2021 Top Management and Performance Challenges Facing the Federal Deposit Insurance Corporation

This is the accessible text file for FDIC OIG report 'Top Management and Performance Challenges Facing the Federal Deposit Insurance Corporation.' This text file was formatted by the FDIC OIG to be accessible to users with visual impairments. We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, graphs, and footnotes are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version. [FDIC OIG Logo] Top Management and Performance Challenges Facing the Federal Deposit Insurance Corporation February 2022 Federal Deposit Insurance Corporation Office of Inspector General [FDIC OIG letterhead, Federal Deposit Insurance Corporation Office of Inspector General] Date: February 17, 2022 Memorandum To: Board of Directors From: Jay N. Lerner Inspector General Subject: Top Management and Performance Challenges Facing the Federal Deposit Insurance Corporation The Office of Inspector General (OIG) presents its annual assessment of the Top Management and Performance Challenges facing the Federal Deposit Insurance Corporation (FDIC). This document summarizes the most serious challenges facing the FDIC and briefly assesses the Agency's progress to address them. This Challenges document is based on the OIG's experience and observations from our oversight work, reports by other oversight bodies, review of academic and relevant literature, perspectives from Government agencies and officials, and information from private-sector entities. In several instances, we discuss topic areas where the OIG had previously conducted work to evaluate, audit, and review the FDIC's progress in these Challenge areas. We identified nine Top Challenges facing the FDIC. This document incorporates and consolidates discussions of the risks identified in prior years and updates our assessments with respect to current conditions and circumstances. This year, we added a new Challenge regarding the FDIC's collection, analysis, and use of data, and we highlighted the importance of governance to ensure the effective execution of the FDIC's mission. The Top Challenges facing the FDIC include: 1. The FDIC's Readiness for Crises; 2. Cybersecurity for Banks and Third-Party Service Providers; 3. Supporting Underserved Communities in Banking; 4. Organizational Governance at the FDIC; 5. Information Technology Security at the FDIC; 6. Security and Privacy at the FDIC; 7. The FDIC's Collection, Analysis, and Use of Data; 8. Contracting and Supply Chain Management at the FDIC; and 9. Human Resources at the FDIC. We believe that this researched and deliberative analysis is beneficial and constructive for policy makers, including the FDIC Board and officials, as well as Congressional oversight bodies. We further hope that it is informative for the American people regarding the programs and operations at the FDIC and the Challenges it faces. Executive Summary The FDIC plays a unique and vital role in support of the U.S. financial system. The FDIC insures approximately $9.5 trillion in bank deposits at over 4,900 banks, supervises and examines more than 3,200 banks, oversees over $123 billion in the Deposit Insurance Fund (DIF) that protects bank depositor accounts, and resolves failed and failing banks. This Top Management and Performance Challenges (TMPC) document summarizes the most serious challenges facing the FDIC and briefly assesses the Agency's progress to address them, in accordance with the Reports Consolidation Act of 2000 and Office of Management and Budget Circular A-136 (revised August 10, 2021). This TMPC report is based on the OIG's experience and observations from our oversight work, reports by other oversight bodies, review of academic and relevant literature, perspectives from Government agencies and officials, and information from private-sector entities. To compile this document, we considered comments from the FDIC, and while exercising our independent judgment, we incorporated suggestions where appropriate. We acknowledge several instances where the FDIC has taken steps to address the Challenge, particularly where the Agency has implemented concrete actions that demonstrate a direct relationship towards achieving a desired outcome. We also recognize that there may be other ongoing plans and intentions for future activities that might still be under development at the time of this writing. We identified nine Top Challenges facing the FDIC: The FDIC's Readiness for Crises. The FDIC must be prepared for all crises, because of its unique role in overseeing and administering the DIF, which insures the bank accounts of millions of depositors and consumers. The FDIC faces Challenges in fully developing its plans to respond to an unfolding crisis. Further, the FDIC should consider climate-related risks with respect to the report issued by the Financial Stability Oversight Council, and whether it will take actions in response to the reports recommendations in preparing its supervisory and examination processes. The FDIC should also be ready to respond to evolving risks associated with the current pandemic and other crises, including supervising and examining Government-guaranteed loans at banks and related fraud