In-Depth Review of Enloe State Bank, Cooper, Texas

Report Information
Report sub-type: In-Depth Review
Report Number: EVAL-20-007

Text Alternative

This is the accessible text file for FDIC OIG report number EVAL-20-007 entitled 'In-Depth Review of Enloe State Bank, Cooper, Texas'. This text file was formatted by the FDIC OIG to be accessible to users with visual impairments. We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

[FDIC OIG logo]

September 2020
EVAL-20-007

In-Depth Review of Enloe State Bank, Cooper, Texas
Evaluation Report
Program Audits and Evaluations

Executive Summary

When a bank fails and the Federal Deposit Insurance Corporation’s (FDIC) Deposit Insurance Fund (DIF) incurs a loss under $50 million as a result of the bank failure, Section 38(k)(5) of the Federal Deposit Insurance Act (FDI Act) requires that the Inspector General of the appropriate Federal banking agency conduct a Failed Bank Review (FBR). The purpose of the FBR is to determine the grounds upon which the state or Federal banking agency appointed the FDIC as receiver and whether any unusual circumstances exist that might warrant an In-Depth Review (IDR) of the loss. Section 38(k)(5) also requires Inspectors General to report information about the results of FBRs in their semiannual reports to Congress. When the Inspector General determines that an IDR is warranted, Section 38(k)(5) requires that the Inspector General report on the review to the FDIC and Congress.

Enloe State Bank (ESB) was a state-chartered, nonmember bank that operated its sole office in rural Cooper, Texas. On May 31, 2019, the Texas Department of Banking (TDB) closed ESB and appointed the FDIC as receiver.
As of July 31, 2020, the FDIC’s Division of Finance estimated the loss from ESB’s failure at approximately $21 million, which is below the $50 million threshold. We found that an IDR was warranted given the extent of the irregular loans identified that contributed to an extraordinarily high estimated loss rate.

The objectives of this evaluation were to (1) determine the causes of ESB's failure and the resulting loss to the DIF and (2) evaluate the FDIC’s supervision of the bank, including the FDIC’s implementation of the Prompt Corrective Action (PCA) provisions of Section 38 of the FDI Act. Our review included analysis of key documents, including the FDIC Division of Risk Management Supervision’s Supervisory History and the Division of Resolutions and Receiverships’ Failing Bank Case, and examination and visitation reports the FDIC and TDB prepared from 2011-2019.

Results

Causes of Failure and Loss to the DIF

Enloe State Bank failed because the President and the senior-level Vice President perpetrated fraud by originating and concealing a large number of fraudulent loans over many years. ESB’s President was a dominant official with significant control over bank operations and limited oversight by the Board of Directors (Board). The bank President used her role as primary lender, with inadequately controlled systems access, to originate millions of dollars in fraudulent agricultural and other commercial loans. She hid them from the Board and regulators with assistance from unnamed co-conspirators. On June 5, 2020, the President entered a guilty plea admitting to executing a scheme to defraud a financial institution by creating fraudulent loans beginning in or about 2009. On August 27, 2020, ESB’s senior-level Vice President entered a guilty plea admitting to executing a scheme to defraud a financial institution by creating fraudulent loans beginning in or about 2014.
The bank did not detect the fraud because it did not maintain adequate internal controls or an effective independent internal audit function, or obtain regular and comprehensive external financial and information technology audits. The losses on the fraudulent loans severely diminished the bank’s earnings and depleted capital to a point at which the bank could not recover.

The FDIC’s Supervision of Enloe State Bank

Between January 2011 and May 2019, the FDIC and TDB conducted six full-scope safety and soundness examinations of ESB, three conducted by the FDIC, two conducted by the TDB, and one joint examination, consistent with FDIC Rules and Regulations Section 337.12, Frequency of Examination. The FDIC and the TDB provided ESB with supervisory recommendations and actions that addressed issues related to the eventual causes of the bank’s failure. However, these recommendations and actions did not persuade the bank’s Board and management to effectively resolve the identified weaknesses, primarily due to fraudulent activities by the bank President and senior-level Vice President and weak Board oversight.

We found that the FDIC did not:
• Identify the existence and impact of a dominant official in a timely manner;
• Consistently identify and follow up on weaknesses in the bank’s audit program;
• Conduct additional testing to address unusual loan-related activity, which may have helped identify the fraudulent activity sooner than 2019; and
• Perform additional procedures to determine the likelihood of fraud once the examination in 2018 identified a dominant official, unsatisfactory Board oversight, and inadequate internal controls and audits.

In the case of ESB, examiners did not identify that fraud might be occurring at the institution until 2019, which was too late to save the bank. With respect to Prompt Corrective Action, as ESB’s capital levels deteriorated, the FDIC took action consistent with PCA provisions.
That is, the FDIC notified ESB that it was “critically undercapitalized” and required ESB to take actions necessary to increase capital to become “adequately capitalized” as defined by Section 38 of the FDI Act. Ultimately, the bank’s Board was not able to satisfy that requirement.

Recommendations

Our report contains eight recommendations for the Director, Division of Risk Management Supervision, to improve examiner guidance and training. Specifically, the FDIC should:
(1) Clarify criteria the examiners should use to identify an official as dominant;
(2) Train examiners on the importance of understanding and documenting the independence and qualifications of internal auditor(s), and reviewing internal audit work papers and results;
(3) Train examiners on the importance of adequate annual external financial audit coverage, and under what circumstances and with what justifications banks may obtain reviews in place of audits;
(4) Implement guidance and train personnel on monitoring and following up on State-issued Matters Requiring Board Attention;
(5) Train examiners on the importance of ensuring that system user access controls be adequately tested;
(6) Enhance case study training to incorporate the lessons learned from Enloe State Bank in regard to performing additional procedures related to the bank’s loan-related activity;
(7) Train examiners to perform additional procedures to determine the likelihood of fraud once a dominant official designation is made at a bank with a weak internal control environment; and
(8) Train examiners on indicators of fraud and how individual issues identified during an examination should be considered holistically to facilitate fraud detection.

The FDIC concurred with three of the eight recommendations and stated it “partially agreed” with the remaining five recommendations.
The corrective actions proposed by the FDIC appear to be sufficient to address the recommendations and, therefore, we consider all eight recommendations to be resolved.

Contents

BACKGROUND
EVALUATION RESULTS
Causes of Failure and Loss to the Deposit Insurance Fund
The FDIC’s Supervision of Enloe State Bank
Summary of Supervisory Ratings, Recommendations, and Actions
The FDIC Did Not Identify the Bank President as a Dominant Official in a Timely Manner
The FDIC Did Not Consistently Identify and Follow up on Weaknesses in the Bank’s Audit Program
The FDIC Did Not Conduct Additional Tests to Address Unusual Loan-Related Activity
The FDIC Did Not Perform Additional Procedures to Determine the Likelihood of Fraud
The FDIC Appropriately Implemented Prompt Corrective Action
FDIC COMMENTS AND OIG EVALUATION
Appendices
1. Objectives, Scope, and Methodology
2. Acronyms and Abbreviations
3. FDIC Comments
4. Summary of the FDIC’s Corrective Actions
Tables
1. Selected Financial Information for Enloe State Bank, December 2011 - 2018
2. Supervisory History of ESB, 2011 - 2019
3. ESB and Its Peer Group’s Agricultural Loan Concentrations 2011 - 2018

September 30, 2020

Subject: In-Depth Review of Enloe State Bank, Cooper, Texas

When a bank fails and the Federal Deposit Insurance Corporation’s (FDIC) Deposit Insurance Fund (DIF) incurs a loss under $50 million as a result of the bank failure, Section 38(k)(5) of the Federal Deposit Insurance Act (FDI Act) requires that the Inspector General of the appropriate Federal banking agency conduct a Failed Bank Review (FBR). The purpose of the FBR is to determine the grounds upon which the state or Federal banking agency appointed the FDIC as receiver and whether any unusual circumstances exist that might warrant an In-Depth Review (IDR) of the loss. Section 38(k)(5) also requires that Inspectors General report information about the results of FBRs in their semiannual reports to Congress.
When the Inspector General determines that an IDR is warranted, Section 38(k)(5) requires that the Inspector General report on the review to the FDIC and Congress.

On May 31, 2019, the Texas Department of Banking (TDB) closed Enloe State Bank (ESB) and appointed the FDIC as receiver. According to the FDIC's Division of Finance, the initial estimated loss to the DIF was $27.6 million, or 75 percent of the bank's $37 million in total assets at failure.[1] The FDIC Office of Inspector General’s (OIG) FBR of ESB[2] found that an IDR was warranted given the extent of irregular loans identified that contributed to an extraordinarily high estimated loss rate.

The objectives of this IDR were to (1) determine the causes of ESB’s failure and resulting loss to the DIF and (2) evaluate the FDIC’s supervision of the institution, including the FDIC’s implementation of the Prompt Corrective Action (PCA) provisions of Section 38 of the FDI Act. The scope of our review included FDIC and TDB examinations and visitations from March 2011 through May 2019, when the bank failed. Reviewing this period allowed us to evaluate significant events, issues, and risks that contributed to the bank’s failure, and how they were addressed by the FDIC. Appendix 1 contains additional details on our objectives, scope, and methodology.

BACKGROUND

ESB was a state-chartered nonmember[3] institution, wholly-owned by Entex Bancshares, Inc. (EBI), a one-bank holding company. ESB was insured by the FDIC in 1934 and operated from a single location in rural Cooper, Texas, which had a population of about 2,000 people, located approximately 80 miles northeast of Dallas, Texas. ESB had a staff of about six to eight employees, including the President and senior-level Vice President,[4] during the period 2011 to 2019.

Executive bank management is responsible for running the day-to-day operations of the bank in a safe and sound manner and in compliance with applicable laws, rules, and regulations.
This responsibility includes implementing appropriate policies and business objectives. The most senior officer of ESB, the President, started in the bank in 1993 and was appointed President in 2003. The bank’s President became the largest shareholder of EBI stock in March 2017, when she increased her ownership to 24.65 percent. She oversaw most aspects of ESB’s operations. The senior-level Vice President joined the bank in 1988. In addition to her duties as cashier, she was a loan officer and was responsible for the bank’s loan review function along with the bank President. The bank had one Internal Auditor, who was the same individual during the period covered by our review. This individual also served as an assistant cashier.

According to the FDIC’s Division of Risk Management Supervision (RMS) Manual of Examination Policies (Examination Manual), Section 4.1, Management (April 2018), the Board of Directors (Board) is responsible for formulating sound bank policies and objectives and supervising the bank’s affairs, while executive management is responsible for implementing the Board’s policies and objectives in daily bank operations. ESB had eight members on the Board from 2011 to 2017, six of whom were outside directors. From August 2017 to May 2019, ESB had seven members on the Board, as one of the outside directors retired in August 2017. The two inside directors included the bank’s President and the senior-level Vice President, who was also Board Secretary.

ESB historically focused on agricultural lending and residential mortgages, which represented 32 percent and 20 percent of average total loans, respectively, as of March 31, 2019. Commercial and industrial loans had increased since 2017 and represented 24 percent of average total loans as of that date. As of March 31, 2019, the bank had $36.7 million in total assets and $31.3 million in total deposits.
Table 1 summarizes selected financial information pertaining to ESB for the years ended December 2011 through 2018, including the bank’s earnings ratio and loan growth that significantly exceeded its peer group for many of those years. For example, the bank’s cumulative loan growth rate for 2011 through 2018 was 54 percent compared to 17 percent for its peer group.

Footnote 3: The term, “nonmember,” refers to a financial institution that is not a member of the Federal Reserve System. [Federal Deposit Insurance Act § 3(e)]

Footnote 4: The bank had three employees with the title of Vice President as of January 2019. The senior-level Vice President was also the cashier and a director of the bank.

Table 1: Selected Financial Information for Enloe State Bank, December 2011 - 2018

Financial Data ($000s)                    | 12/31/18 | 12/31/17 | 12/31/16 | 12/31/15 | 12/31/14 | 12/31/13 | 12/31/12 | 12/31/11
Total Assets                              |   36,485 |   35,154 |   31,382 |   30,809 |   28,494 |   26,616 |   25,058 |   24,660
Net Loans & Leases                        |   30,423 |   27,631 |   25,753 |   23,914 |   22,187 |   19,352 |   18,214 |   17,738
Total Deposits                            |   30,703 |   28,011 |   28,323 |   27,767 |   25,502 |   23,713 |   22,136 |   21,744

Ratios (percent)                          | 12/31/18 | 12/31/17 | 12/31/16 | 12/31/15 | 12/31/14 | 12/31/13 | 12/31/12 | 12/31/11
Net Loans & Leases to Deposits            |       99 |       99 |       91 |       86 |       87 |       82 |       82 |       82
Net Loans & Leases to Deposits (Peer)     |       65 |       63 |       63 |       62 |       61 |       58 |       56 |       55
Net Income to Average Assets              |     1.23 |     1.24 |     1.26 |     1.30 |     1.21 |     1.01 |      .75 |      .81
Net Income to Average Assets (Peer)       |      .84 |      .75 |      .80 |      .77 |      .77 |      .72 |      .51 |      .54
Net Loans & Leases Growth Rate (a)        |    10.10 |     7.29 |     7.69 |     7.78 |    14.65 |     6.25 |     2.68 |    -2.30
Net Loans & Leases Growth Rate (Peer) (b) |     1.98 |     2.72 |     2.55 |     4.06 |     5.30 |     3.28 |      .44 |    -3.33

[End of table]
Source: OIG prepared from Uniform Bank Performance Reports (UBPR) for Enloe State Bank.
a The cumulative growth rate for the 8-year period was 54 percent, equal to the sum of the growth rates for each year.
b The cumulative growth rate for the 8-year period was 17 percent, equal to the sum of the growth rates for each year.

EVALUATION RESULTS

Causes of Failure and Loss to the Deposit Insurance Fund

Enloe State Bank failed because the President and the senior-level Vice President perpetrated fraud by originating and concealing a large number of fraudulent agriculture and other commercial loans over many years. The estimated loss from the fraudulent lending scheme totaled approximately $16.8 million (or approximately 52 percent of the dollar value of loans on the bank records prior to closing), which depleted the bank’s capital and led to the bank’s failure. The dominant bank President and the senior-level Vice President shared all daily management duties and had access to all bank systems and records.
Starting as early as 2009, the President took advantage of the bank’s weak internal control environment by using her inadequately controlled systems access and role as primary lender to originate and modify fraudulent loans to avoid detection by the Board and examiners. Beginning in or about 2014, the senior-level Vice President began originating fraudulent loans. Collectively, the two officials created more than 100 fictitious loans. According to examiners, all but 11 of these fictitious loans were originated by the President. In 2019, examiners determined that approximately $16.35 million of the $16.8 million losses from the fraudulent lending (97 percent of such losses) related to loans originated by the President, with the remaining amount related to loans originated by the senior-level Vice President.

The fraudulent loans were originated in the names of fictitious borrowers or in the names of existing customers without their knowledge. The President and senior-level Vice President used proceeds from the fraudulent loans to benefit themselves and others, including family members. For example, the President purchased a vehicle, paid off family member loans, and put funds in family member bank accounts. Additional fraudulent loans were originated to make principal and interest payments on other fraudulent loans, to keep them from showing up as past due. These actions inflated interest income and therefore the bank’s reported earnings. For example, TDB examiners found that, in April 2019, more than $1.2 million of capitalized interest[5] was removed from the accrued interest account and capitalized into suspicious loans, with the amount representing about 66 percent of the bank’s reported interest income for 2018. As a shareholder in EBI, the President further benefitted from dividends paid by the holding company based on the bank’s inflated earnings.
FDIC examiners concluded that, in order to conceal the fraud, the President kept many fraudulent loans below the threshold limit of $150,000, because the President believed that amount was a cutoff for examiner review. In cases where examiners selected loans for review that were fraudulent, the President would provide documentation that led examiners to believe the loans had been paid off or were otherwise legitimate. In addition, the President extended the maturity date and recorded principal and interest payments on fraudulent loans to keep the loans from becoming past due, and therefore potentially subject to examiner review. These actions jeopardized the overall safety and soundness of the bank.

Footnote 5: Capitalized interest is interest that is added to a loan balance. [Examination Manual Section 3.2, Loans (September 2019)]

Further, minutes of the Directors Loan and Oversight Committee (Loan Committee)[6] and the Board excluded information about some of the fraudulent loans. In addition, loan trial balances, statements of condition, and other supporting records provided to the examiners were manipulated to hide information related to the fraudulent loans.

TDB examiners concluded in 2019 that the ESB Board members had limited banking knowledge or business experience. In addition, both the President and senior-level Vice President had been with the bank for many years, and FDIC and TDB officials informed us that the outside directors trusted the President. Therefore, the President, as a dominant official, had significant influence over the Board. Consequently, the Board failed to establish adequate oversight of bank management activities, relying on the dominant bank President to ensure adequate audit and internal control programs[7] were in place. For example:

• The Board did not ensure that the bank received frequent, comprehensive external financial audits and external information technology (IT) audits.
Over the 8-year period from 2011 through 2019, the bank did not obtain an external financial audit and it obtained only one agreed-upon-procedures engagement[8] in 2013.[9] The President initiated the agreed-upon-procedures engagement and the procedures were only applied to selected accounting records and transactions of the bank rather than a full-scope financial statement audit. During the same period, the bank obtained an external IT audit four times, in 2011, 2013, 2016, and 2018. The President was responsible for initiating these engagements as well. Ultimately, none of these external reviews uncovered the fraudulent activity or the inadequate controls over the President’s access to computer systems.

Footnote 6: The bank’s Loan Committee performed the internal loan review function. The bank’s Loan Policy stated that “the primary objective of the loan review function is to determine the collectability of the bank’s loan portfolio on an ongoing basis.”

Footnote 7: Internal control programs should be designed to ensure organizations operate effectively, safeguard assets, produce reliable financial records, and comply with applicable laws and regulations. [RMS Manual of Examination Policies, Section 4.2, Internal Routine and Controls (March 2015)]

Footnote 8: An engagement involving procedures specified by the Board or Audit Committee that does not include a report on the fairness of the institution's financial statements or attest to the effectiveness of the internal control structure over financial reporting. [Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (October 1999)]

Footnote 9: A second agreed-upon procedures engagement began in April 2019; however, the external audit firm did not complete the report prior to the bank’s failure.

• The Board did not ensure the bank had an effective internal control environment that provided for adequate segregation of duties[10] and effective internal audits.
For example, the President oversaw bank operations and was responsible for financial reporting as well as originating and approving loans. She was also the IT officer and for many years had inadequately controlled access to bank computer systems. In addition, the President was a shareholder, a Board member, and a Loan Committee member. Moreover, as early as 2016 the bank’s Internal Auditor had the authority to review and approve bank general ledger system entries. This responsibility impaired her ability to perform independent internal audits of the bank’s internal control environment, as she had the ability to audit entries with which she was involved. Additionally, an FDIC examiner concluded that the Internal Auditor performed IT audits without having adequate technical training.

• Further, the bank’s controls over loans were inadequate. In 2019, examiners identified over 100 fictitious loans at ESB without a note or standard loan files. In 2012, 2015, and 2016, examiners also found that the bank generally did not obtain borrower credit reports and in 2011, 2012, 2013, 2015, and 2018, found that the bank did not consistently retain adequate evidence of borrower financial analysis in the loan files. Over the 8-year period from 2011 through 2019, the Board did not ensure that independent external loan reviews were conducted over the bank’s loan portfolio to aid in the identification of problem loans. Such an external review may have helped identify fraudulent loans, some of which were excluded from the internal loan review process without detection.

Collectively, these weaknesses allowed the President and senior-level Vice President to commit fraud over many years without detection by the Board and examiners.
On February 11, 2020, the bank’s President admitted that she “created more than one hundred (100) fraudulent loans on the Enloe State Bank’s books and worked to actively conceal such loans from regulators.”[11] On July 28, 2020, the bank’s senior-level Vice President admitted that during the course of the conspiracy, she participated in the creation of fictitious loans that benefitted herself and her family members.[12]

Footnote 10: A segregation of duties occurs when two or more individuals are required to complete a transaction. It allows one person’s work to verify that transactions initiated by another employee are properly authorized, recorded, and settled. One person should not dominate a transaction from inception to completion. For example, IT personnel should not initiate and process transactions. [RMS Manual of Examination Policies, Section 4.2, Internal Routine and Controls (March 2015)]

Footnote 11: The admission is included in a Factual Basis filed on June 5, 2020 in the United States District Court for the Eastern District of Texas Sherman Division.

Footnote 12: This admission is included in a Factual Basis filed on August 27, 2020 in the United States District Court for the Eastern District of Texas Sherman Division.

The FDIC’s Supervision of Enloe State Bank

We found that the FDIC Division of Risk Management Supervision and the TDB conducted timely examinations in accordance with requirements. The FDIC and the TDB provided ESB with supervisory recommendations and actions that addressed issues related to the eventual causes of the bank’s failure. However, these recommendations and actions did not persuade the bank’s Board and management to effectively resolve the identified weaknesses, primarily due to fraudulent activities by the bank President and senior-level Vice President and weak Board oversight.
We found that the FDIC did not:
• Identify the existence and impact of a dominant official in a timely manner;
• Consistently identify and follow up on weaknesses in the bank’s audit program;
• Conduct additional testing to address unusual loan-related activity, which may have helped identify the fraudulent activity sooner than 2019; and
• Perform additional procedures to determine the likelihood of fraud once the examination in 2018 identified a dominant official, unsatisfactory Board oversight, and inadequate internal controls and audits.

The following sections detail ESB’s supervisory history, and the FDIC’s supervisory response to key risks and implementation of PCA.

Summary of Supervisory Ratings, Recommendations, and Actions

According to the Examination Manual, Section 1.1, Basic Examination Concepts and Guidelines (December 2018), “onsite examinations help ensure the stability of insured depository institutions by identifying undue risks and weak risk management practices.” Insured depository institutions are rated in accordance with the Uniform Financial Institutions Rating System (UFIRS). Pursuant to UFIRS, examiners evaluate six areas of performance and give each area a numerical CAMELS[13] rating of “1” through “5” with “1” representing the least degree of supervisory concern and “5” representing the greatest degree of supervisory concern. Examiners also assign an overall composite rating of “1” through “5” to the institution as well.

Footnote 13: The six performance areas identified by the CAMELS acronym are Capital adequacy, Asset quality, Management capabilities, Earnings sufficiency, Liquidity position, and Sensitivity to market risk.

Footnote 14: The minimum requirements of a full-scope examination are defined as the procedures necessary to complete the mandatory pages of the Uniform Report of Examination and evaluate all components of the UFIRS.
Between January 2011 and May 2019, the FDIC and TDB conducted six full-scope safety and soundness examinations[14] of ESB, three conducted by the FDIC, two conducted by TDB, and one joint examination, consistent with regulatory requirements on the frequency of examinations.[15] The FDIC also conducted three visitations[16] and TDB conducted two IT examinations, one interim risk examination, and one targeted review of suspicious activity during this period.

As part of the examination process, examiners use Matters Requiring Board Attention (MRBA) to communicate, in the Report of Examination (ROE), concerns that require the attention of the Board or senior management. MRBA are a subset of supervisory recommendations and signal supervisory concern.[17] A Memorandum of Understanding[18] (MOU) is a supervisory action that communicates to a bank an even greater level of supervisory concern than an MRBA. An MOU, also referred to as an informal enforcement action, represents a voluntary commitment by the Board of a financial institution that is neither publicly available nor legally enforceable.[19] When a bank has an MOU in place, the bank is usually rated a composite “3” to indicate supervisory concern in one or more of the component areas. MRBA and MOUs are subject to appropriate follow-up[20] by supervisory staff and/or examiners through quarterly progress reports, an interim contact, on-site visitation, offsite follow-up, and the next examination to assess the bank’s implementation of corrective measures.

Table 2 summarizes ESB’s supervisory history, including the resulting supervisory ratings, recommendations, and actions. As depicted in Table 2, examinations from 2013 through 2018 gave the bank either a “1” or “2” composite UFIRS rating, meaning that the bank was operating in a satisfactory manner and had low supervisory concern.
During the period covered by our review (March 2011 through May 2019), examiners issued multiple supervisory recommendations and one supervisory action that addressed issues related to the eventual causes of the bank’s failure. For example, examiners issued MRBA in six examinations, of which four (2011, 2012, 2016, and 2018) contained recommendations related to deficiencies in the bank’s audit program and two (2011 and 2013) contained recommendations related to credit administration and underwriting and loan review.

Footnote 15: The FDIC’s frequency of examination provision requires the FDIC “to conduct a full-scope, on-site examination of every insured state nonmember bank and insured State savings association at least once during each 12-month period.” 12 C.F.R. 337.12(a) (2019). However, for certain small institutions, the FDIC may conduct a full-scope, on-site examination at least once during each 18-month period. [12 C.F.R. § 337.12(b) (2019)]

Footnote 16: The term, “visitation,” may be defined as any review that does not meet the minimum requirements of a full-scope examination. Examiners may conduct the reviews for a variety of reasons, such as to assess changes in an institution’s risk profile or to monitor compliance with corrective actions.

Footnote 17: Supervisory recommendations are FDIC communications with a bank that are intended to inform the bank of the FDIC’s views about changes needed in practices, operations, or financial condition. [FDIC Regional Directors Memorandum 2017-012-RMS Supervisory Recommendations, including Matters Requiring Board Attention (June 2017)]

Footnote 18: A memorandum of understanding is an informal agreement between the institution and the FDIC, which is signed by both parties. The State Authority may also be party to the agreement. MOUs are designed to address and correct identified weaknesses in an institution’s condition.
Footnote: 19 A financial institution’s failure to implement the corrective measures detailed in an informal agreement may lead to formal enforcement actions, which are publicly available and legally enforceable. [FDIC’s RMS Manual of Examination Policies, Section 13.1, Informal Actions, and FDIC Formal and Informal Actions Procedures Manual (FIAP)]

Footnote: 20 FDIC Regional Directors Memorandum 2017-012-RMS, Supervisory Recommendations, including Matters Requiring Board Attention (June 2017) states that “MRBA will be tracked as part of the FDIC’s examination follow-up supervisory activities or at a subsequent examination.” The FDIC’s Case Manager Procedures Manual Section 8, Enforcement Actions (2016), describes the process for timely review and follow-up on quarterly MOU progress reports from the bank. The FDIC’s Case Manager Procedures Manual Section 5.1, Routine Correspondence, describes the process for timely review and follow-up on MRBA.

Table 2: Supervisory History of ESB, 2011 - 2019

Row: 1; Examination Start Date: March 7, 2011; Examination or Visitation: IT Examination (TDB); Supervisory Ratings (UFIRS): N/A; Supervisory Recommendation or Action: MRBA to obtain regular external IT audits.
Row: 2; Examination Start Date: May 16, 2011; Examination or Visitation: Examination (TDB); Supervisory Ratings (UFIRS): 3; Supervisory Recommendation or Action: MRBA to improve Board oversight of lending, credit administration and underwriting, staffing, loan review, and other loan-related concerns. Joint FDIC and TDB MOU (dated September 8, 2011) addressed the same concerns as the MRBA.
Row: 3; Examination Start Date: December 5, 2011; Examination or Visitation: Visitation (FDIC); Supervisory Ratings (UFIRS): 3; Supervisory Recommendation or Action: Reviewed compliance with provisions of the MOU.
Row: 4; Examination Start Date: May 14, 2012; Examination or Visitation: Examination (FDIC); Supervisory Ratings (UFIRS): 3; Supervisory Recommendation or Action: Reviewed compliance with provisions of the MOU. MRBA to obtain external financial audit and address loan-related concerns.
Row: 5; Examination Start Date: December 3, 2012; Examination or Visitation: Interim Risk Examination (TDB); Supervisory Ratings (UFIRS): 3; Supervisory Recommendation or Action: Reviewed compliance with provisions of the MOU.
Row: 6; Examination Start Date: December 3, 2012; Examination or Visitation: Visitation (FDIC); Supervisory Ratings (UFIRS): 3; Supervisory Recommendation or Action: Reviewed compliance with provisions of the MOU.
Row: 7; Examination Start Date: July 22, 2013; Examination or Visitation: Examination (Joint, TDB lead); Supervisory Ratings (UFIRS): 2; Supervisory Recommendation or Action: Joint transmittal letter issuing the 2013 ROE terminated the MOU (dated August 30, 2013). MRBA to improve credit administration and underwriting, loan review, and the budgeting process.
Row: 8; Examination Start Date: January 12, 2015; Examination or Visitation: Examination (FDIC); Supervisory Ratings (UFIRS): 1; Supervisory Recommendation or Action: None.
Row: 9; Examination Start Date: June 13, 2016; Examination or Visitation: IT Examination (TDB); Supervisory Ratings (UFIRS): N/A; Supervisory Recommendation or Action: None.
Row: 10; Examination Start Date: August 1, 2016; Examination or Visitation: Examination (TDB); Supervisory Ratings (UFIRS): 1; Supervisory Recommendation or Action: MRBA to develop an external audit program.
Row: 11; Examination Start Date: April 9, 2018; Examination or Visitation: Examination (FDIC); Supervisory Ratings (UFIRS): 2; Supervisory Recommendation or Action: MRBA to obtain a full-scope external financial audit and an external IT audit, and to improve internal audit and controls, capital and strategic planning, and cybersecurity preparedness.
Row: 12; Examination Start Date: May 13, 2019; Examination or Visitation: Targeted Review (TDB); Supervisory Ratings (UFIRS): 5; Supervisory Recommendation or Action: TDB closed the bank on May 31, 2019.
Row: 13; Examination Start Date: May 16, 2019; Examination or Visitation: Visitation (FDIC); Supervisory Ratings (UFIRS): 5; Supervisory Recommendation or Action: Critically Undercapitalized PCA Directive. TDB closed the bank on May 31, 2019.

[End of table]

In 2011 and 2012, examiners reviewed bank compliance with provisions of the MOU (2011) that addressed, among other things, Board oversight of the lending function, improving credit administration and underwriting, and improving loan review. The FDIC and the TDB terminated the MOU in 2013, and addressed the remaining weaknesses related to credit administration and underwriting and loan review in the examination (2013) MRBA. The FDIC examination (2018) was the first to identify the presence of a dominant official, and the ROE stated “to mitigate the risks posed by a dominant official, the Board should implement effective controls and strengthen the audit programs.” The MRBA (2018) incorporated this recommendation.

While the examinations of ESB identified weaknesses and recommendations for improvement, the FDIC’s supervision did not identify and address the severity of the internal control weaknesses in a timely manner. These weaknesses created an environment where significant loan fraud went undetected for more than 9 years. The FDIC examiners did not:

• Identify the existence and impact of a dominant official in a timely manner;
• Consistently identify and follow up on weaknesses in the bank’s audit program;
• Conduct additional testing to address unusual loan-related activity, which may have helped identify the fraudulent activity sooner than 2019; and
• Perform additional procedures to determine the likelihood of fraud once the examination in 2018 identified a dominant official, unsatisfactory Board oversight, and inadequate internal controls and audits.
The FDIC Did Not Identify the Bank President as a Dominant Official in a Timely Manner

Examiners did not identify the bank President as a dominant official in a timely manner. We believe this occurred due to unclear and inconsistent language in the FDIC’s guidance to examiners. Examiners could have designated the bank President as a dominant official before 2018. As early as 2012, when she was reappointed as the IT officer of the bank, she had many of the key responsibilities she had in 2018. A dominant official designation earlier than 2018 may have prompted additional scrutiny of internal controls by examiners, and may have placed additional emphasis on the bank obtaining appropriate external audit coverage21 prior to 2018.

Footnote: 21 External audit coverage may include an audit of the financial statements or an acceptable alternative, such as a well-planned Directors’ Examination, an independent analysis of internal controls or other areas, a report on the balance sheet, or specified auditing procedures by an independent auditor. [FDIC Statement of Policy Regarding Independent External Auditing Programs of State Nonmember Banks (June 1996)]

The FDIC’s Regional Directors Memorandum 2011-014, Identifying and Assessing Dominant Officials or Policymakers (June 2011) (RD Memo 2011-014) states that:

A dominant official or policymaker is defined as an individual, family, or group of persons with close business dealings, or otherwise acting in concert, that appears to exert an influential level of control or policymaking authority, regardless of whether the individual or any other members of the family or group have an executive officer title or receive any compensation from the institution… [A] dominant official is often found in a “One Man Bank” wherein the institution’s principal officer and shareholder dominates virtually all phases of the bank’s policies and operations. However, a dominant official can be found at institutions of various sizes, structures, and without regard to organizational charts.

In 2015, the FDIC issued Regional Directors Memorandum 2015-016-RMS, Identifying and Assessing Dominant Officials or Policymakers (December 2015) (RD Memo 2015-016) “to reinforce, clarify, and re-issue examination guidance on identifying and assessing the influence of dominant bank officials or policymakers.” RD Memo 2015-016 rescinded and replaced RD Memo 2011-014, but the definition of a dominant official had not substantially changed, and both RD Memos 2011-014 and 2015-016 required the examiners to identify dominant officials using the definition above and assess the influence of such officials.

We found the definition of a dominant official in the RD Memos to be unclear and believe it caused confusion for the examiners of ESB. The RD Memos do not define “an influential level of control or policymaking authority,” nor do they explain how examiners should identify it. It is not clear if “an influential level of control or policymaking authority” is determined by the roles and responsibilities of the official. It is also not clear if the level of control is related to bank operations, policies, or both. The examples provided in the RD Memos also do not help to explain “an influential level of control or policymaking authority.” One example states that “a dominant official is often found in a ‘One Man Bank’ wherein the institution’s principal officer and shareholder dominates virtually all phases of the bank’s policies and operations.” [emphasis added] However, this example is limited to a specific type of dominant official.
Another example provided in RD Memo 2011-014 states that “when a dominant officer or policymaker exerts a disproportionate level of influence over the board of directors and the affairs of the bank to such extent that the board of directors over-relies on the dominant individual or group in its strategy, policy, membership selection, and other decision-making processes, the institution may be exposed to potential abuse and/or poor risk selection.” The RD Memo, however, does not explain how examiners should identify such over-reliance.

Our conclusion is supported by statements made by those involved in the examinations of ESB. The nine individuals we spoke to provided different explanations for why the President was not identified as a dominant official earlier than 2018. Two individuals stated the President should have been considered a dominant official earlier; three stated she was not considered a dominant official until she became the largest shareholder (which the definition does not indicate is a required criterion); and one stated that although the President had a lot of duties, it did not seem like she controlled policy (although the definition states “influential level of control or policymaking authority”). Finally, even though the definition of a dominant official did not change substantially between 2012 and 2018, four individuals stated that the reinforced guidance22 and training provided to examiners after the 2015 examination of ESB placed increased attention on the concept of a dominant official and was a reason why the President was identified as a dominant official in 2018. We believe this wide range of answers supports our conclusion that the examiners did not have a consistent understanding of the definition of a dominant official and that the guidance, as written, is not clear.
Examiners did not identify the President as a dominant official until 2018, although she had significant control of bank operations years before then and the definition of a dominant official had not substantially changed. The ROE (2012) identified that the President was also a lending officer, a Board member, a shareholder, a Loan Committee member, and had recently been reappointed to the bank’s IT officer role. These roles indicated that she could exert an influential level of control, as she had the authority, responsibility, and access to conduct numerous activities. We believe that the unclear and inconsistent language in the guidance was a factor in the examiners’ untimely identification of the bank President as a dominant official. Although the more recent training may have placed increased attention on the concept of a dominant official, without clear guidance, RMS cannot ensure examiners will consistently apply guidance and properly identify dominant officials, especially in situations similar to ESB.

Assessment of Internal Controls

Designating a bank official as dominant triggers a requirement that examiners make further assessments of the bank’s internal control environment. The Examination Manual Section 4.1, Management (April 2018) states that “if examiners identify dominant officials at an institution, they should assess the official’s level of influence… along with other risk factors and risk management controls designed to mitigate these risks.” It further states, “operational risks inherent in these situations include the circumventing of internal controls by a dominant official.”

Footnote: 22 In April 2018, the FDIC updated Examination Manual Section 4.1, Management, to incorporate substantially the same definition of a Dominant Official included in RD Memo 2015-016.
In October 2018, the FDIC issued Regional Directors Memo 2018-025-RMS, Lessons Learned From Post-Crisis Bank Failures: Risk-Focused, Forward-Looking Supervision Strategies to Target Root Causes of Deficiencies (October 2018), which provided examples of scenarios involving dominant officials with insufficient compensating controls. For example, the RD Memo states, “such individuals controlled the flow of information to the board of directors, had excessive lending authorities, engaged in transactions that were conflicts of interest, controlled examiner discussions with bank personnel, and attributed examiner criticisms to examiner inexperience or lack of understanding.” Nevertheless, it is unclear how these examples assist examiners in identifying a dominant official.

A main tenet of internal controls is segregation of duties. At smaller banks like ESB, segregation of duties can be difficult because of the limited number of staff. Therefore, in such situations, IT system access controls and internal and external audits become important mitigating controls.

Examiners reviewed the bank’s internal control program in every examination. The examination in 2012 identified that the bank had a small staff, with just two managers sharing all daily management duties, and we found that the personnel working at the bank did not change significantly between 2012 and 2018. The limited number of personnel would have made adequate segregation of duties challenging. The ROE (2018) concluded that segregation of duties internal controls were inadequate, stating that “[t]he centralization of several key responsibilities under [the] President . . . is an additional risk factor which the Board should consider when developing the external audit program.” The ROE (2018) also noted inadequate segregation of duties for the senior-level Vice President and the Internal Auditor.
Ultimately, in 2019, examiners determined that poor internal controls and an ineffective audit program provided the President unrestricted computer system access, which allowed her the ability to create and modify fictitious loans.

Recommendation: We recommend that the Director, Division of Risk Management Supervision:

(1) Clarify criteria the examiners should use to identify an official as dominant.

The FDIC Did Not Consistently Identify and Follow up on Weaknesses in the Bank’s Audit Program

The Board of Directors is responsible for ensuring that the bank has an effective internal audit function23 and external audit program,24 which tests the bank’s financial, operational, and IT controls. For ESB, the audit program included internal audits, external financial reviews, and external IT audits. The FDIC examination (2018) indicated that effective audits were important for ESB to mitigate the risks related to limited segregation of duties and the presence of a dominant official. Effective independent internal audit coverage and appropriate independent external audit coverage of ESB may have identified the fraudulent activity.

Footnote: 23 Interagency Policy Statement on Internal Audit Function and Outsourcing (March 2003).

Footnote: 24 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (October 1999).
The FDIC Did Not Adequately Address ESB’s Internal Audit Function in the 2015 Examination

The Examination Manual Section 4.2, Internal Routine and Controls (March 2015) states that “[e]xaminers should evaluate audit and control procedures as part of their overall assessment of a bank’s internal control program.” Examination Manual Section 4.1, Management (December 2004) adds that when examiners encounter situations that involve dominant management officials, they should “assess whether a qualified, experienced, and independent internal auditor is in place” and “a proper segregation of the internal audit function is achieved from operational activities.” FDIC Rules & Regulations, 12 C.F.R. Part 364 Appendix A - Interagency Guidelines Establishing Standards for Safety and Soundness (12 C.F.R. Part 364 Appendix A) provides, in part, that an institution should have an internal audit system that is appropriate for the size of the institution and the nature and scope of its activities and that provides for independence and objectivity; adequate testing and review of information systems; and adequate documentation of tests and findings and any corrective actions.

The bank had the same Internal Auditor during the 8-year period covered by our review, and examiners identified concerns with her independence, qualifications, and depth of review in the examinations conducted in August 2016 and April 2018 as follows:

• The examination report identified that the Internal Auditor also had the authority to review and approve general ledger entries, thus compromising internal audit independence; and cited the need to improve independence to ensure the accuracy of financial reporting. (August 2016)
• The examination report repeated the 2016 concern of lack of independence and also cited the bank for nonconformance with the regulation on safety and soundness standards (12 C.F.R. Part 364, Appendix A). (April 2018)
• Examination work papers stated that “[i]n 2017 the bank’s Internal Auditor prepared IT Audit reports for the Board; however, she could not explain the scope of her review or describe the test controls she performed to assess the IT program.” The work papers also concluded that the Internal Auditor lacked “independence and qualification to perform IT audits,” and that the 2017 internal IT audit report did not indicate any scope of work or test of controls. (April 2018)

We found that the 2015 and 2016 internal IT audit reports were exactly the same as the 2017 internal IT audit report, indicating similar issues existed in 2015 and 2016. Included in the examination report of 2018 was an MRBA recommending that the Board ensure the internal audit function is “independent in order to mitigate the centralization of managerial responsibilities” and ensure “appropriate segregation of duties.” The MRBA also recommended that the Board engage “a qualified auditor to assess the IT function” and that “the audit scope should contain a test of key controls.”

The ROE (2015) concluded that “[t]he audit and internal control programs are adequate.” However, the examination work papers indicated that the Internal Auditor was not available for discussion with examiners, as she was out of the office on leave. Therefore, examiners would not have been able to ask the auditor questions about her independence, qualifications, or the results of the internal control and IT audits performed. Nevertheless, the ROE (2015) and examination work papers did not comment on the auditor’s independence in regard to internal control and IT audits or her qualifications to perform IT audits, or indicate whether internal audit work papers were reviewed. We also noted that the examination work papers in 2015 did not document the scope and results of the internal loan audit and the internal IT audit.
Considering the significance of these areas to the bank and the lack of annual external financial and IT audits, the examination work papers should have documented the scope and results of these internal audits. We also found that the examiners did not criticize the bank’s Safety and Soundness and Compliance Risk Assessment in 2015, which the bank used to guide the audit program. However, the bank used the same Risk Assessment in 2018, and examiners found it deficient, as it was primarily IT-focused and did not include all operational areas. Had the FDIC more thoroughly documented the assessment of the internal auditor’s independence and qualifications, and the scope and results of internal audits in the examination from 2015, examiners may have identified internal audit program deficiencies earlier than the examination from 2018. Identifying these weaknesses at an earlier point in time would have led the FDIC to place greater emphasis on the bank obtaining annual comprehensive external financial and IT audits, which may have allowed the bank and examiners to identify the underlying fraud prior to 2019.

Recommendation: We recommend that the Director, Division of Risk Management Supervision:

(2) Train examiners on the importance of understanding and documenting the independence and qualifications of internal auditor(s), and reviewing internal audit work papers and results.

The FDIC Did Not Adequately Address ESB’s External Financial Audit Coverage

Annual external financial statement audits25 are not required for small banks such as ESB,26 but interagency guidance emphasizes their importance. The Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (October 1999) (Interagency Policy) indicates that the Board should annually consider the level of external audit coverage needed.
The Interagency Policy states that an external auditing program is designed for an independent auditor to test and evaluate high-risk areas of a bank’s business and adds that “[e]xternal auditing programs should include specific procedures designed to test at least annually the risks associated with the loan and investment portfolios.” [emphasis added] FDIC policy27 states “[t]he highest risk areas in banks generally include, but are not necessarily limited to, the valuation of collectability of loans (including the reasonableness of the allowance for loan losses), investments, and repossessed and foreclosed collateral; internal controls; and insider transactions.” The Examination Manual Section 4.2, Internal Routine and Controls (December 2004), adds that “[i]f the audit committee or board, after due consideration, determines not to engage an independent public accountant to conduct an annual audit of the financial statements, the reason(s) for the conclusion to use one of the acceptable alternatives or to have no external auditing program should be documented in the written meeting minutes. . . . The examiner should determine whether the alternative selected by the bank adequately covers the bank’s high-risk areas and is performed by a qualified auditor who is independent of the bank.”

During the 8-year period covered by our review, ESB did not receive an external audit of its financial statements. Instead, it received an external financial review, called a Directors’ Examination,28 in June 2013, which did not cover certain high-risk areas recommended by the Interagency and FDIC Policy statements. We found that during the examination in 2015, the FDIC examiners should have recommended that the bank implement an external financial audit program that focused on the bank’s risks, consistent with Interagency and FDIC guidance.
Footnote: 25 An audit is “[a]n examination of the financial statements, accounting records, and other supporting evidence of a bank performed by an independent certified or licensed public accountant in accordance with generally accepted auditing standards and of sufficient scope to enable the auditor to express an opinion on the bank’s financial statements as to their presentation in accordance with generally accepted accounting principles (GAAP).” [FDIC Statement of Policy Regarding Independent External Auditing Programs of State Nonmember Banks (June 1996)]

Footnote: 26 FDIC Rules and Regulations, 12 C.F.R. Part 363, require an annual external financial statement audit for financial institutions with total assets of $500 million or more. Therefore, this requirement did not apply to ESB because the bank had less than $500 million in assets. TDB officials indicated in May 2020 that approximately 31 states had requirements for mandatory external audits, but stated that Texas is not one of those states.

Footnote: 27 FDIC Statement of Policy Regarding Independent External Auditing Programs of State Nonmember Banks (June 1996).

Footnote: 28 A Directors’ Examination is a review by an independent third party that has been authorized by the bank’s board of directors and is performed in accordance with the board’s analysis of potential risk areas. Certain procedures may also be required as a result of state law. A Directors’ Examination usually involves the performance of agreed-upon procedures and does not constitute a full-scope audit of the bank’s financial statements. [FDIC Statement of Policy Regarding Independent External Auditing Programs of State Nonmember Banks (June 1996) and Interagency Policy (October 1999)]

The FDIC Did Not Recommend Annual External Financial Audit Coverage in the 2015 Examination

In the FDIC examination in 2012, examiners found that the ESB audit program was inadequate, as the bank had not received “any external financial audit coverage since the December 2007 Directors’ Examination.” [emphasis added] The ROE stated that the Board should ensure that the bank receive “some external audit coverage at least annually.” [emphasis added] Given the 4-year period since the bank’s last external review, examiners could have better defined what they expected from the bank in regard to “some external audit coverage” to address the weaknesses identified. Although not required, an external financial audit provides greater assurance than a Directors’ Examination, according to FDIC policy.

The FDIC visitation in December 2012 stated that a Directors’ Examination was scheduled for April 2013 and the President “agreed to have all key functional areas reviewed, including a loan review and a thorough analysis of the ALLL [allowance for loan and lease losses] methodology.” The bank obtained a Directors’ Examination from an independent auditor in June 2013, and the Joint ROE (2013) stated that the “draft report noted no material findings.” We did not find evidence in the Joint ROE (2013) that examiners documented whether this alternative to an audit adequately covered all high-risk areas. This assessment is important because a Directors’ Examination gave the President the opportunity to exclude coverage of activities that might have detected fraudulent loan activity.
We concluded that this external review did not constitute adequate external audit coverage, as it did not address certain high-risk areas. The Directors’ Examination (2013) report stated that “[w]e were not requested to, and did not evaluate the collectability of loans, the adequacy of collateral, or the reasonableness of the allowance for loan losses.” Further, despite the FDIC recommendation in 2012, the bank also did not obtain any external audit coverage in 2014, and the Board minutes did not contain an explanation for why the bank had no external audit work performed that year.

In the FDIC examination in 2015, examiners also reviewed the Directors’ Examination (2013) report, concluding it contained no material findings. Examiners accepted the explanation that “Management schedules a Directors’ Examination every other year,” even though that practice was not consistent with Interagency Policy or the FDIC recommendation in 2012, nor did the Board minutes explain the rationale for this decision as recommended in Examination Manual Section 4.2. The FDIC examiners also relied on bank management assurance that “[t]he next Directors’ Examination is planned for late 2015 with the same firm.”

Considering the bank’s lack of external financial audits, the FDIC should have recommended in 2015 that the Board obtain annual external financial audit coverage that focused on the bank’s risks. For example, examiners could have recommended that the planned Directors’ Examination include appropriate coverage of the loan portfolio, as one of the high-risk areas of the bank’s business. The FDIC also should have recommended that the bank adequately document in the Board minutes the rationale for the level of annual audit coverage.
Moreover, the FDIC should have requested that the bank provide the engagement letter, start date, and scope of the “planned” external financial review in 2015 to obtain assurance that the bank would follow through on its commitment to obtain a Directors’ Examination in 2015.

The FDIC Did Not Follow Up on External Financial Audit-Related Recommendations in a Timely Manner

The FDIC did not follow up on external audit-related recommendations in the TDB (2016) and FDIC (2018) examinations in a timely manner. Specifically, the MRBA in the TDB ROE (2016) recommended that bank management and the Board develop an external audit program and formalize it in the audit policy. The MRBA stated that “[g]iven the inherent risk associated with the centralization of responsibilities, the Board should determine an appropriate timeframe between external audits. Should the Board determine that no form of external audit is necessary in a given year; the rationale for this decision should be documented within the board minutes.” Considering the bank’s history, and that it had been 3 years since the previous external review, implementation of this recommendation was urgent and important. However, the FDIC did not have a process for tracking its follow-up on the bank’s efforts to address State-issued MRBA at that time. As a result, the FDIC did not identify until just before the FDIC examination in 2018 that bank management had failed to respond timely to the State’s 2016 examination findings and had not obtained any external financial audit coverage.
In the examination in 2018, the FDIC included an MRBA with stronger wording than in the MRBA from 2016, stating that “the Board should ensure that the external audit scheduled for 2018 be a full financial statement audit with an attestation of the bank’s internal routines and controls.” The ROE (2018) also stated that “[t]he Board approved an external audit to be conducted in 2018; however, no specific scope has been developed.” The FDIC followed up with the bank on August 29, 2018, 2 months after the FDIC issued the ROE, to ask for the audit report when completed. At the time, the FDIC did not ask for the engagement letter, which would have confirmed the audit scope and start date. ESB responded on October 2, 2018, that it would forward the financial statement audit to the FDIC “when completed,” still with no mention of a start date. Although the FDIC expected the audit to be conducted in 2018, it did not follow up on the recommendation again until March 26, 2019, requesting that the bank provide the financial statement audit report by April 30, 2019. Ultimately, the President engaged an external firm to conduct a Directors’ Examination rather than a financial statement audit and delayed the start of that work until April 2019.29

Had the FDIC more strongly encouraged the bank to obtain the audit in 2018 as agreed to by the Board, by requesting an engagement letter or other evidence of the start date and scope, additional suspicious funds transfers and loan payoffs may have been prevented. FDIC examiners identified approximately $1.08 million of suspicious funds transfers and loan payoffs for the period December 31, 2018 through May 31, 2019 that appeared to directly benefit the President, senior-level Vice President, and their related interests. Existing FDIC guidance30 requires clarity in FDIC MRBA provisions, and timely coordination and follow-up.
FDIC personnel also stated that “[i]n 2018 and 2019, Commissioned Examiners and Case Managers received training on MRBA and other topics to improve the quality of ROEs and supervisory responses.” Prior to the OIG’s IDR, RMS identified that its current policy does not require tracking of the monitoring and follow-up activity on State-issued MRBA, and stated that RMS is developing policy and a procedure on that topic as a result of its review of ESB supervision.

Recommendations: We recommend that the Director, Division of Risk Management Supervision:

(3) Train examiners on the importance of adequate annual external financial audit coverage, and under what circumstances and with what justifications banks may obtain reviews in place of audits.

(4) Implement guidance and train personnel on monitoring and following up on State-issued Matters Requiring Board Attention.

Footnote: 29 The external audit firm did not complete the report on this work prior to the bank’s failure in May 2019.

Footnote: 30 FDIC Regional Directors Memorandum 2017-012-RMS, Supervisory Recommendations, including Matters Requiring Board Attention (June 2017); FDIC Regional Directors Memorandum 2018-025-RMS, Lessons Learned From Post-Crisis Bank Failures: Risk-Focused, Forward-Looking Supervision Strategies to Target Root Causes of Deficiencies (October 2018); and FDIC Regional Directors Memorandum 2020-003-RMS, Updates to the Risk Management Manual of Examination Policies and Case Manager Procedures to Implement Exam Workstream Project Recommendations (January 2020).

The FDIC Did Not Strongly Recommend Adequate External IT Audit Coverage in the 2015 Examination

FDIC Rules & Regulations, 12 C.F.R. Part 364 Appendix B - Interagency Guidelines Establishing Information Security Standards (12 C.F.R. Part 364 Appendix B) states that: Each institution shall: Regularly31 test the key controls, systems and procedures of the information security program.
The frequency and nature of such tests should be determined by the institution's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs. Because ESB did not have independent internal staff experienced in IT controls testing, regular and effective external IT audits would have been necessary for ESB to comply with this requirement.

Examiners reviewed ESB’s IT controls, including the adequacy of internal and external IT audits, in conjunction with each safety and soundness examination. During the 8-year period covered by our review, the bank received an external IT audit four times (September 2011, April 2013, May 2016, and November 2018). However, the external IT audit work performed did not detect the President’s abuse of her inadequately controlled access to the bank’s information systems.

The FDIC did not strongly recommend in 2015 that the bank obtain timely external IT audits that adequately address system user access controls. Examiners noted in 2011 that “[a]n independent, full scope IT audit needs to be performed no less than every 12 to 18 months. The last independent and comprehensive IT audit was performed in 2006.” The examination report contained an MRBA recommending “[a]n independent, full scope IT audit needs to be performed regularly.”

The ROE (2012) stated that the bank obtained an external IT audit in September 2011 with an appropriate scope, and added that the President had recently been reappointed IT officer after the departure of an employee who handled the duties. The President stated she would recommend that the Board continue with an annual external IT audit “to assure the function remains compliant given her numerous duties.” [emphasis added.] The ROE (2013) indicated that the bank obtained a detailed IT audit in April 2013, and concluded that management had corrected the weaknesses noted in that audit report.

Footnote: 31 12 C.F.R. Part 364 Appendix B does not define the term “regularly” with regard to control testing. The Federal Financial Institutions Examination Council (FFIEC) Audit IT Examination Handbook (April 2012) indicates that bank management should ensure that key controls are tested annually.

We noted discrepancies in the examiner’s analysis of ESB’s external IT audits in the next examination in 2015.

• The examination work papers did not include or refer to an IT audit report from 2013 and instead stated that the bank’s last external IT audit was in September 2011.

• The examination work papers indicated that IT audit coverage included assessing users and system services access rights; however, our review of the 2011 and 2013 external IT audit reports found that they did not identify any results related to system user access controls for bank personnel.

• The ROE (2015) stated that “given management’s reliance on the external auditor, the IT department would benefit from more frequent audit procedures” and “[the] President… stated that she plans to increase the frequency of IT audits to an 18-month cycle.” We found that this frequency was actually a reduction from what the examiners recommended in 2011 and the President’s commitment in 2012 to obtain annual testing.

• Examiners did not highlight that it had already been over 18 months since the April 2013 external IT audit identified in the ROE (2013).

Therefore, the FDIC should have prepared a stronger response to this delay. An MRBA could have been an effective tool to encourage the bank to promptly obtain appropriate external IT audit coverage annually. Although the ROE (2015) states that “[t]he Board intends to schedule the next IT audit with a different firm in 2015,” the bank waited more than a year to obtain another external IT audit. The FDIC examination in 2018 noted that the Board approved in its May 2016 meeting a firm to perform an annual external IT audit, and the bank obtained an external IT audit in May 2016.
However, FDIC examiners concluded that the audit in 2016 “did not contain any test of controls for information security.”32 The FDIC examination (2018) was the first to raise significant regulatory concerns about controls over the bank’s information systems. FDIC examiners used the Information Technology Risk Examination (InTREx) Program33 to identify the weakness in the bank’s information system user access controls.34

Footnote: 32 The bank did not obtain an external IT audit in 2017.

Footnote: 33 FDIC Regional Directors Memorandum 2016-009-RMS Information Technology Risk Examination (InTREx) Program (June 2016). This guidance was effective for all IT examinations starting on or after September 22, 2016.

Footnote: 34 The OIG plans to conduct an audit of the InTREx Program as part of a future assignment.

• The 2018 ROE stated that “[t]he Board has generally adopted a very low cybersecurity risk profile . . .; however, this decision also allows management to bypass complete segregation of duties among personnel, and a policy of least privilege35 is not in place. All users have access to all systems.”

• The work papers from the FDIC examination in 2018 added that the President’s remote access into the bank’s systems “has never been audited which is a serious concern.” Examiners cited the bank for nonconformance with the FDIC regulations on information security standards (12 C.F.R. Part 364 Appendix B) requiring regular tests of key controls and staff training to implement the bank’s information security program.

• The examination also included an MRBA recommending that the Board engage “a qualified auditor” to assess the IT function and that “the audit scope should contain a test of key controls.” While the bank subsequently obtained an external IT audit in November 2018, it was from the same firm that performed the 2016 audit.
The November 2018 external IT audit report did not identify any significant internal control concerns regarding access to the bank’s information systems. In retrospect, the 2018 MRBA could have been more specific to require the bank to promptly provide the FDIC an engagement letter, identifying the firm, scope and planned start date, for the 2018 external IT audit. A stronger FDIC recommendation in 2015 for the bank to obtain timely external IT audits that adequately evaluated bank information system user access controls may have helped the bank and the FDIC identify sooner than 2018 the President’s inadequately controlled systems access.

Recommendation: We recommend that the Director, Division of Risk Management Supervision:

(5) Train examiners on the importance of ensuring that information system user access controls be adequately tested.

The FDIC Did Not Conduct Additional Tests to Address Unusual Loan-Related Activity

According to the Examination Manual Section 4.2, Internal Routine and Controls (December 2004) “[t]ime constraints and optimum resource utilization do not permit a complete audit during bank examinations, nor would the benefits derived from such efforts generally be warranted. Nevertheless, in those cases where the examiner perceives the need, the examination may be expanded to include the use of more audit techniques and procedures.” Audit techniques that examiners may consider using when appropriate include:

• Loans: Test check interest computations on a sampling of loans.

• General Ledger Accounts: Determine the reason for any unusual or abnormal variations between the various general ledger accounts.

• Suspense Accounts: Review suspense accounts for large or unusual items.

In addition, the FDIC maintains Examination Documentation modules that provide examination procedures for examiners to consider.
The module titled Loan Operations Review (September 2014) contains core analysis procedures that include the following relevant procedures:

• Determine if loan approvals are properly documented, and verify that loan terms are consistent with officer, committee, and board approvals.

• Determine how new and renewed loans are approved and booked and whether loan officers are able to renew and extend loans without an independent review.

• Determine if there are loans on which interest is not being collected in accordance with the terms of the note, such as loans that have been renewed without full collection of interest, with interest being rolled into principal, or interest paid from the proceeds of a separate note.

• Determine the adequacy of reconciliations between subsidiary loan records and the general ledger. Consider the frequency of reconciliations, the disposition of reconciling amounts, and the separation of duties for personnel involved.

• Ascertain if items held in suspense accounts clear in a timely manner.

• Determine if management appropriately identifies, measures, monitors, controls, and reports concentration risks of credit by industry, type, person, etc.

We identified unusual loan-related activities at ESB using information in the 2015 and 2018 FDIC examination work papers, bank records we gathered from the FDIC Business Data Services system, and other records.
Specifically, we identified:

(1) Loans meeting review thresholds that were not reviewed by the Loan Committee as required (2018);

(2) Loans that were paid off subsequent to examiner selection for review, and that were paid off within months after origination or had significant amounts of accrued interest (2015, 2018);

(3) Loan account balances and changes that were not adequately reconciled or explained (2015, 2018); and

(4) An agricultural loan concentration that was increasing in conjunction with unusual loan growth and was significantly higher than the bank’s peer group that the bank did not adequately monitor (2015).

We found that the examiners did not perform additional procedures to identify, or if identified assess, these unusual loan-related activities during the indicated examinations. While not required, had examiners conducted such additional tests, they may have identified the fraudulent activity sooner than 2019 and reduced the loss to the DIF.

The FDIC Did Not Perform Additional Procedures Related to the Bank’s Loan Review Process

A bank’s loan review process provides the basis for funding the Allowance for Loan and Lease Losses and identifying problem assets in need of workout plans. ESB loan reviews were performed by the Loan Committee, comprised of the President, senior-level Vice President, and three outside directors. Due to the bank’s limited staffing, examiners in 2011, 2012, and 2013 recommended that the bank obtain an external loan review. However, during the FDIC visitation in December 2011, the bank President stated that an external loan review was not necessary given the bank’s small local portfolio, and that all loan reviews would continue to be performed internally.
Examiners reported weaknesses in ESB’s loan review function in the TDB (2011) and FDIC (2012) examinations, and the MOU (2011) required that “[t]he Bank shall ensure that all borrowing relationships of $50,000 and above are reviewed initially and annually thereafter.” In the Joint Examination (2013), examiners concluded that the loan review program had improved and subsequent examinations did not identify significant concerns about the loan review function. Nevertheless, in 2019, examiners identified more than 100 fictitious loans, most of which a Board member determined were not brought before the Loan Committee for review and approval. In the ROE (2013), examiners had concluded that the loan “[r]eviews are conducted annually for all relationships over $50,000.” However, we reviewed the 47 borrowers with a loan of more than $50,000 on the commercial loan trial balance as of the June 28, 2013 loan cutoff date for the Joint Examination (2013), and we found 30 borrowers (64 percent) that did not appear in the Loan Committee minutes for the years 2011 through 2013. The principal balance of the loans over $50,000 for these 30 borrowers totaled $3.66 million on June 28, 2013. Further, ESB Loan Policy required Loan Committee approval of all loans over $30,000. During our review of the FDIC examination (2018) work papers, we found that examiners did not identify that four sampled loans met the Loan Committee approval or annual review thresholds but had not been documented in the Loan Committee minutes. All four were reported as being paid off during the examination in 2018. In 2019, examiners concluded that these loans were fraudulent. While not required, had examiners tried to trace these sampled loans to the Loan Committee minutes, they would have likely requested more information about those loans, possibly identifying they were fraudulent in 2018. 
The FDIC Did Not Perform Other Additional Procedures on Sampled Loans

In addition, we found that the examiners did not perform the following additional procedures when reviewing loans or information that reflected unusual activity:

• Examiners did not review files for loans that were paid off in the loan system after examiners had selected the loans for review. In the examination of 2018, 5 of the 19 examiner-sampled borrower relationships (26 percent) had paid off loans. Examiners relied on payment documentation that bank management fraudulently prepared and provided to them, such as manually prepared general ledger tickets and wire transfer forms. Examiners did not review further the source of funds supporting the loan payoff.

• Examiners did not question the approximately 2 to 4 years of accrued interest on four loans that were paid off during the 2018 examination, which examiners in 2019 found to be fraudulent loans. Had examiners reviewed the interest calculations and payment histories of these loans, they would have seen modifications to maturity dates without payment of interest.

• Examiners did not obtain an explanation for why two sampled loans were paid off within 2 months after origination, both posting on the Friday before the start of the 2015 examination.

While not required of examiners, conducting these additional loan review procedures would have provided more information on the unusual loan activity at ESB that could have helped examiners identify the fraudulent activities of the bank President and senior-level Vice President sooner than 2019.

The FDIC Did Not Perform Additional Loan Account Reconciliation Procedures

Examiner reconciliations of assets and liability accounts help ensure the accuracy of recorded entries and that subsidiary accounts balance to the general ledger.
During the examinations in 2015 and 2018, FDIC examiners reviewed bank-prepared reconciliations of the loan clearing account; however, they did not review the reconciling items in detail, which may have identified the true nature of the loan transactions that made up the account. In 2015, the bank provided examiners a manually prepared reconciliation of the unusually large balance in the loan clearing account. We found no evidence that the examiners documented any observations or concerns related to this reconciliation. However, our review determined that five of the six reconciling items represented either fraudulent or suspicious36 loan transactions, which examiners might have identified if they had followed up on the reconciling items. In 2018, the bank could not adequately reconcile the unusually large balance in the loan clearing account, and examiners identified discrepancies in the supporting documentation provided by the bank. In their review, examiners stated the discrepancies could be due to timing, and that further inquiry would need to be made with the bank in order to reconcile the balances. Nevertheless, examiners did not follow up further on reconciliation of the balances, and the loan clearing account remained unreconciled. Our review determined that 12 of the 16 reconciling items in 2018 represented either fraudulent or suspicious loan transactions that the examiners might have identified if they had followed up further on the reconciling items. Finally, during the examination in 2018 examiners requested loan account information as of March 15, 2018, but the bank provided the information as of April 3, 2018, about 2½ weeks after the requested cut-off date. This substitution should have prompted examiners to conduct further review. 
Examiners learned in 2019 that the delay tactic allowed the President time to hide $4.98 million in fraudulent loan balances by transferring the amounts from the loan trial balance and related loan accounts to a non-loan general ledger account37 that examiners did not review as of April 3, 2018. Had examiners requested and reviewed support for this large non-loan balance sheet account as of the loan sample cutoff date, examiners would have identified the fraudulent loan-related amounts. Additionally, examiners could have obtained and compared the loan trial balance and loan account reconciliation as of the original request date to the subsequently provided date. Had they done so, they could have identified and followed up on the unusual $3.9 million (13.9 percent) drop in the loan balance between the requested date and the date that the bank provided the loan trial balance.

Footnote: 36 We considered a suspicious loan transaction to be one where we found one or more of the following attributes: the loan met the criteria for Loan Committee review but was not presented to the Loan Committee, the loan was originated at the time fraudulent loans were originated; and payments on the loan were irregular or made right before an examination.

Footnote: 37 This account was the Excess Balance Account (EBA), which the bank used to earn interest on balances held at the Federal Reserve Bank of Dallas.

The FDIC Did Not Request That Management Improve Monitoring and Reporting of the Agricultural Loan Concentration in a Timely Manner38

Financial Institution Letter FIL-39-2014, Prudent Management of Agricultural Credits Through Economic Cycles (July 2014),39 states that risk management practices should include appropriate procedures for identifying, monitoring, and controlling concentrations.
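Before turning to the concentration finding, the loan-related checks discussed in the preceding sections can be expressed as a screening routine. The following Python is an added example, not code from the OIG report or the FDIC's examination procedures: it applies the Loan Committee thresholds ($30,000 approval, $50,000 annual review), the payoff and accrued-interest attributes from footnote 36 and the sampled-loan findings, and the trial balance comparison between the requested and substituted cut-off dates. The 60-day, 2-year and 7-day windows and the 5 percent tolerance are assumptions approximated from the report's wording, and every loan record, minute entry and date is constructed sample data.

```python
"""Screening a loan trial balance for the unusual loan-related activity the report
describes. Added example, not code from the OIG report or the FDIC; every loan
record, minute entry and date below is constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Thresholds stated in the report: the MOU (2011) required annual Loan Committee
# review of relationships of $50,000 and above, and ESB Loan Policy required Loan
# Committee approval of loans over $30,000.
REVIEW_THRESHOLD = 50_000
APPROVAL_THRESHOLD = 30_000
# Windows approximated from the report's wording (assumptions, not FDIC guidance).
EARLY_PAYOFF_DAYS = 60         # "paid off within 2 months after origination"
STALE_INTEREST_DAYS = 2 * 365  # "approximately 2 to 4 years of accrued interest"
PRE_EXAM_WINDOW_DAYS = 7       # payoff posting "right before an examination"


@dataclass
class Loan:
    loan_id: str
    borrower: str
    principal: float
    originated: date
    paid_off: Optional[date] = None
    last_interest_paid: Optional[date] = None  # None: no interest ever collected


def screen_loan(loan: Loan, minutes_borrowers: Set[str], as_of: date,
                exam_start: date, sample_selected: date) -> List[str]:
    """Return the attributes that make `loan` unusual or suspicious (empty if none)."""
    flags = []
    # Footnote 36: met Loan Committee criteria but never presented to the committee.
    if loan.principal > APPROVAL_THRESHOLD and loan.borrower not in minutes_borrowers:
        kind = "annual review" if loan.principal >= REVIEW_THRESHOLD else "approval"
        flags.append(f"met Loan Committee {kind} threshold but absent from minutes")
    if loan.paid_off is not None:
        if (loan.paid_off - loan.originated).days <= EARLY_PAYOFF_DAYS:
            flags.append("paid off within 2 months of origination")
        if loan.paid_off >= sample_selected:
            flags.append("paid off after examiner sample selection")
        if 0 <= (exam_start - loan.paid_off).days <= PRE_EXAM_WINDOW_DAYS:
            flags.append("paid off immediately before the examination")
    # Interest rolled forward without collection: measure from the last interest
    # payment (or origination) to payoff or the review date.
    last = loan.last_interest_paid or loan.originated
    end = loan.paid_off or as_of
    if (end - last).days > STALE_INTEREST_DAYS:
        flags.append("more than 2 years of uncollected interest")
    return flags


def screen_portfolio(loans: List[Loan], minutes_borrowers: Set[str], as_of: date,
                     exam_start: date, sample_selected: date) -> Dict[str, List[str]]:
    """Map loan_id -> flags for every loan that raised at least one flag."""
    results = {}
    for loan in loans:
        flags = screen_loan(loan, minutes_borrowers, as_of, exam_start, sample_selected)
        if flags:
            results[loan.loan_id] = flags
    return results


def trial_balance_drop(requested_total: float, provided_total: float,
                       tolerance_pct: float = 5.0) -> Tuple[float, float, bool]:
    """Compare loan trial balance totals as of the requested and the substituted
    cut-off dates; a drop above tolerance_pct (assumed value) warrants follow-up
    on where the balances went."""
    drop = requested_total - provided_total
    pct = 100.0 * drop / requested_total
    return drop, round(pct, 1), pct > tolerance_pct


# Constructed sample data modelled on the 2018 examination timeline in the report.
SAMPLE_SELECTED = date(2018, 3, 15)   # examiner-requested loan cut-off date
AS_OF = date(2018, 4, 3)              # date of the records the bank actually provided
EXAM_START = date(2018, 4, 2)
MINUTES_BORROWERS = {"Borrower C"}    # borrowers appearing in Loan Committee minutes
SAMPLE_LOANS = [
    Loan("L-101", "Borrower A", 75_000, date(2014, 3, 1), paid_off=date(2018, 3, 20)),
    Loan("L-102", "Borrower B", 40_000, date(2018, 1, 15), paid_off=date(2018, 3, 9)),
    Loan("L-103", "Borrower C", 120_000, date(2016, 6, 1),
         last_interest_paid=date(2017, 12, 15)),
    Loan("L-104", "Borrower D", 20_000, date(2012, 1, 10), paid_off=date(2018, 3, 30)),
]

if __name__ == "__main__":
    hits = screen_portfolio(SAMPLE_LOANS, MINUTES_BORROWERS, AS_OF, EXAM_START, SAMPLE_SELECTED)
    for loan_id, flags in hits.items():
        print(loan_id, flags)
    # Constructed totals giving the report's $3.9 million (13.9 percent) drop.
    print(trial_balance_drop(28_000_000, 24_100_000))
```

Only L-103, which appears in the minutes and is paying interest, passes clean; the other three loans each raise the same kind of attribute the report says examiners did not follow up on.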
In addition, the Examination Manual Section 3.2, Loans (December 2004) adds that management and the Board can consider areas where concentration reductions may be necessary by using accurate concentration reports. Examiners may consider criticizing management if proper monitoring of concentration levels does not occur. Table 3 illustrates that ESB’s agricultural loan concentration40 increased every year through 2017 during the period of our review. In addition, ESB’s agricultural loan concentration was consistently and significantly higher than its peer group.41

Footnote: 38 According to the Examination Manual Section 3.2, Loans (December 2004), “Generally a concentration is a significantly large volume of economically-related assets that an institution has advanced or committed to one person, entity, or affiliated group. These assets may in the aggregate present a substantial risk to the safety and soundness of the institution.”

Footnote: 39 FIL-05-2020, Advisory: Prudent Management of Agricultural Lending During Economic Cycles rescinded and replaced FIL-39-2014 on January 28, 2020. However, FIL-39-2014 was in effect during the scope of our review.
Footnote: 40 FFIEC UBPR User Guide describes agricultural loan concentration as “loans to finance agricultural production divided by Tier 1 Capital plus Allowance.”

Footnote: 41 The UBPRs for ESB describe the bank’s peer group as “Insured commercial banks having assets less than $50 million, with 1 full service banking office and not located in a metropolitan statistical area.”

Table 3: ESB and Its Peer Group’s Agricultural Loan Concentrations 2011 - 2018

Agricultural Loan Concentration (Percent)

Date        ESB       Peer Group
12/31/11    156.45    41.38
12/31/12    176.46    36.58
12/31/13    207.95    94.85
12/31/14    288.64    102.71
12/31/15    312.38    93.39
12/31/16    335.58    89.00
12/31/17    378.96    87.85
12/31/18    278.22    83.78

[End of table]

Source: OIG prepared from UBPRs for Enloe State Bank.

The FDIC had an opportunity in 2015 to encourage ESB to improve reporting to the Board on ESB’s high concentration in agricultural loans. In the 2015 ROE, examiners noted a significant agricultural loan concentration (297 percent of Total Capital), which was well above the bank’s loan policy. The bank’s policy stated that “loans to any one industry amounting to 40% of capital shall be an ‘undue concentration.’” The examination (2015) work papers concluded that concentrations were adequately managed and reported to the Board. However, the work papers did not indicate what procedures examiners performed to come to that conclusion or include any concentration-related reports. In addition, the minutes for the Board and Loan Committee did not include discussion of the agricultural loan concentration. We could not determine how the examiners arrived at the conclusion that the concentrations were adequately managed and reported to the Board.
The bank’s policy also stated that “[t]he loan committee shall develop a procedure for monitoring concentrations.” In the FDIC examination of April 2018, examiners criticized ESB’s management of its significant and increasing concentration in agricultural loans by stating that “management does not have procedures in place to adequately measure, monitor, and control concentrations” and “does not have any concentration-related reports.” The ROE concluded that “while this concentration is not unreasonable due to the bank’s market location and customer base, it should be appropriately monitored, managed, and reported to the Board.” The ROE for the examination of 2015 stated that “[l]oan portfolio growth was unusually high, totaling nearly 15 percent over the past year” and indicated the growth was unexpected. Examiners making a timely request in 2015 for management to improve concentration reporting to the Board may have helped the Board obtain more information on the bank’s agricultural loan concentration and the reasons behind the unusual loan growth. In July 2019, the FDIC completed a Supervisory Review of ESB, which identified lessons learned and related recommendations for improving examination processes and guidance. The review concluded that the FDIC should have conducted additional transactional reviews or verifications as part of the 2018 examination. We concluded that the examination from 2015 also warranted additional procedures, due to lack of external audits in 2014 and unusual lending activities identified in the examination work papers. The FDIC took corrective actions to implement the lessons learned recommendations contained in the Supervisory Review of ESB. These actions included expanding the guidance in the Examination Manual Section 3.2, Loans (September 2019) to incorporate additional procedures for testing loan-related transactions in situations like ESB. 
For example, the FDIC now requires examiners to verify proceeds for a sample of loans that are paid off during or just prior to an examination. The FDIC also expanded guidance to require additional portfolio analysis in the pre-examination planning process. Further, in October 2019, the FDIC developed case studies for Case Managers and Commissioned Examiners which included training on responding to institutions with dominant officials and weak internal controls.

Recommendation: We recommend that the Director, Division of Risk Management Supervision:

(6) Enhance case study training to incorporate the lessons learned from Enloe State Bank in regard to performing additional procedures related to the bank’s loan-related activity.

The FDIC Did Not Perform Additional Procedures to Determine the Likelihood of Fraud

FDIC examiners did not assess the likelihood that fraud may have occurred at the bank, once they identified the dominant official and inadequate internal control environment in 2018. Examination Manual Section 4.1, Management, indicates that the presence of a dominant official should not be construed as a supervisory concern in and of itself. Rather, the presence of a dominant official coupled with other risk factors is a supervisory concern. Examination Manual Section 4.2 Internal Routine and Controls states, “[u]ncovering fraud is not the primary reason examinations are conducted; however, examiners must be able to recognize fraudulent or abusive actions.” The Examination Manual lists multiple situations that, individually, could indicate fraud and therefore the need for more comprehensive audit procedures. The list includes the following situations, which the FDIC also identified for ESB during the FDIC examination (2018):

• An institution has one officer with dominant control over a bank’s operations.

• Audit programs are inadequate.

• Internal control deficiencies are evident, such as weak vacation policies or ineffective segregation of duties.
• Records are poorly maintained or carelessly handled.

• Close supervision by the board of directors or senior management is inadequate, especially where rapid growth has occurred.

• A bank has grown substantially in a short time period.

Further, Examination Manual Section 4.2 states that “[e]xaminers should consult with the regional office if fraud-related examination procedures appear warranted.” RMS guidance on dominant officials also references Examination Manual Section 9.1, Bank Fraud and Insider Abuse (April 1998), which states that “[t]he early detection of apparent fraud and insider abuse is an essential element in limiting the risk to the FDIC’s deposit insurance funds and uninsured depositors. It is essential for examiners to be alert for irregular or unusual activity and to fully investigate the circumstances surrounding the activity.”

By the time of the 2018 FDIC examination, the combination of fraud indicators listed above should have prompted examiners to consider additional procedures to determine the likelihood that fraud had occurred at ESB. However, despite these warning signs of fraud being present, the 2018 examination work papers and results did not indicate that examiners considered or suspected the likelihood of fraud occurring, nor did they indicate that examiners consulted the Regional Office regarding the likelihood of fraud. Identifying the risk of fraud and performing fraud-related examination procedures may have helped the FDIC identify the fraud in 2018 rather than 2019, and reduced the loss to the DIF. However, the impact of this change may have been limited, as examiner review in 2019 indicated that much of the fraudulent activity may have already occurred by the 2018 examination.
Recommendations: We recommend that the Director, Division of Risk Management Supervision:

(7) Train examiners to perform additional procedures to determine the likelihood of fraud once a dominant official designation is made at a bank with a weak internal control environment.

(8) Train examiners on indicators of fraud and how individual issues identified during an examination should be considered holistically to facilitate fraud detection.

The FDIC Appropriately Implemented Prompt Corrective Action

Section 38 of the FDI Act, Prompt Corrective Action, establishes a framework of mandatory and discretionary supervisory actions for insured depository institutions that are not adequately capitalized. The section requires regulators to take stronger actions, known as “prompt corrective actions,” as an institution’s capital level deteriorates. The purpose of Section 38 is to resolve problems of insured depository institutions at the least possible cost to the DIF. FDIC regulations42 define the capital measures used in determining the supervisory actions that will be taken pursuant to Section 38 for FDIC supervised institutions. The regulations43 also establish procedures for the submission and review of capital restoration plans and for the issuance of directives and orders pursuant to Section 38. The FDIC is required to monitor the institution’s compliance with its capital restoration plan, mandatory restrictions defined under Section 38(e), and discretionary safeguards imposed by the FDIC (if any) to determine if the purposes of PCA are being achieved.

Footnote: 42 12 C.F.R. § 324.403 (2019)

Footnote: 43 12 C.F.R. § 324.401 and 12 C.F.R. § 324.404 (2019)

Based on the supervisory actions taken with respect to ESB, the FDIC appropriately implemented applicable PCA provisions of Section 38 of the FDI Act. The FDIC considered ESB Well Capitalized for PCA purposes from 2011 through April 2019, just prior to failure.
On May 24, 2019, the Texas Banking Commissioner issued a capital call letter to ESB requiring the bank to obtain at least $15 million in new capital by May 30, 2019. On the same day, the FDIC and the TDB issued a joint notice downgrading ESB’s CAMELS composite rating to “5,” reflecting the highest level of supervisory concern, and informing ESB that it was “Critically Undercapitalized per PCA guidelines.” On May 28, 2019, the FDIC sent ESB a formal PCA notification of capital category letter stating that the bank was Critically Undercapitalized44 for PCA purposes and issued a Supervisory PCA Directive requiring ESB to take mandatory actions to “increase the volume of capital to a level sufficient to restore the bank to an "Adequately Capitalized"45 capital category.” The bank’s Board was unable to take the necessary actions, and the TDB closed the bank on May 31, 2019.

FDIC COMMENTS AND OIG EVALUATION

On September 25, 2020, the FDIC’s Director, Division of Risk Management Supervision, on behalf of the Agency, provided a written response to a draft of this report (FDIC Response), which is presented in its entirety in Appendix 3. We reviewed and considered the comments in the FDIC response. The FDIC agreed with our conclusion that ESB failed due to fraudulent activity perpetrated by the bank’s President, and, to a lesser extent, the Vice President and Cashier. The FDIC also agreed that the FDIC’s supervisory program did not uncover the fraud prior to 2019 and did not prevent the Bank’s failure. The FDIC agreed that in retrospect, there were opportunities for examiners to perform more in-depth reviews based on the organizational structure of the institution. For example, examiners could have performed transaction testing of the segregation of duties of the bank’s employees, given that the President, Vice President and Cashier, and Internal Auditor had multiple responsibilities.
The FDIC acknowledged that the inappropriate segregation of duties and nonconformance with the Standards for Safety and Soundness were not identified until the FDIC examination in 2018 and that additional transaction testing likely would have identified these problems sooner.

Footnote: 44 For purposes of Section 38 of the FDI Act and this subpart, an FDIC-supervised institution shall be deemed to be "Critically undercapitalized" if the insured depository institution has a ratio of tangible equity to total assets that is equal to or less than 2.0 percent. [12 C.F.R. §324.403(b)(5)]

Footnote: 45 An FDIC-supervised institution shall be deemed to be "Adequately capitalized" if it: (i) Has a total risk-based capital ratio of 8.0 percent or greater; and (ii) Has a Tier 1 risk-based capital ratio of 6.0 percent or greater; and (iii) Has a common equity tier 1 capital ratio of 4.5 percent or greater; and (iv) Has a leverage ratio of 4.0 percent or greater; and (v) Does not meet the definition of "well capitalized" in this section. [12 C.F.R. §324.403(b)(2)]

The FDIC’s responses were focused on the inappropriate segregation of duties and additional testing that could have been performed and did not address our finding that the FDIC should have considered the President as a Dominant Official earlier than 2018. Nevertheless, the FDIC’s response supports our premise that the President’s multiple roles as a lending officer, a Board member, a shareholder, a Loan Committee member, and the bank’s IT officer gave her the authority, responsibility, and access to exert an influential level of control at the bank. We note that the inappropriate segregation of duties and nonconformance with the Standards for Safety and Soundness were identified in the FDIC examination in 2018, when examiners determined that the President was a Dominant Official.
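The transaction testing of segregation of duties discussed above, as an added example that is not part of this report and not FDIC examination tooling: a small Python check that encodes the incompatible-duty pairs the report cites from the Examination Manual (a loan officer should not perform more than one of originate, disburse, or accept payments; official-check signers should not reconcile the check ledger; transaction originators should not reconcile entries to the general ledger; IT personnel should not initiate or process transactions) and runs them over a constructed core-system activity log to surface a single operator who controls a loan from inception to completion. The log format, the duty labels, and the user names are assumptions, not data from the bank or any FDIC system.

```python
"""Segregation-of-duties (SoD) conflict check over a constructed activity log.

Added example: the log format, user names and duty labels below are assumptions,
not data from Enloe State Bank or any FDIC system. The incompatible-duty rules
follow the principle the report quotes from the RMS Manual of Examination
Policies, Section 4, Internal Routine and Controls.
"""
from collections import defaultdict
from dataclasses import dataclass

# One person should not control a transaction from inception to completion,
# so each pair below is treated as incompatible when held by the same user.
INCOMPATIBLE_DUTIES = {
    # A loan officer should perform at most one of these three.
    frozenset({"LOAN_ORIGINATE", "LOAN_DISBURSE"}),
    frozenset({"LOAN_ORIGINATE", "LOAN_ACCEPT_PAYMENT"}),
    frozenset({"LOAN_DISBURSE", "LOAN_ACCEPT_PAYMENT"}),
    # Official-check signers should not reconcile the official check ledger.
    frozenset({"OFFICIAL_CHECK_SIGN", "OFFICIAL_CHECK_RECONCILE"}),
    # Those who originate transactions should not reconcile them to the GL.
    frozenset({"LOAN_ORIGINATE", "GL_RECONCILE"}),
    # IT personnel should not initiate or process transactions.
    frozenset({"IT_ADMIN", "LOAN_ORIGINATE"}),
    frozenset({"IT_ADMIN", "LOAN_DISBURSE"}),
    frozenset({"IT_ADMIN", "LOAN_ACCEPT_PAYMENT"}),
}


@dataclass(frozen=True)
class Event:
    ts: str    # timestamp as recorded by the core system (constructed)
    user: str  # operator recorded for the action
    duty: str  # duty category performed
    obj: str   # loan number, ledger, or system touched


def parse_log(text):
    """Parse 'timestamp|user|duty|object' lines into Event records."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, duty, obj = (f.strip() for f in line.split("|", 3))
        events.append(Event(ts, user, duty, obj))
    return events


def duties_by_user(events):
    """Map each user to the set of duty categories seen for that user."""
    duties = defaultdict(set)
    for e in events:
        duties[e.user].add(e.duty)
    return duties


def find_conflicts(events):
    """Return {user: sorted list of incompatible duty pairs the user performed}."""
    conflicts = {}
    for user, duties in duties_by_user(events).items():
        hits = sorted(tuple(sorted(p)) for p in INCOMPATIBLE_DUTIES if p <= duties)
        if hits:
            conflicts[user] = hits
    return conflicts


def end_to_end_loans(events):
    """Loans where one user originated, disbursed, and accepted payments.

    This is the "inception to completion" pattern the report describes and
    the one transaction-level testing is meant to surface.
    """
    per_loan = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.duty.startswith("LOAN_"):
            per_loan[e.obj][e.user].add(e.duty)
    full = {"LOAN_ORIGINATE", "LOAN_DISBURSE", "LOAN_ACCEPT_PAYMENT"}
    return sorted((loan, user) for loan, users in per_loan.items()
                  for user, held in users.items() if full <= held)


# Constructed sample log; user names are placeholders.
SAMPLE_LOG = """
# ts|user|duty|object
2018-03-01T09:10|officer_a|LOAN_ORIGINATE|LN-1001
2018-03-01T09:40|officer_a|LOAN_DISBURSE|LN-1001
2018-04-02T10:00|officer_a|LOAN_ACCEPT_PAYMENT|LN-1001
2018-03-05T11:00|officer_a|IT_ADMIN|core-system
2018-03-05T11:30|officer_a|GL_RECONCILE|loan-gl
2018-03-06T08:00|officer_b|LOAN_ORIGINATE|LN-1002
2018-03-06T08:30|teller_c|LOAN_DISBURSE|LN-1002
2018-04-06T09:00|teller_c|LOAN_ACCEPT_PAYMENT|LN-1002
2018-03-07T16:00|cashier_d|OFFICIAL_CHECK_SIGN|official-checks
2018-03-08T16:00|cashier_d|OFFICIAL_CHECK_RECONCILE|official-checks
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, pairs in find_conflicts(evs).items():
        for a, b in pairs:
            print(f"SoD conflict: {user} performs both {a} and {b}")
    for loan, user in end_to_end_loans(evs):
        print(f"End-to-end control: {user} handled {loan} from origination to payment")
```

On the constructed log the check flags officer_a for seven incompatible pairs and as the sole handler of LN-1001, while LN-1002, split between two users, still shows a disburse/accept-payment conflict for teller_c that a mitigating control would need to address.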
In its response, the FDIC stated that “RMS’ risk-focused safety and soundness examination program rests, in part, on the premise that the vast majority of bankers are honest and do not intend to harm their bank. Expecting examiners to detect fraud in all cases, especially those involving collusion, would represent a fundamental departure from this premise, and would result in a far more expensive, intrusive, and potentially contentious examination process.” We believe that examiners should conduct their work with an appropriate level of professional skepticism. We noted, in our report, that Examination Manual Section 9.1, Bank Fraud and Insider Abuse, states that “The early detection of apparent fraud and insider abuse is an essential element in limiting the risk to the FDIC's deposit insurance funds and uninsured depositors. Although it is not possible to detect all instances of apparent fraud and insider abuse, potential problems can often be uncovered when certain warning signs are evident. It is essential for examiners to be alert for irregular or unusual activity and to fully investigate the circumstances surrounding the activity.” Further, the FDIC noted in its response that it has taken a number of actions in recent years to help examiners identify fraud red flags. We continue to support our conclusion that the FDIC’s supervision did not identify and address the severity of the internal control weaknesses in a timely manner and that these weaknesses created an environment where significant loan fraud went undetected for more than 9 years.

The FDIC response noted that its IT-RMP (Risk Management Program) was the IT examination work program used by the FDIC from 2005 to 2016. The FDIC noted that the IT Officer’s Questionnaire was the foundation of IT-RMP. Examiner instructions stated that examiners shall review a bank’s audit program and audit findings at every examination and consider the responses on the IT Officer’s Questionnaire.
The FDIC acknowledged that the external IT audits reviewed by the examiners did not cover user access or segregation of duties as they were limited in scope. The FDIC also acknowledged that “[t]he President had control over lending transactions from inception to completion. As a loan officer, she was able to make a loan, disburse loan proceeds, and accept loan payments.” These statements support our conclusion that a stronger FDIC recommendation in 2015 regarding external IT audits may have helped the bank and the FDIC identify sooner than 2018 the President’s inadequately controlled systems access. Specifically, we found the FDIC should have made a stronger recommendation for the bank to obtain timely external IT audits that adequately evaluated bank information system user access controls.

OIG Disposition of Recommendations:

The FDIC concurred with three recommendations in the report and stated that it “partially agreed” with five other recommendations. The corrective actions proposed by the FDIC appear to be sufficient to address the recommendations and, therefore, we consider all eight recommendations to be resolved.

The FDIC agreed with recommendation 1 and stated that RMS will clarify criteria to identify an official as dominant. The FDIC stated that where an individual occupies multiple positions, particularly in smaller institutions, additional transaction testing for segregation of duties and adequate internal controls may be necessary. We believe that this corrective action will result in closer scrutiny of segregation of duties and internal controls at institutions where an individual or individuals occupy multiple key positions. In order to close this recommendation, we expect that the FDIC will incorporate the clarification of criteria into its Examination Manual.

The FDIC partially agreed with recommendation 2 and stated that it will incorporate elements of internal audit and internal control review into its case study library.
This response alone does not specify whether the training will cover the importance of understanding and documenting the independence and qualifications of the internal auditor and reviewing internal audit work papers and results as we recommended. However, in response to recommendation 6, the FDIC stated its case study training would cover the concepts included in this recommendation. Therefore, we consider this recommendation to be resolved. In order to close this recommendation, we expect that the FDIC’s case study library will specifically incorporate the importance of understanding and documenting the independence and qualifications of the internal auditor and reviewing internal audit work papers and results.

The FDIC partially agreed with recommendation 3 but stated that it will reinforce the principles of the existing statutory framework and supervisory guidance in its case study library. Therefore, we consider this recommendation to be resolved. The FDIC stated that annual external financial audits are only required for institutions with total assets of $500 million or more and, therefore, it cannot require institutions below this asset threshold to obtain an annual audit or provide a justification for not doing so. The FDIC’s response does not consider the aspects of our finding related to the Directors’ Examination that did not cover high-risk areas, nor the citation from the Examination Manual included in our report.
The Examination Manual states “[i]f the audit committee or board, after due consideration, determines not to engage an independent public accountant to conduct an annual audit of the financial statements, the reason(s) for the conclusion to use one of the acceptable alternatives or to have no external auditing program should be documented in the written meeting minutes.” [emphasis added] Further, according to the Examination Manual, “The examiner should determine whether the alternative selected by the bank adequately covers the bank’s high-risk areas, and is performed by a qualified auditor who is independent of the bank.” [emphasis added] In order to close this recommendation, we expect that the FDIC’s training will cover (1) the documentation required when an institution decides to use an acceptable alternative or have no external audit program, and (2) ensuring the alternative approach adequately covers all high-risk areas, as noted in the Examination Manual.

The FDIC partially agreed with recommendation 4, but stated that RMS would implement a tracking system for follow-up on State-issued MRBA and will conduct a training call with Case Managers once the system is implemented. Therefore, we consider this recommendation to be resolved.

The FDIC concurred with recommendations 5 and 6 and the corrective actions proposed appear to be sufficient to address these recommendations. Therefore, recommendations 5 and 6 are considered to be resolved.

The FDIC partially agreed with recommendation 7 but agreed to incorporate the lessons learned from Enloe State Bank into its case study library. Additionally, RMS agreed to add tasks to its Internal Control and Fraud Review Examiner Reference Tool to provide examiners with additional procedures related to management red flags. Therefore, we consider this recommendation to be resolved.

The FDIC partially agreed with recommendation 8 but agreed to incorporate additional elements of fraud into its case study library.
Therefore, we consider this recommendation to be resolved.

Appendix 1
Objectives, Scope, and Methodology

Objectives

The objectives of this evaluation were to (1) determine the causes of Enloe State Bank’s failure and the resulting loss to the DIF and (2) evaluate the FDIC’s supervision of the bank, including the FDIC’s implementation of the PCA provisions of Section 38 of the FDI Act. We performed our work at the FDIC’s offices in Arlington, Virginia, and the Dallas Regional Office from March 2020 through July 2020. We conducted our work in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.

Scope and Methodology

The scope of our review covered examinations and visitations performed and supervisory actions taken from March 2011 until ESB failed on May 31, 2019. We selected this time period because the earliest fraudulent loan the FDIC identified and reviewed in May 2019 had an origination date of 2011. In addition, the 2011 full-scope safety and soundness examination led the TDB and the FDIC to issue a joint MOU with ESB that contained several provisions related to the bank’s lending and Board oversight of the lending function. To accomplish our objectives, we reviewed:

• The FDIC’s Failing Bank Case and Supervisory History for the bank; and FDIC and TDB lessons learned documents related to ESB.
• FDIC and TDB examination and visitation reports.
• Pertinent regulations, policies, procedures, and guidance, including the RMS Manual of Examination Policies (Examination Manual).
• Bank UBPR and Call Report data.
• Correspondence; available 2015, 2018, and 2019 FDIC examination work papers; and other documentation located in the Regional Automated Document Distribution and Imaging System (RADD).
• Correspondence, available 2019 TDB examination work papers, and bank documentation provided by TDB.
We interviewed RMS officials from the FDIC’s Dallas Regional Office, Dallas Field Office, and TDB officials. We obtained their perspectives on the principal causes of ESB’s failure, the FDIC’s supervisory approach, and other examination-related information.

We performed certain procedures to determine whether the FDIC had complied with relevant PCA provisions in Section 38 of the FDI Act. We also assessed compliance with aspects of the FDIC Rules and Regulations, including examination frequency requirements defined in 12 C.F.R. § 337.12 Frequency of Examination.

We obtained data from three FDIC systems, the Virtual Supervisory Information on the Net (ViSION), RADD, and the FDIC Business Data Services system. We determined that information system controls pertaining to these systems were not significant to the evaluation objectives. Therefore, we did not evaluate the effectiveness of information system controls. We relied primarily upon reports of examination, memoranda, and other correspondence, as well as testimonial evidence, to validate system-generated information.

We assessed the risk of fraud and abuse in the context of our evaluation objectives in the course of evaluating evidence. We reviewed available bank and FDIC documentation, inquired with OIG Office of Investigations personnel, and interviewed FDIC and TDB officials about ongoing investigations related to the fraudulent activity at the bank.

On the date of issuance of this report, we received clarifying comments from TDB. These comments were incorporated in our report where appropriate and did not affect the OIG’s findings and recommendations.

Appendix 2
Acronyms and Abbreviations

CAMELS  Capital Adequacy, Asset Quality, Management Capabilities, Earnings Sufficiency, Liquidity Position, and Sensitivity to Market Risk
DIF  Deposit Insurance Fund
EBI  Entex Bancshares, Inc.
ESB  Enloe State Bank
FBR  Failed Bank Review
FDI Act  Federal Deposit Insurance Act
FDIC  Federal Deposit Insurance Corporation
IDR  In-Depth Review
IT  Information Technology
MOU  Memorandum of Understanding
MRBA  Matters Requiring Board Attention
OIG  Office of Inspector General
PCA  Prompt Corrective Action
RADD  Regional Automated Document Distribution and Imaging System
RD Memo  Regional Directors Memorandum
RMS  Division of Risk Management Supervision
ROE  Report of Examination
TDB  Texas Department of Banking
UBPR  Uniform Bank Performance Report
UFIRS  Uniform Financial Institutions Rating System
ViSION  Virtual Supervisory Information on the Net

Appendix 3
FDIC Comments

[FDIC letterhead, Division of Risk Management Supervision]

September 25, 2020

TO: Terry L. Gibson, Assistant Inspector General for Program Audits and Evaluations
FROM: Doreen R. Eberley, Director
SUBJECT: Response to Draft Evaluation Report Entitled In-Depth Review of Enloe State Bank, Cooper, Texas (No. 2020-008)

Thank you for the opportunity to review and respond to the Draft Evaluation Report Entitled In-Depth Review (IDR) of Enloe State Bank, Cooper, Texas. On May 31, 2019, the Texas Department of Banking (State) closed the Enloe State Bank (Enloe or the Bank), a small community bank with approximately $37 million in total assets, and the FDIC was appointed receiver. The Division of Risk Management Supervision (RMS) agrees with the conclusion that Enloe failed due to fraudulent activity perpetrated by the Bank’s President, and, to a lesser extent, the Vice President and Cashier. Both individuals have since confessed to their crimes. The Bank operated with inadequate segregation of duties and infrequent and reduced scope external audit activities, allowing the President to hide her fraudulent lending activities from the Bank’s board of directors and regulators with the assistance from unnamed co-conspirators.

The State was scheduled to start a state-only examination of Enloe on May 13, 2019.
The start date of the examination was delayed slightly because a suspicious fire occurred the preceding weekend resulting in the Bank’s temporary closure. The fire occurred in close timing to the State receiving initial findings from the independent Directors’ Examination of a large out-of-balance situation on the bank’s loan general ledger account. Given the unfolding circumstances, the FDIC informed the State that it would like to participate on the examination, which began on May 16, 2019. The State welcomed the FDIC’s participation.

On May 24, 2019, examiners downgraded the Bank to a “5” and designated it a troubled institution based on the ongoing examination, which identified significant losses associated with over 100 fraudulent and/or fictitious loans. The FDIC and the State also notified Enloe that it had become Critically Undercapitalized. Given the Bank’s board of directors was unable to recapitalize the Bank, it voluntarily agreed to close on May 31, 2019.

RMS agrees the FDIC’s supervisory program did not uncover the fraud prior to 2019 and did not prevent the Bank’s failure. RMS’ risk-focused safety and soundness examination program rests, in part, on the premise that the vast majority of bankers are honest and do not intend to harm their bank. Expecting examiners to detect fraud in all cases, especially those involving collusion, would represent a fundamental departure from this premise, and would result in a far more expensive, intrusive, and potentially contentious examination process. Importantly, examiners identified many weaknesses in the bank’s risk management practices, control environment, and audit program and made appropriate recommendations based on their findings. However, the Bank’s board of directors did not appropriately respond to all recommendations or do so in a timely manner.
In retrospect, we also agree that there were opportunities for examiners to perform more in-depth reviews based on the organizational structure of the institution. For example, examiners could have performed transaction testing of the segregation of duties1 of the Bank’s employees, given that the President, Vice President and Cashier, and Internal Auditor had multiple responsibilities. This organizational structure is commonplace in very small institutions and requires segregation of duties as an internal control. If segregation of duties cannot be fully accomplished, a Bank’s internal control structure would be inconsistent with the Interagency Guidelines Establishing Standards for Safety and Soundness and would require mitigation. The inappropriate segregation of duties and nonconformance with the Standards for Safety and Soundness were not identified until the 2018 FDIC exam, due in large part to the deception of the President and inaction of the board. However, additional transaction testing in earlier examinations likely would have identified these problems sooner.

One area of concern relates to the appropriateness of security controls governing the President’s access to Enloe’s IT systems. IT-RMP (Risk Management Program) was the IT examination work program used by FDIC from 2005 to 2016.2 IT-RMP focused on security controls at a broad program level that, if operating effectively, would help institutions protect information security as described in the Interagency Guidelines Establishing Information Security Standards (Interagency Security Guidelines).3 The IT Officer’s Questionnaire was the foundation of IT-RMP. The Officer’s Questionnaire asked a series of yes/no questions about an institution’s IT controls and operations and required the signing officer to certify to the accuracy of the information presented. The document contained the following language related to the certification: “This is an official document. Any false information contained in it may be grounds for prosecution and may be punishable by fine or imprisonment.”

Footnote: 1 The principle of segregation of duties is that one person should not be able to control a transaction from inception to completion. For example, a loan officer should not perform more than one of the following tasks: make a loan, disburse loan proceeds, or accept loan payments. Individuals having authority to sign official checks should not reconcile official check ledgers or correspondent accounts, and personnel that originate transactions should not reconcile the entries to the general ledger. Additionally, information technology (IT) personnel should not initiate and process transactions, or correct data errors unless corrections are required to complete timely processing. In this situation, corrections should be pre-authorized, when possible, and authorized personnel should review and approve all corrections as soon as practical after the corrections are processed, regardless of any pre-authorizations. See RMS Manual of Examination Policies, Section 4, Internal Routine and Controls.

Footnote: 2 See Financial Institution Letter 81-2005, Information Technology Risk Management Program, dated August 15, 2005, at https://www.fdic.gov/news/financial-institution-letters/2005/fil8105.ht….

Footnote: 3 The Interagency Security Guidelines set forth an expectation that institutions adopt an information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the institution's activities. In doing so, institutions are to consider whether the following security measures, among others, are appropriate for the institution and, if so, adopt those measures the institution concludes are appropriate: (1) access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means and (2) dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information.

Instructions issued to examiners to implement IT-RMP4 stated that “[under IT-RMP] examiner focus shifts from historic broad-based technology and control reviews to assessing management and IT risk management practices as communicated through their formal information security program. This top-down approach places considerable emphasis on management, information security program content, and confirmations and assurances through audit or independent review.” IT-RMP was designed for examiners to rely, in part, on management attestations regarding the extent to which IT risks were being managed and controlled. Examiners focused their efforts on management-identified weaknesses and had the option to confirm selected safeguards described by management as adequate. Among the questions on the Officer’s Questionnaire was, “Does audit coverage include assessing users and system services access rights (Y/N)?” Examiner instructions for the use of IT-RMP stated that, “[e]xaminers shall review a bank’s audit program and audit findings at every examination and consider, at a minimum, all of the above responses [including the response to the question on users and system services access rights].” The IT Officer’s Questionnaire for the 2015 examination of Enloe shows that “YES” was typed in response to the question.
Additionally, the Officer’s Questionnaire lists the following audits in response to the question, “[p]lease provide the following information regarding your most recent IT audits/independent reviews:5” Information Security Program (October 2014 – Internal Audit); IT General Controls Review (October 2014 – Internal Audit); Vulnerability Testing (April 2013 – External Audit); Penetration Testing (April 2013 – External Audit); Wire Transfer Audit (August 2014 – Internal Audit); and NACHA Rule Compliance Audit (October 2014 – Internal Audit). Management indicated the first four audits listed were presented to the Bank’s board of directors. Workpapers for 2015 do not contain copies of the internal audits on the Information Security Program or IT General Controls, and external audits do not cover user access or segregation of duties. Workpapers from the 2013 and 2016 examinations are not available for review.6 Examiners cannot recall exactly what work they performed so many years ago, but indicate they would have reviewed any audits listed. The external audits were performed by a reputable firm, but were limited in scope. We do not know what the missing internal audits covered, or their veracity; examiners later described the internal auditor as not having sufficient technical knowledge to perform IT audits.

Footnote: 4 Instructions were issued via Regional Director Memorandum 2005-031, Information Technology - Risk Management Program (IT-RMP), dated August 15, 2005.

Footnote: 5 The question includes the following as references for this question: [FDIC Rules and Regulations Part 364 Appendix B Section III (C)(3) and (F); FFIEC IT Examination Handbook, Audit Booklet: FIL-12-1999 Uniform Rating System for Information Technology]

Footnote: 6 The joint 2013 ROE indicates that a State examiner completed the IT examination program using IT-RMP, and the 2016 State ROE also shows the use of IT-RMP.

The President had control over lending transactions from inception to completion. As a loan officer, she was able to make a loan, disburse loan proceeds, and accept loan payments. She also withheld information about the fraudulent loans she originated from the Director’s Loan Committee. She hid the loans from examiners in preparation for examinations, and she created false pay-off documentation for loans that were included in the examiners’ loan samples. It is also now clear that she lied on the IT Officer’s Questionnaires for 2015 to conceal her fraudulent activities. The scope of external audits was limited, and we cannot know at this point whether the missing internal audits were reliable. The focus on management assertions and internal and external audits over independent examiner evaluation was one of the limitations of the IT-RMP model. Nevertheless, transaction testing of the segregation of duties of the Bank’s employees likely would have identified, or led examiners to question, the adequacy of internal controls at the Bank prior to 2018.

IT-RMP was replaced by the Information Technology Risk Examination (InTREx) Program, implemented via RD Memorandum 2016-009, dated June 24, 2016. Among other concerns, IT-RMP was considered to not adequately cover the growing risks of cybersecurity or the management information system and internal control standards outlined in Interagency Guidelines Establishing Standards for Safety and Soundness. The InTREx program was designed to enhance identification, assessment, and validation of information technology and operations risks in financial institutions. All examiners were trained on the new program during 2016. Following the implementation of the InTREx Program, examiners identified weaknesses in Enloe’s IT program, including access controls, adequacy of audits, and qualifications of the auditors, which were documented in the 2018 Examination.

RMS has processes in place to continuously assess examination procedures and identify lessons learned from bank failures. To that end, RMS has taken a number of actions in recent years to improve its supervision program. Many of these actions are designed to help examiners identify the root cause of problems, fraud red flags, and weak control environments, as well as make appropriate recommendations to bank boards that are consistent with laws and regulations to remedy any identified concerns. Changes to examination policies and procedures and training activities that address these items include the following:

• RD Memo 2018-025, Lessons Learned from Post-Crisis Bank Failures: Risk-Focused, Forward-Looking Supervision Strategies to Target Root Causes of Deficiencies, dated October 29, 2018. This memo contains detailed discussion of common risk patterns and lessons learned in recent post-crisis failures, as well as actions to be taken. Training on ‘root cause analysis’ was included in the 2019 Case Manager and Examiner training programs.
• RD Memo 2019-030, Updates to the Examination Documentation Modules, dated October 23, 2019. The Internal and External Audit Evaluation module was updated to include considerations for preliminary review activities.
• In 2019, RMS implemented a computer based fraud training simulation in which examiners interview bank employees and review documents to identify red flags, conduct further investigation, and recommend findings related to weak risk management practices. RMS also conducted fraud training as part of its national examiner training programs in 2014/2015 and 2017/2018. Each of the fraud training programs included case studies. This training simulation module replaced a similar module that had been in place for many years. The replacement was not related to the Enloe’s failure, but the module addresses the broad issue of fraud red flag identification.
In addition, RMS has made changes as a result of Dallas Regional Office recommendations based on a July 2019 internal review of the Bank’s supervision and its own consideration of the facts and circumstances surrounding this institution’s failure. For example, RMS informed the OIG that it:

• Updated its policies related to loan review during September 2019 to:
  o require examiners to verify a sample of loans that paid off during or just prior to the on-site portion of the examination by reviewing the loan file, payoff tickets, and tracing the source of funds for the payoff;
  o require examiners to use certain analytical tools that identify characteristics or relationships in the loan portfolio that may indicate fraud or loan administration weaknesses;
  o include a sample of loans flagged by the tool in the loan review; and
  o perform additional loan transaction testing procedures when the tool (or other known information) identifies specific loans that exhibit suspect characteristics, including tracing loan proceeds and payments, reviewing controls over loan disbursements, verifying loan delinquencies, and reviewing loans for straw borrowers or “padding” of loan balances.
• Committed to add a new tracking system for case manager follow-up on Matters Requiring Board Attention (MRBA) in State reports of examination (ROE). FDIC has long tracked its follow-up on actions taken by institutions to respond to FDIC ROE MRBA, and is adding the tracking of State ROE MRBA as an additional control.

The Draft Report contains eight recommendations for the Director, RMS, to improve examiner guidance and training. RMS has shared with OIG the extensive training conducted with all commissioned examiners over the past six years on the topics of fraud, dominant officials, and corporate governance. RMS has also conducted refresher training for case managers on the topic of MRBA follow-up and for all examiners on the use of the InTREx IT examination work program.
RMS’ response to the recommendations follows. (1) Clarify criteria the examiners should use to identify an official as dominant; RMS will take this action. RMS agrees that clarity in guidance is important. RMS shared the 2015 update to the 2011 Memorandum with staff for comment prior to issuance.7 RMS implemented this practice in 2014 upon recommendation of internal working groups to ensure that examiner instructions are clear by soliciting comments and questions on guidance in draft form. None of the staff comments on the draft indicated a misunderstanding of the definition of a dominant official. One noted that the definition was broad and could capture many institutions. The definition of a “dominant official” is necessarily broad in order to capture the myriad of situations where a dominant official may be present. RMS will clarify that the definition of a dominant official is not meant to capture individuals who merely occupy multiple positions, particularly in smaller institutions. Nevertheless, in such situations, additional transaction testing for segregation of duties and adequate internal controls may be necessary. RMS will incorporate this training into its case study library. (2) Train examiners on the importance of understanding and documenting the independence and qualifications of internal auditor(s), and reviewing internal audit work papers and results; RMS will incorporate elements of internal audit and internal control review into its case study library. (3) Train examiners on the importance of adequate annual external financial audit coverage, and under what circumstances and with what justifications banks may obtain reviews in place of audits; RMS partially agrees with this recommendation. RMS will reinforce the principles of the existing statutory framework and supervisory guidance in its case study library. 
As stated in Part 363 of the FDIC’s rules and regulations, implementing Section 36 of the Federal Deposit Insurance Act, annual external financial audits are only required for institutions with total assets of $500 million or more. Accordingly, RMS cannot require institutions below that asset threshold to obtain an annual audit or provide a justification for not doing so, unless the institution is not conforming with the Interagency Guidelines for Standards for Safety and Soundness. If the institution is conforming, the Bank’s board of directors is ultimately responsible for determining whether external audits should be obtained as part of an institution’s control structure, and if so, what form the audit should take. Footnote: 7 The 2011 clarification was issued in response to an OIG Follow-up Audit of FDIC Supervision Program Enhancements, MLR-11-010, which recommended RMS update its guidance in response to RMS’ findings from 51 post failure reviews that identified dominant bank officials as a significant concern and made suggestions and/or identified lessons learned regarding dominant officials. The 2014 clarification was issued in response to OIG’s Material Loss Review of Valley Bank, Moline, Illinois, AUD-15.005, which recommended RMS review the FDIC’s supervisory policy and approach for addressing risks associated with dominant bank officials to ensure that: a) examination coverage of and reporting on the Board’s composition and involvement in overseeing the policies and activities of the bank is sufficiently emphasized and/or required; and b) expectations are clear when prior supervisory actions do not have the intended effect. 
OIG accepted both supervisory policy issuances via RD Memoranda as responsive to the recommendations made.

(4) Implement guidance and train personnel on monitoring and following up on State-issued Matters Requiring Board Attention.

RMS advised OIG ahead of this in-depth review that, as a result of its internal review of this Bank’s failure, RMS intended to implement a tracking system for follow-up on State ROE MRBA, similar to the tracking system RMS used for follow-up on FDIC ROE MRBA. Development remains in process. Such a tracking system would have identified that Bank management failed to respond timely to the 2016 State ROE (the ROE was transmitted to the bank on August 29, 2016, the Bank’s response was dated September 13, 2016, and yet the Bank’s response was not received by the State until August 1, 2017). Such a tracking system also would have identified that Bank management did not forward a copy of the response to the FDIC. RMS also increased the frequency of interim contacts Case Managers conduct with institution management between examinations. This provides another opportunity for follow-up on prior examination findings. Additional comprehensive training in June 2020 addresses the OIG recommendation. During the training, RMS clearly articulated the continuing responsibility that Case Managers already perform on FDIC ROEs, and the importance of MRBA follow-up. RMS will conduct a training call with Case Managers once the system is implemented, to familiarize them with the new tracking system and requirements.

(5) Train examiners on the importance of ensuring that system user access controls are adequately tested.

RMS agrees with this recommendation. Training was conducted for all examiners in conjunction with the migration to the InTREx IT examination work program in 2016.
Training on the use of InTREx is also covered as part of the Information Technology Examination Course, which each examiner is required to complete within the year after receiving their examiner commission. RMS will prepare refresher training for the examiner workforce.

(6) Enhance case study training to incorporate the lessons learned from Enloe State Bank.

RMS will take action to add the lessons learned from Enloe to its case study library, and will reinforce the concepts embedded in recommendations 2, 3, 5, 7, and 8.

(7) Train examiners to perform additional procedures to determine the likelihood of fraud once a dominant official designation is made at a bank with a weak internal control environment.

RMS will incorporate the lessons from Enloe into its case study library. In addition, RMS will add tasks to its Internal Control and Fraud Review Examiner Reference Tool to provide examiners with additional procedures related to management red flags. RD Memo 2016-007, Internal Control and Fraud Reviews Reference Tool, dated June 13, 2016, outlines internal control and fraud review examination instructions and includes a resource tool to help identify red flags and perform associated examination tasks. The tool contains tasks that examiners can perform when they detect potential warning signs of fraud and insider abuse. Each task includes: considerations and examination techniques to assist examiners in completing the task; red flags from examination findings that can indicate a concern or deficiency; and additional information/tips that examiners should be mindful of or consider when completing a task. The determination to use additional procedures will require consideration of the unique facts at any particular institution, and examiners-in-charge will continue to consult with their supervisors and applicable Case Manager on the decision to conduct these procedures in any given exam.
(8) Train examiners on indicators of fraud and how individual issues identified during an examination should be considered holistically to facilitate fraud detection.

RMS will incorporate additional elements of fraud into its case study library. RMS also notes the extensive training it has already conducted to detect fraud situations.

Appendix 4 Summary of the FDIC’s Corrective Actions

This table presents management’s response to the recommendations in the report and the status of the recommendations as of the date of report issuance. Each row lists: Rec. No.; Corrective Action - Taken or Planned; Expected Completion Date; Monetary Benefits; Resolved-a (Yes or No); Open or Closed-b.

Row 1; Rec. No.: 1; Corrective Action: Management will clarify criteria the examiners should use to identify an official as dominant.; Expected Completion Date: ; Monetary Benefits: $0; Resolved: Yes; Open or Closed: Closed

Row 2; Rec. No.: 2; Corrective Action: Management will incorporate elements of internal audit and internal control review into its case study library.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved: Yes; Open or Closed: Closed

Row 3; Rec. No.: 3; Corrective Action: Management will reinforce the principles of the existing statutory framework and supervisory guidance in its case study library.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved: Yes; Open or Closed: Closed

Row 4; Rec. No.: 4; Corrective Action: Management will implement a tracking system for follow-up on State-issued MRBA and will conduct a training call with Case Managers once the system is implemented.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved: Yes; Open or Closed: Closed

Row 5; Rec. No.: 5; Corrective Action: Management will prepare refresher training for the examiner workforce.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved: Yes; Open or Closed: Closed

Row 6; Rec. No.: 6; Corrective Action: Management will incorporate the lessons learned from Enloe into its case study library, and will reinforce concepts embedded in recommendations 2, 3, 5, 7, and 8.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved: Yes; Open or Closed: Closed

Row 7; Rec. No.: 7; Corrective Action: Management will incorporate the lessons learned from Enloe into its case study library and add tasks to its Internal Control and Fraud Review Examiner Reference Tool to provide examiners with additional procedures related to management red flags.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved: Yes; Open or Closed: Closed

Row 8; Rec. No.: 8; Corrective Action: Management will incorporate additional elements of fraud into its case study library.; Expected Completion Date: June 30, 2021; Monetary Benefits: $0; Resolved: Yes; Open or Closed: Closed

[End of table]

a Recommendations are resolved when: 1. Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation. 2. Management does not concur with the recommendation, but alternative action meets the intent of the recommendation. 3. Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Recommendations will be closed when the OIG confirms that corrective actions have been completed and are responsive.
[End of report]

Federal Deposit Insurance Corporation
Office of Inspector General
3501 Fairfax Drive, Room VS-E-9068, Arlington, VA 22226
(703) 562-2035

The OIG’s mission is to prevent, deter, and detect waste, fraud, abuse, and misconduct in FDIC programs and operations; and to promote economy, efficiency, and effectiveness at the agency. To report allegations of waste, fraud, abuse, or misconduct regarding FDIC programs, employees, contractors, or contracts, please contact us via our Hotline or call 1-800-964-FDIC.

FDIC OIG website: www.fdicoig.gov
Twitter: @FDIC_OIG
Oversight.gov: www.oversight.gov/