has implemented an effective life cycle process for deploying and managing its cloud-based systems, including ensuring that effective security controls are implemented.

Evaluation of the Office of Consumer Response’s Efforts to Share Complaint Data Within the Bureau

The Office of Consumer Response (Consumer Response) is responsible for sharing consumer complaint information with internal stakeholders in order to help the Bureau supervise companies, enforce federal consumer financial laws, and write rules and regulations. The effective sharing of consumer complaint information can help the Bureau understand the problems consumers are experiencing in the financial marketplace and identify and prevent unfair practices from occurring before they become major issues.

This evaluation is assessing the effectiveness of Consumer Response’s complaint-sharing efforts. Specifically, this project is examining (1) the extent to which Consumer Response’s consumer complaint-sharing efforts help to inform the work of internal stakeholders and (2) Consumer Response’s controls over internal access of shared complaint data, which can contain sensitive consumer information.

Evaluation of the Bureau’s Final Order Follow-Up Activities

This evaluation is assessing the Division of Supervision, Enforcement and Fair Lending’s final order follow-up processes. The Bureau generally has enforcement authority over any person or entity that violates federal consumer financial protection law. In executing that authority, the Bureau can file a civil suit in federal district court that may result in a federal court order. Alternatively, through the administrative adjudication process, the Bureau and the relevant entity may agree to a consent order that includes a series of required corrective actions by that entity. Our objective is to review the Bureau’s processes for monitoring and conducting follow-up activities related to final orders.



[Seal - Commodity Futures Trading Commission]

Office of Inspector General
Commodity Futures Trading Commission

The CFTC OIG acts as an independent Office within the CFTC that conducts audits, investigations, reviews, inspections, and other activities designed to identify fraud, waste and abuse in connection with CFTC programs and operations, and makes recommendations and referrals as appropriate.

Background

The CFTC OIG was created in 1989 in accordance with the 1988 amendments to the Inspector General Act of 1978 (P.L. 95-452). OIG was established as an independent unit to:

• Promote economy, efficiency and effectiveness in the administration of CFTC programs and operations and detect and prevent fraud, waste and abuse in such programs and operations;

• Conduct and supervise audits and, where necessary, investigations relating to the administration of CFTC programs and operations;

• Review existing and proposed legislation, regulations and exchange rules and make recommendations concerning their impact on the economy and efficiency of CFTC programs and operations or the prevention and detection of fraud and abuse;

• Recommend policies for, and conduct, supervise, or coordinate other activities carried out or financed by such establishment for the purpose of promoting economy and efficiency in the administration of, or preventing and detecting fraud and abuse in, its programs and operations; and

• Keep the Commission and Congress fully informed about any problems or deficiencies in the administration of CFTC programs and operations and provide recommendations for correction of these problems or deficiencies.

CFTC OIG operates independently of the Agency and has not experienced any interference from the CFTC Chairman in connection with the conduct of any investigation, inspection, evaluation, review, or audit, and our investigations have been pursued regardless of the rank or party affiliation of the target.1 The CFTC OIG consists of the Inspector General, the Deputy Inspector General/Chief Counsel, the Assistant Inspector General for Auditing, the Assistant Inspector General for Investigations, one Attorney-Advisor, two Auditors, one Senior Program Analyst, and one part-time consultant. The CFTC OIG obtains additional audit, investigative, and administrative assistance through contracts and agreements.

Footnote: 1 The Inspector General Act of 1978, as amended, states: “Neither the head of the establishment nor the officer next in rank below such head shall prevent or prohibit the Inspector General from initiating, carrying out, or completing any audit or investigation….” 5 U.S.C. App. 3 sec. 3(a). [End of Footnote]

Role in Financial Oversight

The CFTC OIG has no direct statutory duties related to oversight of the futures, swaps

and derivatives markets; rather, the CFTC OIG acts as an independent Office within the

CFTC that conducts audits, investigations, reviews, inspections, and other activities

designed to identify fraud, waste, and abuse in connection with CFTC programs and operations,

and makes recommendations and referrals as appropriate. The CFTC’s yearly financial statement

and Customer Protection Fund audits are conducted by an independent public accounting firm,

with OIG oversight.

Recent, Current or Ongoing Work in Financial Oversight

In addition to our work on CIGFO projects described elsewhere in this report, CFTC OIG

completed the following projects during the past year:

Inspection & Evaluation: CFTC Stress-Testing Development Efforts (July 2018)

OIG’s Office of Legal and Economic Review completed and published a report titled Inspection

& Evaluation: CFTC Stress-Testing Development Efforts. This inspection was motivated by

allegations of mismanagement in the Risk Surveillance Branch (RSB) of the CFTC Division of

Clearing and Risk (DCR), which was conveyed to us by multiple CFTC whistleblowers. We first

brought the allegations to the attention of the Chairman’s Chief of Staff in July 2017. The

Chairman appointed a new Director of DCR in September 2017, and OIG communicated frequently

with the new DCR Director beginning in October 2017. We circulated a summary memo to the

Chairman in October 2017, followed by a substantially complete version of the report in

December 2017. In January 2018, we met with the Chairman, his staff, and the Director of DCR;

they stated they had no major disagreements with the report. We finalized a discussion draft

in February 2018 and circulated it to the Commission. We accommodated the Chairman’s request

for an extended time to respond to the February 2018 discussion draft. We received no formal

written response or any stated disagreements, and circulated the report as final on July

30, 2018.

We found that leadership in DCR’s Risk Surveillance Branch (RSB) impeded the development

of CFTC stress-testing capabilities, undermined efforts

to improve the usability of uncleared swaps data, denied various employees access to certain

information technology resources, and overstated publicly the independence and coverage of its

November 2016 Supervisory Stress Test of Clearing Houses report (November 2016 report). To

complete our inspection and evaluation, we contracted with National Economic Research

Associates, Inc. (NERA). NERA assisted our technical evaluation of two CFTC stress-test

methodologies. NERA issued detailed analysis, including substantive criticism of the

methodology CFTC employed in the November 2016 report. No recommendations were issued by

NERA or OIG.

In our cover memo, we disclosed that, in lieu of a written response, the new DCR Director

verbally informed us that a new Deputy Director of the Risk Surveillance Branch (RSB) would

be named shortly, and this has occurred. In addition, we were told there will be a

reorganization of RSB, including greater integration of the related endeavors of margin model

review and stress-testing; that there will be greater emphasis on technical acumen,

technological development, and automation; and that there will be greater quantitative

analytical support of other business divisions within the CFTC. We understand these

processes are ongoing, and we intend to monitor the issues identified in our report and in

NERA’s report.

Customer Protection Outreach Whitepaper (September 2018)

This whitepaper examined possible locations for targeted CFTC education initiatives based

on the locations of high volumes of complaints and enforcement filings (“hotspots”), coupled

with the locations of airport hubs and relevant state regulators.

We compared identified hotspots with recent outreach efforts by CFTC’s Office of Customer

Education and Outreach (OCEO), and concluded that OCEO’s educational outreach activities

could better align with existing hotspots, specifically in the Southern and Western United

States, where large hotspots exist that have not been visited by OCEO (or have not been

visited frequently). We noted that CFTC does not have a permanent physical presence in these

regions; CFTC’s westernmost (and southernmost) presence is in Kansas City, Missouri. We

believe OCEO should target its efforts where customer education and outreach appears most

needed.

In addition, we addressed factors impacting the feasibility of increased outreach efforts

by OCEO, including: 1) Customer Protection Fund (CPF) availability and the adequacy of

CFTC’s financial system to track and monitor expenditures; 2) CFTC’s authority to spend

CPF funds on education initiatives; and 3) CFTC’s ability to detail appropriate CFTC staff

to strengthen OCEO on a reimbursable basis. We concluded that CFTC has the current ability

to track and monitor expenditures, and agreed with the Office of General Counsel that CFTC

has the authority to spend CPF funds on education initiatives. Furthermore, we concluded

that CFTC has current funds available to further support education activities, and,

based on our analysis of CFTC collections activity, we forecast that funds

availability should continue.

We asked the Commission to consider –

• Establishing OCEO personnel in the CFTC Kansas City regional office;

• Opening additional CFTC field offices or establishing permanent remote OCEO employees

in the hotspots;

• Detailing personnel from other Divisions to OCEO (on a reimbursable basis from the CPF);

and

• Engaging appropriate Federal, State, and local government entities and other relevant

entities located in hotspots to facilitate customer education initiatives.

Management expressed their appreciation for our report and provided detailed comments.

Management’s comments, and our responses, are published with the whitepaper.

Inspection and Evaluation of the February 2018 CFTC-SEC Harmonization Briefing

(October 2018)

Under the Dodd-Frank Act, the CFTC and the Securities and Exchange Commission have

certain joint responsibilities.2 Our report titled Inspection and Evaluation of the

February 2018 CFTC-SEC Harmonization Briefing responded to two outside complaints that

the SEC-CFTC harmonization briefing held on February 27, 2018, might have violated the

Government in the Sunshine Act.3 Lacking a specific allegation of misconduct by any

individual, we determined to conduct an inspection and evaluation of the meeting. After

interviewing all CFTC attendees, as well as reviewing all matters voted on by the

Commission from the date of the meeting until the appointment of a full Commission, we

concluded that CFTC complied with the Government in the Sunshine Act in the conduct of

the meeting.

Footnote: 2 See, e.g., Memorandum of Understanding Between the U.S. Securities and

Exchange Commission and the U.S. Commodity Futures Trading Commission Regarding

Coordination in Areas of Common Regulatory Interest and Information Sharing, July 11,

2018. [End of footnote]

Footnote: 3 The Government in the Sunshine Act, 5 U.S.C. § 552b (1976), requires that

meetings of multi-member federal agencies shall be open to the public, with the exception

of discussions in ten narrowly defined areas. The Sunshine Act defines “meeting” as “the

deliberations of at least the number of individual agency members required to take action

on behalf of the agency where such deliberations determine or result in the joint conduct

or disposition of official agency business” [with exceptions]. Id. [End of footnote]

[Logo - Office of Inspector General, Federal Deposit Insurance Corporation]

Office of Inspector General

Federal Deposit Insurance Corporation

The FDIC OIG mission is to prevent, deter, and detect fraud, waste, abuse, and misconduct

in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at

the agency.

Background

The Federal Deposit Insurance Corporation (FDIC) was created by the Congress in 1933 as

an independent agency to maintain stability in the nation’s banking system by insuring

deposits and independently regulating state-chartered, non-member banks. The FDIC insures

more than $7.5 trillion in deposits at more than 5,400 banks and savings associations, and

promotes the safety and soundness of these institutions by identifying, monitoring, and

addressing risks to which they are exposed. The FDIC is the primary federal regulator for

approximately 3,500 of the insured institutions. An equally important role for the FDIC is

as Receiver for failed institutions; the FDIC is responsible for resolving the institution

and managing and disposing of its remaining assets.

The FDIC Office of Inspector General (OIG) is an independent and objective oversight unit

established under the Inspector General (IG) Act of 1978, as amended. The FDIC OIG mission

is to prevent, deter, and detect fraud, waste, abuse, and misconduct in FDIC programs and

operations; and to promote economy, efficiency, and effectiveness at the agency.

Also relevant to the financial sector, in February 2019 our Office published its

assessment of the Top Management and Performance Challenges

Facing the FDIC. This assessment was based on our extensive oversight work and research

relating to reports by other oversight bodies, review of academic and other relevant

literature, perspectives from Government agencies and officials, and information from

private sector entities.

In addition, we conducted significant investigations into criminal and administrative

matters involving complex multi-million-dollar schemes of bank fraud, embezzlement, money

laundering, and other crimes committed by corporate executives and bank insiders. Our cases

reflect the cooperative efforts of other OIGs, U.S. Attorneys’ Offices, FDIC Divisions and

Offices, and others in the law enforcement community throughout the country. These working

partnerships contribute to ensuring the continued safety and soundness of the nation’s

banks and help ensure integrity in the FDIC’s programs and activities.

Finally, over the past year, we continued to coordinate with our financial IG counterparts

on issues of mutual interest. As a member of CIGFO, the FDIC OIG is also participating in

the joint project related to the Financial Stability Oversight Council members’ efforts to

support implementation of the Cybersecurity Information Sharing Act.

Top Management and Performance Challenges Facing the FDIC

The OIG identified the Top Management and Performance Challenges facing the FDIC and

provides its assessment to the Corporation for inclusion in the FDIC’s annual performance

and accountability report. This year, we identified nine areas representing the most

significant challenges for the FDIC, a number of which have implications for the financial

sector, and ways to improve financial oversight. The identification of these challenges

helps the FDIC and other policymakers to identify the primary risks at the agency, and

provides guidance for our Office to focus its attention and work efforts, as shown in the

following summaries of each of these challenges.

Enhancing Oversight of Banks’ Cybersecurity Risk

Cybersecurity continues to be a critical risk facing the financial sector. Cyber risks can

affect the safety and soundness of institutions and lead to the failure of banks, thus

causing losses to the FDIC’s Deposit Insurance Fund. For example, a cybersecurity incident

could disrupt services at a bank or expose personal information for use in fraudulent or

other illicit schemes, and an incident at one institution could spread through established

interconnected banking relationships. Despite increased spending on

cybersecurity, banks are encountering difficulties in getting ahead of the increased

frequency and sophistication of cyberattacks. The FDIC’s IT examinations should ensure

strong management practices within financial institutions and at their service providers.

Adapting to Financial Technology Innovation

FDIC policy-makers and examiners must keep pace with the adoption of new financial

technology to assess the safety and soundness of institutions and the technology’s impact

on the stability of the banking system. The pace of change and breadth of innovation require that the

FDIC create agile and nimble regulatory processes, so that it can respond to and adjust

policies, examination processes, supervisory strategies, preparedness and readiness,

and resolution approaches as needed.

Strengthening FDIC Information Security Management

The FDIC maintains thousands of terabytes of sensitive data within its IT systems and has

more than 180 IT systems that collect, store, or process the PII of FDIC employees; bank

officials at FDIC-supervised institutions; and bank customers, depositors, and bank

officials associated with failed banks. FDIC systems also hold sensitive supervisory

data about the financial health of banks, bank resolution strategies, and resolution

activities. The FDIC must continue to strengthen its implementation of governance and

security controls around its IT systems to ensure that information is safeguarded

properly.

Preparing for Crises

Central to the FDIC’s mission is readiness to address crises in the banking system.

The FDIC must be prepared for a broad range of crises that could impact the banking

sector. These readiness activities should help to ensure the safety and soundness of

institutions, as well as the stability and integrity of our nation’s banking system.

Maturing Enterprise Risk Management

Enterprise Risk Management (ERM) is a critical part of an agency’s governance, as it

can inform prudent decision-making at an agency, including strategic planning, budget

formulation, and capital investment. ERM program requirements include identifying

risks that could affect the organization (Risk Profile and Inventory), establishing the

amount of risk an organization is willing to accept (Risk Appetite), prioritizing

strategies to address risks in the proper sequence, and responding to and mitigating

the risks. The FDIC established an ERM program office in 2011, but has neither developed

the underlying ERM program requirements nor realized the benefits of a mature ERM program.

Sharing Threat Information with Banks and Examiners

Federal Government agencies and private-sector entities share information about threats

to U.S. critical infrastructure sectors, including the financial sector. Sharing

actionable and relevant threat information among Federal and private-sector participants

protects the financial system by building threat awareness and allowing for informed

decision-making. The FDIC must ensure that relevant threat information is shared with its

supervised institutions and FDIC examiners as needed, in a timely manner, so that actions

can be taken to address the threats. Threat information also provides FDIC examiners with

context to evaluate banks’ processes for risk identification and mitigation strategies.

Managing Human Capital

The FDIC relies on skilled personnel to fulfill its mission, and 68 percent of the FDIC’s

operating budget for 2019 ($1.8 billion) was for salaries and associated benefits for

employees. Forty-two percent of FDIC employees are eligible to retire within 5 years, which

may lead to knowledge and leadership gaps. To ensure mission readiness, the FDIC should

find ways to manage this impending shortfall. In addition, the FDIC should seek to hire

individuals with the advanced technical skills needed for IT examinations and supervision

of large and complex banks.

Administering the Acquisitions Process

The FDIC relies heavily on contractors for support of its mission, especially for IT and

administrative support services. The average annual expenditure by the FDIC for contractor

services over the past 5 years has been approximately $587 million. The FDIC should maintain

effective controls to ensure proper oversight and management of such contracts and should

conduct regular reviews of contractors. In addition, the FDIC should also perform due

diligence to mitigate security risks associated with supply chains for goods and services.

Improving Measurement of Regulatory Costs and Benefits

Before issuing a rule, the FDIC should ensure that the benefits accrued from a regulation

justify the costs imposed. The FDIC should establish a sound mechanism to measure both costs

and benefits at the time of promulgation, and it should continue to evaluate the costs and

benefits of a regulation on a regular basis, even after it has been issued. Additional

information on these Challenges can be found in the full Top Management and Performance

Challenges report, available on our Website, www.fdicoig.gov. These Challenges align with

those facing the financial regulatory community as a whole, as discussed in the CIGFO report

entitled Top Management and Performance Challenges Facing Financial Regulators.

FDIC OIG Audits and Evaluations Made Significant Recommendations for

Improvements to the FDIC

During the 12-month period ending March 31, 2019, the FDIC OIG issued 14 audit, evaluation,

and other reports and made 53 recommendations to strengthen controls in FDIC programs and

operations. Our work covered diverse topics such as information security, processing of

consumer complaints, and the FDIC’s Forward-Looking Supervision program, among others.

The FDIC’s Forward-Looking Supervision Program

The goals of the FDIC’s Forward-Looking Supervision initiative are to identify and assess

risk before it impacts a financial institution’s financial condition and to ensure early

risk mitigation. Prior to the financial crisis of 2008-2011, examiners often identified weak

risk management practices at financial institutions, but they delayed taking supervisory

action until the institution’s financial performance declined. Forward-Looking Supervision

seeks to avoid this result.

Our evaluation objective was to determine whether the Forward-Looking Supervision

approach achieved its outcomes—the Division of Risk Management Supervision pursued

supervisory action upon identifying risks and the financial institutions implemented

corrective measures. Our review showed that examiners substantially achieved the

intended outcomes of the Forward-Looking Supervision approach for our sampled

institutions. Examiners applied Forward-Looking Supervision concepts during their

financial institution examinations, rated institutions based on risk,

and recommended corrective actions based on their risk assessments. Also, the

financial institutions committed to implement the corrective actions.

We found that:

• The FDIC did not have a comprehensive policy guidance document on Forward-Looking

Supervision and should clarify guidance associated with its purpose, goals, roles,

and responsibilities;

• Examiners typically documented their overall conclusions regarding the financial

institutions’ concentration risk management practices; however, they did not always

document certain Forward-Looking Supervision concepts in pre-examination planning

documents and when reporting examination results;

• Examiners typically reported or elevated identified overall concentration risk

management conclusions and concerns; however, a greater number of these concerns

should have appeared in the report section that includes issues requiring the

attention of the institution’s board; and

• Examiners generally identified concentration risk management concerns on a timely

basis; however, in certain instances, they identified concentration risk management

concerns that had not been identified during the prior examination cycle.

We made four recommendations to the FDIC to: (1) issue a comprehensive policy

guidance document defining Forward-Looking Supervision; (2) issue guidance to

reinforce how and where examiners should be documenting concentrations and an

institution’s concentration risk management practices in the Report of Examination;

(3) provide additional case studies on Forward-Looking Supervision to strengthen

training for examiners; and (4) conduct recurring retrospective reviews to ensure

examiners are documenting the concentration risk management analysis.

The full report is available on our Website, www.fdicoig.gov.

Federal Information Security Modernization Act (FISMA) Audit – 2018

We evaluated the effectiveness of the FDIC’s information security program and

practices. A strong information security program is needed for the protection of

sensitive information the FDIC collects in conducting its work, including sensitive

bank data and personal information of borrowers. The IG FISMA Reporting Metrics

require IGs to assess the effectiveness of their agencies’ information security

programs and practices on a maturity model spectrum. We found that the FDIC’s

overall information security program was operating at a Maturity Level 3

(Consistently Implemented) on a scale of 1 to 5, which is an improvement from

2017 but not considered effective under the metrics.

We found that the FDIC established a number of information security program

controls and practices that complied or were consistent with standards and

guidelines, and took steps to strengthen controls following the 2017 FISMA

report. However, ongoing security control weaknesses limited the effectiveness

of the FDIC’s information security program and practices and placed the

confidentiality, integrity, and availability of the FDIC’s information systems

and data at risk. In many cases, these security control weaknesses were

identified by other OIG audits or through security control assessments completed

by the FDIC. Although the FDIC was working to address these previously identified

control weaknesses, the FDIC had not yet completed corrective actions at the time

of the audit. Accordingly, the security control weaknesses continued to pose risk

to the FDIC. The highest risk weaknesses included:

• Information Security Risk Management. The FDIC had not fully defined or

implemented an enterprise-wide and integrated approach to identifying, assessing,

and addressing the full spectrum of internal and external risks, including those

related to cybersecurity and the operation of information systems. This limits

the ability of FDIC Divisions and Offices to make effective risk management

decisions, and prevents the FDIC from ensuring it is effectively prioritizing

resources toward addressing risks with the most significant potential impact on

achieving strategic objectives.

• Enterprise Security Architecture. Our 2017 FISMA audit noted that the FDIC had

not established an enterprise security architecture, which is considered a

fundamental component of an effective information security program and describes

the structure and behavior of an organization’s security processes, systems,

personnel, and subunits and shows their alignment with the organization’s mission

and strategic plans. In July 2018, the FDIC provided the OIG with documentation

describing its enterprise security architecture. The OIG is reviewing this

documentation, along with other information related to the enterprise security

architecture provided by the FDIC, to determine whether it is responsive to the

recommendation in our FISMA audit report issued in 2017. The lack of effective

enterprise security architecture increased the risk that the FDIC’s information

systems would be developed with inconsistent security controls that are costly to

maintain.

• Security Control Assessments. In separate OIG audit work, we identified instances

in which contractor-performed security control assessments did not include testing

of security control implementation, when warranted. Instead, assessors relied on

narrative descriptions of the controls in FDIC policies, procedures, and system

security plans and/or interviews of FDIC or contractor personnel. Without testing,

assessors did not have a basis for concluding on the effectiveness of security

controls. Inadequate FDIC oversight of security control assessments contributed to

this weakness. Because the FDIC relies on the results of the assessments

to support a number of important risk management activities, the FDIC must ensure

that personnel perform security control assessments at an appropriate level of

depth and coverage.

• Patch Management. The FDIC’s patch management processes were not always

effective in ensuring that the FDIC implemented patches within FDIC-defined

timeframes. Unpatched systems increase the risk of exposing the FDIC’s network

to a security incident.

• Backup and Recovery. Our 2017 FISMA report noted that the FDIC’s IT restoration

capabilities were limited and that the FDIC had not taken timely action to address

known limitations with respect to its ability to maintain or restore critical IT

systems and applications during a disaster. In December 2017, the FDIC’s Board of

Directors authorized a multi-year Backup Data Center Migration Project to ensure

that designated IT systems and applications supporting mission-essential functions

can be recovered within targeted timeframes. While the FDIC established governance

over this project, assurance that the FDIC can maintain and restore mission-essential

functions during an emergency within applicable timeframes will be

limited until the scheduled completion of the project in 2019.

We made four recommendations to improve the effectiveness of the FDIC’s information

security program controls and practices.
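The findings on security control assessments and on patch management share one practitioner lesson: an assessor concludes on a control by testing evidence against the defined requirement, not by reading the policy that describes it. The following Python example, added here and not the FDIC’s or the FDIC OIG’s own tooling, tests a patch-timeliness control against a constructed patch-deployment inventory. The severity-to-timeframe table, host names, patch identifiers and dates are all assumptions made for illustration; the report does not state the FDIC’s actual timeframes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Illustrative remediation timeframes in days after vendor release, keyed by
# severity. Assumed for this example; the report does not state the FDIC's own.
REMEDIATION_DAYS = {"critical": 15, "high": 30, "medium": 60, "low": 90}


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: date             # vendor release date
    installed: Optional[date]  # None: not installed yet


def due_date(rec: PatchRecord) -> date:
    return rec.released + timedelta(days=REMEDIATION_DAYS[rec.severity.lower()])


def days_overdue(rec: PatchRecord, as_of: date) -> int:
    """Days past the deadline, measured at the install date if installed,
    otherwise at the assessment date. 0 means on time (or not yet due)."""
    end = rec.installed if rec.installed is not None else as_of
    return max(0, (end - due_date(rec)).days)


def assess_patch_timeliness(evidence, as_of: date) -> dict:
    """Test the control against collected evidence.

    Returns 'effective' / 'ineffective' with the compliance rate and the
    overdue records, or 'not_assessed' when no evidence was gathered: a
    narrative description of the patch process is not a test of it."""
    evidence = list(evidence)
    if not evidence:
        return {"verdict": "not_assessed", "tested": 0, "overdue": []}
    overdue = [
        {
            "host": r.host,
            "patch_id": r.patch_id,
            "severity": r.severity,
            "days_overdue": days_overdue(r, as_of),
            "status": "installed late" if r.installed else "missing",
        }
        for r in evidence
        if days_overdue(r, as_of) > 0
    ]
    overdue.sort(key=lambda o: -o["days_overdue"])
    return {
        "verdict": "effective" if not overdue else "ineffective",
        "tested": len(evidence),
        "compliance_rate": round(1 - len(overdue) / len(evidence), 3),
        "overdue": overdue,
    }


# Constructed sample evidence (not FDIC data): one row per host/patch pair,
# as a vulnerability scanner or patch console export would provide it.
AS_OF = date(2018, 9, 30)
SAMPLE_EVIDENCE = [
    PatchRecord("srv-app-01", "KB-2018-0801", "critical", date(2018, 8, 1), date(2018, 8, 10)),
    PatchRecord("srv-app-02", "KB-2018-0801", "critical", date(2018, 8, 1), date(2018, 8, 31)),
    PatchRecord("srv-db-01", "KB-2018-0701", "high", date(2018, 7, 1), None),
    PatchRecord("wks-0420", "KB-2018-0901", "medium", date(2018, 9, 1), None),
]

if __name__ == "__main__":
    result = assess_patch_timeliness(SAMPLE_EVIDENCE, AS_OF)
    print(f"verdict={result['verdict']} tested={result['tested']} "
          f"compliance_rate={result.get('compliance_rate')}")
    for o in result["overdue"]:
        print(f"  {o['host']} {o['patch_id']} ({o['severity']}): "
              f"{o['status']}, {o['days_overdue']} days overdue")
    # Narrative-only assessment: nothing to test, so no conclusion.
    print(assess_patch_timeliness([], AS_OF)["verdict"])
```

Run as a script it reports the verdict and the overdue records. The empty-evidence case deliberately returns not_assessed rather than a pass: an assessment that collected no evidence has no basis for a conclusion, which is the point of the security control assessment finding above.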

The publicly-releasable Executive Summary of this report is available on our Website,

www.fdicoig.gov.

Our ongoing audit and evaluation reviews are addressing the FDIC’s:

• Enterprise Risk Management Program;

• Cost-Benefit Analysis Process for Rulemaking;

• Anti-Sexual Harassment Program;

• Readiness for Crises;

• Contract Oversight Management Program; and

• Privacy Program.

These ongoing reviews are also listed on our Website, www.fdicoig.gov, and, when

completed, their results will be posted there.

FDIC OIG Special Inquiry Report Made Significant Recommendations Regarding Breach

Response, Reporting, and Interactions with Congress

In addition to the audit and evaluation reports listed above, the OIG issued a

multi-disciplinary Special Inquiry report in April 2018.

During late 2015 and early 2016, the FDIC experienced eight information security

incidents as departing employees improperly took sensitive information shortly before

leaving the FDIC. Seven of the eight incidents involved Personally Identifiable

Information (PII), including Social Security Numbers, and thus constituted breaches.

In the eighth incident, the departing employee took highly sensitive components of

resolution plans submitted by certain large systemically important financial

institutions without authorization.

In April and May 2016, the Committee on Science, Space, and Technology of the House

of Representatives (SST Committee) examined the FDIC’s handling of these incidents,

its data security policies, and reporting of the “major incidents.” As part of its

investigation, the SST Committee requested pertinent documents from the FDIC about the

incidents. The SST Committee held two hearings in May and July 2016 about the incidents

at the FDIC and issued an interim report on the matter. During the hearings and in its

interim report, as well in correspondence with the FDIC, the SST Committee expressed

concerns about the FDIC’s information security program, the accuracy of certain FDIC

statements, and the completeness of the FDIC’s document productions.

On June 28, 2016, the then-Chairman of the Senate Committee on Banking, Housing, and

Urban Affairs requested that our Office examine issues at the FDIC related to data

security, incident reporting, and policies, as well as the representations made by

FDIC officials.

The FDIC OIG conducted a Special Inquiry in response to that request. We examined the

circumstances surrounding the eight information security incidents. The FDIC initially

estimated that the incidents involved sensitive information that included the PII of

approximately 200,000 individual bank customers related to approximately 380 financial

institutions, as well as the proprietary and sensitive data of financial institutions.

Based on additional analysis, the FDIC later revised the number of affected individuals

to 121,633.

Our work revealed certain systemic weaknesses that hindered the FDIC’s ability to

handle multiple information security incidents and breaches efficiently and effectively;

contributed to untimely, inaccurate, and imprecise reporting of information to the

Congress; and led to document productions that did not fully comply with Congressional

document requests. We also identified shortcomings in the performance of certain

individuals in key leadership positions as they handled the incidents and related

activities.

Importantly, in its handling of the information security incidents, the FDIC did not

fully consider the range of impacts on bank customers whose information had been

compromised or consider customer notification as a separate decision from whether it

would provide credit monitoring services. As a result, the FDIC delayed notifying

consumers and thus precluded them from taking proactive steps to protect themselves.

Also of note, when reporting incidents to the Congress, the FDIC used broad

characterizations and referenced mitigating factors that were sometimes inaccurate and

imprecise, and tended to diminish the potential risks. Despite several opportunities

to clarify or correct the record regarding the nature of the incidents, the FDIC did

not provide the Congress with accurate and complete information about the incidents.

Finally, with regard to document production, the SST Committee had requested that the

FDIC produce relevant documents and information. The FDIC did not initially respond to

these requests in a complete manner and should have been clear in its communications

with the Committee as to its approach and progress in complying with the document

production requests. Later, the FDIC took steps to better identify and provide

responsive records.

Throughout and subsequent to our Special Inquiry, the FDIC took steps to address prior

recommendations pertaining to incident and breach response. In addition, we made 13

recommendations in this Special Inquiry report to address the systemic issues

associated with the FDIC’s incident response and reporting and interactions with the

Congress.

FDIC OIG Investigations Seek to Ensure Integrity in the Banking Sector

OIG investigations over the past months continued to complement our audit and

evaluation work. Our investigative results over the 12 months ending March 31, 2019,

included the following: 64 indictments; 35 arrests; 43 convictions; and potential

monetary recoveries (fines, restitution, and asset forfeitures) of over $354 million.

Our current cases involve fraud and other misconduct on the part of senior bank

officials, and include money laundering, embezzlement, bank fraud, and other

financial crimes. The perpetrators of such crimes can be those very individuals

entrusted with governance responsibilities at the institutions—directors and bank

officers. In other cases, parties providing professional services to the banks and

customers, others working inside the bank, and customers themselves are principals

in fraudulent schemes. The FDIC OIG also investigates significant matters of

wrongdoing and misconduct relating to FDIC employees and contractors.

Our Office is committed to partnerships with other OIGs, the Department of Justice

(DOJ), and other state and local law enforcement agencies in pursuing criminal acts

in open and closed banks and helping to deter fraud, waste, and abuse. The OIG also

actively participates in many financial fraud working groups nation-wide to keep

current with new threats and fraudulent schemes that can undermine the integrity of

the FDIC’s operations and the financial services industry as a whole.

The FDIC OIG’s Office of Investigations also continues to identify emerging financial

fraud schemes that affect FDIC-supervised and insured institutions. Our relationships

with DOJ’s Money Laundering and Asset Recovery Section, and DOJ’s Fraud Section and

Antitrust Division, have allowed us to play a lead role in money laundering and

foreign currency exchange rate manipulation investigations. We also work with other

agencies, including the Small Business Administration, to identify fraud in the

guaranteed loan portfolios of FDIC-supervised institutions. These investigations

are important, as large-scale fraud schemes can significantly affect the financial

industry and the financial condition of FDIC-insured institutions.

Former Senior Employee at FDIC Convicted of Stealing Confidential Documents

On December 11, 2018, a former senior employee in the FDIC’s Office of Complex

Financial Institutions (OCFI) was convicted of two thefts of government property in

the possession of the FDIC. OCFI was created after passage of the Dodd-Frank Wall

Street Reform and Consumer Protection Act to oversee and conduct, if necessary, an

orderly bankruptcy of the world’s largest banks and financial institutions. Each of

these banks and financial institutions is required to file resolution plans, referred

to as “living wills,” with the FDIC. The plans contain confidential information

about the bank, including its assets, business operations, data center locations,

critical vendors, agreements with other banks, and potential weaknesses or other

deficiencies that pose risk during a time of financial crisis.

In August 2015, the then-FDIC employee used her office computer to review listings for

and apply for jobs with financial institutions that filed living wills with the FDIC.

On August 27, 2015, one day after being contacted about a possible position at one of

the banks, she logged on to a secure FDIC database and printed living will information

for that bank. On September 16, 2015, she resigned her position at the FDIC. A review

of FDIC Data Loss Prevention software revealed that on her last day of work, the then-

FDIC employee copied numerous electronic files from the FDIC network to external USB

drives, including living wills for U.S. banks where she had been seeking employment.
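The sequence described above (job searches from the office network, a living will printed the day after recruiter contact, and a bulk copy to removable media on the last day of employment) is the classic departing-insider pattern that DLP telemetry is well placed to catch before the data leaves. As an added illustration, not part of this report or of any FDIC system, the following Python script scores that pattern over constructed HR, web-proxy, document-repository and DLP events. The event fields, the career-site host naming, the 45-day look-back window and the weights are all assumptions chosen for the example.

```python
"""Score the departing-insider pattern: a user who visits an entity's job site,
then accesses that entity's sensitive documents, then writes them to removable
media in the run-up to (or on) their last day.  All events, host names and
weights below are constructed for this example, not real FDIC data."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# --- Constructed sample telemetry, normalised the way a SIEM would hold it ---
# HR feed: (user, last working day)
HR_SEPARATIONS = [("jdoe", date(2015, 9, 16)), ("asmith", date(2015, 9, 30))]
# Web proxy: (user, day, host)
PROXY = [
    ("jdoe", date(2015, 8, 20), "careers.examplebank-a.example"),
    ("jdoe", date(2015, 8, 26), "careers.examplebank-b.example"),
    ("asmith", date(2015, 8, 26), "news.example"),
]
# Document repository audit: (user, day, action, owning entity, document)
REPO = [
    ("jdoe", date(2015, 8, 27), "print", "examplebank-a", "livingwill-a-2015.pdf"),
    ("jdoe", date(2015, 9, 16), "download", "examplebank-b", "livingwill-b-2015.pdf"),
    ("asmith", date(2015, 9, 16), "view", "examplebank-c", "livingwill-c-2015.pdf"),
]
# DLP endpoint agent: (user, day, channel, destination path)
DLP = [
    ("jdoe", date(2015, 9, 16), "usb_write", "E:\\livingwill-b-2015.pdf"),
    ("jdoe", date(2015, 9, 16), "usb_write", "E:\\livingwill-a-2015.pdf"),
    ("asmith", date(2015, 9, 16), "usb_write", "E:\\vacation.jpg"),
]

# Assumed convention: recruiting portals live under careers.<entity>.<tld> or jobs.<entity>.<tld>
CAREER_HOST_PREFIXES = ("careers.", "jobs.")


@dataclass
class Finding:
    user: str
    last_day: date
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def entity_from_host(host: str) -> str:
    """'careers.examplebank-a.example' -> 'examplebank-a' (assumed host layout)."""
    parts = host.split(".")
    return parts[1] if len(parts) >= 3 else host


def basename(path: str) -> str:
    """Normalise Windows or POSIX paths to a lower-case file name for matching."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_user(user: str, last_day: date, window_days: int = 45) -> Finding:
    """Correlate the three signals for one separating user inside the look-back window."""
    start = last_day - timedelta(days=window_days)
    in_window = lambda d: start <= d <= last_day
    f = Finding(user, last_day)

    # Entities whose recruiting sites the user visited (the 'motive' signal).
    contacted = {entity_from_host(h) for u, d, h in PROXY
                 if u == user and in_window(d) and h.startswith(CAREER_HOST_PREFIXES)}
    # Sensitive documents the user touched, and file names the DLP agent saw leave via USB.
    touched = [(d, act, ent, doc) for u, d, act, ent, doc in REPO if u == user and in_window(d)]
    usb_files = {basename(p) for u, d, ch, p in DLP
                 if u == user and in_window(d) and ch == "usb_write"}

    for d, act, ent, doc in touched:
        if ent in contacted:  # document belongs to a prospective employer
            f.score += 3
            f.reasons.append(f"{act} of {doc} after job-site visit to {ent}")
        if doc.lower() in usb_files:  # the same document went to removable media
            f.score += 4
            f.reasons.append(f"{doc} written to removable media")
        if d == last_day:  # last-day activity is the highest-risk moment
            f.score += 1
            f.reasons.append(f"{act} of {doc} on last working day")
    return f


def detect(threshold: int = 5) -> list[Finding]:
    """Return every separating user whose correlated score meets the threshold."""
    findings = [score_user(u, d) for u, d in HR_SEPARATIONS]
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for hit in detect():
        print(f"{hit.user} (last day {hit.last_day}) score={hit.score}")
        for r in hit.reasons:
            print("  -", r)
```

The point of weighting rather than alerting on any single event is that each signal alone is noisy: people browse job sites, analysts legitimately print filings, and USB writes of holiday photos are common. The combination, scoped to the separation window the HR feed supplies, is what made the case above provable, and the same join is what lets a detection fire while the device is still on the desk rather than in a later forensic review.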

Former Bank President Sentenced to Prison and Ordered to Pay $137 Million

On December 14, 2018, the former president and CEO of The Bank of Union in El Reno,

Oklahoma, was sentenced to 4 years in federal prison followed by 2 years of supervised

release for making a false statement to the FDIC. He had previously pled guilty to this

charge in 2017. The sentence requires the former president to pay over $137 million in

restitution, over $97 million of which is owed to the FDIC.

State banking regulators closed The Bank of Union in 2014 because of the bank’s loan

losses, and the FDIC was appointed as receiver. According to a 2016 indictment, the

former president defrauded the bank in several ways: (1) by issuing loans with

insufficient collateral and falsifying financial statements for several high-dollar bank

borrowers; (2) by originating nominee loans to circumvent the bank’s legal lending limit;

(3) by concealing the bank’s true financial condition from the Board of Directors; (4)

by soliciting a fraudulent investment; and (5) by falsely representing the bank’s true

status to the FDIC.

Over a 4-year period, the former president conspired with borrowers by issuing them

millions of dollars in loans secured by collateral they did not have and issuing them new

loans to keep them off of overdraft reports. The former president misled the Board of

Directors by falsely stating the borrowers were paying down their loans. The former

president also defrauded a partial owner and investor in the bank by convincing him to

wire nearly $40 million. The former president falsely represented to the investor that

the bank was growing rapidly and performing well and that his investment would not be at

risk, despite knowing that the bank was on the brink of failure and needed an immediate

capital infusion.

Finally, the former president was charged with falsely representing the bank’s loan

status to the FDIC. Between September 2012 and September 2013, he continued to renew

certain unpaid loans by capitalizing unpaid interest. Pursuant to a 2013 FDIC examination,

he allegedly falsely represented that he had not renewed or extended any loans without

full collection of the interest due during that time period. He also falsely represented

in writing that the bank had total equity capital of more than $36 million in July 2013,

when he knew the bank’s equity capital was significantly less.

The partial owner who wired money for the bank’s benefit is due $40 million of the

restitution amount, and the remaining $97 million is due to the FDIC, which lost money

when it assumed the bank’s liabilities as receiver in January 2014.

South Florida Resident Convicted of $100 Million International Fraud Scheme that Led

to Collapse of One of Puerto Rico’s Largest Banks

On February 4, 2019, the former chairman and CEO of a pharmaceutical company was

convicted of eight counts of wire fraud affecting a financial institution after a three-

week trial in the Southern District of Florida. The former CEO’s scheme triggered a series

of events leading to the insolvency and collapse of Westernbank of Puerto Rico.

According to evidence presented at trial, from 2005 to 2007, the individual served as

chairman and CEO of Inyx, Inc., a publicly-traded multinational pharmaceutical

manufacturing company. Beginning in early 2005, the then-CEO caused Westernbank to enter

into a series of loan agreements in exchange for a security interest in Inyx’s assets.

Under the loan agreements, Westernbank agreed to advance money based on Inyx’s customer

invoices from “actual and bona fide” sales.

However, the then-CEO orchestrated a scheme to defraud Westernbank by causing numerous

Inyx employees to make tens of millions of dollars’ worth of fake customer invoices

purportedly payable by customers in the United Kingdom, Sweden, and elsewhere. The then-

CEO caused these invoices to be presented to Westernbank as valid invoices and made false

representations to Westernbank about purported repayments from lenders in order to lull

Westernbank into continuing to lend money to Inyx. He also fraudulently represented to

Westernbank executives that he had additional collateral, including purported mines in

Mexico and Canada worth hundreds of millions of dollars, to induce Westernbank to lend

additional funds.

The then-CEO caused Westernbank to lend approximately $142 million and diverted tens of

millions of dollars for his own personal benefit, including to buy a private jet, luxury

homes and cars, luxury hotel stays, and extravagant jewelry and clothing expenditures.

In or around June 2007, Westernbank declared the loan in default and ultimately suffered

losses exceeding $100 million. These losses later triggered a series of events leading to

Westernbank’s insolvency and ultimate collapse. At the time of its collapse, Westernbank

had approximately 1,500 employees and was one of the largest banks in Puerto Rico.

In addition, the then-CEO knowingly deposited a $3 million check at Mellon Bank from the

purported sale of his private jet. At the time of its deposit, he knew that the check was

worthless; he had actually agreed to sell his plane to a different buyer. After receiving

a provisional credit for the check from Mellon Bank, the then-CEO wired out all of the

provisional credit, including a $1 million wire to his personal account in Canada. Upon

Mellon Bank’s request to reverse this $1 million wire, he refused to do so, resulting in

at least a $1 million loss to Mellon Bank.

[Seal - Federal Housing Finance Agency]

Office of Inspector General

Federal Housing Finance Agency

Created by the Housing and Economic Recovery Act of 2008 (HERA), the Federal Housing

Finance Agency (FHFA or Agency) supervises and regulates (1) the Federal National

Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie

Mac) (together, the Enterprises), (2) the Federal Home Loan Banks (FHLBanks) (collectively,

the regulated entities), and (3) the FHLBanks’ fiscal agent, the Office of Finance. Since

September 2008, FHFA has also served as conservator for the Enterprises. As of year-end

2018, the Enterprises collectively reported approximately $5.4 trillion in assets. The

FHLBanks collectively reported roughly $1.1 trillion in assets.

Also created by HERA, the FHFA Office of Inspector General (OIG) conducts, supervises, and

coordinates audits, evaluations, investigations, and other activities relating to the

programs and operations of FHFA. OIG promotes economy, efficiency, and effectiveness and

protects FHFA and the entities it regulates against fraud, waste, and abuse, contributing

to the liquidity and stability of the nation’s housing finance system. We accomplish this

mission by providing independent, relevant, timely, and transparent oversight of the Agency

to promote accountability, integrity, economy, and efficiency; advising the Director of the

Agency and Congress; informing the public; and engaging in robust enforcement efforts to

protect the interests of American taxpayers.

Background

FHFA serves as supervisor of the Enterprises and the FHLBanks, and as conservator of the

Enterprises. FHFA’s conservatorships of the Enterprises, now in their 11th year, are of

unprecedented scope, scale, and complexity. FHFA’s dual roles continue to present novel

challenges. Consequently, OIG must structure its oversight program to examine FHFA’s

exercise of its dual responsibilities, which differ significantly from the typical

federal financial regulator. Beginning in Fall 2014, OIG determined to focus its resources

on programs and operations that pose the greatest financial, governance, and/or

reputational risk to the Agency, the Enterprises, and the FHLBanks to best leverage its

resources to strengthen oversight.

Our annual Audit, Evaluation, and Compliance Plan describes FHFA’s and OIG’s roles and

missions, explains our risk-based methodology for developing this plan, provides insight

into particular risks within four areas, and generally discusses areas where we will focus

our audit, evaluation, and compliance resources. In addition to our risk-based work plan,

OIG completes work required to fulfill its statutory mandates.

An integral part of OIG’s oversight is to identify and assess FHFA’s top management and

performance challenges and to align our work with these challenges. On an annual basis,

we assess FHFA’s major management and performance challenges. In October 2018, we

identified four challenges (all of which carried over from prior years) and a

management concern. In our view, these are the most serious management and performance

challenges facing FHFA for the foreseeable future and, if not addressed, could adversely

affect FHFA’s accomplishment of its mission. (See OIG, Fiscal Year 2019 Management and

Performance Challenges (October 15, 2018)). During this reporting period, OIG continued

to focus much of its oversight activities on identifying vulnerabilities in these areas

and recommending positive, meaningful actions that the Agency could take to mitigate

these risks and remediate identified deficiencies.

These challenges and the management concern are:

Supervision of the Regulated Entities – Upgrade Supervision of the Enterprises and

Continue Robust Supervision of the FHLBanks

As supervisor of the Enterprises and the FHLBanks, FHFA is tasked by statute to ensure

that these entities operate safely and soundly so that they serve as a reliable source

of liquidity and funding for housing finance and community investment. Examinations of

its regulated entities are fundamental to FHFA’s supervisory mission. Within FHFA, the

Division of Federal Home Loan Bank Regulation (DBR) is responsible for supervision of

the FHLBanks, and the Division of Enterprise Regulation (DER) is responsible for

supervision of the Enterprises.

As a former FHFA Director observed, Fannie Mae and Freddie Mac would be Systemically

Important Financial Institutions (SIFIs), but for the conservatorships, and are subject

to the heightened supervision requirements for SIFIs, except that they are supervised

by FHFA, not the Federal Reserve. Because the asset size of the FHLBanks and Office of

Finance, together, is a fraction of the asset size of the Enterprises and because the

Enterprises are in conservatorship, we determined that the magnitude of risk is

significantly greater for the Enterprises. Since the Fall of 2014, the majority of our

work on supervision issues has focused on FHFA’s supervision of the Enterprises.

Based on our assessments of different elements of DER’s supervision program, over the

past few years, we identified four recurring themes, which were explained in a roll-up

report issued during FY 2017.4 Those themes are:

1. FHFA lacks adequate assurance that DER’s supervisory resources are devoted to

examining the highest risks of the Enterprises.

2. Many supervisory standards and guidance issued by FHFA and DER lack the rigor of

those issued by other federal financial regulators.

3. The flexible and less prescriptive nature of many requirements and guidance

promulgated by FHFA and DER has resulted in inconsistent supervisory practices.

4. Where clear requirements and guidance for specific elements of DER’s supervisory

program exist, DER examiners-in-charge and subordinate examiners have not consistently

followed them.

In that roll-up report, we cautioned that “[w]ithout prompt and robust Agency attention

to address the shortcomings we have identified,” the “safe and sound operation of the

Enterprises cannot be assumed from FHFA’s current supervisory program.” The findings

from subsequent audits, evaluations, and compliance reports regarding FHFA’s

supervision program for the Enterprises identified additional shortcomings. In light

of the observation that the Enterprises would be SIFIs, but for the conservatorships,

FHFA must make a heightened and sustained effort to improve its supervision of the

Enterprises.

We also looked at elements of FHFA’s supervision program for the FHLBanks. While our

reports of that work identified some shortcomings, they did not identify significant

weaknesses. Like any other federal financial regulator, FHFA faces challenges in

appropriately tailoring and keeping current its supervisory approach to the FHLBanks.

Conservatorship Operations – Improve Oversight of Matters Delegated to the Enterprises

and Strengthen Internal Review Processes for Non-Delegated Matters

As conservator of the Enterprises since September 2008, FHFA has expansive authority

to oversee and direct operations of two large, complex financial institutions that

dominate the secondary mortgage market and the mortgage securitization sector of the

U.S. housing finance industry. Under HERA, FHFA, as conservator, possesses all rights

and powers of any stockholder, officer, or director of the Enterprises and is vested

with express authority to operate the Enterprises and conduct their business

activities. Given the taxpayers’ enormous investment in the Enterprises, the unknown

duration of the conservatorships, the Enterprises’ critical role in the secondary

mortgage market, and their uncertain ability to sustain future profitability, FHFA’s

administration of the conservatorships remains a major risk.

Footnote: 4 See OIG, Safe and Sound Operation of the Enterprises Cannot Be Assumed

Because of Significant Shortcomings in FHFA’s Supervision Program for the Enterprises

(OIG-2017-003, Dec. 15, 2016). [End of footnote]

FHFA has delegated authority for many matters, both large and small, to the

Enterprises. FHFA, as conservator, can revoke delegated authority at any time (and

retains authority for certain significant decisions).

Since the Fall of 2014, OIG’s body of work has found that FHFA has limited its

oversight of delegated matters largely to attendance at Enterprise internal

management and board meetings as an observer and to discussions with Enterprise

managers and directors. Read together, our findings in these reports show that,

for the most part, FHFA, as conservator, has not assessed the reasonableness of

Enterprise actions pursuant to delegated authority, including actions taken by the

Enterprises to implement conservatorship directives, or the adequacy of director

oversight of management actions. FHFA also has not clearly defined the Agency’s

expectations of the Enterprises for delegated matters and has not established the

accountability standard that it expects the Enterprises to meet for such matters.

Our work has identified internal control systems at the Enterprises that fail to

provide directors with accurate, timely, and sufficient information to enable them

to exercise their oversight duties. Likewise, we have identified a lack of rigor

by some directors in seeking information from management about the matters for

which they are responsible. We have also identified instances in which corporate

governance decisions generally reserved to the board of directors have been delegated

to management.

As the Enterprises’ conservator, FHFA is ultimately responsible for actions taken

by the Enterprises, pursuant to authority it has delegated to them. FHFA’s

challenge, therefore, is to improve the quality of its oversight of matters it

has delegated to the Enterprises.

Generally, FHFA has retained authority (or has revoked previously delegated

authority) to resolve issues of significant monetary and/or reputational value.

FHFA has established written internal review and approval processes for non-

delegated matters, designed to provide a consistent approach for analyzing and

resolving such matters and for providing decision-makers with all relevant facts

and existing analyses. FHFA faces challenges in ensuring that its established

processes are followed.

Information Technology Security – Enhance Oversight of Cybersecurity at the

Regulated Entities and Ensure an Effective Information Security Program at FHFA

Cybersecurity, as defined by the National Institute of Standards and Technology

(NIST), is the process of protecting information by preventing, detecting, and

responding to attacks. In May 2017, President Trump issued Executive Order 13800 to

strengthen the cybersecurity of federal networks and critical infrastructure.

The Financial Stability Oversight Council (FSOC) has identified cybersecurity

oversight as an emerging threat for increased regulatory attention. The Council

reported that cybersecurity-related incidents create significant operational

risk, impacting critical services in the financial system, and ultimately

affecting financial stability and economic health.

As cyberthreats and attacks at financial institutions increase in number and

sophistication, FHFA faces challenges in designing and implementing its

supervisory activities for the financial institutions it supervises. These

supervisory activities may be made increasingly difficult by FHFA’s continuing

need to attract and retain highly-qualified technical personnel, with expertise

and experience sufficient to handle rapid developments in technology.

Computer networks maintained by federal government agencies have proven to be a

tempting target for disgruntled employees, hackers, and other intruders. Over

the past few years, cyber attacks against federal agencies have increased in

frequency and severity. As cyber attacks continue to evolve and become more

sophisticated and harder to detect, they pose an ongoing challenge for virtually

every federal agency to fortify and safeguard its internal systems and operations.

As conservator of and supervisor for the Enterprises and supervisor for the

FHLBanks, FHFA collects and manages sensitive information, including personally

identifiable information (PII), that it must safeguard from unauthorized access

or disclosure. Equally important is the protection of its computer network

operations that are part of the nation’s critical financial infrastructure. FHFA,

like other federal agencies, faces challenges in enhancing its information

security programs, ensuring that its internal and external online collaborative

environments are restricted to those with a need to know, and ensuring that its

third-party providers meet information security program requirements.

Counterparties and Third Parties – Enhance Oversight of the Enterprises’

Relationships with Counterparties and Third Parties

The Enterprises rely heavily on counterparties and third parties for a wide array

of professional services, including mortgage origination and servicing. That

reliance exposes the Enterprises to counterparty risk, including the risk that

the counterparty will not meet its contractual obligations, and the risk that a

counterparty will engage in fraudulent conduct. FHFA has delegated to the

Enterprises the management of their relationships with counterparties and

reviews that management largely through its supervisory activities.

Our publicly reportable criminal investigations include inquiries into alleged

fraud by different types of counterparties, including real estate brokers and

agents, builders and developers, loan officers and mortgage brokers, and title

and escrow companies.

In light of the financial, governance, and reputational risks arising from the

Enterprises’ relationships with counterparties and third parties, FHFA is

challenged to effectively oversee the Enterprises’ management of risks related

to their counterparties.

Management Concern: Sustain and Strengthen Internal Controls Over Agency and

Enterprise Operations

FHFA’s programs and operations are subject to legal and

policy requirements common to federal agencies. Satisfying such requirements

necessitates the development and implementation of, and compliance with,

effective internal controls within the Agency.

In January 2019, there was a leadership change with the appointment of an

acting FHFA Director, while the Senate considered the President’s nominee for

the next FHFA Director (who was subsequently confirmed and took office in April

2019). Key senior positions within FHFA have been filled on an acting capacity

for a long period of time (e.g., Chief Operating Officer and, until recently,

the Deputy Director of the Division of Conservatorship). Our work demonstrates

that FHFA is challenged to ensure that its existing controls, including its

written policies and procedures, are sufficiently robust, and its personnel are

adequately trained on these internal controls and comply fully with them.

Both Enterprises have also experienced significant leadership changes. For

example, in late March 2019, Fannie Mae appointed a new Chief Executive Officer

(CEO); that individual had been serving as Interim CEO with the departure of the

previous CEO in October 2018. In addition, Freddie Mac announced that its CEO

will retire with its current President to take over as CEO in July 2019. Among

other things, changes in leadership can lead to lack of attention to internal

controls.

Examples of OIG’s Oversight Accomplishments: Audit, Evaluation, and Compliance

Activities

Supervision of the Regulated Entities

FHFA’s Housing Finance Examiner Commissioning Program: $7.7 Million and Four

Years into the Program, the Agency has Fewer Commissioned Examiners

(COM-2018-006, issued September 6, 2018)

In 2011, FHFA acknowledged that the efficiency and effectiveness of its

examination program was impeded by the limited number of commissioned examiners

then in its employ, totaling 46. The Agency agreed to develop a Housing Finance

Examiner commission program (HFE Program) with the stated objectives of providing

examiners with “broad-based knowledge to conduct successful risk-based examinations”

and qualifying them “to lead the examination of a major risk area at Fannie Mae,

Freddie Mac, and the Federal Home Loan Banks.”

Previously, we issued four reports on FHFA’s efforts to increase the size of its

corps of commissioned examiners and two assessments of the HFE Program. During this

semiannual period, we conducted a study to assess whether the HFE Program had

increased the number of commissioned examiners on the FHFA staff and to determine

how FHFA deployed its commissioned examiners and reported our findings. We found

that the Agency has not achieved its goal of increasing the number of commissioned

examiners nor is it on track to do so. Since the Agency began awarding HFE

commissions in 2014, the total number of its commissioned examiners has decreased

from 59 (as of June 2014) to 58 (as of June 2018). Almost seven years after the

Agency committed to develop and implement a commissioning program and $7.7 million

later, the Agency’s examination program continues to be hindered by an insufficient

number of commissioned examiners.

We found the HFE Program suffers from a high non-completion rate. Of the 66

examiners who enrolled when the HFE Program first began in 2013, only 6 completed

the HFE Program and passed its final examination. By June 2018, more than half (36)

were no longer enrolled in the HFE Program. The remaining 24 continued to be enrolled

as of June 1, 2018, almost five years into the approximately four-year program, and

one-third (8) had completed less than 75% of the Program’s requirements after five

years. Since 2014, only 9 individuals have graduated from the HFE Program and

passed the final examination.

We also assessed the Agency’s deployment of its commissioned examiners. FHFA, in its

2013 Performance and Accountability Report, explained that the main objective of the

HFE Program was to produce commissioned examiners who are “qualified to lead”

examinations of major risk areas at the entities supervised by FHFA. However, that

objective has not been fulfilled in practice. DBR records reflect that, for each

of the last three supervisory cycles, commissioned examiners led roughly 75% of annual

DBR exams. DER records show that, for the 2016 and 2017 annual supervisory cycles, DER

initiated a total of 53 targeted examinations (defined by FHFA as “a deep or

comprehensive assessment” of areas of high importance or risk) and none of these 53

targeted exams was led by an HFE commissioned examiner.

Based on our prior reports and the fieldwork for our September 2018 report, we hold

the view that the multiple failures in FHFA’s administration of its HFE Program have

derailed efforts to produce the HFE commissioned examiners that the Agency claimed to

need. We questioned the $7.7 million in costs to develop, implement, and staff the HFE

Program in light of the failure of that Program to yield the anticipated results.

Conservatorship Operations

Special Report on the Common Securitization Platform: FHFA Lacked Transparency and

Exercised Inadequate Oversight Over a $2.13 Billion, Seven-Year Project (OIG-2019-005,

issued March 29, 2019)

In 2012, FHFA directed the Enterprises to build a Common Securitization Platform (CSP

or Platform) to replace their current separate “back-office” systems and to issue a

single mortgage-backed security (single security). As originally envisioned, the CSP

was intended to facilitate issuance of mortgage-backed securities (MBS) by multiple

market participants in a future housing finance system. In May 2014, the then-FHFA

Director decided to limit the current scope of the Platform to working “for the

benefit of Fannie Mae and Freddie Mac” and committed to transparency in its

development.

The first phase of CSP development, Release 1, was rolled out in November 2016.

Release 1 allowed Freddie Mac to use the CSP to issue single-family fixed-rate MBS.

Under the second phase, Release 2, both Enterprises will use the CSP to issue the

new single security. Release 2 is now scheduled for completion by June 2019.

In December 2016, we reported that FHFA had not fully met its commitment to

transparency around the development of the CSP. We found that the Agency publicly

disclosed only the actual costs incurred to develop and test the CSP; represented

to Congress that, as of the first quarter of 2016, the actual and projected costs

to develop and test the CSP through 2018 totaled $696 million; and did not disclose

to Congress or the public what it knew about the Enterprises’ actual and projected

integration costs. We also found that FHFA had not publicly disclosed the risks to

successful development and implementation of the CSP.

During this reporting period, we conducted a review to determine whether (1) FHFA

honored its commitment to transparency about the CSP by disclosing updated

projections for the total cost (development and integration) of the CSP and its

internal assessment of the risks of this project after December 2016; and (2) FHFA

exercised adequate oversight of the CSP project. We found that: (1) FHFA was not

transparent; and (2) its oversight of the CSP project was inadequate.

FHFA issued a public update in March 2017, in which it projected a total of $1.12

billion in CSP development costs. However, FHFA did not disclose the projected

$955 million cost to integrate the Enterprises’ IT systems into the CSP. Because

it had conducted a thorough review of the program in late 2016, FHFA was aware

that the CSP development was “off track” with a significant risk of untimely

completion and additional costs. However, it disclosed no known issues or risks

in its March 2017 update. It announced that Release 1 had been implemented but

reported that Release 2 would be delayed by six months, until the second quarter

of 2019.

Since March 2017, FHFA has provided no further cost information in public updates.

Our review of internal FHFA documents found that, as of February 2019, FHFA

projected that Platform development costs and Enterprise integration costs through

Release 2 will total $2.13 billion by June 30, 2019. Although the Agency has

asserted that the Platform was developed using standard industry technology and

interfaces, it acknowledged to us that it has yet to develop plans, establish a

timetable, and determine the costs for use of the Platform by any third party.

FHFA’s Approval of Senior Executive Succession Planning at Freddie Mac Acted to

Circumvent the Congressionally Mandated Cap on CEO Compensation (EVL-2019-002,

issued March 26, 2019) and FHFA’s Approval of Senior Executive Succession

Planning at Fannie Mae Acted to Circumvent the Congressionally Mandated Cap on

CEO Compensation (EVL-2019-001, issued March 26, 2019)

During this reporting period, we issued two reports that evaluated FHFA oversight

of the Enterprises’ boards of directors’ succession planning efforts.

Under HERA, FHFA is empowered to operate the Enterprises “with all the powers of

the shareholders, the directors, and the officers” while the Enterprises remain in

conservatorship. FHFA delegated responsibility to the respective boards of

directors to develop a succession plan for the CEO and President positions and

select candidates for vacant CEO and President positions, and the selections are

subject to review by FHFA as conservator. According to FHFA, it has, as a

practical matter, chosen to approve such selections after review. FHFA has

retained the responsibility to approve compensation actions for senior executive

officers.

FHFA reported to us that the then-FHFA Director raised the need for succession

planning with the Fannie Mae Board Chair in 2018, following the CEO’s notice of

his likely departure. In June 2018, the Board Chair submitted the Board’s

written proposed transition plan for directors and senior executive leadership

(Board Transition Plan) to FHFA for approval. The Fannie Mae Board Transition

Plan represented that the statutory cap of $600,000 on compensation for

Enterprise CEOs imposed by the Equity in Government Compensation Act of 2015

created challenges to recruit internal and external qualified candidates for

the CEO position.

To address these challenges, the Board Transition Plan recommended a change to

Fannie Mae’s management structure by filling the positions of President and

CEO with separate individuals. (Since 2008, those positions had been held by

one individual.) Under the Fannie Mae Board Transition Plan, certain

responsibilities previously executed by the individual holding the CEO and

President positions would be assigned to the position of President. The Fannie

Mae Board proposed that the annual compensation for the President position

should be no less than Fannie Mae’s most highly compensated Fannie Mae officer,

which was then $3.25 million. The then-FHFA Director approved the Board

Transition Plan in July 2018.

We found that FHFA’s approval of the Fannie Mae Board Transition Plan acted to

circumvent the congressionally mandated cap of $600,000 on CEO compensation. By

authorizing Fannie Mae to fill the positions of CEO and President with two

separate individuals and transfer substantial responsibilities from the CEO and

President to the President position, FHFA permitted Fannie Mae to compensate its

President at a level more than five times greater than the statutory cap. After

the current President had served in the position for less than seven weeks, the

Board approved an 11% increase in the President’s target compensation, raising

it to $3.6 million per year, which FHFA approved in October 2018. Fannie Mae is

now compensating its interim CEO and President a total of $4.2 million to

execute the same responsibilities for which it had previously paid $600,000.

In addition, we found that the then-FHFA Director overrode internal controls

for processing, tracking, and monitoring requests for conservator approval, which

he was authorized to do, when he determined to review the Fannie Mae Board

Transition Plan directly, without any staff analysis or recommendation. The

decision by the then-FHFA Director to override established FHFA internal controls

for conservator review and approval of an Enterprise request created an

information vacuum within the Division of Conservatorship (DOC) and rendered

it unable to execute its responsibilities.

To address these shortcomings, we recommended that FHFA (1) re-assess the

appropriateness of the annual compensation award of $3.6 million to the Fannie

Mae President; and (2) establish a process for maintaining and monitoring

sensitive conservator requests in its tracking system. FHFA disagreed with

our first recommendation and agreed with our second recommendation.

In a companion report, we focused on FHFA oversight of the Freddie Mac Board

of Directors. FHFA reported that Freddie Mac’s CEO, who has served as CEO

since May 2012, advised the Freddie Mac Board that he intends to retire

during the second half of 2019. In May 2018, the Freddie Mac Board Chairman

provided the then-FHFA Director with a Board Transition Plan that included

recommendations to address this transition. The Freddie Mac Board Transition

Plan stated that the statutory cap on the compensation of Enterprise CEOs of

$600,000 created challenges to Freddie Mac’s ability to recruit qualified

external candidates and an external search could be disruptive to existing

internal leadership. The then-FHFA Director responded in writing to the Board

Transition Plan, advising the Freddie Mac Board that the plan “strikes us

as being very reasonable” and concurred with the Board’s request to forego

an external search. Over the following months, the Freddie Mac Board

Transition Plan was refined to include: designation of the senior executive

who would succeed the CEO after his retirement; creation of a “Deputy CEO”

position to be filled by this designated senior executive for one year;

mentorship of the Deputy CEO by the CEO until his retirement; and a

proposed compensation package for the Deputy CEO position at a level no

less than the highest paid executive who

reported to the CEO (then $3.25 million).

Acting upon a written staff recommendation, the then-FHFA Director approved

this executive compensation package

of $3.25 million for the Deputy CEO position on August 15, 2018. Despite

FHFA’s earlier response to Freddie Mac that the Board Transition Plan was

reasonable, FHFA notified Freddie Mac after August 15, 2018, that the

Enterprise would need to conduct an external search for a CEO and title the

new position “President,” rather than Deputy CEO. FHFA approved creation of

the position of President with the understanding that the individual in that

position would serve as the “understudy” to the CEO and execute only those

responsibilities previously executed by the CEO and now delegated to him over

a one-year period.

We found that FHFA’s approval of a $3.25 million compensation package for the

Deputy CEO position (which was never created) and subsequent approval of the

same compensation for the President position, acted to circumvent the

congressionally mandated cap of $600,000 on CEO compensation. As a result

of FHFA’s approval, Freddie Mac provided a total of $3.85 million in

compensation for the same set of CEO responsibilities for which it

previously paid $600,000. We recommended that FHFA re-assess the

appropriateness of the Freddie Mac President’s $3.25 million compensation.

FHFA disagreed with our recommendation.

Fannie Mae Purchased Single-Family Mortgages, Including those Purchased

through Master Agreements, in Accordance with Selected Credit Terms Set

Forth in its Selling Guide for 2015 – 2017 (AUD-2019-006, issued March 27,

2019)

Fannie Mae manages the quality of its mortgage purchases by requiring

mortgage sellers to comply with its Selling Guide. The Selling Guide sets

forth Fannie Mae’s underwriting standards and eligibility guidelines, as

well as its policies and procedures related to sales of single-family

mortgages to it. Fannie Mae’s underwriting standards are developed, in part,

based on risk-based criteria which enables it to evaluate a borrower’s

willingness and capacity to repay a mortgage and the value of the property

to ensure that it provides adequate collateral for the mortgage. Risk-based

criteria relating to a borrower’s willingness and capacity include the

debt-to-income (DTI) ratio, loan-to-value (LTV) ratio, and credit score while

collateral value is assessed through property valuation. None of these

criteria are considered in a vacuum but are considered together to build a

snapshot of the potential risk level of the mortgage.

Historically, many mortgage sellers sought to sell mortgages to Fannie Mae

that did not meet the underwriting standards and/or eligibility requirements

in the Selling Guide. Fannie Mae captured these negotiated terms, referred

to as variances, with its mortgage sellers in a document called a “master

agreement.” Each master agreement supplemented the general requirements of

the Selling Guide and set forth the additional negotiated terms under

which Fannie Mae agreed to purchase mortgages from the mortgage seller.

We completed an audit in which we sought to assess FHFA’s oversight of

Fannie Mae’s master agreements with its single-family mortgage sellers from

2015 through 2017 (review period). As part of the audit, we analyzed master

agreements for Fannie Mae’s top three single-family mortgage sellers and

found no variation between the terms in the master agreements for DTI ratio,

LTV ratio, credit score, and property valuation method from the terms for the

same element set forth in the Selling Guide.

We also obtained information from FHFA and Fannie Mae and analyzed

loan-level data in FHFA’s Mortgage Loan Integrated System (MLIS) for all

single-family mortgage sellers to determine whether the credit terms for DTI ratio,

LTV ratio, credit score, and property valuation methods for the mortgages

purchased by Fannie Mae differed from those credit terms in the governing

Selling Guide. For the single-family mortgages purchased by Fannie Mae

during the review period (nearly 6.46 million mortgages with a total unpaid

principal balance of $1.49 trillion), through our analysis, we identified

some differences with these credit terms, but those differences were not

material (less than one-tenth of one percent of the mortgages purchased by

Fannie Mae during the review period).

We did, however, identify issues with the reliability of certain data fields

in MLIS. Specifically, we found instances where data fields for our selected

credit terms were either missing information or were shown as “unknown,”

particularly with respect to the data field for property valuation method.

FHFA agreed with our recommendation to address this MLIS data field.

Information Technology Security

External Penetration Test of FHFA’s Network and Systems During 2018 (AUD-2019-003,

issued February 11, 2019)

To support our ongoing oversight of FHFA’s implementation of the Federal

Information Security Modernization Act of 2014 (FISMA), we completed an audit

during this period to determine whether FHFA’s security controls were effective

to protect its network and systems against external threats.

We found that FHFA’s security controls successfully prevented us from

gaining unauthorized access to its systems via the internet, wireless

access points, or phishing email. Through a vulnerability scan of the

Internet Protocol addresses registered to FHFA, we identified two medium

severity vulnerabilities related to an outdated encryption protocol

and web cookies; however, we were not able to exploit these vulnerabilities

to gain unauthorized access to FHFA’s systems. Upon receiving our

vulnerability scan reports, FHFA management reported that a plan was

underway to replace systems with an outdated encryption protocol and FHFA

took action to address the web cookie vulnerability.

We also performed a test that revealed FHFA employees were susceptible to

email phishing. FHFA agreed with our three recommendations to address these

matters.

Counterparties and Third Parties

FHFA Should Re-evaluate and Revise Fraud Reporting by the Enterprises to

Enhance its Utility (EVL-2018-004, issued September 24, 2018)

HERA requires the Enterprises to establish and maintain procedures designed

to discover and report instances of fraud and possible fraud. In 2010, FHFA

promulgated a regulation to implement HERA’s fraud reporting requirements.

This regulation requires each Enterprise to report to the FHFA Director

instances of fraud and possible fraud relating to the purchase or sale of

fraudulent loans or financial instruments. In addition, FHFA Advisory

Bulletin 2015-02, Enterprise Fraud Reporting, directs the Enterprises to

submit monthly and quarterly fraud status reports. FHFA provided standardized

templates for specifying the information the Enterprises should include in

their monthly and quarterly reports. Similarly, under the Bank Secrecy Act,

the Enterprises are required to report fraud and other suspicious activities

to the Financial Crimes Enforcement Network, a Treasury bureau.

FHFA is responsible for examining and monitoring the Enterprises’ fraud risk

management practices and overseeing the Enterprises’ compliance with FHFA

fraud reporting requirements. FHFA recognizes that timely fraud reporting to

the Agency is essential to maintain the Enterprises’ safe and sound condition.

We reviewed the applicable requirements and guidance governing the Enterprises’

obligations to detect and report fraud, the Enterprises’ fraud detection and

reporting practices, and FHFA’s use of the Enterprises’ fraud reports. We found

that FHFA does not make any documented, systematic use of the content of the

Enterprises’ fraud reports. FHFA advised us that it recently began to analyze

trends of the information in the Enterprises’ fraud reports. While FHFA has

considered using that information for risk analysis, it has not developed any

framework in which to assess that information.

Because Congress required the Enterprises to prepare fraud reports and FHFA has

directed them to submit detailed monthly and quarterly reports to meet this

statutory requirement, we recommended that FHFA re-evaluate the fraud

information it requires from the Enterprises and revise, as appropriate, its

existing reporting requirements to enhance the utility of these reports with

the goal of using these reports to inform its supervisory activities with

respect to the risk that fraud poses to the Enterprises. FHFA agreed with our

recommendation.

Examples of OIG Investigative Accomplishments

OIG is vested with statutory law enforcement authority that is exercised by

its Office of Investigations (OI). OI conducts criminal and civil

investigations into those, whether inside or outside of government, who

waste, steal, or abuse in connection with the programs and operations of the

Agency and the regulated entities. OI is staffed with special agents (SAs),

investigative counsel, analysts, and attorney advisors who work in field

offices across the nation. OI has offices located within several federal

judicial districts that lead the nation in reported instances of mortgage

fraud: the Southern District of Florida; the Northern District of Illinois;

the District of New Jersey; and the Central District of California.

OI specializes in deterring and detecting fraud perpetrated against the

Enterprises. OI’s focus on fraud committed against the Enterprises is

essential to the well-being of the secondary mortgage market. Collectively,

Fannie Mae and Freddie Mac hold more than $5 trillion worth of mortgages on

their balance sheets. Each year the Enterprises acquire millions of

mortgages worth several hundreds of billions of dollars. The potential for

fraud in these circumstances is significant.

Civil Cases

OI continued to participate in residential mortgage backed securities (RMBS)

investigations and other civil investigations by working closely with U.S.

Attorneys’ offices to investigate allegations of fraud committed by financial

institutions and individuals.

The Royal Bank of Scotland Agrees to Pay $4.9 Billion for Financial Crisis-Era

Misconduct

In August 2018, the Department of Justice (DOJ) announced a $4.9 billion

settlement with The Royal Bank of Scotland Group plc (RBS Group) resolving

federal civil claims that RBS Group’s subsidiaries in the United States (RBS)

misled investors in the underwriting and issuing of RMBS between 2005 and 2008.

The penalty is the largest imposed by DOJ for financial crisis-era misconduct

at a single entity.

Using recordings of contemporaneous calls and emails of RBS executives, the

settlement includes a statement of facts alleged by DOJ (but not admitted or

agreed to by RBS) that details how RBS routinely made misrepresentations to

investors about significant risks it failed to disclose about its RMBS.

For example, RBS’s reviews of loans backing its RMBS (known as “due diligence”)

confirmed that loan originators had failed to follow their own underwriting

procedures, and that their procedures were ineffective at preventing risky

loans from being made. As a result, RBS routinely found that borrowers for the

loans in its RMBS did not have the ability to repay and that appraisals for the

properties guaranteeing the loans had materially inflated the property values.

RBS’s RMBS contained, as its Chief Credit Officer put it, “total [expletive

deleted] garbage” loans with “random” and “rampant” fraud that was “all

disguised to, you know look okay kind of . . . in a data file.” RBS never

disclosed that these material risks both existed and increased the likelihood

that loans in its RMBS would default.

RBS’s due diligence practices did not remove fraudulent and high-risk loans

from its RMBS. In fact, RBS executives internally discussed how RBS’s due

diligence process was “just a bunch of [expletive deleted].”

To develop and maintain business relations with originators, RBS agreed to

limit the number of loans it could review (due diligence caps) and/or limit

the number of materially defective loans it could remove from an RMBS (kick-out

caps). As a result, RBS securitized tens of thousands of loans that it

determined or suspected were fraudulent or had material problems without

disclosing the nature of the loans to investors.

Through its scheme, RBS earned hundreds of millions of dollars, while

simultaneously ensuring that it received repayment of billions of dollars it

had lent to originators to fund the faulty loans underlying the RMBS. RBS used

RMBS to push the risk of the loans, and tens of billions of dollars in

subsequent losses, onto unsuspecting investors across the world, including

non-profits, retirement funds, and federally-insured financial institutions. As

losses mounted, and after many mortgage lenders who originated those loans had

gone out of business, RBS executives showed little regard for this misconduct

and made light of it. For example, after RBS’s Head Trader received an e-mail

from a friend stating “[I’m] sure your parents never imagine[d] they’d raise a

son who [would] destroy the housing market in the richest nation on the planet,”

the Head Trader answered, “I take exception to the word ‘destroy.’ I am more

comfortable with ‘severely damage.’”

According to OIG’s Associate Inspector General Jennifer Byrne: “The actions of

RBS resulted in significant losses to investors, including Fannie Mae and Freddie

Mac, which purchased the Residential Mortgage-Backed Securities backed by

defective loans.”

Criminal Cases

11 Individuals and 3 Businesses Charged in National Foreclosure Relief Scheme,

Ohio

In March 2019, 11 people from across the country and three businesses were

indicted for their roles in a scheme to defraud distressed homeowners by falsely

representing that they could help the victims save their homes.

According to the 26-count indictment, the co-conspirators took advantage of

homeowners’ desperation to save their homes and used money from homeowner victims

to personally enrich themselves. It is alleged that co-conspirators were involved

in a multilevel marketing scheme, which promised affiliates commissions by

recruiting distressed homeowners to companies they controlled, including MVP Home

Solutions, LLC, Bolden Pinnacle Group Corp., and Silverstein & Wolf Corp. They

used multiple ways to recruit affiliates, including conference calls and direct

mailings. For example, some co-conspirators hosted weekly conference calls where

participants from across the country dialed in to hear details of the scheme and

share sales strategies. During the calls, co-conspirators encouraged affiliates

to recruit homeowners to their companies on the promise of easy money.

Some co-conspirators also allegedly promoted, organized, and attended conferences

in which affiliates came to hear details of the scheme in person. For example,

some co-conspirators organized and participated in a national conference in

Columbus, Ohio, in April 2015 in which they provided “deep impact training” and

techniques for affiliates to convince homeowners to enroll in Bolden Pinnacle

Group Corp. and Silverstein & Wolf Corp. programs.

Affiliates were encouraged to be aggressive in recruiting homeowners. Affiliates

used online databases and court records to identify vulnerable, financially

distressed homeowners who had recently received notice of foreclosure on their

home.

According to the indictment, some co-conspirators mailed more than 22,000

postcards promising that they could “stop foreclosure” or “stop the sheriff sale”

for a fixed fee. Co-conspirators also reached out to homeowners using

Craigslist ads, websites, emails, and social media platforms.

On the promise of reducing or eliminating mortgage obligations in exchange for a

fee, initial recruiters would collect payments from homeowners and refer the

victims to the co-conspirator’s companies.

Among other things, the referral programs promised to negotiate with mortgage

lenders on the homeowners’ behalf for the purchase of the mortgage notes at a

discount, negotiate the sale of their home and release of their mortgage loans

through a short sale and/or deed in lieu of foreclosure sale, stop an imminent

foreclosure sale, remove the mortgage lien via a tender offer, and achieve

short sale prices at a fraction of the value of the outstanding lien/note.

Further, co-conspirators represented that they had “proprietary” methods or

“legal tactics” to help homeowners stall or completely avoid foreclosure. In

actuality, the indictment says co-conspirators persuaded homeowners to file

chapter 13 bankruptcies in order to delay foreclosure actions.

Co-conspirators allegedly filed skeletal bankruptcy petitions that they called

“pump fakes.” These petitions intentionally failed to disclose the

co-conspirators as preparers and named the homeowners as filing pro se. Any

relief from foreclosure delay was temporary until the bankruptcy court

dismissed the proceeding.

In 2014 alone, one co-conspirator allegedly prepared and filed petitions for

30 homeowners without their knowledge.

The Enterprises suffered losses because of this scheme.

Vice President of Real Estate Management Company and Managing Director of

Commercial Real Estate Financing Firm Pled Guilty in Multi-Million Dollar

Mortgage Fraud Scheme, New York

Between December 2018 and March 2019, Kevin Morgan and Patrick Ogiony were

charged by information and pled guilty to conspiracy to commit bank fraud.

According to court documents, Kevin Morgan and Ogiony, along with

co-defendants Todd Morgan, Frank Giacobbe, and others, conspired to defraud

financial institutions and the Enterprises. Kevin Morgan was employed as a

Vice President at Morgan Management, LLC, a real estate management company

that managed more than 200 multifamily properties. Todd Morgan also was

employed by Morgan Management as a Project Manager. Kevin and Todd Morgan

worked with Frank Giacobbe, who owned and operated Aurora Capital Advisors,

LLC, a mortgage brokerage company, and Patrick Ogiony, an Aurora employee,

to secure financing for properties managed by Morgan Management or certain

principals of Morgan Management.

Kevin Morgan, Ogiony, and others created and provided false information to

lenders, the Enterprises, and servicers, including reporting inflated

revenues and reduced expenses for the properties managed by Morgan

Management.

This resulted in the financial institutions issuing loans for larger

amounts than they would have authorized had they been provided with truthful

information.

The co-defendants misled the financial institutions regarding the occupancy of

properties. For example, Kevin Morgan and Ogiony conspired to provide false

rent rolls to lenders and appraisers on a variety of dates, overstating

either the number of renters in a property and/or the rent paid by occupants;

conspired to provide false and inflated income statements for the properties;

and worked with others to deceive inspectors into believing that unoccupied

apartments were, in fact, occupied.

In one such instance, Kevin Morgan, Ogiony, and others provided false

information to Berkadia Commercial Mortgage LLC and Freddie Mac, in connection

with Rochester Village Apartments at Park Place, a multi-family residential

community owned by certain Morgan Management principals. The false information

included inflated income derived from storage unit rentals, parking revenue,

and apartment leases. Additionally, during the construction phase, apartments

were reported to lenders as “occupied” prior to the issuance of the certificates

of occupancy. At another property, radon testing procedures were falsified to

secure financing.

In addition, Kevin Morgan, Ogiony, and others made misrepresentations to the

lending institutions to conceal the unauthorized use of loan proceeds by Morgan

Management and its principals. Loan funding was used to maintain or improve other

properties managed by Morgan Management, and to satisfy debts associated with

other properties managed by Morgan Management. For example, the defendants

included a fictitious $2.5 million debt in a loan application, purportedly owed

to a Morgan Management controlled entity and created a fabricated payoff letter

for that debt to increase the amount of the loan in connection with a property

known as Autumn Ridge.

Charges are pending against Giacobbe and Todd Morgan. The investigation revealed

fraud in at least 23 loans issued for over $500 million, secured by at least 21

different properties.

Loss calculations are ongoing. Some loans involved in this scheme were purchased

or securitized by the Enterprises.

Ex-Fannie Mae Employee Found Guilty and Fannie Mae Real Estate Owned (REO) Broker

Pled Guilty in Multi-Million Dollar Scheme Involving Property Listings and

Approval of Below-Market Sales, California

In February 2019, Shirene Hernandez was found guilty at trial on charges of wire

fraud and deprivation of honest services involving a scheme where she received

bribes and kickbacks from brokers in exchange for Fannie Mae real estate listings

and for approving the discounted sales of Fannie Mae-owned properties.

According to the evidence presented at a five-day trial, Hernandez was a sales

representative at Fannie Mae. As part of its operations, Fannie Mae acquires

properties through foreclosures and other methods, and then it manages and

sells those properties for Fannie Mae’s benefit. Since at least 2012, Fannie

Mae’s profits have gone to the U.S. Treasury

for the benefit of U.S. taxpayers.

As a sales representative, Hernandez assigned Fannie Mae-owned properties to

real estate brokers and approved sales of the properties based on offers the

brokers submitted. In violation of Fannie Mae rules and federal law, Hernandez

approved sales of Fannie Mae-owned properties at discounted prices to herself

and to the brokers who paid her kickbacks. She also received bribes – mostly

in cash payments – in return for listing opportunities and commissions that

brokers earned on real estate sales.

Hernandez also assigned listings to family members who earned nearly $2 million

in commissions in less than three years. Other brokers who paid kickbacks

earned millions more. For her part in the scheme, Hernandez received more than

$1 million in benefits, including the cash kickbacks that she received, and the

value of a property that she obtained with kickback money.

As part of the scheme, Hernandez purchased a Fannie Mae-owned property in

Sonoma, California, that she was responsible for selling, and she rejected higher,

market-priced offers in favor of her own below-market price. Hernandez purchased

the Sonoma property through intermediaries and affiliates that she controlled,

selling it first to a company affiliated with a broker who was bribing her, then

directing the broker to transfer the property to her sister-in-law, who paid for

the property with a duffel bag filled with $286,450 in cash from Hernandez – far

below the market price. The Sonoma property was rented out and Hernandez received

the rent proceeds.

In a related case, in January 2019, Peter Michno, a broker, was charged and pled

guilty to conspiracy to commit wire fraud involving deprivation of honest services

for his role in this scheme.

According to the plea agreement, Michno was a Fannie Mae-approved REO broker

entitled to receive a commission from the sale of REO properties as compensation

for his services. Michno was not authorized to purchase Fannie Mae REO properties

for himself or for his friends, relatives, and associates or permitted to pay

referral fees, bribes, or kickbacks to Fannie Mae employees.

Michno paid co-conspirators, employed by Fannie Mae, cash bribes and kickbacks in

exchange for the assignment of listings and the approval of below-market sales of

Fannie Mae REO properties to him and his affiliates. Michno then transferred some

of these properties to his co-conspirators as a kickback for the performance of

their official duties.

Former Business Owner Convicted in Federal Court for Over $49 Million Bank Fraud,

Maryland

In August 2018, Mark Gaver was convicted by a federal jury on charges of bank

fraud and money laundering arising from a scheme in which he obtained over $49

million in bank financing for his company Gaver Technologies, Inc. (GTI), using

false and fraudulent financial statements, balance sheets, and certifications of

outstanding accounts receivable.

According to the evidence presented at his seven-day trial, Gaver formed GTI, an

information technology company based in Frederick, Maryland. Gaver submitted

materially false financial documents to Santander Bank, a federally insured bank,

including fraudulent audit reports and contract status reports, to establish and

obtain successive increases in the line of credit from the lender for GTI. Based

upon the false documentation submitted by Gaver, the lender ultimately extended

$50 million in financing to GTI.

The evidence showed that some of the funds obtained from the lender were used by

Gaver to cover regular business expenses and thereby keep GTI open, but Gaver also

diverted half of the loan proceeds—approximately $15 million—to his own personal

use. For example, Gaver used loan proceeds to pay rental fees of private planes that

he used for non-business purposes, as well as to pay for personal pleasure trips to

France, Germany, Mexico, Jamaica, and the Bahamas. Gaver also used the funds to

purchase vacation homes, including a 4,000-square foot condominium with a view of

the Gulf of Mexico in Bonita Springs, Florida, a 2012 Maserati Gran Turismo, a 2011

Mercedes Benz SL Roadster, and a private membership at an exclusive golf club.

Gaver obtained a home equity line of credit that was pledged to the FHLBank of

Pittsburgh. The estimated loss to Santander, a member bank of the FHLBank of

Pittsburgh, is $49 million.

In December 2018, Gaver was sentenced to 17 years in prison, 3 years of supervised

release, and ordered to pay $48,774,308 in restitution and $49,215,606 in forfeiture.

[Seal - Office of Inspector General, U.S. Department of Housing and Urban Development]

Office of Inspector General

U.S. Department of Housing and Urban Development

The HUD OIG conducts independent audits, evaluations, investigations, and other reviews

of HUD operations and programs to promote economy, efficiency, and effectiveness, and

protect HUD and its component entities from fraud, waste, and abuse.

Background

While organizationally located within HUD, the OIG operates independently with separate

budget authority. Its

independence allows for clear and objective reporting to HUD’s Secretary and Congress.

HUD’s mission is to create strong, sustainable, inclusive communities and quality

affordable homes for all. HUD is working to strengthen the housing market to bolster

the economy and protect consumers, meet the need for quality affordable rental homes,

and use housing as a platform for improving quality of life. Its programs are funded

through more than $50 billion in

annual congressional appropriations.

Within HUD are two entities that have major impact on the Nation’s financial system:

the Federal Housing Administration (FHA) and Government National Mortgage Association

(Ginnie Mae). FHA provides mortgage insurance for single-family homes, multifamily

properties, nursing homes, and hospitals. FHA is the largest insurer of mortgages in

the world, having insured more than 47.5 million loans since its inception in 1934.

FHA mortgage insurance provides lenders with protection against losses as the result

of homeowners defaulting on their mortgage loans. In fiscal year 2018, FHA generated

more than $1.3 trillion in insured loans. FHA receives limited congressional

funding and is primarily self-funded through mortgage insurance premiums.

Ginnie Mae is a self-financing, wholly owned U.S. Government corporation within HUD.

It is focused on providing investors a guarantee backed by the full faith and credit

of the United States for the timely payment of principal and interest on

mortgage-backed securities (MBS) secured by pools of government home loans, which are insured

or guaranteed by FHA, HUD’s Office of Public and Indian Housing, the U.S. Department

of Veterans Affairs (VA), and the U.S. Department of Agriculture (USDA). The

purchasing, packaging, and reselling of mortgages in a security form frees

up funds that lenders use to provide more loans.

Ginnie Mae has an outstanding portfolio of MBS valued at more than $2 trillion. A majority

of the MBS consist of FHA-insured mortgages. Ginnie Mae offers the only MBS carrying the

full faith and credit guaranty of the U.S. Government, which means that its investors are

guaranteed payment of principal and interest in full and on time. If an issuer of MBS fails

to make the required pass-through payment of principal and interest to investors, Ginnie

Mae is required to assume responsibility for it by defaulting the issuer and assuming

control of the issuer’s MBS pools and the servicing of the loans in those pools.

HUD’s Top Management Challenges

OIG continually looks for ways to meet the needs of HUD’s beneficiaries and to

protect taxpayer dollars. OIG’s oversight efforts focus on identifying and addressing

HUD’s most serious management challenges, several of which relate to financial

oversight:

• Ensuring the Availability of Affordable Housing that is Decent, Safe, Sanitary, and

in Good Repair

• Protecting the FHA Mortgage Insurance Fund

• Administering Disaster Recovery Assistance

• Instituting Sound Financial Management

Identifying these challenges helps HUD and Congress mitigate the primary risks that

hinder HUD in meeting its mission and being able to put taxpayer dollars to the best

use. OIG uses these challenges to target its oversight efforts, as demonstrated in the

following summaries.

Ensuring the Availability of Affordable Housing that is Decent, Safe, Sanitary, and in

Good Repair

Part of HUD’s mission is to create quality, affordable homes for all. The housing that

HUD insures and funds must be decent, safe, sanitary, and in good repair. Economic and

demographic factors, as well as aging housing stock, have created an extreme shortage of

housing that is affordable and safe. HUD’s challenge is to adapt existing programs to

address ever-increasing housing pressures on the Nation’s lowest income residents.

One of HUD’s financial strategies to address affordable housing is to encourage public

housing agencies (PHAs) to transition public housing units to a private-public partnership

model. HUD developed its Rental Assistance Demonstration Program (RAD) to give PHAs a tool

to preserve and improve public housing properties and address the $26 billion nationwide

backlog of deferred maintenance. For fiscal year 2018, Congress increased to 455,000 the

number of public housing units that may participate in RAD. OIG audited a number of PHAs

in fiscal year 2018 to assess their conversion to the RAD program, and is continuing to

conduct PHA RAD audits nationwide in fiscal year 2019. For example:

The Housing Authority of the City of Evansville, IN, Did Not Follow HUD’s and Its Own

Requirements for Units Converted Under the Rental Assistance Demonstration

The Housing Authority of the City of Evansville, IN, did not follow HUD’s and its own requirements

for the units converted under RAD. Specifically, it (1) did not ensure that units complied

with HUD’s housing quality standards before it entered into a housing assistance payments

contract, (2) failed to obtain the services of a HUD-approved independent third party to

perform housing quality standards inspections for units owned by entities it substantially

controlled, and (3) did not apply the correct contract rents for the converted units. As a

result, the Authority could not support the eligibility of more than $1 million in housing

assistance payments to the entities and more than $10,000 in program funds paid to a

contractor for housing quality standards inspection services. Further, the application of

incorrect rents led to the underpayment of housing assistance to the entities, so these

funds were not available for the administration of the Authority’s Project-Based Voucher

Program. OIG made multiple recommendations to correct the identified deficiencies. (Audit

Report: 2018-CH-1003)

Protecting the FHA Mortgage Insurance Fund

HUD is challenged in protecting the FHA mortgage insurance fund, which insures approximately

25 percent of all mortgages in the United States. Through the Mutual Mortgage Insurance

(MMI) fund,5 FHA insures participating lenders against losses when borrowers default on

loans, which allows lenders to make loans to higher risk borrowers. From April 2017 through

March 2018, the MMI fund paid out almost $14 billion in reimbursements for defaulted

loans. For those claims for which the lender conveyed the property to HUD and HUD resold the

property, HUD recovered only about 54 percent of the funds paid out.

Without sufficient controls, oversight, and effective rules, FHA’s MMI fund is at risk of

unnecessary losses. Further, if insurance fees collected from borrowers cannot support the

fund, additional funding from the U.S. Department of the Treasury is required, as authorized

for Federal credit programs.

In protecting the FHA and Ginnie Mae programs, HUD is confronted with

• a lack of sufficient safeguards in FHA’s mortgage insurance program,

• large losses to the insurance fund due to home equity conversion mortgages,

• an increase in Ginnie Mae’s nonbank issuers, and

• potential emerging risks related to a market shift toward an entirely digital mortgage

life cycle.

For more than a decade, OIG has reported the need for more safeguards to protect the FHA

insurance program, and fiscal year 2018 was no exception. For example:

FHA Insured $1.9 Billion in Loans to Borrowers Barred by Federal Requirements

OIG audited FHA insured loans from calendar year 2016 to determine whether FHA insured

loans to borrowers with delinquent Federal debt or who were subject to Federal

administrative offset for delinquent child support.

FHA insured an estimated 9,507 loans, worth more than $1.9 billion, which were not

eligible for insurance because they were made to borrowers with delinquent Federal debt

or who were subject to Federal administrative offset for delinquent child support. OIG

recommended that FHA put more than $1.9 billion to better use by developing a method for

using the U.S. Treasury Do Not Pay portal to identify delinquent Federal debt and

delinquent child support to prevent future FHA insured loans to ineligible borrowers.

(Audit Report: 2018-KC-0001)

HUD Paid an Estimated $413 Million for Unnecessary Preforeclosure Claim Interest and

Other Costs Due to Lender Servicing Delays

OIG audited FHA’s preforeclosure sale claim process to determine the amount of unnecessary

preforeclosure claim interest and other costs that resulted from lender noncompliance with

HUD’s loan-servicing timeframe requirements. HUD paid more than $413 million in unnecessary interest

and other costs for 27,634 preforeclosure claims because lenders failed to complete

servicing actions for defaulted loans within established timeframes. Although the

unnecessary amounts were caused by lenders’ inaction, HUD reimbursed lenders for these

added costs through FHA insurance claims. As a result, the FHA insurance fund incurred

unnecessary and unreasonable costs, and fewer funds were available to pay other claims

or apply toward reducing FHA borrower mortgage insurance premiums. OIG recommended that

HUD implement a change to regulations at 24 CFR (Code of Federal Regulations) Part 203 to

require curtailment of preforeclosure interest and other costs caused by lender servicing

delays, resulting in more than $413 million in funds to be put to better use. (Audit

Report: 2018-LA-0007)

Footnote: 5 The MMI fund is a Federal fund that insures mortgages guaranteed by FHA. The

MMI fund supports both FHA mortgages used to buy homes and reverse mortgages used by

seniors to extract equity from their homes. [End of footnote]

HUD Failed to Enforce the Terms of a Settlement Agreement With Fifth Third Bank Because It

Did Not Record Indemnified Loans in Its Tracking System

OIG worked with HUD to resolve outstanding matters related to two September 2015 agreements

with Fifth Third Bank (FTB) and its principal subsidiary, Fifth Third Bancorp, a bank holding

company. HUD had failed to properly record required indemnifications in its FHA Connection

system; therefore, it did not hold FTB accountable to the terms of the settlement agreements.

OIG recommended that HUD require FTB to reimburse HUD nearly $312,000 for two loans, for which

HUD incurred losses when it sold the properties, and 15 loans for which FHA insurance had been

terminated and HUD had paid loss mitigation claims to FTB. OIG also recommended that HUD record

in FHA Connection the remaining indemnified loans, avoiding more than $47 million in estimated

losses, and that HUD develop and implement controls to ensure that indemnification agreements

that result from legal settlements have been properly recorded in FHA Connection. Finally, OIG

recommended that HUD take appropriate administrative action against FTB for violations of the

settlement agreement. (Memorandum: 2018-CF-0802)

OIG also conducted a civil fraud review of a professional services firm that provides auditing

services to clients throughout the United States.

Deloitte & Touche, LLP, Settled Allegations That It Failed To Conduct Taylor, Bean & Whitaker

Mortgage Corporation’s Audits in Conformance With Generally Accepted Auditing Standards

OIG and the U.S. Attorney’s Office conducted a civil fraud review of Deloitte & Touche, LLP,

a professional services firm that provides auditing services to clients throughout the United

States. Deloitte provided auditing services to its client, Taylor, Bean & Whitaker Mortgage

Corporation (TBW). TBW was an FHA-approved direct endorsement lender and as such, was required

to submit to HUD annual audited financial statements to maintain its status as a direct

endorsement lender. Deloitte served as TBW’s independent outside auditor and submitted audit

reports on TBW’s financial statements for its fiscal years ending April 30, 2002, through

April 30, 2008. Deloitte stated in its reports that it had conducted its audits of TBW in

accordance with generally accepted auditing standards.

Deloitte & Touche, LLP, entered into a settlement agreement with the Federal Government,

agreeing to pay $149.5 million, of which $115 million was to be paid to HUD. Deloitte denied

but settled the allegations concerning its conduct as TBW’s independent outside auditor for

fiscal years that ended April 30, 2002, through April 30, 2008. The

settlement agreement was neither an admission of liability by Deloitte nor a concession by

the United States that its claims were not well founded. (Memorandum: 2018-FO-1802)

OIG has several planned and ongoing audits focused on protecting the FHA mortgage insurance

fund. For example, one ongoing audit has the objective of determining whether FHA insured

loans made to borrowers that were ineligible due to delinquent Federal tax debt. OIG expects

to issue this report in fiscal year 2019. Another audit that recently began focuses on whether

FHA insured loans that did not meet the underwriting requirements for special flood hazard

areas. OIG expects to issue this report in fiscal year 2020.

In addition, OIG continues to pursue resolution of concerns reported in previous years. In

October 2016, OIG reported one of its highest concerns: it projected that HUD had paid claims

for nearly 239,000 properties that servicers did not foreclose upon or convey on time. As a

result, HUD paid an estimated $2.23 billion in unreasonable and unnecessary holding costs

over a 5-year period. These excessive costs were allowed to occur because HUD regulations

do not establish a maximum period for filing a claim and do not place limitations on holding

costs when servicers do not meet all deadlines. OIG recommended that HUD make regulatory

changes to establish a maximum claim filing period and a sufficient limitation on holding

costs after servicers miss deadlines. To date, HUD has not completed the regulatory changes,

and our recommendation remains open. These significant, excessive costs will continue to

negatively affect the MMI fund until the regulatory changes are completed.

OIG also fears continued large losses to the FHA insurance fund due to home equity conversion

mortgages (HECM). HECM is a reverse mortgage program that enables eligible homeowners age 62

and older to borrow funds using the equity in their homes. FHA’s fiscal years 2015 through

2018 annual reports on the status of the MMI fund showed an overall trend of large

fluctuations in the value of the HECM portfolio and consistently negative net cash flows

ranging from negative $1.6 billion to negative $4.5 billion. In total, the HECM program

consumed $13 billion in MMI fund assets and $7 billion in General Insurance fund6 assets over

the 4-year period of fiscal years 2015 through 2018.

OIG is currently conducting an audit with an objective to determine whether HUD designed the

HECM program to control the risk of loss related to assignment claims and ensure program

viability. Our subobjectives are to (1) identify the full cost of the HECM program and

determine whether HUD reported that cost, (2) identify inherent program risks

and existing or potential controls to mitigate risks and control costs, and (3) determine

whether the HECM program can function as a stand-alone program without a Federal subsidy.

OIG expects to issue this report in fiscal year 2019.

HUD is also challenged by the significant increase in the number of nonbanks issuing MBS

pools that Ginnie Mae guarantees. In fiscal year 2018, nonbank issuers accounted for 78

percent of Ginnie Mae’s single-family MBS issuance volume for the year, up from 51 percent

in June 2014 and from 18 percent in fiscal year 2010. As OIG and Ginnie Mae have reported,

the increase in the number of nonbank issuers and their complexity continues to present an

unmitigated challenge for monitoring efforts. As Ginnie Mae wrote in its 2018 Annual Report,

“[a]s more non-banks issue Ginnie Mae’s securities, the cost and complexity of monitoring

increases as the majority of these institutions involve more third parties in their

transactions, making oversight more complicated. In contrast to traditional bank issuers,

non-banks rely more on credit lines, securitization involving multiple players, and more

frequent trading of [mortgage servicing rights].”

In addition, the mortgage industry is moving toward an entirely electronic loan process.

FHA and Ginnie Mae intend to do the same. However, HUD, particularly FHA, has well-known

technology challenges. Risks include weaknesses in information security, in data transfers

and platform integration, and in system functionality, any of which could enable fraudulent

activity.

OIG continues to have concerns that an increase in demand on the FHA and VA programs will

have collateral implications for the integrity of the Ginnie Mae MBS program, including

the potential for increased fraud. Of particular concern is VA loan churning, in which

lenders encourage veterans to repeatedly refinance their loans, which can result in the

borrower incurring ever increasing fees on their loan. If the fees get too high, the

veteran could lose his or her home. The churning produces profits for the lenders at the

expense of the veterans, and lenders, at times, use deceptive practices to encourage

repeated refinances. Since September 2017, the Ginnie Mae – VA Loan Churn Task Force has

been working to address these concerns. Ginnie Mae has notified issuers that are outliers

among market participants to develop corrective action plans. The action plans are aimed

at preventing a few bad actors from raising the cost of homeownership for

millions of Americans. A Ginnie Mae executive said “We expect issuers receiving these

notices to respond quickly, produce a corrective action plan and come into compliance

with our program.”

OIG also helps protect the FHA insurance fund by conducting investigations of alleged

fraud against the fund, and securing recoveries to the fund. OIG completed 126 single-

family investigations of fraud against the FHA insurance fund in fiscal year 2018.

A majority of the investigations focused on loan origination fraud, for both forward and

reverse mortgages. Recoveries from these cases totaled nearly $500 million. For example:

• The co-owner of a mortgage company was sentenced in U.S. District Court in connection

with a guilty plea to 24 counts of wire fraud, 6 counts of bank fraud, and 3 counts of

filing a false tax return. The defendant was sentenced to 60 months incarceration,

followed by 5 years of probation, and ordered to pay $12.7 million in restitution. The

co-owner and three other defendants defrauded numerous lenders into purchasing

refinanced FHA and refinanced conventional mortgages that the mortgage company originated,

for which the first mortgages were not paid off at the time of closing. The defendants

used the closing escrow funds for their personal benefit. OIG, the U.S. Attorney’s Office,

the Federal Bureau of Investigation (FBI), and the Internal Revenue Service Criminal

Investigation division conducted the investigation.

Footnote: 6 The General Insurance fund (GI) provides a large number of specialized

mortgage insurance activities, including insurance of loans for property improvements,

cooperatives, condominiums, housing for the elderly, land development, group practice

medical facilities, nonprofit hospitals, and reverse mortgages. To comply with the FHA

Modernization Act of 2008, activities related to most single-family programs, including

HECM, endorsed in fiscal year 2009 and going forward, are in the MMI fund. The single-

family activities in the GI fund from fiscal year 2008 and prior remain in the GI fund.

[End of footnote]

• A former accountant for a Ginnie Mae-approved loan servicing company was sentenced in

U.S. District Court in connection with a guilty plea to an Information charging the

defendant with reporting false transactions to HUD. The Court sentenced the former

accountant to one year of supervised release and ordered her to pay HUD more than $108,000

in restitution. Over a period of about 18 months, the defendant helped the former owner of

the loan servicing company divert millions of dollars in mortgage payments to an account

that the former owner used for other business and personal expenses. The payments should

have been made to Ginnie Mae investors. The former accountant and former company owner

then falsely reported to Ginnie Mae that the defrauded borrowers had not made those

mortgage payments. Given the shortfall in payments to investors, as well as tax and

insurance payments that were supposed to have been escrowed for borrowers but were not,

Ginnie Mae was forced to reimburse investors and borrowers, resulting in an approximate

$2.8 million loss to HUD. OIG, the U.S. Attorney’s Office, the USDA OIG, the VA OIG, and

the FBI conducted this investigation.

Administering Disaster Recovery Assistance

HUD has taken on significant leadership responsibilities in the area of disaster recovery

assistance. Congress has appropriated more than $84 billion in supplemental funding to HUD

for disaster recovery since 2001. This amount includes $35.8 billion appropriated by

Congress in supplemental appropriations to HUD in 2017 and 2018 for recovery from Hurricanes

Harvey in Texas; Irma in Florida, Georgia, South Carolina, and the U.S. Virgin Islands; Maria

in Puerto Rico and the Virgin Islands; and Nate in Mississippi. These disasters resulted in

the loss of many human lives and massive property destruction. Further, as the Federal

Emergency Management Agency noted, economic recovery is a critical and integral part of

disaster recovery. Disasters not only damage property, but also entire markets for goods and

services. Considerable Federal funds are contributed to State, local, and Tribal economic

recovery as well as to other areas of recovery that necessarily strengthen the economy.

The nature of disaster recovery is inherently risky and susceptible to fraud, given the

complexity and range of challenges experienced when recovering from disasters. Disaster

recovery appropriation funds may take decades to spend, as their purpose is for long-term

recovery, which includes rebuilding homes and communities. HUD awards grants to States and

units of local government for disaster recovery efforts. Over the years, HUD has gained more

experience and made progress in assisting communities recovering from disasters, but it

continues to face these challenges in administering and overseeing these grants:

• codifying the Community Development Block Grant - Disaster Recovery (CDBG-DR) program,

• ensuring that expenditures are eligible and supported,

• ensuring and certifying that grantees are following Federal procurement regulations,

• addressing concerns that citizens encounter when seeking disaster recovery assistance, and

• preventing fraud in disaster recovery assistance.

OIG reported on these areas in recent years, including fiscal year 2018. For example:

HUD’s Office of Block Grant Assistance Had Not Codified the Community Development Block Grant

Disaster Recovery Program

OIG audited HUD’s disaster recovery program to determine whether HUD

should codify the CDBG-DR funding as a program in the CFR. Although HUD had managed billions

in CDBG-DR funds since 2002, it has not codified the program because it believed it did not

have the authority under the Robert T. Stafford Disaster Relief and Emergency Assistance Act

and had not determined whether it had the authority under the Housing and Community

Development Act of 1974, as amended. It also believed a Presidential Executive order presented

a barrier to codification, as it required HUD to identify two rules to eliminate before

creating a new codified rule. OIG believes HUD has the authority under the Housing and Community Development Act of 1974

and it should codify the program. HUD’s use of multiple Federal Register notices to operate the

CDBG-DR program presented challenges to the grantees. For example, 59 grantees with 112 active

CDBG-DR grants, which totaled more than $47.4 billion as of September 2017, had to follow

requirements contained in 61 different Federal Register notices to manage the program. Further,

codifying the CDBG-DR program would (1) ensure that a permanent framework is in place for future

disasters, (2) reduce the volume of Federal Register notices, (3) standardize the rules for all

grantees, and (4) ensure that grants are closed in a timely manner. OIG recommended that HUD

work with its Office of General Counsel to codify the CDBG-DR program. (Audit Report:

2018-FW-0002)

The City of New York, NY, Did Not Always Use Disaster Recovery Funds Under Its Program for

Eligible and Supported Costs

OIG audited the City of New York, NY’s Infrastructure Rehabilitation and Reconstruction of

Public Facilities Program to determine whether the City used CDBG-DR funds under its program

for eligible and supported costs. The City did not always use CDBG-DR funds under its

program for eligible and supported costs. Specifically, for one of two projects reviewed, the

City did not (1) have sufficient documentation to show that the use of salary multipliers for

overhead and profit, resulting in more than $594,000 in additional costs, was supported and

eligible; (2) maintain adequate documentation to show compliance with requirements of the

Davis-Bacon Act and related acts; and (3) identify billing and payroll errors made by

subcontractors. As a result, HUD did not have assurance that the City used nearly $598,000

in CDBG-DR funds as intended for matching requirements for other federally funded

infrastructure projects, and HUD could not be assured that funds were disbursed for only

eligible and supported costs that complied with applicable Federal requirements. OIG

recommended that HUD require the City to adequately support identified expenditures or

reimburse its program from non-Federal funds, and strengthen its controls to ensure

compliance with applicable expenditure requirements. (Audit Report: 2018-NY-1007)

Grantees carry out the disaster recovery activities supported by CDBG-DR funding. The

ability of these grantees to accomplish recovery from disasters and do so in an efficient

and effective manner is critical to the recovery of the affected communities. To help HUD

ensure that grantees have this ability, OIG conducts capacity reviews to determine whether

these entities have the capability to administer their CDBG-DR grants in accordance with

applicable regulations and requirements, particularly with regard to financial management,

procurement, monitoring, and reporting. In fiscal year 2018, OIG conducted capacity reviews

of the State of Florida’s Department of Economic Opportunity (2018-AT-1010) and the State

of Texas’ General Land Office (2018-FW-1003). In fiscal year 2019, OIG has planned and

ongoing capacity reviews and compliance audits of Puerto Rico’s Department of Housing,

the U.S. Virgin Islands Housing Authority, and the State of Texas’ General Land Office,

among others. OIG expects to begin reporting on these audits starting in fiscal year 2019.

OIG is also currently conducting an audit of HUD to determine whether it is adequately

prepared to respond to upcoming natural and man-made disasters. The audit focuses on

disaster policies and procedures regarding interaction with external partners and disaster

survivors, as well as for receiving and distributing disaster funds. OIG is coordinating

this audit with several other Federal agencies and expects to issue a report in fiscal

year 2019 or 2020.

Instituting Sound Financial Management

Over the last several years, HUD’s financial management has been operating at “inadequate”

or “basic” levels of maturity7 due to (1) a weak governance structure, including the lack

of a confirmed Chief Financial Officer for a number of years; (2) ineffective internal

controls; and (3) an antiquated financial management system consisting of legacy systems

and manual processes that have precluded HUD from producing reliable and timely financial

reports. As a result, HUD has been unable to achieve an unmodified audit opinion8 on its

financial statements for the last 6 years and has received a disclaimer of opinion for

the last 5 years.

Footnote: 7 U.S. Department of the Treasury, Bureau of the Fiscal Service, Federal

Financial Management Maturity Model. The Maturity Model is a business tool that helps a

CFO self-assess his or her organization’s level of financial management discipline,

effectiveness, and efficiency. A copy of the model can be found at

https://www.fiscal.treasury.gov/fsservices/gov/fit/MaturityModelHandout2017-05-10.pdf. [End of footnote]

One of HUD’s component entities, Ginnie Mae, has also been unable to achieve an

unmodified opinion and has received a disclaimer of opinion for the last 5 years due to

poor governance and a weak internal control framework. Ginnie Mae has been unable to

appropriately account for and support several financial statement line items in accordance

with generally accepted accounting principles, including its nonpooled loan asset

portfolio, which totaled as much as $6 billion at one point. HUD’s unstable financial

management environment weakens public confidence in the government programs HUD

administers and prevents HUD’s stakeholders from being able to rely on HUD’s financial

position.

[Seal - Office of Inspector General, National Credit Union Administration]

Office of Inspector General

National Credit Union Administration

The NCUA OIG promotes the economy, efficiency, and effectiveness of NCUA programs and

operations and detects and deters fraud, waste and abuse, thereby supporting the NCUA’s

mission of providing, through regulation and supervision, a safe and sound credit union

system that promotes confidence in the national system of cooperative credit.

Agency Overview

The National Credit Union Administration (NCUA) is responsible for chartering, insuring,

and supervising Federal credit unions and administering the National Credit Union Share

Insurance Fund (Share Insurance Fund). The agency also manages the Operating Fund,9 the

Community Development Revolving Loan Fund,10 and the Central Liquidity Facility.11

Credit unions are member-owned, not-for-profit cooperative financial institutions formed

to permit members to save, borrow, and obtain related financial services. NCUA charters

and supervises federal credit unions, and insures accounts in federal and most state-

chartered credit unions across the country through the Share Insurance Fund, a federal

fund backed by the full faith and credit of the United States government.

The NCUA’s mission is to provide, through regulation and supervision, a safe and sound

credit union system that promotes confidence in the national system of cooperative

credit, and its vision is to protect consumer rights and member deposits. NCUA further

states that it is dedicated to upholding the integrity, objectivity, and independence

of credit union oversight. The agency implements initiatives designed to meet these

goals.

Major NCUA Programs

Supervision

NCUA supervises credit unions through annual examinations, regulatory enforcement,

providing guidance in regulations and letters, and taking supervisory and

administrative actions as necessary. The agency’s Office of National Examinations and

Supervision (ONES) oversees examination and supervision issues related to consumer

credit unions with assets greater than $10 billion and all corporate credit unions,

which provide services to consumer credit unions (also known as natural person credit

unions). Due to the relative size of their insured share base, they are deemed

systemically important to the Share Insurance Fund. In addition, the Dodd-Frank Act

gave the Consumer Financial Protection Bureau (CFPB) the authority to examine

compliance with certain consumer laws and regulations by credit unions with assets

over $10 billion.

Footnote: 9 The Operating Fund was created by the Federal Credit Union Act of 1934.

It was established as a revolving fund in the United States Treasury under the

management of the NCUA Board for the purpose of providing administration and service

to the federal credit union system. A significant majority of the Operating Fund’s

revenue is comprised of operating fees paid by federal credit unions. Each federal

credit union is required to pay this fee based on its prior year asset balances and

rates set by the NCUA Board. [End of footnote]

Footnote: 10 The NCUA’s Community Development Revolving Loan Fund, which was

established by Congress, makes loans and Technical Assistance Grants to low-income

designated credit unions. [End of footnote]

Footnote: 11 The Central Liquidity Facility is a mixed-ownership government

corporation the purpose of which is to supply emergency loans to member credit

unions. [End of footnote]

Insurance

NCUA administers the Share Insurance Fund, which is capitalized by credit unions

and provides insurance for deposits held at federally insured credit unions nationwide.

The insurance limit is $250,000 per depositor.

Credit Union Resources and Expansion

NCUA’s Office of Credit Union Resources and Expansion (CURE) supports credit union

growth and development, including providing support to low-income, minority, and any

credit union seeking assistance with chartering, charter conversions, by-law amendments,

field of membership expansion requests, and low-income designations. CURE also provides

access to online training and resources, grants and loans, and a program for preserving

and growing minority institutions.

Consumer Protection

NCUA’s Office of Consumer Financial Protection (OCFP) is responsible for consumer

protection in the areas of fair lending examinations, member complaints, and financial

literacy. OCFP consults with the CFPB, which has supervisory authority over credit

unions with assets of $10 billion or more. CFPB also can request to accompany NCUA on

examinations of other credit unions. In addition to consolidating consumer protection

examination functions within the agency, OCFP responds to inquiries from credit unions,

their members, and consumers involving consumer protection and share insurance matters.

Additionally, the office processes member complaints filed against federal credit unions.

Asset Management

NCUA’s Asset Management and Assistance Center (AMAC) conducts credit union liquidations

and performs management and recovery of assets. AMAC assists agency regional offices with

the review of large complex loan portfolios and actual or potential bond claims. AMAC also

participates extensively in the operational phases of conservatorships and records

reconstruction. AMAC’s purpose is to minimize costs to the Share Insurance Fund and to

credit union members.

Office of Minority and Women Inclusion

NCUA formed the Office of Minority and Women Inclusion in January 2011, in accordance with

the Dodd-Frank Act. The office is responsible for all matters relating to measuring,

monitoring, and establishing policies for diversity in the agency’s management, employment,

and business activities, and with respect to the agency’s regulated entities, excluding the

enforcement of statutes, regulations, and executive orders pertaining to civil rights.

Office of Continuity and Security Management

The Office of Continuity and Security Management evaluates and manages security and

continuity programs across NCUA and its regional offices. The office is responsible for

continuity of operations, emergency planning and response, critical infrastructure and

resource protection, cyber threat and intelligence analysis, insider threats and

counterintelligence, facility security, and personnel security.

The NCUA Office of Inspector General

The 1988 amendments to the Inspector General Act of 1978 (IG Act) established IGs in

33 designated federal entities (DFEs), including the NCUA.12 The NCUA Inspector General

(IG) is appointed by, reports to, and is under the general supervision of a three-member

presidentially appointed Board. OIG staff consists of ten employees: the IG, the Deputy

IG/Assistant IG for Audit, the Counsel to the IG/Assistant IG for Investigations, the

Director of Investigations, five auditors, and an office manager. OIG promotes the

economy, efficiency, and effectiveness of agency programs and operations, and detects

and deters fraud, waste, and abuse, thereby supporting the NCUA’s mission of facilitating

the availability of credit union services to all eligible consumers through a regulatory

environment that fosters a safe and sound credit union system. OIG supports this mission

by conducting independent audits, investigations, and other activities, and by keeping

the NCUA Board and the Congress fully and currently informed of its work.

Recent Work

We coordinated with our counterparts in CIGFO on issues of mutual interest, including

on the Top Management and Performance Challenges Facing Financial Regulatory

Organizations report that CIGFO issued in September 2018. This report noted that

cybersecurity was the most frequently identified cross-cutting challenge among CIGFO

members and included our observation that the NCUA must continue to strengthen the

resiliency of the credit union system to cyber threats.

In that regard, we currently are conducting an audit of the NCUA’s Information

Systems and Technology Examination Program to determine whether the NCUA provides

adequate oversight of the cybersecurity programs of federal credit unions with

assets of $10 billion or more and all corporate credit unions. This audit follows

our September 2017 audit focusing on the NCUA’s oversight of cybersecurity programs

of credit unions with assets between $250 million and $10 billion. Both of these audits

could be instructive for the broader financial sector.

Footnote: 12 5 U.S.C. app. § 8G [End of footnote]

[Seal - U. S. Securities and Exchange Commission]

Office of Inspector General

U. S. Securities and Exchange Commission

The U.S. Securities and Exchange Commission (SEC or agency) Office of Inspector

General (OIG) promotes the integrity, efficiency, and effectiveness of the critical

programs and operations of the SEC and operates independently of the agency to help

prevent and detect fraud, waste, and abuse in those programs and operations, through

audits, evaluations, investigations, and other reviews.

Background

The SEC’s mission is to protect investors; maintain fair, orderly, and efficient

markets; and facilitate capital formation. The SEC strives to promote capital markets

that inspire public confidence and provide a diverse array of financial opportunities

to retail and institutional investors, entrepreneurs, public companies, and other

market participants. Its core values consist of integrity, excellence, accountability,

teamwork, fairness, and effectiveness. The SEC’s goals are focusing on the long-term

interests of Main Street investors; recognizing significant developments and trends

in evolving capital markets and adjusting agency efforts to ensure the SEC is

effectively allocating its resources; and elevating the SEC’s performance by

enhancing its analytical capabilities and human capital development.

The SEC is responsible for overseeing the nation’s securities markets and certain

primary participants, including broker-dealers, investment companies, investment

advisers, clearing agencies, transfer agents, credit rating agencies, and securities

exchanges, as well as organizations such as the Financial Industry Regulatory

Authority, Municipal Securities Rulemaking Board, Public Company Accounting

Oversight Board, Securities Investor Protection Corporation, and the Financial

Accounting Standards Board. Under the Dodd-Frank Wall Street Reform and Consumer

Protection Act of 2010 (Dodd-Frank Act), the agency’s jurisdiction was expanded

to include certain participants in the derivatives markets, private fund advisers,

and municipal advisors.

The SEC’s headquarters are in Washington, DC, and the agency has 11 regional

offices located throughout the country. The agency’s functional responsibilities

are organized into 5 divisions and 25 offices, and the regional offices are

primarily responsible for investigating and litigating potential violations of

the securities laws. The regional offices also have examination staff to inspect

regulated entities such as investment advisers, investment companies, and

broker-dealers. In fiscal year 2018, the SEC employed 4,483 full-time equivalents.

The SEC OIG was established as an independent office within the SEC in 1989 under

the Inspector General Act of 1978, as amended (IG Act). The SEC OIG’s mission is

to promote the integrity, efficiency, and effectiveness of the SEC’s critical

programs and operations. The SEC OIG prevents and detects fraud, waste, and abuse

through audits, evaluations, investigations, and other reviews related to SEC

programs and operations.

The SEC OIG Office of Audits conducts, coordinates, and supervises independent

audits and evaluations of the SEC’s programs and operations at its headquarters

and 11 regional offices. These audits and evaluations are based on risk and

materiality, known or perceived vulnerabilities and inefficiencies, and

information received from the Congress, SEC staff, the U.S. Government

Accountability Office, and the public.

The SEC OIG Office of Investigations performs investigations into allegations

of criminal, civil, and administrative violations involving SEC programs and

operations by SEC employees, contractors, and outside entities. These

investigations may result in criminal prosecutions, fines, civil penalties,

administrative sanctions, and personnel actions. The Office of Investigations

also identifies vulnerabilities, deficiencies, and wrongdoing that could

negatively impact the SEC’s programs and operations.

In addition to the responsibilities set forth in the IG Act, Section 966 of

the Dodd-Frank Act required the SEC OIG to establish a suggestion program

for SEC employees. The SEC OIG established its SEC Employee Suggestion

Program in September 2010. Under this program, the OIG receives, reviews

and considers, and recommends appropriate action with respect to such

suggestions or allegations from agency employees for improvements in the

SEC’s work efficiency, effectiveness, and productivity, and use of its

resources, as well as allegations by employees of waste, abuse, misconduct,

or mismanagement within the SEC.

SEC OIG Work Related to the Broader Financial Sector

In accordance with Section 989E(a)(2)(B)(i) of the Dodd-Frank Act, below is

a discussion of the SEC OIG’s completed and ongoing work, focusing on issues

that may apply to the broader financial sector.

Completed Work

Evaluation of the EDGAR System’s Governance and Incident Handling Processes,

Report No. 550, September 21, 2018

On September 20, 2017, the Chairman of the SEC publicly disclosed that an

incident—specifically, a software vulnerability in a component of the

agency’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system—

previously detected in 2016, resulted in unauthorized access to non-public

information. On September 23, 2017, the Chairman, who began his service in

May 2017 and was notified of the incident in August 2017, requested that the

OIG review the agency’s handling of, and response to, the 2016 incident.

In response, the OIG initiated an evaluation. In July 2018, the OIG presented

the Chairman and other SEC Commissioners with the non-public results of its

evaluation relative to the 2016 EDGAR intrusion. Report No. 550 presents the

OIG’s findings related to the information security practices applicable to

the EDGAR system between fiscal years (FYs) 2015 and 2017.

EDGAR is at the heart of the agency’s mission of protecting investors;

maintaining fair, orderly, and efficient markets; and facilitating capital

formation. The availability of accurate, complete, and timely information from

EDGAR is essential to the SEC’s mission and the investing public. Without

adequate controls to ensure the SEC identifies, handles, and responds to

EDGAR system incidents in a timely manner, threat actors could gain

unauthorized access to the system, which could lead to illicit trading,

negative impacts to the economy and public access to filings, and loss of

public confidence in the SEC.

We determined that, between FYs 2015 and 2017, the EDGAR system lacked

adequate governance commensurate with the system’s importance to the SEC’s

mission. In addition, we determined that certain preventive controls did

not exist or did not operate as designed. Moreover, between September 2015

and September 2016, the SEC wasted at least $83,000 on a tool for which the

SEC derived little, if any, benefit. Finally, we found that the SEC lacked

an effective incident handling process. These weaknesses potentially

increased the risk of EDGAR security incidents, and impeded the SEC’s

response efforts. The SEC has since strengthened EDGAR’s system security

posture, including the handling of and response to vulnerabilities. Among

other actions, in August 2017, the agency established a Cyber Initiative

Working Group to oversee and lead a number of priority cyber initiatives

such as an EDGAR security uplift. As this and other work continues,

opportunities for further improvement exist.

We issued our final report on September 21, 2018, and made 14

recommendations to improve the SEC’s EDGAR system governance, security

practices, and incident handling processes. We also noted that open

recommendations from prior OIG work should address some of our

observations, and we encouraged management to implement agreed-to

corrective actions. Management concurred with the recommendations,

which will be closed upon completion and verification of corrective

action.

Because the underlying report contains sensitive information about the

SEC’s information security program, we prepared this summary with

information releasable to the public. An executive summary is also

available on our website at https://www.sec.gov/files/Eval-of-the-EDGAR-Systems-Governance-and-Incident-Handling-Processes.pdf.

TCP Established Method to Effectively Oversee Entity Compliance With

Regulation SCI but Could Improve Aspects of Program Management, Report

No. 551, September 24, 2018

In recent years, several factors, including a significant number of

systems issues at exchanges and other trading venues, increased concerns

over “single points of failure” in U.S. securities markets. These

concerns contributed to the SEC’s decision to address technological

vulnerabilities and improve agency oversight of the core technology

of key U.S. securities markets entities. In November 2014, the SEC

adopted Regulation Systems Compliance and Integrity (SCI), under which

the agency monitors the security and capabilities of U.S. securities

markets’ technological infrastructure. The SEC’s Office of Compliance

Inspections and Examinations’ (OCIE) Technology Controls Program

(TCP) is responsible for ensuring entities comply with Regulation

SCI and for evaluating whether entities have established, maintained,

and enforced written policies and procedures reasonably designed to

ensure the capacity, integrity, resiliency, availability, and security

of their Regulation SCI systems. We initiated an evaluation to assess

OCIE’s TCP and determine whether the program provided effective oversight

of entities’ compliance with Regulation SCI.

TCP has an established method to effectively oversee entity compliance

with Regulation SCI. The program assesses compliance through its

CyberWatch program and through TCP examinations. However, we

identified opportunities to improve aspects of TCP program management.

Specifically, we found that TCP’s examination manuals in effect at the

outset of our evaluation were outdated, management had not identified or

documented TCP risks and control activities in OCIE’s internal risk and

control matrix, and TCP’s development of the Technology Risk-Assurance,

Compliance, and Examination Report (TRACER) system—the program’s system

of record—was not well-planned or documented.

• Examination Manuals. The TCP Examination Manual and draft TRACER

Examination User Manual in effect at the outset of our evaluation were

outdated and did not align with TCP examination practices. Management was

in the process of revising the TCP Examination Manual and, on June 25,

2018, released an updated version.

• Risks and Control Activities. TCP management had not identified or

documented the program’s risks and corresponding control activities in

OCIE’s risk and control matrix. Although TCP examinations appear to have

similar risks and controls as other OCIE examinations, documentation we

reviewed did not clearly identify comparable documented control activities

specific to TCP examination processes for all identified risks.

• TRACER Development. Between September 2015 and January 2018, TCP

continued development of the SEC’s TRACER system at a cost of nearly

$780,000. As the system’s business owner during that time, TCP oversaw

frequent (sometimes weekly) system updates, but did not properly plan or

document its development efforts. TRACER’s purpose and functions evolved

over time as TCP was considering continued development of the system or

migration to an existing OCIE system known as the Tracking and Reporting

Examinations National Documentation System (TRENDS). Certain planned

system capabilities were not realized and it is unclear, based on a lack

of documentation, how TCP assessed or managed system requirements. On

May 4, 2018, TCP management decided to discontinue developing TRACER and

transition its examination program to TRENDS, which is expected to yield

operational and cost savings benefits.

We also identified two other matters of interest for management’s

consideration. First, a majority of TCP staff who responded to a survey we

administered indicated that they either did not receive adequate training

or only sometimes received adequate training. TCP management has completed

a 3-year training plan. We encouraged management to continue to review TCP

staff training to ensure staff members have the knowledge and skills

necessary to perform TCP examinations. Second, we identified a gap in the Office

of Acquisitions’ process for reviewing contracting officer’s representatives’ (CORs’)

files. We suggested that Acquisitions consider establishing follow-up procedures to

address this gap.

At the outset of our evaluation, TCP management identified ongoing improvement

initiatives and began implementing changes. We issued our final report on

September 24, 2018, and, to further improve TCP program management, we

recommended that OCIE: (1) ensure TCP management updates the TCP Examination

Manual in a timely manner following TCP’s transition to TRENDS; (2) identify

and document the risks and controls related to TCP operations, and update

OCIE’s risk and control matrix accordingly; and (3) ensure TCP management

properly plans and documents TCP’s transition to TRENDS, and retains all

relevant materials in a central location. Management concurred with the

recommendations, which will be closed upon completion and verification of

corrective action. Because the underlying report contains non-public

information, we prepared this summary with information releasable to the

public. Also, a redacted public version is available on our website at

https://www.sec.gov/files/TCPEstablished-Method-to-Effectively-Oversee-Entity-Compliance-with-Reg-SCI--But-Could-Improve.pdf.

Although Highly Valued by End Users, DERA Could Improve Its Analytics

Support by Formally Measuring Impact, Where Possible, Report No. 553,

April 29, 2019

The SEC increasingly relies on data and analytics to guide its strategic

and operational activities and to make more informed, effective decisions.

Based on FY 2017 budget information, the SEC spends about $120 million

annually on data management and about $20 million annually on analytics.

Furthermore, the SEC’s Strategic Plan for FY 2018 through FY 2022 and FY

2020 Annual Performance Plan emphasize the agency’s goal of enhancing and

expanding its use of analytics.

The SEC’s Division of Economic and Risk Analysis (DERA) assists the agency

in executing its mission by integrating sophisticated, data-driven analytics

and economic analysis into the work of the SEC. Analytics provided by DERA’s

Office of Risk Assessment (ORA) and Office of Research and Data Services

(ORDS) support exam planning and other agency oversight programs related to

issuers, broker-dealers, investment advisers, exchanges, and other trading

platforms. To assess DERA’s controls over integration of data analytics

into the core mission of the SEC, we initiated an evaluation.

We determined that, although end users highly valued DERA’s analytics

support and believed such analytics were indispensable for risk scoping,

investor protection, detecting illegal conduct, allocating resources more

efficiently, and helping the SEC achieve its mission, ORA and ORDS

management generally did not formally measure the quantitative or

qualitative impact of either office’s analytics support. Management noted

that it tracked end user requests for analytics support, considered repeat

customers as evidence analytics are valued, and identified potential metrics

for measuring impact (such as efficiency gains and end user satisfaction);

however, management had not formalized such metrics.

DERA management and end users of DERA’s analytics acknowledged that it might

be difficult to devise meaningful impact measurement metrics for some

analytics projects. For example, even though ORA analytics identified outliers

that led to at least one Division of Enforcement investigation, not all

analytics produce such directly measurable outcomes. Management was also

apprehensive about burdening end users with requests for feedback regarding

analytics’ impact. However, by not measuring, where possible, the impact of

ORA’s and ORDS’ analytics support, DERA risks limiting its ability to assess

its organizational performance, increase awareness of its analytics

capabilities (including through outreach efforts), and fully integrate

analytics into the work of the SEC in accordance with the agency’s strategic

goals and objectives.

In addition, we reviewed available usage data for two analytics tools that

incorporated ORA analytics and found that end users used and valued both

tools. Although DERA did not regularly review the usage data for one tool

and usage data for the other tool was incomplete, we determined that DERA’s

review of such data would not significantly help the Division meet agency

goals and objectives.

We also assessed DERA’s interactions with the SEC’s other divisions and

offices, including its coordination and outreach efforts, and determined

that staff in other divisions and offices generally viewed interactions with

DERA favorably; duplicative analytics work across the SEC was not apparent;

and DERA proactively engaged in outreach.

However, a majority of respondents to a question in a survey we administered

(22 of 37, or almost 60 percent) expressed an interest in further DERA

outreach. Respondents believed that promoting the nature and benefits (that

is, impact) of DERA analytics and systems could be useful to the SEC’s other

divisions and offices.

Finally, we identified one other matter of interest related to data management.

Although we did not assess the SEC’s data management practices and are not

making any recommendations regarding data management at this time, we noted that

data management is the foundation of analytics. Therefore, it is important to

verify completion of the SEC’s plans to improve in this area. We will continue

to monitor the agency’s plans and progress related to data management.

We issued our final report on April 29, 2019, and to improve its ability to

assess its organizational performance, increase awareness of its analytics

capabilities, and fully integrate analytics into the work of the SEC in

accordance with the agency’s strategic goals and objectives, we recommend that

DERA (1) work with end users of its analytics projects to develop metrics, where

possible, for formally measuring analytics support impact; (2) modify existing

internal tracking processes to include, where possible, analytics impact

measurement; and (3) incorporate the results of analytics impact measurements in

the Division’s outreach efforts. Management concurred with the recommendations,

which will be closed upon completion and verification of corrective action.

This report is available on our website at https://www.sec.gov/files/Although-Highly-Valued-by-End-Users-DERA-Could-Improve-Report-No-553_0.pdf.

Final Management Letter: Update on the SEC’s Progress Toward Redesigning the

EDGAR System

In September 2017, we reported observations about controls over the SEC’s EDGAR

system enhancements and redesign efforts.13 We noted that the SEC’s EDGAR Redesign

(ERD) program is a multi-year, cross-agency initiative and, since 2014, the SEC

had taken steps to develop and implement a new electronic disclosure system that

meets agency needs, including spending about $10.6 million on related contracts.

Since issuing our September 2017 report, we have continued to monitor the SEC’s

progress toward redesigning the EDGAR system. We did not conduct an audit or

evaluation in conformance with generally accepted government auditing standards

or the Council of the Inspectors General on Integrity and Efficiency’s Quality

Standards for Inspection and Evaluation. However, based on the work performed,

on May 23, 2019, we reported concerns that warrant management’s attention.

Specifically, we determined that:

• The agency’s approach to redesigning the EDGAR system is unclear;

• ERD program cost and schedule estimates presented to agency decision makers

and senior officials were not based on best practices; and

• The EDGAR Business Office (EBO) created a Grand Functional Requirements

Document (Grand FRD) for the redesigned EDGAR system, but did not include

sufficient detail about the system’s security requirements.

On May 7, 2019, we provided SEC management with a draft of our management letter

for review and comment. In its May 17, 2019, response, management concurred with

our overall observations and stated that it remains committed to modernizing and

improving the security, functionality, and maintainability of the EDGAR system.

Although management did not use cost and schedule estimates based on best practices

for its deliberations about the appropriate high-level strategy for the EDGAR system,

management anticipates preparing more detailed estimates, based on best practices,

later in the process. Also, although the Grand FRD did not describe in detail

security requirements for redesigning EDGAR, management anticipates it will obtain

detailed security requirements in a future phase of the project. Finally, management

expects that completed and ongoing work will modernize much of the EDGAR system,

achieve many of the goals of the original EDGAR redesign project, and position the

system for further modernization.

Footnote: 13 U.S. Securities and Exchange Commission, Office of Inspector General,

Audit of the SEC’s Progress in Enhancing and Redesigning the Electronic Data Gathering,

Analysis, and Retrieval System, Report No. 544; September 28, 2017. [End of footnote]

To help us determine whether further action by the OIG is warranted, we requested that,

no later than June 6, 2019, management provide to the OIG the SEC’s approach to

redesigning the EDGAR system and its planned or ongoing actions to (a) manage the ERD

program using reliable cost and schedule estimates based on established methods

and valid data; (b) integrate “functional requirements” with “non-functional

requirements,” including those for security, recoverability, testability, and

maintainability, with sufficient detail that future offerors can propose viable

solutions and designs as part of a future competitive procurement; and (c) further

manage the existing EDGAR system.

The final management letter contains non-public information about the agency’s

efforts to redesign the EDGAR system. We redacted the non-public information to

create this public summary. Our public version of the letter is also available on

our website at https://www.sec.gov/files/Final-Mgmt-Ltr-Update-on-the-SECs-Progress-Toward-Redesigning-EDGAR.pdf.

Ongoing Work

Evaluation of the Division of Trading and Markets’ Office of Broker-Dealer Finances

The SEC prescribes broker-dealer net capital and risk assessment reporting

requirements through various rules, overseen by the Division of Trading and Markets’

Office of Broker-Dealer Finances (OBDF). On June 10, 2019, we initiated an evaluation

of OBDF’s efficiency and effectiveness. Specifically, we will determine whether OBDF

(1) ensures efficient use of government resources to help achieve organizational

goals and objectives, and (2) provides effective oversight of broker-dealer

compliance with capital and risk reporting requirements, in accordance with

applicable rules and guidance. We expect to issue a report summarizing our

findings during 2020.

Evaluation of the SEC’s Delinquent Filer Program

In 2004, the SEC initiated the delinquent filer program, administered jointly

by the Division of Enforcement and the Division of Corporation Finance, to bring

administrative proceedings under Exchange Act Section 12(j) to revoke the Exchange

Act registrations of securities of issuers that are more than 1 year delinquent in

their Exchange Act reports and have been unresponsive to SEC requests for

compliance.14 At the same time, the Division of Enforcement seeks Commission

approval for trading suspensions under Section 12(k) to suspend trading of the

securities of the non-filing issuers under certain circumstances. On June 10, 2019,

we initiated an evaluation of the SEC’s delinquent filer program to assess the SEC’s

process for identifying, tracking, and notifying delinquent filers and issuing related

revocation orders and/or trading suspensions in accordance with applicable laws,

rules, and regulations. As part of the evaluation, we will also review the Division

of Enforcement’s efforts to decentralize the delinquent filer process. We expect to

issue a report summarizing our findings during 2020.

Footnote: 14 According to a 2004 advice memo, an enhanced delinquent filings

program for issuers was needed because publicly traded companies that are delinquent

in filing Exchange Act reports deprive investors of accurate financial information

upon which to make informed investment decisions. Further, these entities are often

vehicles for fraudulent stock manipulation schemes. [End of footnote]

[Seal - Special Inspector General for the Troubled Asset Relief Program]

Special Inspector General for the Troubled Asset Relief Program

The Special Inspector General for the Troubled Asset Relief Program (SIGTARP) has

the duty, among other things, to conduct, supervise, and coordinate audits and

investigations of the purchase, management, and sale of assets under the Troubled

Asset Relief Program (TARP) or as deemed appropriate by the Special Inspector

General.

Background

SIGTARP is primarily a Federal law enforcement agency protecting the interests

of the American people by investigating crime at financial institutions that

received TARP funds or at other TARP recipients in housing programs. All TARP

programs are intended to promote financial stability.

When first created, SIGTARP found that financial institution fraud had evolved

from the insider self-dealing fraud that marked the savings and loan crisis, to

escape detection from traditional fraud identification methods of self-reporting

and regulator referrals. SIGTARP created an intelligence-driven approach and

leveraged technological solutions to discover insider crimes at banks that

previously went undetected. Now, as a result of SIGTARP investigations, 105

bankers have been criminally charged and 74 have been sentenced to prison with

more bankers awaiting trial and sentencing.

SIGTARP is applying its intelligence-driven approach to search for crime in

TARP housing and foreclosure prevention programs. TARP recipients include

large mortgage servicers in the Making Home Affordable (MHA) Program, like

Wells Fargo, Bank of America, and JPMorgan Chase.

SIGTARP assesses that the top threat in TARP today is unlawful conduct by

any of the 152 banks and other financial institutions that received $20.1

billion or will continue to receive $3.7 billion for foreclosure prevention

in TARP’s MHA Program. With an uptick in enforcement actions against

financial institutions in MHA, SIGTARP has shifted resources to counter

this threat.

The Most Serious Management and Performance Challenges & Threats of Fraud,

Waste, & Abuse Facing the Government in TARP

SIGTARP identifies the most serious management and performance challenges

and threats facing the Government in TARP. Our selection is based on the

significance and duration of the challenge/threat to the mission of TARP and

to Government interests; the risk of fraud or other crimes, waste or abuse;

the impact on agencies in addition to Treasury; and Treasury’s progress

in mitigating the challenge/threat.

Risk of Fraud, Waste, and Abuse by Large Banks and Others in the Making

Home Affordable Program (Until Sep. 2023)

Unlawful conduct by any of the 152 banks or institutions that received

$20.1 billion or will continue to receive $3.7 billion in TARP’s MHA

program is the top threat in TARP. Treasury will pay up to $3.1 billion

to Ocwen, Wells Fargo, JPMorgan Chase, Bank of America, Nationstar, Select

Portfolio Servicing, CitiMortgage, OneWest/CIT, Bayview Loan Servicing,

and Specialized Loan Servicing along with 131 institutions. These TARP

payments require compliance with the law and Treasury’s rules for the

institutions assisting the 834,206 consumers in all 50 states. Wells Fargo recently

disclosed in two SEC filings its wrongful denial of homeowners for

admission to the program. Despite enforcement actions and other

wrongdoing by many of these financial institutions, Treasury has

significantly scaled back its compliance reviews. The risk of fraud,

waste, and abuse also jeopardizes the GSEs, FHA, and Veterans Affairs

that participate in MHA.

Risk of Waste and Misuse of TARP Dollars by State Agencies for Their

Own Administrative Expenses in the Hardest Hit Fund (Until Dec. 2021)

Treasury has budgeted $1.1 billion in TARP dollars for administrative

expenses of 19 state agencies to distribute HHF assistance. In March

2019, SIGTARP issued an audit that found state agencies violated

federal cost regulations by charging more than $400,000 in prohibited

travel and conference costs to the Hardest Hit Fund. SIGTARP found

waste, a lack of internal controls at state agencies, and lack of

effective oversight by Treasury. State agencies did not have the

documentation required by Federal regulations to charge the travel

and conferences to HHF. The audit also identified outright waste,

including TARP funds spent on luxury hotels, conferences and

extravagant dinners and receptions. In 2016 and 2017, SIGTARP

identified $11 million in wasteful and unnecessary spending by state

housing agencies, including, for example, catered barbeques, parties,

country club events, leasing a Mercedes, cash bonuses, gym

memberships, gifts, free parking, settlements and legal fees in

discrimination cases, other costs not associated with HHF, and more.

In 2018, SIGTARP issued an audit that found that while Treasury

anticipates millions of dollars in spending on lawyers, accountants,

auditors, consultants, information technology, communications, risk

management, training, and marketing, there are no Federal requirements

for competition.

Risk of Corruption, Anticompetitive Actions, and Fraud in the Hardest

Hit Fund Blight Elimination Program (Until Dec. 2021)

There is a risk of corruption, anticompetitive acts, and fraud as TARP

funds the demolitions of abandoned homes and apartments. The number of

municipalities in the program increased to 378 cities or counties. There

have already been criminal indictments for corruption in HHF.

Risk of Asbestos Exposure, Contaminated Soil, and Illegal Dumping in the

Hardest Hit Fund Blight Elimination Program (Until Dec. 2021)

In November 2017, based on the U.S. Army Corps of Engineers’ findings, SIGTARP

warned that the standard protections in demolition are not present in the TARP

program. The Army Corps found missing industry standard safeguards that protect

against the risk of asbestos exposure, illegal dumping of debris, and

contaminated material filling the hole. Treasury did not implement SIGTARP’s

recommendations, even to require basic documentation of proper asbestos abatement,

certain inspections, landfill receipts for dumping, and receipts showing the

purchase of clean dirt. SIGTARP’s investigation into a demolition contractor for

illegal dumping of contaminated soil in Fort Wayne, Indiana was resolved for over

$800,000 through remediation and a settlement by DOJ under the False Claims Act.

TARP may expand even further in this area: The Economic Growth, Regulatory Relief,

and Consumer Protection Act authorizes Treasury to use TARP dollars to remediate

lead and asbestos hazards in residential properties.

No Complete List or Data Identifying All Contractors and Others Doing Work in the

Hardest Hit Fund Blight Subprogram and What They Were Paid

Treasury and the state agencies do not know, and cannot provide to SIGTARP, a

complete list of contractors receiving TARP dollars in the program. SIGTARP and

Treasury cannot conduct oversight over contractors and other entities that are

unknown. Treasury rejected SIGTARP’s 2015 recommendation to maintain a list and

accounting of payments in HHF. SIGTARP’s proactive analysis has identified 2,210

land banks or other partners, contractors, or subcontractors that have done or are

contracted to do work in the program—but given the missing data, we believe the

actual numbers may be much higher. State agency data is incomplete. The data

provided by state agencies to SIGTARP also provides limited detail about the $510.5

million that has been spent in the Blight Elimination Program beyond the first-level

recipient. As a result, there may be hundreds, or perhaps thousands, of additional

unknown subcontractors doing work in the program. Without complete records and

accounting, the program and taxpayers are vulnerable.

Risk of Waste from Weakened Oversight by Treasury of State Agencies in the Hardest

Hit Fund

Starting in October 2018, Treasury has allowed state agencies to shift HHF dollars

between programs and removed caps on administrative expenses (by the greater of

five percent or $50,000). Treasury also decreased oversight in the HHF program in

2018 by reducing OFS personnel charged with providing oversight of the HHF program

by 30%. These Treasury changes increase risk of fraud, waste and abuse because state

agencies can move more TARP money to higher risk subprograms. These changes also have

weakened Treasury oversight of state administrative spending after SIGTARP has proven

waste and misuse of TARP dollars by state agencies. Additionally, GAO found in a

December 2018 study that “Treasury is missing an opportunity to ensure that HFAs are

appropriately assessing their risk.”

SIGTARP’s Investigations Approach

SIGTARP gained expertise in investigating large institutions which resulted in

significant DOJ enforcement actions against Goldman Sachs, Bank of America, JPMorgan

Chase, Morgan Stanley, Ally Financial, Wilmington Trust, SunTrust Bank, Fifth Third

Bank, Jefferies & Co., and RBS Securities.

SIGTARP’s law enforcement counters threats to public safety and Government interests

by investigating criminal actors and working with the Justice Department to prosecute

those criminal actors. With 278 people sentenced to prison resulting from a SIGTARP

investigation, at an average prison sentence of nearly five years, the threat these

crimes pose is significant. SIGTARP’s ongoing criminal investigations of recipients of

TARP dollars in TARP housing programs promote free and fair trade by improving the

overall condition for competition, and counter threats to public safety and Government

interests, including financial institution fraud, public corruption, antitrust (unfair

competition), contract fraud, and organized crime. Recent DOJ charges, pleas and false

claim settlements continue to demonstrate that these threats are current and real.

Financial Institution Fraud: SIGTARP’s highest priority is investigating banks and other

financial institutions receiving TARP dollars in the Making Home Affordable Program. Our

investigations into TARP banks have already resulted in 104 bankers criminally charged

and 73 sentenced to prison. Many await trial. Our remaining investigative work in

this area focuses on supporting the Justice Department in its efforts to prosecute TARP

bankers. SIGTARP’s work on financial institution fraud supports Justice Department

prosecutions of individuals investigated by SIGTARP, such as international money

laundering charges related to a TARP bank, that help identify and reduce vulnerabilities

in the financial system while stopping abuses by illicit actors.

Public Corruption: The corruption of local officials threatens public safety and fair

competition. State and local officials award contracts under the more than $760 million

Hardest Hit Fund blight demolition program.

Antitrust Violations: Unfair competitive practices in TARP housing programs, including

contract steering, bid rigging and price fixing, threaten the quality of work, harm

public safety, threaten fair competition, and result in higher costs.

Contract Fraud, False Claims/Theft or Bribery in TARP Programs: Demolition contractors

and State agencies play key roles in administering HHF programs. Fraud in any of these

risk areas harms Government interests and fair competition.

Organized Crime: Organized crime in the over $760 million blight demolition program or in

TARP banks threatens public safety, fair competition and harms Government interests.

Selected SIGTARP Investigation Results (April 1, 2018 to March 31, 2019)

Wilmington Trust Corporation

In December 2018 and January 2019, a federal court sentenced seven former Wilmington

Trust bankers to prison terms of up to six years. As a result of a SIGTARP investigation,

the bank’s former president, chief financial officer, chief credit officer and controller

were convicted of securities fraud after a trial. Wilmington Trust Bank received a $330

million TARP bailout. As the conspiracy was ongoing and while in TARP, the bank collapsed

and was acquired by M&T Bank at a discount of approximately 46% from the bank’s share

price the prior trading day.

SIGTARP’s investigation uncovered a scheme by bank insiders to conceal the total quantity

of past due loans on its books from the Federal Reserve, the Securities and Exchange

Commission and the investing public. After the trial, a jury convicted former president

Robert Harra, former chief financial officer David Gibson, former chief credit officer

William North, and former controller Kevyn Rakowski of hiding more than $300 million in

loans that were 90 days past due.

At their sentencing, U.S. District Judge Richard G. Andrews said the investigation

uncovered “the biggest financial crime in Delaware, at least in the past 35 years.”

The court sentenced former president Harra and former chief financial officer Gibson to

six years in prison and ordered them to pay $300,000 each. The court sentenced former

chief credit officer North to four and a half years in prison and ordered him to pay

$100,000 and former controller Rakowski to three years in prison. The court separately

sentenced three other Wilmington Trust officers: former head of commercial real estate

Delaware Brian Baily to two and a half years, former vice president for commercial real

estate for Delaware Joseph Terranova to one year and nine months, and former commercial

real estate relationship manager for Delaware Peter Hayes to one year and three months.

In October 2017, as part of a criminal investigation, Wilmington Trust admitted

wrongdoing and agreed to pay $60 million. Wilmington Trust was the only TARP bank

indicted by the Justice Department.

SIGTARP was joined in the investigation by the Federal Bureau of Investigation, the

Internal Revenue Service-Criminal Investigation, and the Federal Reserve Bank-Office

of Inspector General. The U.S. Attorney’s Office for the District of Delaware

prosecuted the case.

Sonoma Valley Bank of California

In August 2018, a federal court sentenced both the Sonoma Valley Bank CEO Sean

Cutting and Chief Loan Officer Brian Melland to eight years and four months in prison,

and the attorney of a bank borrower to six years and eight months in prison. SIGTARP’s

investigation uncovered that leading up to and during the time Sonoma Valley Bank was

in TARP, the bank officers conspired to commit fraud that would contribute to the

failure of the bank and a complete loss to TARP of $8.6 million. They made millions

in illegal bank loans to “straw” borrowers, knowing the proceeds would go to one bank

borrower who was a real estate developer. They then tried to cover up the scheme by

falsifying the bank’s books and lying to the bank’s regulators.

During the fraud, the bank applied for TARP, with the CEO describing TARP as a “cookie

jar” and saying it only made sense for the bank to take some. After a Federal jury

trial on December 18, 2017, the jury found Cutting and Melland guilty of conspiracy,

bank fraud, wire fraud, attempted obstruction of justice, and other offenses. The real

estate developer was indicted but died prior to the trial when his car drove over a

cliff on Highway 1. The court ordered $19 million in restitution and forfeiture of a

condominium complex involved in the fraud.

SIGTARP was joined in the investigation by the Federal Housing Finance Agency Office

of Inspector General, the Federal Deposit Insurance Corporation Office of Inspector

General, the Marin County Sheriff’s Office, the Sonoma County Sheriff’s Office, and

the Santa Rosa Police Department. The U.S. Attorney’s Office for the Northern District

of California prosecuted the case.

Southern Bancorp

As a result of a SIGTARP investigation, in February 2019, a federal court sentenced

bank officer Michael J. Erickson to two years in prison after he was convicted of

embezzling funds from Southern Bancorp. The court ordered Erickson to pay $1.4

million to Southern Bancorp. Taxpayers lost $2.3 million on the investment; the bank

received a $33.8 million bailout from TARP.

In its investigation, SIGTARP uncovered a scheme where Erickson stole thousands of

dollars for his own personal enrichment from a commercial loan he managed. SIGTARP

was joined in the investigation by the Federal Bureau of Investigation. The U.S.

Attorney’s Office for the Northern District of Mississippi prosecuted the case.

Saigon National Bank

In February 2019, a federal court sentenced Vivian Tat to two years in federal

prison for laundering tens of thousands of dollars in cash. This case is the result

of Operation “Phantom Bank,” targeting TARP recipient Saigon National Bank, which

resulted in six indictments that charge a total of 25 defendants. SIGTARP was

joined in the investigation by the FBI and the IRS Criminal Investigation. The U.S.

Attorney’s Office for the Central District of California prosecuted the case.

First Legacy Community Credit Union of North Carolina

In March 2019, President and CEO of First Legacy Community Credit Union (FLCCU)

Saundra Torrence was sentenced to six months in prison and ordered to pay

$187,066 in restitution for making or causing false entries. SIGTARP’s investigation

uncovered that Scales falsified the credit union’s books, misapplied and stole funds

from the credit union, and fraudulently used the identity of at least one third

party victim to obtain a loan from FLCCU. Torrence’s wrongdoing caused significant

losses to the credit union. The fraudulent entries she made to conceal her

wrongdoing caused the credit union’s reported financial results to be inaccurate.

SIGTARP was joined in the investigation by the FBI. The U.S. Attorney’s Office for

the Western District of North Carolina prosecuted the case.

First State Bank

In October 2018, former First State Bank CEO Joseph Natale, financier Albert

Gasparro, and business owner Gary Ketchum were indicted for their roles in a scheme

to defraud the now defunct First State Bank, which attempted to obtain TARP funds.

The defendants are charged with conspiracy to mislead the FDIC and First State Bank,

conspiracy to commit bank fraud and bank fraud. Former First State Bank legal counsel

Donna Conroy, a conspirator, pleaded guilty in May 2017 and is awaiting sentencing.

SIGTARP was joined in the investigation by the FBI and the FDIC Office of Inspector

General. The U.S. Attorney’s Office for New Jersey is prosecuting the case.

Lone Star Bank

Following a SIGTARP investigation, in September 2018, a Federal court sentenced Lone

Star Bank loan officer Ricky Hajdik to 20 months in prison and sentenced co-conspirator

Hugo Lafuente to 25 months in prison for a conspiracy to defraud the bank out of $1.3

million in loans. Hajdik knew that Lafuente’s income would not qualify for a

construction loan. Hajdik conveyed to loan broker Leonard Tyson an inflated and untrue

income number that Lafuente needed to qualify for the construction loan. Lafuente then

directed Mark Zylker to prepare fraudulent income tax returns that inflated his income,

which Hajdik used for the bank to make the loan. When Lafuente defaulted on this loan

and a Small Business Administration loan, the bank suffered losses of $735,758. TARP

suffered a $1.2 million loss on the bank, and the bank missed dividend payments of

$2.2 million.

SIGTARP was joined in the investigation by the Federal Deposit Insurance Corporation

Office of Inspector General. The U.S. Attorney’s Office for the Southern District of

Texas prosecuted the case.

SIGTARP’s Audit Approach

SIGTARP conducts audits over TARP housing programs, helping promote financial

stewardship by the Government. Much of SIGTARP’s audit work is at the request of

members of Congress. SIGTARP specializes in forensic audits that follow the money,

analyzing general ledgers, credit card statements, invoices, and receipts.

SIGTARP assists Treasury in these efforts by auditing and evaluating housing programs

to determine whether the Government is receiving fair value for its money and that

recipients are spending TARP funds appropriately to accomplish the stated goals. To

promote financial stewardship, SIGTARP reports on fraud, waste, and abuse and makes

recommendations to Treasury (which has oversight of all TARP programs) to recover

wasteful spending and prevent future fraud, waste, and abuse.

Travel and Conference Charges to the Hardest Hit Fund that Violated Federal Regulations

In a March 2019 audit, SIGTARP uncovered that state agencies violated federal cost

regulations by charging HHF $411,658 in prohibited travel and conference costs. Remarking

on the findings, Special Inspector General Goldsmith Romero said, “Flying around the

country, staying at luxury hotels, attending conferences beachside and at other vacation

destinations are not ‘must have’ costs for a local foreclosure prevention program.”

SIGTARP’s Recoveries from Audits and Investigations

SIGTARP continues to assess current and future operations to fulfill its mission and

reduce spending, while supporting financial stewardship by providing recoveries to assist

in funding the Government at the least cost over time. SIGTARP’s investigations and audits

have recovered $10 billion. Fiscal Year 2018 recoveries of more than $314 million,

including more than $294 million recovered for the government, are a 9 times return on

investment from the Fiscal Year 2018 appropriated budget. Already in Fiscal Year 2019,

SIGTARP has recovered $804 million, including more than $336 million paid to the government,

a 35 times annual return on investment from the Fiscal Year 2019 appropriated budget.

[Seal - Office of Inspector General, Department of the Treasury]

Office of Inspector General

Department of the Treasury

The Department of the Treasury Office of Inspector General performs independent, objective

reviews of specific Treasury programs and operations with oversight responsibility for one

federal banking agency – the Office of the Comptroller of the Currency. That federal banking

agency supervises approximately 1,260 financial institutions.

Introduction

The Department of the Treasury (Treasury) Office of Inspector General (OIG) was established

pursuant to the 1988 amendments to the Inspector General Act of 1978. The Treasury Inspector

General is appointed by the President, with the advice and consent of the Senate. Treasury

OIG performs independent, objective reviews of Treasury programs and operations, except for

those of the Internal Revenue Service (IRS) and the Troubled Asset Relief Program (TARP),

and keeps the Secretary of the Treasury and Congress fully informed. Treasury OIG is comprised

of four divisions: (1) Office of Audit, (2) Office of Investigations, (3) Office of Counsel,

and (4) Office of Management. Treasury OIG is headquartered in Washington, DC, and has an

audit office in Boston, Massachusetts, and investigative offices in Greensboro, North Carolina;

Houston, Texas; and Jacksonville, Florida.

Treasury OIG has oversight responsibility for the Office of the Comptroller of the Currency

(OCC). OCC is responsible for approximately 891 national banks, 316 federal savings

associations, and 57 federal branches of foreign banks. The total assets under supervision are

$12.5 trillion. Treasury OIG also oversees four offices created by the Dodd-Frank Wall Street

Reform and Consumer Protection Act (Dodd-Frank) which are (1) the Office of Financial Research

(OFR), (2) the Federal Insurance Office, (3) the Office of Minority and Women Inclusion within

Treasury’s Departmental Offices (DO), and (4) the Office of Minority and Women Inclusion within

OCC. Additionally, Treasury OIG oversees Treasury’s role related to the financial solvency of

the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage

Corporation (Freddie Mac) under the Housing and Economic Recovery Act of 2008 (HERA), to

include Treasury’s Senior Preferred Stock Purchase Agreements established for the purpose of

maintaining the positive net worth of both entities.

Treasury Management and Performance Challenges Related to Financial

Regulation and Economic Recovery

In accordance with the Reports Consolidation Act of 2000, the Treasury Inspector General

annually provides the Secretary of the Treasury with his perspective on the most serious

management and performance challenges facing the Department. In a memorandum to the Secretary

dated October 15, 2018, the Inspector General reported three management and performance

challenges that were directed towards financial regulation and economic recovery.

Those challenges are: Operating in an Uncertain Environment, Cyber Threats, and Anti-Money

Laundering and Terrorist Financing/Bank Secrecy Act Enforcement.15

Operating in an Uncertain Environment

The proposed budget cuts and new requirements imposed by Executive Order (EO) 13781,

Comprehensive Plan for Reorganizing the Executive Branch (March 13, 2017), create an uncertain

environment that affects Treasury’s operations. In its implementation of EO 13781, the Office of

Management and Budget (OMB) required agencies to submit Agency Reform Plans to OMB, which

included long-term workforce plans that are in alignment with their strategic plans. These

plans were to include proposals in four categories: eliminate activities; restructure or merge;

improve organizational efficiency and effectiveness; and workforce management. In June 2018,

after consideration of all Agency Reform Plans, OMB developed its comprehensive “Government-

wide Reform Plan and Reorganization Recommendations” (Government-wide Reform Plan) to

reorganize the Executive Branch.

The Government-wide Reform Plan includes a recommendation to transfer alcohol and tobacco

responsibilities from the Bureau of Alcohol, Tobacco, Firearms and Explosives within the

Department of Justice to Treasury’s Alcohol and Tobacco Tax and Trade Bureau (TTB) in order

to leverage the expertise of TTB. Other potential impacts on Treasury include OMB

recommendations to increase coordination and avoid duplication of agencies’ roles in the areas

of small business programs, the housing finance market, and financial literacy and education.

Until OMB and agencies begin discussions with Congress to prioritize and refine the proposals

in the Government-wide Reform Plan, there is looming uncertainty as to the plan’s impact.

Nonetheless, the Department must plan for the potential long-term restructuring of certain

functions or offices/bureaus and expected budget cuts.

Cyber Threats

Cybersecurity continues to be a long-standing and serious challenge facing the Nation today.

A reliable critical infrastructure, including information systems and networks, is vital to

our national security and economic stability. Cyber threats are a persistent concern as

Treasury’s information systems are critical to the core functions of government and the

Nation’s financial infrastructure. As cyber threats continue to evolve and become more

sophisticated and subtle, they pose an ongoing challenge for Treasury to fortify and safeguard

its internal systems and operations and the financial sector it oversees.

Attempted cyber attacks against Federal agencies, including Treasury, and financial

institutions are increasing in frequency and severity, in addition to continuously evolving.

Such attacks include distributed denial of service attacks, phishing or whaling attacks,

fraudulent wire payments, malicious spam (malspam), and ransomware. Organized hacking groups

leverage published and unpublished vulnerabilities and vary their methods to make attacks hard

to detect and even harder to prevent. Criminal groups and nation-states are constantly seeking

to steal information; commit fraud; and disrupt, degrade, or deny access to information systems.

Effective public-private coordination continues to be required to address the cyber threat

against the Nation’s critical infrastructure. In this regard, Treasury is looked upon to provide

effective leadership to financial institutions in particular, and the financial sector in

general, to strengthen awareness and preparedness against cyber threats.

Anti-Money Laundering and Terrorist Financing/Bank Secrecy Act Enforcement

Identifying, disrupting, and dismantling the financial networks that support terrorists,

organized transnational crime, weapons of mass destruction proliferators, and other threats

to international security continue to be a challenge.

Treasury’s Office of Terrorism and Financial Intelligence (TFI) is dedicated to countering the

ability of terrorist organizations to support such activities through intelligence analysis,

sanctions, and international private-sector cooperation that identify donors, financiers, and

facilitators funding terrorist organizations.

Footnote 15: The Treasury Inspector General’s memorandum included one other challenge not

directly related to financial regulation and economic recovery: Efforts to Promote Spending

Transparency and to Prevent and Detect Improper Payments. The memorandum also discussed concerns

about two matters: currency and coin production and excise tax reform. [End of footnote]

Disrupting terrorist financing depends on a whole-of-government approach and requires

collaboration and coordination within Treasury and with other Federal agencies. Effective

coordination and collaboration and TFI’s ability to effectively gather and analyze intelligence

information on financial crimes and terrorism require a stable cadre of staff. TFI filled

long-standing vacancies such as the Assistant Secretary of Intelligence and Analysis, which is a key

leadership position that had been vacant for approximately 2 years. Stability, experienced

leadership, and coordination within TFI are imperative to enhance information gathering and

intelligence analysis and increase efficiency.

Completed and In-Progress Work on Financial Oversight

OFR’s Procurement Activities – Contracts

We initiated an audit of OFR’s procurement activities. We reported that OFR effectively and

efficiently acquired goods and services to accomplish its mission and those acquisitions were

made in compliance with applicable procurement regulations. We did not make any recommendations

as a result of our audit; however, in light of OFR’s recent workforce restructuring efforts, we

encouraged the Acting Director to ensure the files of OFR’s contracting officer representatives

are maintained and accessible in the event of any changes in contracting officer representatives’

responsibilities.

OCC’s Supervision of Federal Branches of Foreign Banks (In Progress)

We initiated an audit of OCC’s supervision of federal branches of foreign banks. The objective of

this audit is to assess OCC’s supervision of federal branches and agencies of foreign banking

organizations operating in the United States.

OCC’s Supervision of Wells Fargo Bank (In Progress)

We initiated an audit of OCC’s supervision of Wells Fargo Bank’s sales practices. The objectives

of this audit are to assess (1) OCC’s supervision of incentive-based compensation structures within

Wells Fargo and (2) the timeliness and adequacy of OCC’s supervisory and other actions taken

related to Wells Fargo sales practices, including the opening of accounts.

OCC’s Supervision Related to De-risking by Banks (In Progress)

We initiated an audit of OCC’s supervisory impact on the practice of de-risking16 by banks. The

objectives of this audit are to determine (1) whether supervisory, examination, or other staff of

the OCC have indirectly or directly caused banks to exit a line of business or to terminate a

customer or correspondent account, and (2) under what authority OCC plans to limit, through

guidance, the ability of banks to open or close correspondent or customer accounts, including a

review of laws that govern account closings and OCC’s authority to regulate account closings.

OFR’s Hiring Practices (In Progress)

We initiated an audit of OFR’s hiring practices. The objective for this audit is to determine

whether OFR’s hiring practices are in accordance with Office of Personnel Management, Treasury,

OFR, and other Federal requirements.

OCC’s Controls over Purchase Cards (In Progress)

We initiated an audit of OCC’s controls over purchase cards. The objective for this audit is to

assess the controls in place over OCC’s purchase card use and identify any potential illegal,

improper, or erroneous transactions.

Footnote 16: The Financial Action Task Force defines de-risking as the termination or

restriction, by financial institutions, of business relationships with categories of customers.

[End of footnote]

OCC Human Capital Policies and Planning (In Progress)

We initiated an audit of OCC’s human capital policies and resource planning. The objective for

this audit is to determine whether OCC’s human capital policies and planning align with its

mission and strategic goals.

Failed Bank Reviews

In 1991, Congress enacted the Federal Deposit Insurance Corporation Improvement Act (FDICIA)

amending the Federal Deposit Insurance Act (FDIA). The amendments require that banking

regulators take specified supervisory actions when they identify unsafe or unsound practices

or conditions. Also added was a requirement that the Inspector General for the primary federal

regulator of a failed financial institution conduct a material loss review when the estimated

loss to the Deposit Insurance Fund is “material.” FDIA, as amended by Dodd-Frank, defines

the loss threshold amount to the Deposit Insurance Fund triggering a material loss review as

a loss that exceeds $50 million for 2014 and thereafter (with a provision to temporarily raise

the threshold to $75 million in certain circumstances). The act also requires a review of all

bank failures with losses under these threshold amounts for the purposes of (1) ascertaining

the grounds for appointing Federal Deposit Insurance Corporation (FDIC) as receiver and

(2) determining whether any unusual circumstances exist that might warrant a more in-depth

review of the loss. As part of the material loss review, OIG auditors determine the causes of

the failure and assess the supervision of the institution, including the implementation of

the prompt corrective action provisions of the act.17 As appropriate, OIG auditors also make

recommendations for preventing any such loss in the future.

From 2007 through March 2019, FDIC and other banking regulators closed 538 banks and federal

savings associations. One hundred and forty-two (142) of these were Treasury-regulated

financial institutions; in total, the estimated loss to FDIC’s Deposit Insurance Fund for

these failures was $36.4 billion. Of the 142 failures, 58 resulted in a material loss to

the Deposit Insurance Fund, and our office performed the required reviews of these failures.

During the period covered by this annual report, we completed a material loss review of

Washington Federal Bank for Savings (Washington Federal) located in Chicago, Illinois, whose

failure in December 2017 resulted in a loss to the Deposit Insurance Fund estimated at

$82.6 million. We determined that Washington Federal failed because of fraud18 in the bank’s

loan activity perpetrated by bank employees. The fraudulent activity depleted the bank’s

capital, with the result that the bank was insolvent and in an extremely unsafe or unsound

condition to transact business. Regarding supervision, we found that OCC generally performed

examinations of Washington Federal in accordance with laws, regulations and guidance; however,

we identified weaknesses in the execution of OCC’s supervision of the bank that led to missed

opportunities for timely enforcement actions related to the bank’s loan portfolio.

Specifically, we identified the following supervisory weaknesses: (1) the Supervisory Office

and Examiners-in-Charge (EIC) did not provide sufficient supervision of examination staff

comprised mainly of first-time Assistant Examiners-in-Charge (AEIC) and examiners with limited

experience; (2) examiner conclusions were contradicted by documentation in the OCC work papers;

(3) examiners did not act promptly to address significant weaknesses in the loan portfolio

reporting capability of the bank’s management information system; (4) examiners missed red

flags related to Washington Federal’s loan portfolio and, as a result, did not timely expand the

core assessment minimum procedures; (5) examiners did not identify and did not report unsafe

or unsound practices that were contrary to agency guidance and bank policy related to the

appraisal program; and (6) examiners did not identify a lack of independence in the bank’s

lending or loan review function.

We recommended the Comptroller of the Currency: (1) assess the need for additional guidance

related to the supervision of non-commissioned examiners by the EIC and the Supervisory

Office including the need to require that supervision be documented; (2) revise examination

guidance to clarify the roles and responsibilities of an EIC in supervising an examination

team, with an emphasis on reviewing work papers and confirming that conclusions in work papers

are supported by the documentation; (3) reinforce to examiners and provide training where

necessary to ensure they understand: (a) the requirements of OCC Bulletin 2000-20 and the

importance of the bank maintaining sufficient loan portfolio reporting for extensions,

deferrals, renewals, and rewrites of closed-end loans; (b) that bank assurances made to

examiners regarding deficiencies being resolved should be viewed with skepticism unless

support for the assurances is provided and the examiner validates the effectiveness of the

bank’s corrective actions, especially when the deficiencies result in noncompliance with

regulation or law; (c) that expanded procedures are recommended when an examination team is

comprised of examiners in training positions and those with limited experience, including

AEICs; (d) that expanded procedures are recommended for banks, or examination areas, that

are consistently considered low risk; (e) the need to identify and report appraisal exceptions

as required by the Interagency Appraisal and Evaluation Guidelines; and (f) the need to

identify and address issues of independence in small banks where employees or board members

are participating in more than one function or committee.

Footnote 17: Prompt corrective action is a framework of supervisory actions for insured

institutions that are not adequately capitalized. It was intended to ensure that action is

taken when an institution becomes financially troubled in order to prevent a failure or

minimize the resulting losses. These actions become increasingly severe as the institution

falls into lower capital categories. The capital categories are well-capitalized, adequately

capitalized, undercapitalized, significantly undercapitalized, and critically undercapitalized.

[End of footnote]

Footnote 18: The use of this term “fraud” comes from OCC’s finding in its Supervisory

Memorandum. As of the date of the issuance of this material loss review report (November 7,

2018), no criminal or civil judicial finding of fraud has been made and applied to the bank’s

activities. [End of footnote]

[Cover page]

Council of Inspectors General on Financial Oversight

Top Management and Performance Challenges Facing Financial Regulatory Organizations

Approved July 2019

[Images of OIG seals: Board of Governors of the Federal Reserve System and Consumer Financial

Protection Bureau, Commodity Futures Trading Commission, Federal Deposit Insurance

Corporation, Federal Housing Finance Agency, United States Department of Housing and

Urban Development, National Credit Union Administration, U.S. Securities and Exchange

Commission, Troubled Asset Relief Program, Treasury]

Top Management and Performance Challenges Facing Financial-Sector Regulatory Organizations

Council of Inspectors General on Financial Oversight

[End of Cover page]

EXECUTIVE SUMMARY

Purpose

The purpose of this report is to consolidate and provide insight into cross-cutting

management and performance challenges facing Financial-Sector Regulatory Organizations in

2019, as identified by members of CIGFO.

Approach

Following a review of 10 TMPC reports issued by CIGFO members, we synthesized the primary

areas of concern facing Financial-Sector Regulatory Organizations. We sought to identify

common insights within the financial sector.

CIGFO Members

• Department of the Treasury (Chair)

• Federal Deposit Insurance Corporation

• Federal Housing Finance Agency

• Commodity Futures Trading Commission

• Department of Housing and Urban Development

• Board of Governors of the Federal Reserve System and the Bureau of Consumer

Financial Protection

• National Credit Union Administration

• Securities and Exchange Commission

• Special Inspector General for the Troubled Asset Relief Program

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)

established the Council of Inspectors General on Financial Oversight (CIGFO) to

oversee the Financial Stability Oversight Council (FSOC) and suggest measures to

improve financial oversight. FSOC has a statutory mandate that created collective

accountability for identifying risks and responding to emerging threats to U.S.

financial stability.

The Inspectors General within CIGFO report annually on the Top Management and

Performance Challenges (TMPC) facing their respective Financial-Sector Regulatory

Organizations. This is CIGFO’s second report reflecting the collective input from

the Inspectors General in CIGFO and identifying cross-cutting Challenges facing

multiple Financial-Sector Regulatory Organizations. This report reiterates the

six challenges from our 2018 report and includes an additional challenge for 2019

– Improving Contract and Grant Management.

• Enhancing Oversight of Financial Institution Cybersecurity

• Managing and Securing Information Technology at Regulatory Organizations

• Sharing Threat Information

• Ensuring Readiness for Crises

• Strengthening Agency Governance

• Managing Human Capital

• Improving Contract and Grant Management

It is important to address the Challenges in this report because financial-sector

activities – such as consumer and commercial banking, and funding, liquidity and

insurance services – were identified by the Department of Homeland Security,

Cybersecurity and Infrastructure Security Agency, as National Critical Functions.

Those functions are so vital to the United States that any disruption, corruption,

or dysfunction would have a debilitating effect on U.S. security, the national

economy, and/or public health and safety.

Although Financial-Sector Regulatory Organizations have individual missions, this

report emphasizes the importance of addressing challenges holistically through

coordination and information sharing. Considering issues on a whole-of-Government

approach versus a siloed, agency-by-agency basis allows for more effective and

efficient means to address Challenges through a coordinated approach.

By consolidating and reporting these Challenges, CIGFO aims to inform FSOC,

regulatory organizations, Congress, and the American public of the cross-cutting

Challenges facing the financial sector.

[End of EXECUTIVE SUMMARY]

TABLE OF CONTENTS

BACKGROUND AND OBSERVATIONS

CHALLENGE 1: ENHANCING OVERSIGHT OF FINANCIAL INSTITUTION CYBERSECURITY

CHALLENGE 2: MANAGING AND SECURING INFORMATION TECHNOLOGY AT REGULATORY ORGANIZATIONS

CHALLENGE 3: SHARING THREAT INFORMATION

CHALLENGE 4: ENSURING READINESS FOR CRISES

CHALLENGE 5: STRENGTHENING AGENCY GOVERNANCE

CHALLENGE 6: MANAGING HUMAN CAPITAL

CHALLENGE 7: IMPROVING CONTRACT AND GRANT MANAGEMENT

CONCLUSION

APPENDIX 1: ABBREVIATIONS AND ACRONYMS

APPENDIX 2: METHODOLOGY

[End of TABLE OF CONTENTS]

BACKGROUND AND OBSERVATIONS

The Dodd-Frank Act established CIGFO to oversee FSOC and suggest measures to

improve financial oversight. FSOC has a statutory mandate that established

collective accountability for identifying risks and responding to emerging

threats to U.S. financial stability.

CIGFO meets regularly to facilitate the sharing of information among Inspectors

General, with a focus on concerns that affect the financial sector and ways to

improve financial oversight. CIGFO publishes an annual report that describes

the concerns and recommendations of each Inspector General and a discussion of

ongoing and completed oversight work. Additionally, Congress authorized CIGFO

to convene working groups to evaluate FSOC’s effectiveness and internal

operations.

CIGFO members include the Inspectors General of the Department of the Treasury,

the Federal Deposit Insurance Corporation, the Commodity Futures Trading

Commission, the Department of Housing and Urban Development, the Board of

Governors of the Federal Reserve System and the Bureau of Consumer Financial

Protection, the Federal Housing Finance Agency, the National Credit Union

Administration, the Securities and Exchange Commission, and the Special

Inspector General for the Troubled Asset Relief Program. CIGFO members

oversee one or more Financial-Sector Regulatory Organizations, as shown in

Figure 1.

Figure 1: CIGFO Membership & Oversight Responsibilities

Table (columns: CIGFO MEMBERSHIP | OVERSIGHT OF FINANCIAL-SECTOR REGULATORY ORGANIZATIONS)

Row 1: Department of the Treasury (Chair) | Department of the Treasury; Office of the Comptroller of the Currency

Row 2: Federal Deposit Insurance Corporation | Federal Deposit Insurance Corporation

Row 3: Commodity Futures Trading Commission | Commodity Futures Trading Commission

Row 4: Department of Housing and Urban Development | Department of Housing and Urban Development

Row 5: Board of Governors of the Federal Reserve System and Bureau of Consumer Financial Protection | Board of Governors of the Federal Reserve System; Bureau of Consumer Financial Protection

Row 6: Federal Housing Finance Agency | Federal Housing Finance Agency

Row 7: National Credit Union Administration | National Credit Union Administration

Row 8: Securities and Exchange Commission | Securities and Exchange Commission

Row 9: Special Inspector General for the Troubled Asset Relief Program | Special Inspector General for the Troubled Asset Relief Program

[End of table]

[End of Figure 1: CIGFO Membership & Oversight Responsibilities]

The Inspectors General within CIGFO, as well as the Inspectors General of other

agencies, annually identify what they consider to be the TMPCs facing their

agency. Each Inspector General’s TMPCs generally appear in the host Agency’s

annual performance and accountability report under the Reports Consolidation

Act of 2000.

On March 26, 2019, CIGFO approved a motion to compile a report identifying the top

Challenges facing Financial-Sector Regulatory Organizations. The Federal Deposit

Insurance Corporation (FDIC) Office of Inspector General (OIG) led the working

group to conduct this analysis and compile this report.

This CIGFO report reflects the collective input from the nine CIGFO Member

Inspectors General and identifies cross-cutting Challenges facing multiple

Financial-Sector Regulatory Organizations. The report reiterates the six

challenges from our September 2018 report, Top Management and Performance

Challenges Facing Financial Regulatory Organizations, with an additional

Challenge for 2019 – Improving Contract and Grant Management.

• Enhancing Oversight of Financial Institution Cybersecurity

• Managing and Securing Information Technology at Regulatory Organizations

• Sharing Threat Information

• Ensuring Readiness for Crises

• Strengthening Agency Governance

• Managing Human Capital

• Improving Contract and Grant Management

This report identifies significant financial-sector cybersecurity challenges.

Financial-Sector Regulatory Organizations are faced with responsibilities to

protect the information held by their respective agencies against cyber attacks,

and to ensure that financial institutions and their third-party service providers

have processes in place to mitigate cyber risks. Financial-Sector Regulatory

Organizations must take a holistic, financial sector-wide view to address

cybersecurity threats because a security incident for any participant has the

possibility of infecting the entire financial sector.

Identifying threats, such as cyber risk and other vulnerabilities, requires the

sharing of information among Government agencies and throughout the entire

financial sector. Financial-Sector Regulatory Organizations face challenges to

ensure effective gathering, analysis, and sharing of timely and actionable threat

information. Absent such threat information, financial sector participants may

not have a full understanding of the risks. This could result in informational

gaps that can negatively impact risk mitigation and supervisory strategies and/or

the financial sector. Financial-Sector Regulatory Organizations must also mitigate

risks and stand ready when necessary to address threats that may escalate into a

crisis. This report observes that Financial-Sector Regulatory Organizations must

ensure that plans and resources are in place to address such crises.

Financial-Sector Regulatory Organizations also face Challenges to govern their

internal operations. Controls should be in place to manage Financial-Sector

Regulatory Organizations appropriately, including ensuring a sufficient workforce

with skillsets to achieve organization missions. Further, controls should be in

place to manage contract and grant funding so that organizations receive

appropriate goods and services and grantees use funds as prescribed by statute

and regulation.

Although Financial-Sector Regulatory Organizations have individual missions, this

report emphasizes the importance of addressing challenges holistically through

coordination and information sharing. Considering issues on a whole-of-Government

approach versus a siloed, agency-by-agency basis allows for more effective and

efficient means to address challenges through a coordinated approach. By

consolidating and reporting these Challenges, CIGFO aims to inform FSOC,

regulatory organizations, Congress, and the American public of the cross-cutting

Challenges facing the financial sector.

[End of BACKGROUND AND OBSERVATIONS]

CHALLENGE 1: ENHANCING OVERSIGHT OF FINANCIAL INSTITUTION CYBERSECURITY

Cybersecurity continues to be a critical risk facing the financial sector. FSOC

recognized in its December 2018 Annual Report that as financial institutions

increase their reliance on technology, there is an increased risk that a

cybersecurity event could have “severe negative consequences, potentially

entailing systemic implications for the financial sector and the U.S. economy.”1

The Office of the Comptroller of the Currency (OCC) echoed this sentiment in its

Semiannual Risk Perspective (Fall 2018), finding that cybersecurity threats

“target operational vulnerabilities that could expose large quantities of

personally identifiable information (PII)2 and proprietary intellectual property,

facilitate misappropriation of funds and data at the retail and wholesale levels,

corrupt information, and disrupt business activities.”3

Footnote 1: The Dodd-Frank Wall Street Reform and Consumer Protection Act of

2010 established FSOC, which has responsibility for identifying risks and

responding to emerging threats to financial stability. FSOC brings together

the expertise of Federal financial regulators, an independent insurance expert,

and state regulators. [End of footnote]

Footnote 2: According to OMB Memorandum 07-16, Safeguarding Against and

Responding to the Breach of Personally Identifiable Information, the term

PII refers to information that can be used to distinguish or trace an

individual's identity, such as their name, Social Security Number, biometric

records, etc. alone, or when combined with other personal or identifying

information that is linked or linkable to a specific individual, such as

date and place of birth, mother’s maiden name, etc. [End of footnote]

Footnote 3: OCC Semiannual Risk Perspective (Fall 2018). [End of footnote]

In February 2018, the White House Council of Economic Advisors estimated that

the United States economy loses between $57 and $109 billion per year to

malicious cyber activity. Cyberattacks—such as distributed denial of service

and ransomware—may be global in nature and have disrupted financial services

in several countries around the world.4 Verizon Communications’ 2019 annual

review of global data breaches across multiple sectors, including the

financial sector, reported that there were more than 41,000 security incidents

and 2,000 data breaches across 65 countries between April 2018 and April

2019.5 This review also found that cyberattacks happen very quickly, with

breaches occurring within seconds, and breach discovery taking months.

Footnote 4: World Bank Group, Financial Sector’s Cybersecurity: Regulations

and Supervision (2018). [End of footnote]

Footnote 5: Verizon Communications Inc., 2019 Verizon Communications Data

Breach Investigations Report, 11th Edition (April 2019). [End of footnote]

A 2018 study by the U.S. Chamber of Commerce and FICO (Fair Isaac

Corporation) evaluated the cyber risk at 2,574 U.S. firms across 10

sectors, including the financial sector. This study provided cybersecurity

ranking scores from 300 (high risk) to 850 (low risk) for each sector as

well as a national average. The cyber risks faced by the finance and banking

sector exceeded eight other sectors and the national average, as shown in

Figure 2.

Figure 2: Cyber Risk Scores Across Ten Sectors

(Score scale: 300 = high risk, 850 = low risk)

Agriculture & Food: 671

Business Services: 704

Construction: 764

Energy & Utilities: 707

Finance and Banking: 642

Transportation: 709

Retail and Consumer Services: 697

Media Telecom Tech: 619

Materials & Manufacturing: 672

Health Care: 679

[End of Figure 2: Cyber Risk Scores Across Ten Sectors]

Financial-Sector Regulatory Organizations are responsible for examining financial

institutions to identify Information Technology (IT) risks. The Interagency

Guidelines Establishing Information Security Standards for bank regulators

states that an insured financial institution must “implement a comprehensive

written information security program that includes administrative, technical,

and physical safeguards appropriate to the size and complexity of the institution

and the nature and scope of its activities.”6 Most Financial-Sector Regulatory

Organizations7 conduct IT examinations using the Uniform Rating System for

Information Technology created by the Federal Financial Institutions Examination

Council (FFIEC).8 The primary purpose of the rating system is to assess risks

introduced by IT at institutions and service providers, and to identify those

institutions requiring supervisory attention.9 When examinations identify risks

and weak management practices at institutions, regulators may use enforcement

procedures to address such risks.

Footnote 6: See 12 C.F.R. Part 364, Appendix B and 12 C.F.R. Part 748. The FDIC,

OCC, and Board of Governors of the Federal Reserve issued the Interagency

Guidelines Establishing Information Security Standards. [End of footnote]

Footnote 7: The National Credit Union Administration does not use the Uniform

Rating System for Information Technology. [End of footnote]

Footnote 8: The FFIEC was established on March 10, 1979, pursuant to title X

of the Financial Institutions Regulatory and Interest Rate Control Act of 1978,

Public Law 95-630. The Council is an interagency body empowered to prescribe

uniform principles, standards, and report forms for the federal examination of

financial institutions by the Board of Governors of the Federal Reserve System,

the FDIC, the National Credit Union Administration, the OCC, and the Bureau of

Consumer Financial Protection and to make recommendations to promote uniformity

in the supervision of financial institutions. [End of footnote]

Footnote 9: FFIEC, Uniform Rating System for Information Technology, 64 Fed.

Reg. 3109 (January 20, 1999). [End of footnote]

CIGFO members identified Challenges to keep pace with the changing cybersecurity

landscape. The Federal Housing Finance Agency (FHFA) OIG identified that the

FHFA will be challenged to design and implement supervisory activities for the

financial institutions it supervises. Specifically, the FHFA must ensure that

cybersecurity examination modules are updated in response to changes in the

cybersecurity environment. The FHFA must also recruit and retain a complement

of examiners with the experience and expertise needed to conduct IT examinations,

and ensure those examiners have ongoing training. Similarly, the Board of

Governors of the Federal Reserve System (Federal Reserve Board) and Bureau of

Consumer Financial Protection (Bureau) OIG noted that the Federal Reserve Board

is challenged to ensure that supervised financial institutions manage and

mitigate the risks and vulnerabilities of cyberattacks. The Federal Reserve

Board should ensure that its supervisory approaches keep pace with evolving

cybersecurity threats.

The FDIC OIG also identified cybersecurity as a significant challenge to FDIC-supervised

institutions. The FDIC must ensure the effectiveness and efficiency

of its IT examination work programs. One example would be using data to review

and understand cybersecurity risks across all institutions. The FDIC is also

challenged to have the appropriate number of IT examiners and to keep its

examination staff skillsets up-to-date given the increasing complexity and

sophistication of IT environments at banks. Similarly, the National Credit

Union Administration (NCUA) OIG also noted cybersecurity as a continued and

significant challenge to the stability and soundness of the credit union

industry. The NCUA OIG believes the NCUA must acquire and deploy resources

to enhance its oversight capabilities to maintain safety and soundness.

Financial institutions face increased cybersecurity risk through interconnections

with financial technology companies. The Group of Twenty’s

Financial Stability Board defined financial technology as “innovation that

could result in new business models, applications, processes, or products

with an associated material effect on financial markets and institutions

and the provision of financial services.”10 Financial technology innovation

includes, for example, mobile wallets, digital currencies, and digital

financial advice.11 The rapid pace of financial technology is being driven

by capital investment, demand for speed and convenience, and

digitization.12 According to the Department of the Treasury (Treasury

Department), from 2010 to 2017, more than 3,330 new technology companies

were formed to serve the financial industry.13 The Treasury Department

also estimated that one-third of online U.S. consumers use at least two

financial technology services—including financial planning, savings and

investment, online borrowing, or some form of money transfer and

payment.14 Further, KPMG estimated that global investment in financial

technology was $57.9 billion in just the first 6 months of 2018.15

Footnote 10: Financial Stability Implications from FinTech, Supervisory

and Regulatory Issues That Merit Authorities’ Attention, (June 27, 2017).

The Financial Stability Board (FSB) was chartered by the Group of Twenty

(G20) on September 25, 2009. The G20 Members include Argentina, Australia,

Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan,

Republic of Korea, Mexico, Russia, Saudi Arabia, South Africa, Turkey,

the United Kingdom, the United States, and the European Union (plus Hong

Kong, Singapore, Spain, and Switzerland). The FSB charter aims to promote

global financial stability by coordinating the development of regulatory,

supervisory and other financial-sector policies and conducts outreach to

non-member countries. The G20 members represent about two-thirds of the

world’s population, 85 percent of global gross domestic product, and over

75 percent of global trade. [End of footnote]

Footnote 11: Basel Committee on Banking, Sound Practices – Implications

of Fintech Developments for Banks and Bank Supervisors (February 2018).

[End of footnote]

Footnote 12: Department of the Treasury, A Financial System that Creates

Economic Opportunities: Nonbank Financials, Fintech, and Innovation (July

2018); Basel Committee on Banking, Sound Practices – Implications of

Fintech Developments for Bank and Bank Supervisors (February 2018). [End

of footnote]

Footnote 13: A Financial System That Creates Economic Opportunities:

Nonbank Financials, Fintech, and Innovation (July 2018). [End of footnote]

Footnote 14: A Financial System That Creates Economic Opportunities:

Nonbank Financials, Fintech, and Innovation (July 2018). [End of footnote]

Footnote 15: KPMG, The Pulse of Fintech 2018: Biannual Global Analysis of

Investment in Fintech (July 2018). KPMG is a professional services company.

[End of footnote]

Financial technology companies are interconnected with IT systems at banks,

yet these technology companies may not be subjected to regulatory requirements

for safety and soundness and may not be examined by financial regulators.

Certain banks reported that between 20 and 40 percent of online banking

logins are attributable to financial technology companies, and many banks

represented that they cannot distinguish among computer logins, as to whether

they originate from consumers, data aggregators, or even malicious actors.16

IT system interconnections may provide a pathway for a cybersecurity incident

at a financial technology company to infect the banking system.

Footnote 16: Lael Brainard, Member, Board of Governors of the Federal Reserve

System, Where Do Banks Fit in the Fintech Stack? Remarks delivered at the

Northwestern Kellogg Public-Private Interface Conference on “New Developments

in Consumer Finance: Research & Practice” (April 29, 2017). [End of footnote]

Additionally, when financial institutions have multiple financial technology

services and relationships, they face ambiguity and uncertainty as to the

applicability of certain privacy rules, the Bank Secrecy Act provisions and

regulations, and Anti-Money Laundering standards. Banks and credit unions

may be unsure as to whether they or the service provider must comply with

rules, regulations, and requirements. Moreover, financial institutions face

challenges to have sufficient skilled staff and capabilities to monitor

these risks and operations of financial technology companies.

The FDIC OIG stated that the FDIC faces challenges to ensure that banks have

proper governance and risk management practices around these technologies.

The FDIC may need to increase training and adjust staffing to ensure that

examiners have the skills to effectively supervise the risks involved with

new technology. Further, the FDIC may need to modify examination policies

and procedures that pre-date financial innovation to improve supervision of

financial innovation risk. The NCUA OIG stated that the NCUA faces

significant challenges with technology-driven changes in the financial

landscape that could potentially impact the safety and soundness of the

credit union system and the Share Insurance Fund. The NCUA OIG believes

it is imperative that the NCUA’s examination and supervision program

continues to evolve with emerging financial technologies that represent

not only risks, but also opportunities to the credit union system.

Mitigating Third-Party Service Provider Risk

Banks and credit unions frequently hire third-party Technology Service

Providers (TSP) to perform operational functions on behalf of the financial

institution—such as IT operations and business product lines. TSPs may

further sub-contract services to other vendors. According to the OCC, banks

are increasingly reliant upon TSPs and sub-contractors, and such dependence

creates a high level of risk for the banking industry.17 The OCC indicates

that TSPs are increasingly targets for cybercrimes and espionage and may

provide avenues for bad actors to exploit a bank’s systems and operations.

For example, on December 20, 2018, the Department of Justice announced that

two Chinese nationals were charged with computer intrusion offenses harming

more than 45 service providers whose clients included the banking and finance

industry and the U.S. Government. The hackers targeted service providers in

order to gain unauthorized access to the computer networks of their clients

and steal intellectual property and confidential business information.18

Footnote 17: The FFIEC described the term TSP to include “independent third

parties, joint venture/limited liability corporations, and bank and credit

union service corporations that provide processing services to financial

institutions.” Supervision of Technology Service Providers, FFIEC IT

Examination Handbook InfoBase. [End of footnote]

Footnote 18: Department of Justice Press Release, Two Chinese Hackers

Associated With the Ministry of State Security Charged with Global Computer

Intrusion Campaigns Targeting Intellectual Property and Confidential

Business Information (December 20, 2018). [End of footnote]

A financial institution must manage the interconnections, system interfaces,

and systems access of TSPs and sub-contractors and must implement appropriate

controls.19 Significant consolidation among TSPs caused large numbers of banks

to rely on a few large service providers for core systems and operations

support.20 As a result, a cybersecurity incident at one TSP has the potential

to affect multiple financial institutions.21 A financial institution’s Board

of Directors and senior managers are responsible for the oversight of

activities conducted by a TSP on their behalf to the same extent as if the

activity were handled within the institution.22

Footnote 19: OCC Semiannual Risk Perspective (Spring 2018). [End of footnote]

Footnote 20: OCC Semiannual Risk Perspective (Spring 2018). [End of footnote]

Footnote 21: OCC Semiannual Risk Perspective (Spring 2018). [End of footnote]

Footnote 22: Financial Institution Letter 44-2008, Guidance for Managing

Third-Party Risk (June 6, 2008). [End of footnote]

The Federal Reserve Board and Bureau OIG identified the need for the Federal

Reserve Board to enhance its oversight of firms that provide technology

services to supervised institutions. Specifically, the Federal Reserve Board

can enhance its oversight by implementing an improved governance structure

and providing additional guidance to examination teams on the supervisory

expectations for such firms. The FDIC OIG also noted challenges with FDIC-supervised

institutions’ oversight of the TSPs with whom they do business.

The FDIC must ensure that supervised financial institutions assess TSP

cybersecurity risks, including due diligence of cybersecurity contract terms.

Financial-Sector Regulatory Organizations play a vital role in addressing

financial institutions’ cybersecurity risk which, if left unchecked, could

threaten the safety and soundness of institutions as well as the stability

of the financial system. Financial-Sector Regulatory Organizations must

ensure that IT examinations assess how financial institutions manage cybersecurity

risks, including risks associated with TSPs and new financial

technology, and address such risks through effective supervisory strategies.

[End of CHALLENGE 1: ENHANCING OVERSIGHT OF FINANCIAL INSTITUTION CYBERSECURITY]

CHALLENGE 2: MANAGING AND SECURING INFORMATION TECHNOLOGY AT REGULATORY

ORGANIZATIONS

In March 2019, the Government Accountability Office (GAO) identified

securing Federal systems and information as a high-risk area in need of

significant attention.23 An Office of Management and Budget (OMB) and

Department of Homeland Security (DHS) review of Federal cybersecurity

capabilities at 96 civilian agencies across 76 metrics found that 74

percent (71 agencies) had cybersecurity programs that were either “At

Risk” or “High Risk.”24 Further, the Government sector represented a

total of 56 percent of the over 41,000 cybersecurity incidents

identified by Verizon Communications in its 2019 annual review of

global data breaches across multiple sectors.25

Footnote 23: U.S. Government Accountability Office, High-Risk Series:

Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas,

GAO-19-157SP (March 2019). [End of footnote]

Footnote 24: Federal Cybersecurity Risk Determination Report and Action

Plan (May 2018). “At Risk” meant that some essential policies, processes,

and tools were in place to mitigate overall cybersecurity risk, but

significant gaps remained; while “High Risk” meant that fundamental cybersecurity

policies, processes, and tools were either not in place or not

deployed sufficiently. [End of footnote]

Footnote 25: Verizon Communications Inc., 2019 Verizon Communications Data

Breach Investigations Report, 11th Edition (April 2019). [End of footnote]

Financial-Sector Regulatory Organizations’ IT systems house commercially

valuable and market sensitive information. For example, the Securities and

Exchange Commission (SEC) OIG reported that the SEC’s e-Discovery program

alone is approaching one petabyte of data.26 Financial-Sector Regulatory

Organizations may also house significant amounts of personally identifiable

information for bank and credit union officials, depositors, and borrowers.

Without proper safeguards, those IT systems are vulnerable to individuals

and groups with malicious intentions who can intrude and use their access

to obtain sensitive information, commit fraud and identity theft, disrupt

operations, or launch attacks against other computer systems and networks.

Further, interconnections among Financial-Sector Regulatory Organizations

and other Federal and state government agencies or private-sector

institutions increase the likelihood of contagion in which a cybersecurity

incident occurring anywhere within the systems may negatively impact the

entire financial system.27

Footnote 26: One petabyte of data is roughly the equivalent to the amount

that can be stored in about 20 million four-drawer filing cabinets. U.S.

Government Accountability Office, Military Base Realignments and Closures:

The National Geospatial-Intelligence Agency’s Technology Center Construction

Project, GAO-12-770R, (June 29, 2012). [End of footnote]

Footnote 27: Financial Services Sector-Specific Plan 2015 issued jointly

among the Department of the Treasury, Department of Homeland Security,

and the Financial Services Sector Coordinating Council. [End of footnote]

Securing IT from Evolving Threats

According to the GAO, risks to Federal IT systems are increasing.28 Threats

to Federal IT systems include those from witting or unwitting employees as

well as global threats from nation states.29 Federal agencies must develop,

document, and implement department- and agency-wide information security

programs to protect information and information systems.30 Federal agencies

use a common framework developed by the National Institute of Standards and

Technology to manage their cyber risk.31

Footnote 28: GAO, Cybersecurity Challenges Facing the Nation – High Risk

Issue. [End of footnote]

Footnote 29: Worldwide Threat Assessment of the US Intelligence Community,

January 29, 2019. [End of footnote]

Footnote 30: Federal Information Security Modernization Act of 2014,

Public Law No. 113-283. [End of footnote]

Footnote 31: Executive Order 13800, Strengthening the Cybersecurity of

Federal Networks and Critical Infrastructure, May 11, 2017. [End of footnote]

The Department of Housing and Urban Development (HUD) OIG recognized that

HUD faces challenges in the management and oversight of its IT systems. HUD

has demonstrated an inability to incorporate Federally mandated requirements

and key practices into effective operational management of its IT systems.

Persistent IT management challenges have affected HUD’s ability to manage and

oversee key programs. As a result, IT systems vulnerabilities that could lead

to breaches exist within HUD’s IT environment. Since 2007, HUD OIG has made

483 recommendations to HUD management to address IT challenges and 197 of

those recommendations remain open or unresolved.

The FDIC OIG found that the FDIC must continue to strengthen its

implementation of governance and security controls around its IT systems to

ensure proper safeguarding of information. The FDIC OIG identified security

control weaknesses that limited the effectiveness of the FDIC’s information

security program and practices and placed the confidentiality, integrity,

and availability of the FDIC’s information systems and data at risk. For

example, the FDIC had not fully defined or implemented an enterprise-wide

and integrated approach to identifying, assessing, and addressing the full

spectrum of internal and external risks, including those related to cybersecurity

and the operation of information systems.

The Federal Reserve Board and Bureau OIG noted that the Federal Reserve

Board’s decentralized IT services result in an incomplete view of security

risks facing the agency as a whole, which impacts the implementation of

an effective information security program. The Federal Reserve Board also

faces challenges in implementing agency-wide processes for managing

vulnerabilities and software inventories. The Federal Reserve Board and

Bureau OIG also found that the Bureau faces challenges in centralizing

and automating processes to better manage insider risks; ensuring that

automated feeds from all systems, including contractor-operated systems,

feed into the Bureau’s security information and event management tool; and

aligning its information security program, policies, and procedures with

the agency’s evolving enterprise risk management program.

The Treasury Department OIG noted challenges with the mitigation of

risks to the Treasury Department’s IT systems posed by interconnection

agreements with other Federal, State, and local agencies as well as third-party

cloud service providers. Similarly, the FHFA OIG found that the

FHFA needs to ensure that access to its internal and external online

collaborative environment is restricted to those with a need for the

information.

The SEC OIG also noted that the SEC must mature its IT security programs

to minimize risks of unauthorized disclosure, modification, use, and

disruption of the SEC’s non-public information. Specifically, the SEC can

improve its management of IT risks, including access, continuous monitoring,

and incident management. Further, the SEC could better manage information

security risks of outside expert services contractors who have access to

sensitive, non-public information.

Modernizing IT Systems

Some Financial-Sector Regulatory Organizations are relying on systems that

are outdated, cannot be adapted to handle increasingly complex tasks, and

are no longer supported by vendors. According to the GAO, use of such systems

increases the vulnerability of unauthorized access to the information within

those systems.32

Footnote 32: U.S. Government Accountability Office, Information Security:

SEC Improved Control of Financial Systems but Needs to Take Additional Actions,

GAO-17-469 (July 2017). [End of footnote]

HUD OIG reported that HUD is using aging technology for most of its

operations – technology that was implemented dating back to 1974. Many of

HUD’s systems remain at risk of failure or exploitation because critical

vendor fixes or updates are no longer available. That situation increases

the risk of possible HUD data breaches. Further, HUD’s legacy systems are

very costly to maintain because of the specialized skills and support needed

to operate them. Over the last 5 years, HUD spent on average 70 to 95 percent

of its $280 million annual IT budget on operations and maintenance.

Similarly, the U.S. Commodity Futures Trading Commission (CFTC) OIG

identified that the CFTC faces challenges because it has not formalized IT

capital planning. Specifically, the CFTC has not established accountabilities

to eliminate manual-intensive legacy systems, reduce high-cost IT functions,

and adopt a modern IT infrastructure. CFTC OIG noted that IT modernization

efforts could yield cost savings and technological efficiencies during

periods of fiscal austerity.

The Treasury Department OIG also noted the impact of uncertain budgetary

funding on the Treasury Department’s IT modernization efforts. The Treasury

Department is challenged to balance cybersecurity requirements with

expenditures for the modernization and maintenance of existing Treasury

Department IT systems.

Enhancing the IT Security Workforce

According to the GAO, “a key component of mitigating and responding to cyber

threats is having a qualified, well-trained cybersecurity workforce.”33 The

GAO has identified, however, that there are cybersecurity workforce skills

gaps across the Federal Government.34

Footnote 33: U.S. Government Accountability Office, Cybersecurity Workforce:

Agencies Need to Improve Baseline Assessments and Procedures for Coding

Positions, GAO-18-466 (June 2018). [End of footnote]

Footnote 34: U.S. Government Accountability Office, High-Risk Series:

Substantial Efforts Needed to Achieve Greater Progress on High-Risk Areas,

GAO-19-157SP (March 2019). [End of footnote]

CIGFO members identified mission challenges related to cybersecurity skills

gaps. The Treasury Department OIG found that many IT security measures lacked

adequate cybersecurity resources and/or management oversight. Similarly, HUD

OIG noted that the maintenance of many of HUD’s systems requires specialized

skills. HUD OIG further noted that turnover among senior leadership and

resource constraints hindered the completion of three IT modernization

projects totaling approximately $370 million.

Cybersecurity threats against Government agencies continue to increase.

Financial-Sector Regulatory Organizations must remain vigilant in their

efforts to institute necessary controls and properly protect the information

entrusted to them.

[End of CHALLENGE 2: MANAGING AND SECURING INFORMATION TECHNOLOGY AT

REGULATORY ORGANIZATIONS]

CHALLENGE 3: SHARING THREAT INFORMATION

On November 16, 2018, the President signed into law the Cybersecurity and

Infrastructure Security Agency Act of 2018 (Act). The Act established the

Cybersecurity and Infrastructure Security Agency (CISA) within the DHS to,

among other things, make the United States cyber and physical infrastructure

more secure by sharing information at all levels of Government and the

private and non-profit sectors.35

Footnote 35: Cybersecurity and Infrastructure Security Act of 2017, House

Report 115-454, 115th Congress, December 11, 2017. [End of footnote]

On April 30, 2019, the CISA published a list of National Critical Functions,

which were defined as, “[t]he functions of government and private sector so

vital to the United States that their disruption, corruption, or dysfunction

would have a debilitating effect on security, national economic security,

national public health or safety, or any combination thereof.”36 The provision

of consumer and commercial banking, funding and liquidity services,

and insurance services were included on the list of National Critical

Functions.37 Rather than relying on prior, sector-specific or asset-based

risk identification, the National Critical Functions construct looks across

sectors to provide a holistic approach to capture risks and dependencies within

and across sectors.38 As shown in Figure 3, the National Critical

Functions are presented in four overarching areas – connect, distribute,

manage, and supply.

Footnote 36: National Critical Functions – An Evolved Lens for Critical

Infrastructure and Security Resilience, DHS Cybersecurity and Infrastructure

Security Agency, April 30, 2019. [End of footnote]

Footnote 37: National Critical Functions – An Evolved Lens for Critical

Infrastructure and Security Resilience, DHS Cybersecurity and Infrastructure

Security Agency, April 30, 2019. [End of footnote]

Footnote 38: National Critical Functions – An Evolved Lens for Critical

Infrastructure and Security Resilience, DHS Cybersecurity and Infrastructure

Security Agency, April 30, 2019. [End of footnote]

Figure 3: National Critical Functions

National Critical Functions Set

Critical Function - CONNECT:

• Operate Core Network

• Provide Cable Access Network Services

• Provide Internet Based Content, Information, and Communication Services

• Provide Internet Routing, Access, and Connection Services

• Provide Positioning, Navigation, and Timing Services

• Provide Radio Broadcast Access Network Services

• Provide Satellite Access Network Services

• Provide Wireless Access Network Services

• Provide Wireline Access Network Services

Critical Function - DISTRIBUTE:

• Distribute Electricity

• Maintain Supply Chains

• Transmit Electricity

• Transport Cargo and Passengers by Air

• Transport Cargo and Passengers by Rail

• Transport Cargo and Passengers by Road

• Transport Cargo and Passengers by Vessel

• Transport Materials by Pipeline

• Transport Passengers by Mass Transit

Critical Function - MANAGE:

• Conduct Elections

• Develop and Maintain Public Works and Services

• Educate and Train

• Enforce Law

• Maintain Access to Medical Records

• Manage Hazardous Materials

• Manage Wastewater

• Operate Government

• Perform Cyber Incident Management Capabilities

• Prepare for and Manage Emergencies

• Preserve Constitutional Rights

• Protect Sensitive Information

• Provide and Maintain Infrastructure

• Provide Capital Markets and Investment Activities

• Provide Consumer and Commercial Banking Services

• Provide Funding and Liquidity Services

• Provide Identity Management and Associated Trust Support Services

• Provide Insurance Services

• Provide Medical Care

• Provide Payment, Clearing, and Settlement Services

• Provide Public Safety

• Provide Wholesale Funding

• Store Fuel and Maintain Reserves

• Support Community Health

Critical Function - SUPPLY:

• Exploration and Extraction Of Fuels

• Fuel Refining and Processing Fuels

• Generate Electricity

• Manufacture Equipment

• Produce and Provide Agricultural Products and Services

• Produce and Provide Human and Animal Food Products and Services

• Produce Chemicals

• Provide Metals and Materials

• Provide Housing

• Provide Information Technology Products and Services

• Provide Materiel and Operational Support to Defense Research and Development

• Supply Water

Source: Cybersecurity and Infrastructure Security Agency

[End of Figure 3: National Critical Functions]

One key focus of the CISA and the National Critical Functions is collecting

and sharing information, including informing intelligence collection

requirements.39 FSOC noted, in its 2018 Annual Report, the critical

importance to the financial sector of sharing timely and actionable

threat information among the Federal Government and the private sector.

FSOC stated that Federal agencies should consider how to share information

and when possible “declassify (or downgrade classification) of information

to the extent practicable, consistent with national security needs.”40

The GAO also identified various sources of threat information that could

be shared with financial institutions. Figure 4 illustrates how the GAO

captured threat information flows from multiple sources.

Footnote 39: National Critical Functions – An Evolved Lens For Critical

Infrastructure Security and Resilience, Cybersecurity and Infrastructure

Security Agency, National Risk Management Center, April 30, 2019. [End of

footnote]

Footnote 40: FSOC 2018 Annual Report. [End of footnote]

Figure 4: Sources of Threat Information for Financial Institutions



[Figure depicting information flow to and/or from a depository institution. Each

entry gives the entity, the type of information source, and the direction of flow.]

Open sources (information flow: to depository institution):

• Blogs

• Media reports

• Security researchers

• RSS aggregators

• Bulletin boards/forums

Private sources (information flow: to depository institution):

• Technology service providers

• Trade associations

• SANS Institute

• National Cyber-Forensics and Training Alliance

Public/private sources (information flow: to depository institution):

• Payment Processors Information Sharing Council

• Financial Services Sector Coordinating Council

Government sources (inter-agency information flow: to the Department of the

Treasury; information flow: to depository institution):

• Federal Bureau of Investigation

• National Security Agency

• Central Intelligence Agency

• U.S. Secret Service, Department of Homeland Security

• U.S. Computer Emergency Readiness Team (US-CERT), Department of Homeland Security

• National Cybersecurity and Communications Integration Center (NCCIC), Department

of Homeland Security

Department of the Treasury (Government source): inter-agency information flow to

FS-ISAC, the Financial Services Information Sharing and Analysis Center; information

flow: to depository institution.

FS-ISAC, Financial Services Information Sharing and Analysis Center (public/private

source): inter-agency information flow to/from the Office of the Comptroller of the

Currency, the Federal Deposit Insurance Corporation, the Federal Reserve, and the

National Credit Union Administration; information flow: to/from depository

institution.

Federal banking regulators (Government sources; members of the Federal Financial

Institutions Examination Council): inter-agency information flow to/from one another

and to/from FS-ISAC; information flow: to/from depository institution:

• Office of the Comptroller of the Currency

• Federal Deposit Insurance Corporation

• Federal Reserve

• National Credit Union Administration

Source: GAO, GAO-15-509

[End of Figure 4: Sources of Threat Information for Financial Institutions]

Sharing Threat Information Throughout the Financial Sector

Financial institutions must be prepared to address many threats, and

Financial-Sector Regulatory Organizations must ensure through supervisory

processes that financial institutions are ready to mitigate those risks.

According to the FFIEC, financial institutions should have business

continuity plans that “[a]nalyze threats based upon the impact to the

institution, its customers, and the financial market it serves.”41 Further,

the FFIEC notes that financial institutions should have “a means to collect

data on potential threats that can assist management in its identification

of information security risks.”42

Footnote 41: FFIEC, Business Continuity Planning Booklet, Risk Assessment,

(Available on the FFIEC website). [End of footnote]

Footnote 42: FFIEC IT Examination Handbook Infobase, Information Security

Booklet, II, Information Security Program Management (Available on the FFIEC

website). [End of footnote]

In November 2014, the FFIEC members encouraged financial institutions to

join the Financial Services Information Sharing and Analysis Center (FS-ISAC),

through its Statement on Cybersecurity Threat and Vulnerability Monitoring

and Sharing (Cybersecurity Sharing Statement).43 FS-ISAC is a group of

7,000 member organizations whose purpose is to share timely, relevant, and

actionable security threat information. The Cybersecurity Sharing Statement

also suggested using other resources such as the Federal Bureau of

Investigation’s (FBI) InfraGard,44 U.S. Computer Emergency Readiness Team,45

and Secret Service Electronic Crimes Task Force.46 Threat awareness is

important because financial institutions are links in the chain of financial

services system interconnections; an incident involving one community bank

has the potential to affect the broader financial sector.47 Therefore, as

part of the supervisory examination process, Financial-Sector Regulatory

Organizations must ensure that supervised institutions can receive and

access threat information, and that they have business continuity plans to

address such threats.

The Treasury Department leads financial sector readiness efforts. The

Treasury Department OIG recognized the Department’s challenge to provide

financial-sector leadership, ensure effective public-private coordination,

and strengthen awareness and preparedness against cyber threats. The FDIC

OIG identified challenges for the FDIC to ensure that relevant threat

information is shared with its supervised institutions and examiners as

needed, in a timely manner, to prompt responsive action to address the

threats. Threat information provides FDIC examiners with context to

evaluate banks’ processes for risk identification and mitigation strategies.

Sharing Information to Combat Terrorist Financing, Money Laundering, and

Other Financial Crimes

According to the Director of the Financial Crimes Enforcement Network,

“Financial institutions are often the first to detect and block illicit

financing streams, combat financial crimes and related crimes and bad

acts, and manage risk.”48 Providing the financial sector with information

about illicit activity can help sector participants identify and report such

activities; this assists law enforcement in disrupting money

laundering and other financial crimes.49 Such information is especially

important with the use of virtual currencies to identify illicit actors who

use virtual currency to “… facilitate criminal activity such as human

trafficking, child exploitation, fraud, extortion, cybercrime, drug

trafficking, money laundering, terrorist financing, and to support rogue

regimes and facilitate sanctions evasion.”50

Footnote 50: Financial Crimes Enforcement Network, Advisory on Illicit

Activity Involving Convertible Virtual Currency (May 9, 2019). [End of

footnote]

The Treasury Department OIG reported challenges affecting the Department’s

ability to effectively gather and analyze intelligence information.

Specifically, the Treasury Department must do more to collaborate and

coordinate with other Federal agencies to identify and disrupt financial

networks that support terrorist organizations. The Treasury Department also

faces staffing challenges threatening its ability to ensure effective

gathering and analysis of intelligence information. The Department requested

approximately 100 new analyst positions for Fiscal Year 2019. Those positions

are difficult to fill, however, because of required expertise and the length

of time to process security clearance for such personnel.

Threat information can be considered by financial institutions and Financial-

Sector Regulatory Organizations in developing and examining bank and credit

union mitigation strategies and continuity plans. Absent such threat information,

financial institutions and examiners may lack a full understanding of the risks

facing banks and credit unions, and thus, risk mitigation and supervisory

strategies might have gaps which could affect the safety and soundness of

institutions.

[End of CHALLENGE 3: SHARING THREAT INFORMATION]

CHALLENGE 4: ENSURING READINESS FOR CRISES

[Image source: Federal Emergency Management Agency]

The financial sector is a vital component of the infrastructure of the United

States.

As noted by DHS, “large-scale power outages, recent natural disasters, and an

increase in the number and sophistication of cyberattacks demonstrate the wide

range of potential risks facing the sector.”51

Footnote 51: Department of Homeland Security, CISA, Financial Services Sector

available on the DHS website. [End of footnote]

Financial-Sector Regulatory Organizations support the financial sector by

identifying and mitigating potential systemic problems. When supervisory

mitigation cannot stem risks or economic events overtake such efforts,

Financial-Sector Regulatory Organizations, in conjunction with other Federal

and state regulators, must be ready to stabilize financial markets and provide

disaster aid.

Crisis readiness requires advanced preparation, regardless of whether the

crisis results from financial disruption in the markets, economic turmoil,

a cyber attack, natural disaster, or other event. “When the unexpected,

enterprise-threatening crisis strikes, it is too late to begin the planning

process. Events will quickly spin out of control, further adding to the loss

of reputation and avoidable costs necessary to survive and recover with minimal

damage.”52

Footnote 52: Hastings Business Law Journal, The Board’s Responsibility for

Crisis Governance (Spring 2017). [End of footnote]

Although crises may be different in their cause or complexity, implementation

of fundamental principles allows Financial-Sector Regulatory Organizations

to plan and prepare for such events. Figure 5 illustrates the Crisis

Management Preparedness Cycle, which includes the following five components:53

Footnote 53: Federal Emergency Management Agency National Incident Management

System. [End of footnote]

• Plan – Supports effective operations by identifying objectives, describing

organizational structures, assigning tasks to achieve objectives, identifying

responsibilities to accomplish tasks, and contributing to the goals.

• Organize – Identifies necessary skillsets and technical capabilities.

• Train – Provides personnel with the knowledge, skills, and abilities to

respond to a crisis.

• Exercise – Identifies strengths and weaknesses through an assessment of gaps

and shortfalls with plans, policies, and procedures to respond to a crisis.

• Evaluate and Improve – Compiles lessons learned, develops improvement plans,

and tracks corrective actions to address gaps and deficiencies identified.

Figure 5: Crisis Management Preparedness Continuous Cycle

Preparedness Cycle.

Step 1 - Plan

Step 2 - Organize/Equip

Step 3 - Train

Step 4 - Exercise

Step 5 - Evaluate/Improve

Source: Federal Emergency Management Agency

[End of figure 5]

Preparing for Potential Financial Institution Disruptions and Failures

It has been more than a decade since Financial-Sector Regulatory Organizations

were called upon to address the financial crisis. An FDIC study described the

financial crisis as two interconnected and overlapping crises.54 The first phase

of the crisis involved systemic threats to the financial system as a whole

through the failure of large financial and non-financial institutions during

2008-2009. The second overlapping phase involved a rapid increase in the number

of smaller troubled and failed banks between 2008-2013. As noted by FDIC Chairman

Jelena McWilliams on April 3, 2019, “[t]here were regulatory gaps leading up to the

crisis—perhaps none more important than the inadequate planning for potential

failure of the largest banks and their affiliates.”55 As described by Chairman

McWilliams, the lessons learned from the crisis are that large and small banking

institutions must be able to fail “without taxpayer bailouts and without

undermining the market’s ability to function.”56

Footnote 54: FDIC, Crisis and Response, An FDIC History, 2008-2013 (November 30,

2017). [End of footnote]

Footnote 55: FDIC Chairman Jelena McWilliams, Bank Resolution: A Global Perspective,

International Banker (April 3, 2019). [End of footnote]

Footnote 56: FDIC Chairman Jelena McWilliams, Bank Resolution: A Global Perspective,

International Banker (April 3, 2019). [End of footnote]

Financial-Sector Regulatory Organizations, in conjunction with other Federal and

state regulators, must be prepared to mitigate financial institution risks and, when

necessary, resolve failed banks and credit unions. The Dodd-Frank Act introduced

significant changes since the crisis. The Dodd-Frank Act required that bank holding

companies plan for potential resolution through bankruptcy. The Dodd-Frank Act also

provided new resolution authority for the orderly liquidation of financial companies in extreme

cases during severe financial crisis. In addition, the FDIC instituted regulations

requiring that insured depository institutions with more than $50 billion in assets

also prepare resolution plans addressing how the FDIC could resolve the institution

under the Federal Deposit Insurance Act. These steps clarify resolution authority,

but Financial-Sector Regulatory Organizations must be able to execute those

resolutions.

The FDIC OIG identified challenges with the FDIC’s readiness to fulfill its

mission to manage receiverships. According to the FDIC, the events of the financial

crisis unfolded more quickly than the FDIC expected and were more severe than the

FDIC’s planning efforts anticipated.57 For example, in July 2008, the FDIC resolved

IndyMac, the most expensive FDIC failure, estimated to cost about $12.3 billion, and

in September 2008, Washington Mutual, the sixth-largest FDIC-insured institution,

also failed. The FDIC had not planned for several large and small banks to fail at

the same time, and these failures occurred at a quicker pace than in previous crises.

The FDIC OIG stated that the FDIC is challenged to ensure that it has the ability

to on-board the staff needed to address escalating crisis workloads. For example,

during the crisis, the FDIC authorized funding for additional personnel but faced

challenges expediting the hiring process to on-board needed staff.

Footnote 57: FDIC, Crisis and Response, An FDIC History, 2008-2013 (November 30,

2017). [End of footnote]

Further, the FDIC faced challenges dealing with the increased volume of contracts

required during the time of crisis. During the financial crisis, the FDIC awarded

over 6,000 contracts totaling more than $8 billion. The size of the FDIC

acquisition staff was initially insufficient, which resulted in delays to modify

existing contracts and award new contracts. The FDIC needed to rapidly hire and

train personnel to oversee the contracts. The FDIC is also challenged to ensure

that it has plans in place to react and respond quickly to a crisis, irrespective

of its cause, nature, magnitude, or scope; ensure those plans are current and

up-to-date; and incorporate lessons learned from past crises and the related

bank failures.

The NCUA OIG also noted several challenges faced by the NCUA pertaining to risks

to the safety and soundness of credit unions and the protection of the National

Credit Union Share Insurance Fund which, similar to the Deposit Insurance Fund,

insures credit union member accounts against losses up to $250,000.58 These risks

include: significant threats posed by cyberattacks; competitive challenges to

credit unions posed by new technology-driven financial products; increasing

competition in the financial services industry; and continuing consolidation

among depository institutions. The NCUA needs to: strengthen the resiliency of

the credit union systems and the agency; work with credit unions to manage risks

of new financial products and services; and continue to monitor consolidation

trends among depository institutions.

Footnote 58: Created by Congress in 1970, NCUA administers the Share Insurance Fund

and insures individual credit union member accounts against losses up to $250,000

and a member’s interest in all joint accounts combined up to $250,000. The Deposit

Insurance Fund is administered by the FDIC and insures account holder deposits in

FDIC insured banks and provides funds to resolve failed banks. [End of footnote]

Preparing to Administer Disaster Aid

HUD plays a substantial role in national disaster recovery initiatives and often

receives more disaster recovery funding than any other Federal agency. After a

national disaster, Congress may authorize additional funding to HUD for the Community

Development Block Grant Program (Community Development Grants) for significant unmet

needs for long-term recovery.59 Since 2001, Congress has awarded HUD more than $84.6

billion for disaster recovery. HUD awards Community Development Grants to state and

local governments who, in turn, may grant money to state agencies, non-profit

organizations, economic development agencies, citizens, and businesses. The state

and local governments provide these funds for disaster relief, long-term recovery,

restoration of infrastructure, housing, and economic revitalization.

Footnote 59: Community Development Block Grant Disaster Recovery Fact Sheet.

[End of footnote]

HUD OIG noted that, by their nature, Community Development Grants pose a risk as

they are provided at a time when a community is recovering from a disaster. HUD

OIG identified that HUD’s Community Development Grant requirements are not codified

in the Federal Register. Instead, HUD issues multiple requirements and waivers for

each disaster in Federal Register notices, which leads to confusion among program

grantees. For example, HUD OIG noted that 59 grantees with 112 active Community

Development Grants totaling more than $47.4 billion were required to follow 61

different Federal Register notices to manage the program. Further, HUD OIG

identified continuing risks to HUD concerning the more than $18 billion in

disaster recovery sent to Puerto Rico during a time when Puerto Rico was close

to filing for bankruptcy.

HUD OIG also reported that HUD is challenged to ensure that grantees have the

capacity to administer Community Development Grants and ensure the funds are

used for eligible and supported items. Since 2006, HUD OIG has completed 120

audits and 6 evaluations of the Community Development Block Grant Program,

identifying $477.4 million in ineligible costs, $906.5 million in unsupported

costs, and $5.5 billion in funds that could be put to better use.

HUD also faces challenges to ensure that grantees follow Federal procurement

regulations. HUD OIG identified that state disaster recovery programs may not

align with Federal procurement requirements. As a result, products and services

obtained through grant funds may not have been purchased competitively at fair

and reasonable prices. HUD OIG also identified challenges in HUD’s ability to

expedite disaster assistance grants while also maintaining adequate safeguards

to deter and detect fraud.

Additionally, HUD OIG found that Americans face challenges in attempting to

receive assistance from HUD and other disaster relief agencies. Citizens face

a circuitous path to receive disaster recovery assistance depending on how,

when, and where they enter the disaster relief process. As a result, citizens

may face significant delays in processing their applications for assistance,

delays in receiving funding, and possible duplication of benefits.

Financial-Sector Regulatory Organizations protect the financial sector and

American citizens when crises strike. Crises in the financial sector may come

from many sources and at any time. Financial-Sector Regulatory Organizations

must plan, prepare, train, exercise, and maintain readiness for scenarios

that could lead to crises.

[End of CHALLENGE 4: SHARING THREAT INFORMATION]

CHALLENGE 5 STRENGTHENING AGENCY GOVERNANCE

According to OMB Circular No. A-123, Management’s Responsibility for Enterprise

Risk Management and Internal Control, (OMB Circular A-123), Federal agencies

face internal and external risks to achieving their missions, including

“economic, operational, and organizational change factors, all of which

would negatively impact an Agency’s ability to meet goals and objectives

if not resolved.”60 To address those risks, Federal leaders and managers

generally must establish a governance structure to direct and oversee

implementation of a risk management and internal control process.61 Enterprise

Risk Management (ERM) and internal controls are components of this governance

framework. OMB defines ERM “as an enterprise-wide, strategically-aligned

portfolio view of organizational challenges that provides better insight

about how to most effectively prioritize resource allocations to ensure

successful mission delivery.”62

Footnote 60: Office of Management and Budget Circular No. A-123, Management’s

Responsibility for Enterprise Risk Management and Internal Control (July 15,

2016). [End of footnote]

Footnote 61: Office of Management and Budget Circular No. A-123, Management’s

Responsibility for Enterprise Risk Management and Internal Control (July 15,

2016). [End of footnote]

Footnote 62: Office of Management and Budget Appendix A to OMB Circular A-123,

Management Reporting and Data Integrity Risk (June 6, 2018). [End of footnote]

Establishing Enterprise Risk Management

ERM focuses specifically on the identification, assessment, and management

of risk, and it should include these elements:

• A risk management governance structure;

• A methodology for developing a risk profile; and

• A process, guided by an organization’s senior leadership, to consider risk

appetite and risk tolerance levels that serves as a guide to establish strategy

and select objectives.

Figure 6: Enterprise Risk Management Program

Enterprise Risk Management

Strategic Decisions (OMB A-11):

-Mission/Vision, Performance Goal Setting/Metrics, Objective Setting, Establish

Risk Thresholds

Budget Decisions (OMB A-11):

-Policy, President's Budget, Congressional Justification

Program Management (OMB A-11):

-Cross Agency Priority Goals, Agency Priority Goals, Agency Program Reviews

CXO Operations Support (OMB A-123):

- Operational Control Objectives, Report Control Objectives, Compliance Control

Objectives, Risk Assessments

Source: CFO Playbook: Enterprise Risk Management for the U.S. Federal Government.

[End of Figure 6]

OMB urges agencies to adopt an enterprise-wide view of ERM—a “big picture”

perspective—thus synthesizing the management of risks into the very fabric of

the organization; it should not be viewed in “silos” among different divisions

or offices. As shown in Figure 6, ERM should integrate risk management into the

agency’s processes for budgeting, including strategic planning, performance

planning, and performance reporting practices.

The Federal Reserve Board and Bureau OIG found that the Federal Reserve Board

has a complex governance system that creates challenges for the Governors to

effectively carry out their roles and responsibilities and to have an

enterprise-wide view of the management of certain administrative functions. For example,

the Federal Reserve Board and Bureau OIG noted that Federal Reserve Board

guidance does not set clear expectations for communication among Governors

and between Governors and Division Directors. Such communication challenges

may result in the Federal Reserve Board Governors being unaware of certain

activities, and Board officials missing opportunities to leverage the Governors’

knowledge and experience. In addition, the decentralization of information

technology among Divisions does not allow for a complete view of IT security

risks and impedes the ability to have an effective information security program.

Additionally, the Federal Reserve Board Chief Human Capital Officer has had

difficulty implementing enterprise-wide succession planning.

Similarly, the FDIC OIG identified challenges in the FDIC’s implementation of

its ERM program. Although the FDIC began ERM implementation efforts in 2010,

the FDIC currently does not have an enterprise-wide and integrated approach to

identifying, assessing, and addressing the full spectrum of internal and external

risks. As a result, the FDIC faces difficulties integrating risk into its budget,

strategic planning, performance reporting, and internal controls. In addition,

FDIC Divisions and Offices are not able to evaluate risk determinations in the

context of the agency’s overall risk levels, tolerance, and profile. For example,

the FDIC could not be sure that its resources were being allocated toward

addressing the most significant risks in achieving strategic objectives.

Ensuring Effective Internal Controls

As described by the GAO, “a key factor in improving accountability in achieving

an entity’s mission is to implement an effective internal control system. An

effective internal control system helps an entity adapt to shifting environments,

evolving demands, changing risks, and new priorities.”63 OMB Circular A-123

emphasizes the need for agencies to coordinate risk management and strong and

effective internal controls into existing business activities as an integral

part of governing and managing an agency.

Footnote 63: U.S. Government Accountability Office, Standards for Internal

Control in the Federal Government, GAO-14-704G (September 2014). [End of

footnote]

HUD OIG noted HUD’s continuing struggle with effective oversight controls to

monitor operations and programs. HUD faces challenges to effectively manage its

programs that distribute about $48.2 billion annually to state and local government,

organizations, and individuals through grants, subsidies, and other payments. For

example, in 2018, HUD OIG reports identified more than $1.3 billion in ineligible,

unsupported, unnecessary, or unreasonable costs. HUD OIG also noted that HUD’s lack

of compliance with the GAO’s internal control standards has deprived HUD management

of an important monitoring tool that can provide feedback on the effectiveness and

efficiency of departmental operations.

FHFA OIG identified that internal control systems at Fannie Mae and Freddie Mac,

which are under government conservatorship, fail to provide directors with accurate,

timely, and sufficient information to enable them to exercise their oversight duties

that are delegated to them by FHFA as conservator. Further, the FHFA OIG found that

leadership changes in 2018 and 2019 may lead to a lack of attention to internal

controls.

Governance is an important tool for Financial-Sector Regulatory Organizations to

ensure that they fulfill their missions and responsibilities to citizens and taxpayers.

ERM and internal control programs synthesize the management of Financial-Sector

Regulatory Organizations’ risks into an organization’s culture, so that these risks

may be considered and incorporated into budget, strategic planning, performance

reporting, and internal controls for the agency as a whole.

[End of CHALLENGE 5 STRENGTHENING AGENCY GOVERNANCE]

CHALLENGE 6 MANAGING HUMAN CAPITAL

Financial-Sector Regulatory Organizations rely on the skills of over 117,000 employees

to ensure the safety and soundness of the U.S. financial system.64 In March 2019, the

GAO recognized strategic human capital management as a continuing Government-wide area

of high risk.65 The GAO noted the need for Federal agencies to “measure and address

existing mission-critical skills gaps, and use workforce analytics to predict and

mitigate future gaps so agencies can effectively carry out their missions.”66

Footnote 64: CIGFO Working Group analysis of OPM Fedscope data as of March 2018

available at https://www.fedscope.opm.gov. [End of footnote]

Footnote 65: U.S. Government Accountability Office, High-Risk Series: Substantial

Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March

2019). [End of footnote]

Footnote 66: U.S. Government Accountability Office, High-Risk Series: Substantial

Efforts Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March

2019). [End of footnote]

Succession Planning to Fill Leadership Gaps

Government-wide retirement eligibility in 2022 is estimated to be 31.6 percent of all

permanent Federal employees.67 According to the GAO, retirements could cause gaps in

leadership and institutional knowledge and exacerbate existing skill gaps. According

to the Office of Personnel Management (OPM), succession planning for such retirements

forms an integral part of workforce planning and helps ensure an ongoing supply of

qualified staff to fill leadership and other key positions.68 Specifically, OPM

requires that the head of each agency, in consultation with OPM, develop a

comprehensive management succession program, based on the agency's workforce

succession plans, to fill agency supervisory and managerial positions. Agency

succession programs should be supported by employee training and development programs.

Footnote 67: U.S. Government Accountability Office, High-Risk Series: Substantial Efforts

Needed to Achieve Greater Progress on High-Risk Areas, GAO-19-157SP (March 2019).

[End of footnote]

Footnote 68: 5 C.F.R. Part 412. [End of footnote]

The Federal Reserve Board and Bureau OIG cited potential leadership and skills gaps as a

result of a projected increase in numbers of Federal Reserve Board employees becoming

eligible for retirement. Similarly, the FDIC OIG found that the percentage of FDIC employees

eligible to retire more than doubles (2.3 times) over the next 5 years, increasing from

18 percent in 2018 to 42 percent in 2023. Further, the FDIC OIG identified potential

leadership gaps resulting from the retirement eligibility of 66 percent of the Executive

Management employees and another 57 percent of Managers between 2018 and 2022.

HUD OIG also identified that leadership gaps have affected HUD’s management of its programs

and operations. Specifically, constant turnover and extended vacancies in HUD’s most

important political and career executive positions led to poor management decisions and

questionable execution of internal business functions. The SEC OIG also noted that, although

the agency’s multi-year strategic plan identified the need to strengthen human capital

management, the SEC lacked a formal succession plan.

Skills Gap Identification and Mitigation

OPM’s Human Capital Framework requires that agencies use comprehensive data analytic methods

to monitor and address skills gaps and develop gap closure strategies.69 CIGFO members

identified challenges in the identification and mitigation of agency skill set gaps

especially in response to new technologies. The Federal Reserve Board and Bureau OIG found

that the Federal Reserve Board remains challenged to identify a diverse workforce with the

necessary technical, managerial, and leadership skills. Continually evolving workforce

expectations and a highly competitive environment for individuals with specialized skills

present challenges for the Federal Reserve Board. The FDIC OIG found that the FDIC was

challenged to ensure that examination staff skill sets kept pace with the increasing complexity

and sophistication of IT environments at banks as well as the introduction of new financial

technology. The FDIC OIG also identified examiner skillset imbalances among FDIC regional

offices. As a result, senior examiners may be required to travel more frequently in order to

supervise less experienced staff and sign reports of examination.

Footnote 69: See OPM Human Capital Framework Structure and SEC OIG, The SEC Made Progress

But Work Remains to Address Human Capital Management Challenges and Align With the Human

Capital Framework (September 11, 2018), Report No. 549. [End of footnote]

The Federal Reserve Board and Bureau OIG stated that to address vacancies in the Bureau’s

workforce, the agency is reallocating staff resources through reassignments or detail

opportunities. However, some of these vacancies are for highly specialized skillsets, and

the Bureau may face challenges in identifying the necessary skillsets in its current

workforce. The SEC OIG found that, although the SEC began a skill set assessment project

in 2016, the SEC was delayed in implementing the project. Specifically, as of July 2018,

the SEC had not completed competency assessment surveys or similar reviews to identify and

close skill gaps within SEC divisions, offices, and regional offices.

Financial-Sector Regulatory Organizations’ workforce plays a vital role in ensuring mission

success. Mission success is contingent on each organization’s management of human capital

activities – workforce planning, recruitment, on-boarding, compensation, engagement,

succession planning, and retirement programs – to allow for proactive responses to anticipated

changes and maximize human capital efficiency and effectiveness.

[End of CHALLENGE 6 MANAGING HUMAN CAPITAL]

CHALLENGE 7 IMPROVING CONTRACT AND GRANT MANAGEMENT

The Administration recognized the importance of improving Federal Government acquisitions in

finding that such acquisitions “often fail to achieve their goals because many Federal managers

lack the program management and acquisition skills to successfully manage and integrate large

and complex acquisitions into their projects.”70 In addition, the GAO found that Government

contracting officials were carrying heavier workloads, and thus, it was more difficult for

these officials to oversee complex contracts and ensure that contractors adhered to contract

terms.

Footnote 70: The President’s Management Agenda: Modernizing Government for the 21st Century.

[End of footnote]

Grants are an important policy tool to provide funding to state and local governments, and

nongovernmental entities for national priorities. According to the GAO, effective oversight

and internal control is important to provide reasonable assurance to Federal managers and

taxpayers that grants are awarded properly, grant recipients are eligible, and grants are

used as intended according to laws and regulations.71

Footnote 71: U.S. Government Accountability Office, Grants Management: Observations on

Challenges and Opportunities for Reform, GAO-18-676T (July 25, 2018). [End of footnote]

Strengthening Contract Oversight

According to the GAO’s Framework for Assessing the Acquisition Function at Federal Agencies,

agencies should effectively manage their acquisitions process in order to ensure that

contract requirements are defined clearly and all aspects of contracts are fulfilled.72

Agencies must properly oversee contractor performance and identify any deficiencies.

Footnote 72: U.S. Government Accountability Office, Framework for Assessing the Acquisition

Function at Federal Agencies, GAO-05-218G (September 2005). [End of footnote]

The Special Inspector General for the Troubled Asset Relief Program (SIGTARP) identified

challenges to Treasury Department’s oversight of Troubled Asset Relief Program (TARP) Funds.

Over 150 banks or other institutions have received or can receive $23 billion through agreements

entered under the Making Home Affordable Program (MHA Program). The MHA Program pays TARP

dollars when banks and institutions comply with rules and guidelines to modify mortgages to

help struggling homeowners. SIGTARP found that, despite enforcement actions against and other wrongdoing

by many financial institutions, the Treasury Department is significantly scaling back on MHA

Program compliance reviews.

HUD OIG identified challenges with HUD’s oversight of IT procurement. According to HUD’s Chief

Procurement Officer, fewer than five people were adequately trained and possessed the expertise

to manage IT projects and contracts. HUD lacked well-documented and fully developed selection

processes to ensure consistent application of selection criteria used for applicants for

contracts. In addition, HUD did not have robust processes for contractor oversight and

evaluating contractor performance against expected outcomes to ensure that its contractors

met their obligations.

According to the FDIC OIG, the FDIC relies heavily on contractors for support of its mission,

especially for IT and administrative support services. The FDIC OIG identified a number of

contract challenges at the FDIC, including defining contract requirements, coordination

between contracting and program office personnel, and establishing implementation milestones.

For example, FDIC personnel did not fully understand and communicate the requirements to

transition a nearly $25 million data management services contract from one contractor to

another.

The Federal Reserve Board and Bureau OIG identified that the Bureau needed to strengthen

controls for contract financing and management. Specifically, for one of its largest

contracts, the Bureau did not comply with the Federal Acquisition Regulation requirements

concerning contract financing requirements and documenting annual blanket purchase agreement

reviews. Additionally, Bureau staff did not verify contractor expenses by obtaining and

reviewing supporting source documents. The Federal Reserve Board and Bureau OIG also noted

contracting challenges for the Federal Reserve Board’s oversight of physical infrastructure

changes. The Federal Reserve Board encountered significant delays, scope changes, and cost

increases for renovations to its William McChesney Martin, Jr. building.

The SEC OIG identified challenges with the SEC’s management and oversight of contracts. For

example, the SEC OIG found that contract oversight personnel did not enforce contract

requirements for experts performing work for the SEC. Further, contract oversight personnel

had limited first-hand knowledge of the sufficiency of contract deliverables and therefore

could not determine whether the invoices accurately reflected work performed.

Improving Grant Management

Grants are typically categorized as (1) categorical grants – which restrict funds to narrow,

specific activities; (2) block grants – which are less restrictive funding for broader

categories of activities; and (3) general purpose grants – which allow the greatest amount

of discretion to be used for government purposes. Oversight and internal control of grants

are important to ensure grants are used by eligible participants for allowable purposes.

SIGTARP identified challenges with the Treasury Department’s oversight of TARP expenses

charged by state housing finance agencies to administer the Hardest Hit Fund (HHF), a

grant-like program. The Treasury Department’s $9.6 billion for HHF provides funding to

state housing finance agencies to assist unemployed homeowners and individuals whose

mortgages are greater than their current home’s value. SIGTARP has issued several reports

on Treasury’s lack of oversight for grantees. Between 2016 and 2017, SIGTARP identified

$11 million in wasteful, abusive, and unnecessary funding by states for items such as gym

memberships, parties, and country club events. Further, SIGTARP reported that there is no

Federal requirement for states to use competition when spending funds on fees for

consultants, accountants, and lawyers.

HUD OIG reported that HUD continues to struggle with effective program management of the

nearly $50 billion in Federal funds that HUD passes to state and local governments,

organizations, and individuals in the form of grants, subsidies, and other payments.

Approximately 16 percent of HUD’s annual appropriations are provided as grants through

the Office of Community Planning and Development. HUD OIG identified that 21 of its

audits performed from 2014-2017 found that there was little or no monitoring of grantees.

As a result, HUD did not have assurances that it correctly identified high-risk grantees

or conducted adequate monitoring to mitigate risks.

Financial-Sector Regulatory Organizations rely on contracts and grants to perform their

respective missions. Strong oversight and controls over contract and grant processes are

critical to ensure proper stewardship over taxpayer funds.

[End of CHALLENGE 7 IMPROVING CONTRACT AND GRANT MANAGEMENT]

CONCLUSION

This is the second report developed by CIGFO members to identify cross-cutting Challenges

faced by Financial-Sector Regulatory Organizations. In this report, we continue to

emphasize to policy makers the importance of considering a whole-of-Government approach to

coordination and information sharing to address these Challenges.

Consistent with the mission of Inspectors General, this report helps inform the public by

providing them with information about the important Challenges facing the financial sector

to which most of the public is directly connected through bank or credit union accounts and

mortgages. This report also informs CIGFO members in their identification of future

Challenges and collaboration on reviews addressing cross-cutting Challenges facing the

financial sector.

APPENDIX 1 ABBREVIATIONS AND ACRONYMS

Bureau - Bureau of Consumer Financial Protection

CFTC - Commodity Futures Trading Commission

Challenges - The CIGFO Top Management and Performance Challenges

identified in this report.

CIGFO - Council of Inspectors General on Financial Oversight

CISA - Cybersecurity and Infrastructure Security Agency

DHS - Department of Homeland Security

Dodd-Frank Act - The Dodd-Frank Wall Street Reform and Consumer

Protection Act

ERM - Enterprise Risk Management

FBI - Federal Bureau of Investigation

FDIC - Federal Deposit Insurance Corporation

Federal Reserve Board  - Board of Governors of the Federal Reserve

System

FEMA - Federal Emergency Management Agency

FFIEC - Federal Financial Institutions Examination Council

FHFA - Federal Housing Finance Agency

Financial-Sector Regulatory Organizations - Federal Departments and

Agencies overseen by

CIGFO Inspectors General.

FISMA - Federal Information Security Modernization Act of 2014

FSB - Financial Stability Board

FS-ISAC - Financial Services Information Sharing and Analysis Center

FSOC - Financial Stability Oversight Council

GAO - U.S. Government Accountability Office

HHF - Hardest Hit Fund

HUD - Department of Housing and Urban Development

IT - Information Technology

MHA Program - Making Home Affordable Program

NCUA - National Credit Union Administration

NIST - National Institute of Standards and Technology

OCC - Office of the Comptroller of the Currency

OIG - Office of Inspector General

OMB - Office of Management and Budget

OPM - Office of Personnel Management

SEC - Securities and Exchange Commission

SIGTARP - Special Inspector General for the Troubled Asset Relief

Program

TMPC - Top Management and Performance Challenges

Treasury Department - Department of the Treasury

TSP - Technology Service Provider

[End of APPENDIX 1 ABBREVIATIONS AND ACRONYMS]

APPENDIX 2 METHODOLOGY

Department of the Treasury,

link - https://www.treasury.gov/about/organizational-structure/ig/Agency%20Doc…

Federal Deposit Insurance Corporation,

link - https://www.fdicoig.gov/report-release/top-management-and-performance-challenges-facing-federal-deposit-insurance

Commodity Futures Trading Commission,

link - https://www.cftc.gov/sites/default/files/2018-10/oigmgmtchal082718.pdf

Bureau of Consumer Financial Protection,

link - https://oig.federalreserve.gov/reports/bureau-major-management-challeng…

Department of Housing and Urban Development

link - https://www.hudoig.gov/sites/default/files/2018-11/TMC%20-%20FY%202019…

Board of Governors of the Federal Reserve System

link - https://oig.federalreserve.gov/reports/board-major-management-challenge…

Federal Housing Finance Agency

link - https://www.fhfaoig.gov/Content/Files/FY2019%20Management%20and%20Perfo…

National Credit Union Administration

link - https://www.ncua.gov/files/annual-reports/annual-report-2018.pdf

Securities and Exchange Commission

link - https://www.sec.gov/Inspector-Generals-Statement-on-the-SECs-Mgt-and-Pe…

Special Inspector General for the Troubled Asset Relief Program

link - https://www.sigtarp.gov/Pages/Reports-Testimony-Home.aspx

Footnote: 73 The Special Inspector General for the Troubled Asset Relief Program issues to the Treasury Department and has published its assessment of the most serious management and performance challenges and threats facing the Government in TARP in its Quarterly Report to Congress since October 2017. [End of footnote]

[End of APPENDIX 2 METHODOLOGY]

CIGFO Audit of the Financial Stability Oversight Council’s Monitoring of

International Financial Regulatory Proposals and Developments

May 2019

CIGFO-2019-01

[CIGFO member OIG agency seals]

Table of Contents

Transmittal Letter

Executive Summary

CIGFO Working Group Audit

Background

Audit Approach

FSOC’s Activities to Monitor International Financial Regulatory Proposals and Developments

FSOC Members Consider the Monitoring Process Adequate

Conclusion

Appendices

Appendix I: Objective, Scope, and Methodology

Appendix II: Prior CIGFO Reports

Appendix III: FSOC Response

Appendix IV: CIGFO Working Group

[End of Table of Contents]

Abbreviations

CIGFO Council of Inspectors General on Financial Oversight

Dodd-Frank Act Dodd-Frank Wall Street Reform and Consumer Protection Act

FSB Financial Stability Board

FSOC or Council Financial Stability Oversight Council

IOSCO International Organization of Securities Commissions

LIBOR London Interbank Offered Rate

RRC Regulation and Resolution Committee

SRC Systemic Risk Committee

Treasury Department of the Treasury

[End of Abbreviations]

Message from the Chair

Dear Mr. Chairman:

I am pleased to present you with the Council of Inspectors General on

Financial Oversight (CIGFO) report titled, Audit of the Financial Stability

Oversight Council’s Monitoring of International Financial Regulatory Proposals

and Developments.

One of the statutory duties of the Financial Stability Oversight Council

(FSOC) is to monitor domestic and international financial regulatory proposals

and developments, including insurance and accounting issues, and to advise

Congress and make recommendations in such areas that will enhance the integrity,

efficiency, competitiveness, and stability of the U.S. financial markets.

FSOC’s monitoring of international financial regulatory proposals and

developments is conducted in the context of FSOC’s statutory purposes, which

focuses on developments that could pose risks to the stability of the U.S.

financial system.

CIGFO convened a Working Group to assess FSOC’s monitoring of international

financial regulatory proposals and developments. In this resulting audit report,

we concluded that FSOC has a process for monitoring international financial

regulatory proposals and developments. All FSOC members or member

representatives who offered an opinion described FSOC’s monitoring process as

adequate. Although described as adequate, several FSOC members or representatives

offered suggestions for enhancing the process. We encourage FSOC to consider

incorporating into its process the suggestions made by its members to the

extent the suggestions are consistent with FSOC’s focus on identifying and

addressing threats to the stability of the U.S. financial system. We are not making

any recommendations to FSOC as a result of this audit.

I would like to take this opportunity to thank the FSOC members for their

support, especially those Department of the Treasury officials who assisted

with this effort.

CIGFO looks forward to working with you on this and other issues. In

accordance with the Dodd-Frank Wall Street Reform and Consumer Protection

Act, CIGFO is also providing this report to Congress.

Sincerely,

/s/

Eric M. Thorson

Chair, Council of Inspectors General on Financial Oversight



[End of Message from the Chair]

Executive Summary

Why and How

We Conducted this Audit

The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act)1

created regulatory and resolution frameworks designed to reduce the likelihood,

and severe economic consequences, of financial instability. The Dodd-Frank Act

established the Financial Stability Oversight Council (FSOC or Council) and

charged it with identifying risks to the nation’s financial stability, promoting

market discipline, and responding to emerging threats to the stability of the

nation’s financial system. Among other duties, Title I of the Dodd-Frank Act

requires FSOC to monitor domestic and international financial regulatory

proposals and developments, including insurance and accounting issues, and to

advise Congress and make recommendations in such areas that will enhance the

integrity, efficiency, competitiveness, and stability of the U.S. financial markets.

The Dodd-Frank Act also created the Council of Inspectors General on Financial

Oversight (CIGFO), whose members include the Inspectors General with oversight

authority for the majority of FSOC’s member agencies. The Dodd-Frank Act authorizes

CIGFO to convene a Working Group of its members to evaluate the effectiveness and

internal operations of FSOC. In December 2017, CIGFO convened a Working Group to

conduct an audit to assess FSOC’s monitoring of international financial regulatory

proposals and developments for the period of January 2016 to January 2018.2 The

Working Group was led by the Department of the Treasury’s (Treasury) Office of

Inspector General, whose Inspector General is the Chair of CIGFO.



To accomplish the audit objective, the Working Group reviewed the Dodd-Frank

Act to determine FSOC’s statutory purposes and duties. It reviewed FSOC’s governance

documents, annual reports, meeting minutes, and committee meeting agendas. It

also interviewed staff from the FSOC Secretariat at Treasury as well as interviewed

or received responses from FSOC members and member agency representatives to

develop a better understanding of FSOC’s monitoring of international financial

regulatory proposals and developments. The Working Group conducted fieldwork from

February 2018 through June 2018. Appendix I provides additional details about the

objective, scope, and methodology of this audit.

Footnote 1: Public Law No. 111-203, enacted July 21, 2010. [End of footnote]

Footnote 2: See Appendix IV for a listing of Working Group members. [End of footnote]

What We Learned

FSOC monitors international financial regulatory proposals and developments

in several ways. First, FSOC develops and publishes an annual report, which

describes important international financial regulatory proposals and developments,

identifies emerging threats to U.S. financial stability, and can include

recommendations related to these issues. FSOC also follows up on the issues,

threats, and recommendations identified in its annual report. Second, FSOC

members periodically discuss international topics at their meetings, and are

given presentations by experts from relevant member agencies. Third, the staffs

of FSOC member agencies share information on these topics in FSOC’s staff-level

committees, primarily the Systemic Risk Committee (SRC). Finally, some FSOC

member agencies have their own international engagement, which can inform their

participation in FSOC meetings.

FSOC members and FSOC member agency representatives expressed their overall

satisfaction with FSOC’s monitoring of international activities and proposals, and

believed that the process was adequate. Several FSOC members offered suggestions for

process enhancements which are included on pages 8 and 9 of this report. We encourage

FSOC to consider incorporating the suggestions made by these members into its

processes to the extent the suggestions are consistent with FSOC’s purposes of

identifying risks to U.S. financial stability, promoting market discipline,

and responding to emerging threats to the stability of the U.S. financial system.

We are not making any recommendations to FSOC as a result of our audit.

FSOC Response

In a written response, Treasury, on behalf of the FSOC Chairperson, acknowledged the

findings and conclusions in this report. The response stated that the suggestions made

by several FSOC members to further enhance the Council’s work will be considered. The

response is provided as Appendix III.

[End of Executive Summary]

CIGFO Working Group Audit

This report presents the results of the CIGFO Working Group’s audit of FSOC’s monitoring

of international financial regulatory proposals and developments. CIGFO is issuing

this report to FSOC and Congress as part of CIGFO’s responsibility to oversee FSOC under

the Dodd-Frank Act. See Appendix II for a listing of previous CIGFO reports.

Background

The Dodd-Frank Act established FSOC to create joint accountability for identifying and

mitigating potential threats to the stability of the nation’s financial system. By creating

FSOC, Congress recognized that protecting financial stability would require the collective

engagement of the entire financial regulatory community. As shown in Figure 1, the

Council consists of 10 voting members and 5 non-voting members and brings together the

expertise of federal financial regulators; state regulators; an insurance expert appointed

by the President, by and with the advice and consent of the Senate; and others.3 The

voting members of FSOC provide a federal financial regulatory perspective as well as

an independent insurance expert’s view. The non-voting members offer different insights

as state-level representatives from bank, securities, and insurance regulators or as the

directors of offices within Treasury — the Office of Financial Research and the Federal

Insurance Office, established in Titles I and V of the Dodd-Frank Act, respectively.

Within Treasury, a dedicated policy office of Treasury staff, led by a Deputy Assistant

Secretary, functions as the FSOC Secretariat and assists in coordinating the work of

the Council among its members and member agencies.

The statutory purposes of FSOC are to:

• identify risks to the financial stability of the U.S. that could arise from the material financial distress or failure, or ongoing activities, of large, interconnected bank holding companies or nonbank financial companies, or that could arise outside the financial services marketplace;

• promote market discipline, by eliminating expectations on the part of shareholders, creditors, and counterparties of such companies that the Government will shield them from losses in the event of failure; and

• respond to emerging threats to the stability of the U.S. financial system.4

Figure 1: FSOC Council Membership

Federal and Independent Members

• Secretary of the Treasury, Chairperson (v)

• Chairman of the Board of Governors of the Federal Reserve System (v)

• Comptroller of the Currency (v)

• Director of the Bureau of Consumer Financial Protection (v)

• Chairman of the Securities and Exchange Commission (v)

• Chairperson of the Federal Deposit Insurance Corporation (v)

• Chairman of the Commodity Futures Trading Commission (v)

• Director of the Federal Housing Finance Agency (v)

• Chairman of the National Credit Union Administration Board (v)

• Director of the Office of Financial Research

• Director of the Federal Insurance Office

• Independent member with insurance expertise (v)

State Members

State Insurance Commissioner

State Banking Supervisor

State Securities Commissioner

[End of Figure 1: FSOC Council Membership]

Footnote 4: 12 U.S.C. 5322(a)(1). [End of footnote]

Audit Approach

Our audit objective was to assess FSOC’s monitoring of international financial regulatory

proposals and developments. Our audit scope focused on FSOC’s efforts to monitor

international activities over a 2-year period, January 2016 through January 2018.

To accomplish our objective, participating Offices of Inspector General collected

information from FSOC members and/or FSOC member representatives, through interviews

or self-reporting guided by a questionnaire developed by the CIGFO Working Group,

regarding their perspectives on FSOC’s efforts to monitor international financial

regulatory proposals and developments. In addition, we interviewed officials of the

FSOC Secretariat and reviewed FSOC annual reports and laws applicable to FSOC’s authority

to monitor international financial regulatory proposals and developments. We conducted our

audit fieldwork from February 2018 through June 2018.

FSOC’s Activities To Monitor International Financial Regulatory Proposals And Developments

The Dodd-Frank Act provides that FSOC has the duty to monitor international financial

regulatory proposals and developments, including insurance and accounting issues, and

to advise Congress and make recommendations in such areas that will enhance the integrity,

efficiency, competitiveness, and stability of the U.S. financial markets. FSOC’s monitoring

of international financial regulatory proposals and developments is conducted in the context

of FSOC’s statutory purposes, which focuses on developments that could pose risks to the

stability of the U.S. financial system.

The Dodd-Frank Act does not establish specific guidelines or expectations for how FSOC is to

fulfill its duty to monitor international financial regulatory proposals and developments.

Accordingly, the CIGFO Working Group developed a methodology for reviewing FSOC’s activities

in this regard.

Through our interviews with the FSOC Secretariat and FSOC members and/or representatives

and their responses to the questionnaire developed by the CIGFO Working Group, we

learned that FSOC monitors these activities in several ways: (1) periodic discussion of

international topics at the FSOC principals’5 meetings, including presentations by experts

from relevant member agencies; (2) information sharing at FSOC committee-level meetings;

and (3) the development and publishing of its annual reports, which describe important

international proposals and developments, identify potential emerging threats to U.S.

financial stability, and may include recommendations related to these issues. In

addition, some member agencies have their own international engagement, which can

inform their participation in FSOC meetings.

FSOC Principals and FSOC Committee Meetings

FSOC has a statutory duty to facilitate information sharing and coordination among

its member agencies and other Federal and State agencies.6 Through this role, FSOC

works to address gaps and weaknesses within the regulatory structure that could pose

risks to U.S. financial stability, and to promote a safer and more stable financial

system. FSOC exercises its convening authority both through meetings of FSOC members

and through its staff-level committee structure.

We noted that the principals held 17 meetings during the audit period and international topics were discussed at 10 of those meetings.

Footnote 5: Principals are FSOC members, most of whom are heads of federal or state

financial regulatory agencies. [End of footnote]

Footnote 6: 12 U.S.C. 5322(a)(2)(E). [End of footnote]

FSOC operates under a committee structure to promote shared responsibility among its

members and member agencies and to leverage the expertise that already exists at each

agency. These committees consist of senior or staff level representatives from each

of the FSOC members. We identified two primary committees that support the Council’s

monitoring of international activities, FSOC’s Regulation and Resolution Committee (RRC)

and FSOC’s SRC. The RRC is tasked with identifying potential gaps in regulation that

could pose risks to U.S. financial stability, and the SRC is tasked with identifying

risks and responding to emerging threats to the stability of the U.S. financial system.

During the audit period, the RRC held nine meetings to discuss topics that were regulatory

in nature. We were told by an FSOC Secretariat official that most of the topics had

international aspects. Additionally, the SRC held 10 meetings during the audit period

to receive briefings from FSOC member agencies on a range of international topics that

had a bearing or potential bearing on financial stability and to discuss the issues

raised.

Topics discussed during SRC and RRC meetings included: European political and market

developments, the United Kingdom referendum to leave the European Union (known

as Brexit), Basel standards, the European banking sector (including Greece), China’s

economy and potential spillover risks, virtual currency, the London Interbank Offered

Rate (LIBOR), central counterparty supervisory stress tests, and qualified financial

contracts. We determined that many topics discussed at the committee meetings were

raised with the Council and were included, as appropriate, in FSOC’s annual report.

Most FSOC members and/or representatives that we interviewed or coordinated with noted

that the SRC is FSOC’s primary mechanism to monitor international financial regulatory

proposals and developments. The SRC serves as a forum for FSOC members and member

agencies to identify, discuss, and analyze potential risks to U.S. financial stability,

which may extend beyond the jurisdiction of a single agency.

Representatives from one member agency stated that proposals and developments monitored

by these committees are shared with the Deputies Committee,7 sometimes as part of a

committee meeting readout, and sometimes as a standalone presentation. Representatives

from another member agency stated that when there is an international financial

regulatory proposal or development of concern from a financial stability perspective,

the Deputies Committee and/or the Council receive briefings from relevant experts

from FSOC member agencies to inform them about the topic.

Footnote 7: The members of the Deputies Committee are senior officials from each of the

member agencies. This committee coordinates and oversees the work of the other interagency

staff committees. [End of footnote]

In addition, several FSOC members and/or representatives stated that FSOC focuses

more on domestic activities than those of an international nature due to the greater

potential influence of domestic developments on U.S. financial stability. For example,

representatives from one member agency stated that FSOC member agencies that are the

lead on domestic regulatory proposals and developments with financial stability

implications are available to brief FSOC members and/or its committees. Despite the

emphasis on domestic developments, briefings on international financial regulatory

proposals and developments are provided by FSOC member experts.

Annual Reporting

The Dodd-Frank Act requires FSOC to report to Congress annually about: (1) its

activities; (2) significant financial market and regulatory developments; (3) potential

emerging threats to the financial stability of the United States; and (4) recommendations

to: (i) enhance the integrity, efficiency, competitiveness, and stability of U.S.

financial markets; (ii) promote market discipline; and (iii) maintain investor confidence,

among other things. Consistent with this charge, we found that FSOC’s annual reports

described the activities of the Council and its subcommittees, including international

financial regulatory proposals and developments. Most of the FSOC members and/or

representatives we interviewed or coordinated with, told us that FSOC monitors international

financial regulatory proposals and developments through its annual reporting process.

Specifically, many FSOC members and/or representatives participate in FSOC’s annual report

drafting process, which serves as an opportunity for participating members and member

agencies to discuss and provide input about international activities.

FSOC has made no recommendations related to international financial regulatory proposals

and developments in its annual reports, which FSOC has issued to Congress each year since

its inception in 2010. An FSOC Secretariat official told us that should the Council identify

a need to make a recommendation related to an international regulatory proposal or development,

it would likely accomplish this through its annual report.

Individual Member Agencies’ Efforts

Some FSOC member agencies independently monitor international activities within their agencies’

purview and hold discussions with foreign counterparts. The knowledge these member agencies

gain from these activities can be shared among each other and at FSOC meetings. Examples of

agencies’ independent activities include: participation in working groups and committees of

the Financial Stability Board (FSB) and other international organizations,8 and information

sharing with agencies’ international affairs offices. For example, Treasury participates

in the FSB. The Securities and Exchange Commission is active in monitoring international

activities and regulatory developments through a variety of methods, including participation

in international financial regulatory organizations of which it is a member (e.g.,

FSB, International Organization of Securities Commissions (IOSCO) and working groups

thereof), and direct engagement with foreign counterparts that are market regulators. The

Commodity Futures Trading Commission conducts its own monitoring of international

financial regulatory proposals through its membership in the IOSCO, the Over-The-

Counter Derivatives Regulators Group, and as an invited guest to working groups and

committees of the FSB. The Federal Deposit Insurance Corporation participates in

international standard-setting bodies and engages in its own discussions with international

supervisors and regulators. The Board of Governors of the Federal Reserve System

monitors international financial developments consistent with its mandate. For example,

the Federal Reserve Board’s Division of International Finance conducts research,

analyzes policies, and reports in the areas of foreign economic activity, U.S. external trade

and capital flows, and developments in international financial markets and institutions.

FSOC Secretariat officials told us that FSOC seeks to avoid duplication or overlap with its

member agencies’ individual efforts in monitoring international developments.

Footnote 8: The FSB was established in April 2009 and serves as an international body that

monitors and makes recommendations about the global financial system. The U.S. member

institutions on the Board are the Board of Governors of the Federal Reserve System, the

U.S. Securities and Exchange Commission, and Treasury. Additional background is available

online at www.fsb.org. [End of footnote]

FSOC MEMBERS CONSIDER THE MONITORING PROCESS ADEQUATE

All FSOC members and/or representatives who provided views on this issue described

FSOC’s monitoring of international financial regulatory proposals and developments as

adequate since FSOC’s monitoring process accomplishes its intended purpose, which is

to keep abreast of international issues that may pose risks to the U.S. financial system

and raise awareness of those issues. We note that as a practical matter, FSOC does

not have decision making authority over international financial regulatory proposals

or developments.

A couple of members suggested that FSOC could enhance its monitoring process by

incorporating additional or more focused briefings at its principals and committee

meetings. One of these members suggested that FSOC’s RRC could receive periodic updates

on key international regulatory proposals being considered in various financial sectors

while the SRC could receive periodic updates on international market developments. That

member also suggested that it would be appropriate for the Nonbank Financial Companies

Designations Committee (Nonbank Designations Committee)9 to receive updates regarding the

global systemically important insurers’10 process and/or activities-based approach being

discussed at the International Association of Insurance Supervisors.11 In addition, the

member stated that it would make sense for the principals to receive briefings regarding

the most significant proposals and market developments to the extent that those proposals

and developments may impact U.S. financial stability.

Footnote 9: The Nonbank Designations Committee supports FSOC in fulfilling its

responsibilities to consider, make, and review determinations that nonbank financial

companies shall be supervised by the Board of Governors of the Federal Reserve System and

be subject to enhanced prudential standards, pursuant to the Dodd-Frank Act. [End of

footnote]

Footnote 10: Insurers identified by the FSB as those whose distress or disorderly failure,

because of their size, complexity, and interconnectedness, would cause significant

disruption to the global financial system and economic activity. [End of footnote]

Another member suggested that agencies who participate in international regulatory

coordination and standard-setting bodies could make a greater effort to regularly present

to the SRC, RRC, or other FSOC committees about their coordination efforts with

international regulatory authorities, as appropriate. The member suggested FSOC should

make a greater effort to cover, in committee meetings, the risks posed to systemically

important foreign financial institutions by domestic and international financial regulatory

proposals and developments. According to that member, international topics covered

by the SRC are generally related to international economic or political developments as

opposed to international financial regulatory developments. This member suggested that

FSOC could make a greater effort to connect emerging international risks to international

financial regulatory proposals intended to mitigate those risks. Additionally, this member

stated that greater effort could be made by the SRC to cover international developments

and proposals discussed in FSOC’s annual report.

Additionally, representatives from one FSOC member agency stated that FSOC does not

need to get involved in areas where regulators already exist and should continue monitoring

areas such as risks related to LIBOR, European debt, and the Chinese shadow banking system,

where there is no lead U.S. financial regulatory agency.

Footnote 11: Established in 1994, the International Association of Insurance Supervisors

is the international standard-setting body responsible for developing principles, standards,

and other supporting material for the supervision of the insurance sector and assisting in

their implementation. [End of footnote]

CONCLUSION

We determined that FSOC has a process for monitoring international financial regulatory

proposals and developments. FSOC’s monitoring is evidenced by the discussion of international

topics at FSOC principals’ meetings, information sharing at FSOC committee-level

meetings, and the development and publishing of its annual report.

All FSOC members or member representatives who offered an opinion described FSOC’s process

to monitor international financial regulatory proposals and developments as adequate.

Although they described FSOC’s monitoring process as adequate, several members and/or

representatives offered suggestions for enhancing the process which included, but were

not limited to: (1) asking member agencies who participate in international regulatory

coordination, as well as standard-setting bodies, to regularly present to FSOC’s

committees on coordination efforts with international regulatory authorities; (2)

making a greater effort to cover the risks posed to systemically important foreign

financial institutions by domestic and international financial regulatory proposals

and developments; (3) separating the types of periodic updates received by the SRC and

RRC—specifically, international market updates versus international financial regulatory

proposals, respectively; (4) receiving briefings at principals’ meetings regarding

the most significant international financial regulatory proposals and market developments

to the extent that those activities may impact U.S. financial stability; and (5)

continuing FSOC’s monitoring efforts in areas where no lead financial regulatory

agency exists.

We encourage FSOC to consider incorporating into its process the suggestions made by

its members to the extent the suggestions are consistent with FSOC’s focus on identifying

and addressing threats to the stability of the U.S. financial system. We are not making

any recommendations to FSOC as a result of our audit.

FSOC Response

In a written response, Treasury, on behalf of the FSOC Chairperson, acknowledged

its monitoring of international financial regulatory proposals and developments as

outlined in this report. The response stated that the suggestions made by several FSOC

members to further enhance the Council’s work will be considered.

Appendix I:

Objective, Scope, and Methodology

Objective

The audit objective was to assess the Financial Stability Oversight Council’s (FSOC)

monitoring of international financial regulatory proposals and developments.

Scope and Methodology

The scope of this audit included FSOC’s monitoring of international financial regulatory

proposals and developments from January 2016 through January 2018.

To accomplish our objective, we:

• reviewed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) to

determine FSOC’s statutory purposes and duties;

• interviewed staff from the FSOC Secretariat to determine FSOC’s process of monitoring

international financial regulatory proposals and developments;

• interviewed or coordinated with FSOC members and member agency representatives to obtain

their views and to determine their involvement in FSOC’s process of monitoring international

financial regulatory proposals and developments;

• reviewed past FSOC and Council of Inspectors General on Financial Oversight annual reports,

FSOC’s bylaws, FSOC’s committee charters for the following committees: Data Committee;

Financial Market Utilities and Payment, Clearing and Settlement Activities Committee; Nonbank

Financial Companies Designations Committee; Regulation and Resolution Committee; and the

Systemic Risk Committee;

• reviewed FSOC’s Principals’ meeting minutes, and meeting agendas for FSOC’s Systemic Risk

Committee and Regulation and Resolution Committee (FSOC is not required to prepare meeting

minutes for committee meetings; therefore, we could only review agendas for these groups);

and

• created a questionnaire designed to gather specific information regarding each FSOC member

and member agency’s participation in the monitoring of international financial regulatory

proposals and developments as well as their assessment of FSOC’s work in this area. This

questionnaire was used by each of the Working Group members to facilitate the consistent

collection of information from all interviewees. Several members self-reported their

responses to the questionnaire.

We performed fieldwork from February through June 2018. We conducted this performance

audit in accordance with generally accepted government auditing standards. Those standards

require that we plan and perform the audit to obtain sufficient, appropriate evidence to

provide a reasonable basis for our findings and conclusions based on our audit objectives.

We believe that the evidence obtained provides a reasonable basis for our findings and

conclusions based on our audit objectives.

[End of Appendix I: Objective, Scope, and Methodology]

Appendix II:

Prior CIGFO Reports

The Council of Inspectors General on Financial Oversight (CIGFO) has issued the following

prior reports:

• Audit of the Financial Stability Oversight Council’s Controls over Non-public Information,

June 2012

• Audit of the Financial Stability Oversight Council’s Designation of Financial Market

Utilities, July 2013

• Audit of the Financial Stability Oversight Council’s Compliance with Its Transparency

Policy, July 2014

• Audit of the Financial Stability Oversight Council’s Monitoring of Interest Rate Risk

to the Financial System, July 2015

• Audit of the Financial Stability Oversight Council’s Efforts to Promote Market

Discipline, February 2017

• CIGFO’s Corrective Verification Action on the Audit of the Financial Stability

Oversight Council’s Designation of Financial Market Utilities, May 2017

• Top Management and Performance Challenges Facing Financial Regulatory Organizations,

September 2018

[End of Appendix II: Prior CIGFO Reports]

Appendix III: FSOC Response

December 19, 2018

The Honorable Eric M. Thorson

Chair, Council of Inspectors General

on Financial Oversight (CIGFO)

1500 Pennsylvania Avenue, NW

Washington, D.C. 20220

Re: Response to Draft Audit Report: CIGFO’s Audit of the Financial Stability Oversight

Council’s Monitoring of International Financial Regulatory Proposals and Developments

Dear Mr. Chairman:

Thank you for the opportunity to review and respond to your draft audit report, Audit of

the Financial Stability Oversight Council’s Monitoring of International Financial Regulatory

Proposals and Developments (the Draft Report). The Financial Stability Oversight Council

(FSOC) appreciates the CIGFO working group’s review of the FSOC’s efforts to monitor

international issues consistent with its statutory duties. This letter responds on behalf of

Secretary Mnuchin, as Chairperson of FSOC, to the Draft Report.

As the Draft Report notes, FSOC monitors international financial regulatory proposals and

developments in several ways, including through the development of its annual reports;

discussions at Council and staff-level committee meetings and other staff-level discussions;

and through the direct international engagement of its member agencies that inform their

participation on FSOC. The report noted that FSOC members and their staffs expressed their

overall satisfaction with FSOC’s monitoring in this area and believe the process is adequate.

CIGFO made no recommendations as a result of the working group review. The Draft Report

notes that several FSOC members offered suggestions to further enhance FSOC’s work, which

we will consider in the future.

Thank you again for the opportunity to review and comment on the Draft Report. We value

CIGFO’s input and look forward to continuing our constructive engagement with you.

Sincerely,

/s/

Bimal Patel

Deputy Assistant Secretary for the Financial Stability Oversight Council

[End of Appendix III: FSOC Response]

Appendix IV: CIGFO Working Group

Department of the Treasury Office of Inspector General, Lead Agency

Eric M. Thorson, Inspector General, Department of the Treasury, and CIGFO Chair

Deborah Harker

Lisa Carter

Jeffrey Dye

Vicki Preston

Virginia Shirley

Clyburn Perry III

Board of Governors of the Federal Reserve System and the Bureau of Consumer Financial

Protection Office of Inspector General

Mark Bialek, Inspector General, Board of Governors of the Federal Reserve System and Bureau of

Consumer Financial Protection

Chie Hogenmiller

Melissa Chammas

Commodity Futures Trading Commission Office of Inspector General

A. Roy Lavik, Inspector General, Commodity Futures Trading Commission

Miguel Castillo

Branco Garcia

Federal Deposit Insurance Corporation Office of Inspector General

Jay N. Lerner, Inspector General, Federal Deposit Insurance Corporation

Robert Fry

Federal Housing Finance Agency Office of Inspector General

Laura Wertheimer, Inspector General, Federal Housing Finance Agency

Marla Freedman

Bob Taylor

Jim Lisle

April Ellison

Securities and Exchange Commission Office of Inspector General

Carl W. Hoecker, Inspector General, Securities and Exchange Commission

Rebecca L. Sharek

Carrie Fleming

[End of Appendix IV: CIGFO Working Group]

[End of report]