risks. Cybersecurity for Banks and Third-Party Service Providers. Cybersecurity has been identified as the most significant threat to the banking sector and the critical infrastructure of the United States. The FDIC faces Challenges to ensure that examiners have the appropriate skillsets and knowledge to conduct information technology examinations that adequately identify and mitigate cybersecurity risks at banks and their third-party service providers (TSP). Further, the FDIC should establish a process to receive, analyze, and act on reports of significant cyber incidents at banks in order to adjust supervisory strategies, policies, and training for bank examiners; to warn other banks of such threats; and to prepare for potential bank failures. Mitigating cybersecurity risk is critical as a cyber incident at one bank or TSP has the potential to cause contagion within the financial sector. The FDIC also should assess the risks to banks presented by crypto assets, particularly with respect to the anonymous nature of these assets and the increased risk of money laundering and other wrongdoing. Supporting Underserved Communities in Banking. The FDIC should ensure that its programs - including those that support Minority Depository Institutions and Community Development Financial Institutions -- are effectively designed to foster financial inclusion and reduce the number of unbanked and underbanked individuals. Further, the FDIC's examinations should continue to ensure that banks are in compliance with regulations that combat discriminatory lending practices against low-income borrowers and minority populations. The FDIC also should ensure that its examiners have the skills, capabilities, and procedures to assess the effect of banks'use of artificial intelligence in decision-making and minimize any undue bias related to the algorithms or historical data used. Organizational Governance at the FDIC. Effective governance allows FDIC Board members and senior FDIC officials to manage the affairs of the Agency and its risks, formulate regulatory policy, and provide clear guidance to banks and FDIC Regional Offices. Through these processes, the FDIC can allocate resources, prioritize and improve the flow of risk information to decision-makers, and work towards achieving the FDIC's mission. The FDIC faces Challenges in providing clarity concerning the submission of motions presented to the Board of Directors for consideration and approval. Further, the FDIC should ensure that the Board, through its Audit Committee, can oversee and manage the risks identified and monitored through its Enterprise Risk Management Program. The FDIC also should clarify under what circumstances and which portions or provisions of Executive Branch policies or guidance are to be followed. In addition, the FDIC should ensure that weaknesses in FDIC programs are corrected and recommendations are addressed in a timely manner. FDIC rulemaking and guidance should also be aligned with other regulators to ensure that banks are not treated differently depending upon their primary regulator. FDIC internal guidance also should be clearly defined to ensure consistent application of FDIC program requirements. In addition, FDIC rulemaking should be a transparent process that analyzes the need for safety and soundness regulations and the compliance burden placed on banks. Information Technology Security at the FDIC. The FDIC relies on its IT systems for day-to-day activities and especially during crises. The FDIC continues to face Challenges to ensure that it has strong information security processes to guard against persistent and increasing cyber threats against Federal agencies. Security control weaknesses of FDIC systems limit the effectiveness of FDIC controls, which places the confidentiality, integrity, and availability of FDIC systems and data at risk. The FDIC should address its outstanding corrective actions related to IT security controls, management of privileged Administrative Accounts, and oversight and monitoring of information systems. Further, the FDIC should ensure that it establishes effective security controls for its mobile devices and for the automated systems that monitor and control critical building services at facilities. Security and Privacy at the FDIC. The FDIC employs a workforce of approximately 5,800 employees and 1,600 contract personnel at 92 FDIC facilities throughout the country, and it is custodian of 76 IT systems and voluminous hard-copy records. The FDIC should continue to manage risks associated with its personnel security and suitability processes to ensure that employees and contractors undergo appropriate and timely investigations and re-investigations commensurate with their positions. As well, the FDIC should maintain its risk-based physical security program and ensure that its policies promote an FDIC work environment that is free from discrimination, harassment, and retaliation. Further, the FDIC should have effective programs to safeguard all forms of sensitive and Personally Identifiable Information in its possession. The FDIC's Collection, Analysis, and Use of Data. Data and information can enhance capabilities to mitigate threats against banks and the U.S. financial system. The FDIC faces Challenges in establishing effective processes to govern its sharing of threat information to guide the supervision of financial institutions. Effective sharing of threat information helps the FDIC to protect the DIF and the financial system by building situational awareness; supporting risk-informed decision-making; and influencing supervisory strategies, policies, and training. The FDIC should establish a written governance structure and implement a Charter to establish a common understanding of its Threat Information Sharing program and define an overall strategy and requirements for it. Further, the FDIC should develop goals, objectives, and measures to guide the performance of its Intelligence Support Program, and it should establish adequate policies and procedures to define roles and responsibilities. The FDIC faces Challenges in the four component functions of Threat Information Sharing - acquisition, analysis, dissemination, and feedback. Further, the FDIC should improve the reliability of its internal data to ensure that the FDIC Board and senior officials can depend upon the data to assess program effectiveness throughout the organization. Contracting and Supply Chain Management at the FDIC. The FDIC awarded over $2 billion in contracts for goods and services in 2021 in support of its mission. The FDIC faces Challenges to establish an effective contract management program that ensures the FDIC receives goods and services according to contract terms, price, and timeframes. Further, the FDIC should have processes in place to identify and ensure heightened monitoring of contracts for Critical Functions, so that the Agency maintains control of its mission functions and prevents over-reliance on contractors. The FDIC also should have programs in place to manage and mitigate security risks associated with the supply chains for contracted goods and services. Further, the FDIC should ensure notifications to contractors and sub-contractor personnel, so that they are advised about and aware of their whistleblower rights and protections, and that they know how to report allegations of misconduct, violations, and gross mismanagement. Human Resources at the FDIC. The FDIC relies on the talents and skills of its employees to achieve its mission, and it faces Challenges in managing its human capital lifecycle. At the present time, nearly 25 percent of the FDIC workforce is eligible to retire, and this figure climbs to nearly 40 percent by 2026. These figures include personnel in key divisions supporting the FDIC mission - including the Division of Resolutions and Receiverships (over 59 percent by 2026); Division of Finance (over 55 percent by 2026); Legal Division (over 51 percent by 2026); and Division of Administration (about 49 percent by 2026). Further, the FDIC should continue to improve its program for the retention of employees, as well as the collection and analysis of relevant personnel data. In addition, the FDIC should continue to ensure diversity and inclusion among its workforce. Absent effective human capital management, the FDIC may lose valuable knowledge and leadership skill sets upon the departure of experienced examiners, managers, and executives. Meeting these Challenges is especially important as the FDIC shifts its operations to a hybrid work environment. FDIC's Readiness for Crises Key Areas of Concern [text box] The primary areas of concern for this Challenge on Crisis Readiness are: .Improving the Crisis Readiness framework at the FDIC and coordination with other financial regulators; .Addressing climate-related risks to banks; and .Supervising and examining banks for the risks associated with Government-guaranteed loans and fraud. The OIG has identified Crisis Readiness as a Top Challenge for the FDIC since 2018. [end of text box] The Financial Stability Oversight Council (FSOC), in its 2021 Annual Report (December 2021), stated that the "risks to U.S. financial stability today are elevated compared to before the pandemic." The FSOC Annual Report further indicated that "[s]ome episodes in financial markets [in 2021] generated unusually high volatility. . . Vulnerabilities include structural weakness in the financial system and its regulatory framework. Vulnerabilities in the financial system can amplify the impact of an initial shock, potentially leading to substantial disruptions in the provision of financial services." The FDIC should continue its efforts to be prepared for a wide range of crises that could affect bank operations, including cybersecurity threats, natural disasters, climate change, money laundering, and terrorism. Improving the Crisis Readiness Framework at the FDIC and Coordination with Other Financial Regulators The FDIC should fortify its operations and activities to address risks through the implementation of its Crisis Readiness plans. The FDIC should have agile supervisory processes to address risks stemming from crises, including climate-related risks. In our OIG report, The FDIC's Readiness for Crises (April 2020), we found that the FDIC did not have documented Agency policy and procedures for a crisis readiness planning process; did not have an Agency-wide all-hazards readiness plan nor Agency-wide hazard-specific readiness plans; and did not train personnel on the plans' contents. The FDIC needed to fully establish seven elements of crisis readiness to be prepared to respond to any type of crisis that may impact the banking system: (1) policies and procedures; (2) plans; (3) training; (4) exercises; (5) lessons learned; (6) maintenance; and (7) assessment and reporting. Based upon the findings in our report, the FDIC has taken several steps to institute crisis planning policies and procedures and has established a new Crisis Readiness & Response Section within the Division of Administration. While most of our recommendations have been implemented, the FDIC has yet to implement an important recommendation from our report issued in April 2020: to establish and implement Agency-wide hazard-specific readiness plans. Hazard-specific plans address special response procedures that may be unique to a particular hazard. The FDIC plans to implement this recommendation by March 2022. In addition, the FDIC should coordinate with FSOC and its member agencies on Crisis Readiness planning. Both the Government Accountability Office (GAO) and the International Monetary Fund (IMF) have recommended that FSOC enhance its crisis preparedness role.1 In particular, the IMF stated that FSOC "should devote greater attention to ensuring that the [Federal banking regulatory agencies] and the Treasury have comprehensive and complementary organization-wide preparedness plans." FSOC's mandate includes responding to emerging financial stability threats and serving as a forum for coordination among its member agencies. As noted by the IMF, this design of FSOC allows for "collective crisis preparation to ensure decisive and coordinated responses from the entire FSOC community." The Council of Inspectors General on Financial Oversight (CIGFO)2 is preparing a guidance document for FSOC that is a compilation of information and activities that are integral to pre-crisis planning and crisis management. Once issued, the CIGFO Guidance may be used to assist FSOC in fulfilling its coordination role and help identify risks to the financial stability of the United States by considering: (i) the type of crisis planning materials that are available for collection and dissemination to and from member agencies; (ii) the threats posed to financial stability relating to potential gaps in crisis planning activities; and (iii) prioritizing crisis planning. In addition, the Guidance will provide useful information to member agencies about crisis readiness practices in order to improve preparedness procedures; identify potential gaps in readiness plans; and assist in managing future crises. The FDIC, as a member agency of FSOC, is in a position to support and advance this interagency effort. Addressing Climate-Related Risks to Banks Banks may incur climate-related risks from exposure to losses from companies that rely on fossil fuels.3 For example, banks may face losses on loans issued to entities that invest in oil, gas, power, utilities, and agriculture. According to CNBC, the "60 largest commercial and investment banks have collectively financed $3.8 trillion in fossil fuel company loans between 2016 and 2020."4 For the first time, both FSOC and the Federal Reserve Bank of New York have reported that climate change may affect the financial sector.5 According to the Office of the Comptroller of the Currency (OCC), "[w]eaknesses in how banks identify, measure, monitor, and control the potential physical and transition risks associated with a changing climate could adversely affect a bank's safety and soundness, as well as the overall financial system."6 Further, bank portfolios include risk exposure to businesses and households that may suffer physical effects from climate-related risks.7 According to estimates from the National Oceanic and Atmospheric Administration (NOAA), the cumulative cost for the 285 weather and climate disasters in the United States in 2020 exceeded $1.875 trillion, with 22 events resulting in at least $1 billion in damages (Figure 1). [Figure 1] Figure 1 depics the U.S. 2020 Billion-Dollar Weather and Climate Disasters: Central Severe Weather, July 10-11; Western Wildfires, California, Oregon, Washington Firestorms Fall 2020; Western/Central Drought and Heatwave Summer-Fall 2020; Central and Eastern Severe Weather May 3-5; Southern Severe Weather April 21-23; Central Southern, and Eastern Severe Weather April 27-30; South Texas Hail Storms May 27; Hurricane Hanna July 25-26; Hurricane Delta October 9-11; Hurricane Laura August 27-28; Hurrican Zeta October 28-29; Hurricane Sally September 15-17; Tropical Storm Eta November 8-12; Southeast and Eastern Tornado Outbreak April 12-13; South, Central and Eastern Severe Weather May 20-23; South, East and Northeast Severe Weather Feb. 5-7; Hurrican Isaias August 3-4; Tennessee Tornadoes and Southeast Severe Weather March 2-4; Southeast Tornadoes and Northern Storms and Flooding Jan.10-12; Midwest and Ohio Valley Severe Weather March 27-28; North Central and Ohio Valley Hail Storms and Severe Weather April 7-8; Central Severe Weather-Derecho August 10. Source: NOAA National Centers for Enivironmental Information, U.S. Billion-Dollar Weather and Climate Disasters (2021). [End of Figure 1] On May 20, 2021, the President signed Executive Order 14030, Climate-Related Financial Risk, to "advance consistent clear, intelligible, comparable, and accurate disclosure of climate-related financial risk." This Executive Order required, among other things, an assessment of climate-related financial risk by Federal financial regulators. On October 21, 2021, FSOC issued its Report on Climate-Related Financial Risk (FSOC Climate Report). The FSOC Climate Report characterized climate change as an "emerging threat to the financial stability of the United States" and made 30 recommendations to FSOC members related to four topic areas: .Building capacity and expanding efforts to address climate-related financial risks. Agencies should invest in their capacity to define, identify, measure, monitor, assess, and report on the financial impact of climate change. .Filling climate-related data and methodology gaps. Agencies should compile an inventory of existing climate-related risk data and develop plans to acquire additional needed data through collection, sharing, or procurement. .Enhancing public climate-related disclosures. Agencies should assess current public disclosure requirements and adjust them to address climate-related risks. .Assessing and mitigating climate-related risks that could threaten the stability of the financial system. Agencies should use scenario analysis such as modeling to assess climate-related financial risk and assess whether additional regulations or guidance are needed to clarify supervisory expectations. The FSOC Climate Report noted that coordination among regulators, including international bodies, should be robust in order to expand capacity, improve data and measurement, enhance disclosures, assess the scale of potential vulnerabilities, and make appropriate adjustments in regulatory and supervisory tools. CIGFO is currently reviewing the actions of FSOC and its member agencies regarding the implementation of Executive Order 14030 and the recommendations in the FSOC Climate Report. The FDIC Chair (hereinafter referring to the Chair who served from June 2018 to February 2022) abstained from casting her vote on the FSOC Climate Report, explaining that "FSOC has not had an adequate opportunity to conduct sufficient analysis, fully consider broader macro consequences, and thoroughly evaluate the impact of its recommendations."8 The FDIC will need to determine whether it intends to implement the recommendations contained in the FSOC Climate Report. If the FDIC plans to implement the FSOC recommendations, the Agency will need to decide how it will undertake such actions. If the FDIC does not intend to implement such recommendations, it may be out of step with other Federal financial regulators with respect to bank examinations, crisis preparedness, and risk management. In response to performance goals noted in the FDIC 2021 Annual Performance Plan, FDIC economists and policy staff have been working with other regulatory agencies and international bodies on climate-related financial risks, including participation on the Task Force for Climate-Related Financial Risks of the Basel Committee on Banking Supervision. The FDIC Division of Insurance and Research also has conducted research on climate-related risk to local banks and economies for six weather events in the United States. This research also assessed the impact on low- and moderate-income areas before and after each climate event. In late 2021, the FDIC engaged with other banking regulators to draft a Request for Information and Comment (RFI/C) on climate-related financial risks. However, this RFI/C document was never issued or published, and as a result, no comments were received. On December 16, 2021, the OCC issued a set of draft principles designed to support the identification and management of climate-related financial risks at institutions. These risks include Credit Risk, Liquidity Risk, Operational Risk, Legal/Compliance Risk, as well as other financial and non-financial risks. FDIC Regional Risk Committees have identified climate-related risks on a regional level, but as of December 2021, the FDIC had not identified climate-related risk on its Agency-wide Risk Inventory or Risk Profile as part of its Enterprise Risk Management program. In order to address the FSOC recommendations, the FDIC would need a coordinated effort among its Divisions and Offices, other regulators, and international organizations.9 In so doing, the FDIC would need to continue to gather climate-related risk data and establish processes to define, measure, monitor, assess, and report on these risks. Further, according to the FSOC Climate Report, climate-related risk may disproportionately affect vulnerable populations and underserved communities. Additionally, the Environmental Protection Agency stated that "the most severe harms from climate change fall disproportionally upon underserved communities who are least able to prepare for, and recover from, heat waves, poor air quality, flooding and other impacts."10 The FDIC will need to continue to consider how such risks affect its programs serving these communities. Supervising and Examining Banks for the Risks Associated with Government-Guaranteed Loans and Fraud In March 2020, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) created the Paycheck Protection Program (PPP) in order to provide financial relief and Government-guaranteed loans to small businesses adversely affected by the pandemic. The PPP loans are provided through our Nation's banks and the program is administered by the Small Business Administration (SBA). According to the SBA, more than 11 million PPP loans were issued by more than 5,400 lenders - primarily community banks supervised by the FDIC. These PPP loans amounted to nearly $800 billion.11 According to a study by the University of Texas, it is estimated that more than seven percent of loans made by nanks had indications of fraud.12 As of March 2021, approximately 83 percent of FDIC-supervised institutions (2,689 banks) carried PPP loans on their balance sheets. These institutions held approximately 1.5 million PPP loans totaling about $145 billion. Based on our analysis of PPP loan data, 46 FDIC-regulated banks had PPP loan portfolios that accounted for more than 20 percent of the bank's total assets. In fact, six such banks held portfolios where PPP loans ranged from 50 to 75 percent of the bank's total assets. As of March 2021, the U.S. Government has charged 474 defendants in 56 Federal districts with crimes related to pandemic fraud.13 In particular, FDIC OIG investigations resulted in more than 110 indictments and criminal complaints, resulting in 65 arrests and 41 convictions. These cases involve defendants who aim to steal funds from a Government program that was intended to help those most in need during the pandemic. The PPP fraud schemes are complex and sophisticated, and they involve the use of synthetic identities, financial technology services (FinTech), bank insiders, and criminal organizations. In June 2020, the FDIC stated its view that, "[g]iven the 100 percent SBA guarantee, there is, in effect, no credit risk associated with loans extended under the program, provided the lender complied with its obligations under the PPP."14 However, because of the substantial volume of PPP loans at FDIC banks and the potential fraud associated with this program, there may be risk to banks that have not complied with the requirements of the PPP loan program. According to the program requirements, the Government may be released from its guarantee obligation if a bank fails to materially comply with program requirements, such as loan administration, underwriting, and servicing. If banks are not in compliance with program requirements, they may be required to absorb PPP loan losses. As a result, the loan guarantee is not absolute, and banks may bear credit risk for non-compliance with the PPP program. The OCC has recognized banks' heightened compliance risks for PPP loans in its recent report Semiannual Risk Perspectives (Fall 2021), as well as in its prior OCC reports. In addition, PPP loans may pose reputational and compliance risks to financial institutions, and banks may have to set aside additional funding to address compliance and legal risks associated with potential loan revocation. We have ongoing work to review the FDIC's examination of the risks associated with PPP and other Government-guaranteed loans. As a banking regulator that insures deposits and resolves failed banks, the FDIC must remain vigilant in preparing for future crises. The FDIC should continue to expeditiously develop and implement its Crisis Readiness framework and coordinate with other financial regulators. In so doing, the FDIC should assess and address the impact of climate-change risks in its crisis preparedness program activities and bank supervision. Further, the FDIC should closely examine the risks posed by guaranteed loan fraud. Cybersecurity at Banks and Third-Party Service Providers Key Areas of Concern [text box] The primary areas of concern for this Challenge on Cybersecurity at Banks and Third-Party Service Providers (TSP) are: .Ensuring that FDIC bank examinations adequately assess and address cybersecurity risks at financial institutions and their TSPs; .Ensuring that banks report serious cyber security incidents to the FDIC in a timely manner, so that it can take appropriate action; and .Supervising and managing risks associated with crypto assets. The OIG has identified Cybersecurity in the banking sector as a Top Challenge for the FDIC since 2018, particularly with respect to TSPs and emerging technologies. [end of text box] FSOC, in its 2021 Annual Report (December 2021), noted that "[a] destabilizing cybersecurity incident could potentially threaten the stability of the U.S. financial system by disrupting a key financial service or utility, causing loss of confidence among a broad set of customers or market participants, or compromising the integrity of critical data." The FSOC Annual Report continued that the financial sector "is vulnerable to ransomware and other malware attacks, denial of service attacks, data breaches, and other events. Such incidents have the potential to impact tens or even hundreds of millions of Americans and result in financial losses of billions of dollars due to disruption of operations, theft, and recovery costs." In April 2021, the Chairman of the Federal Reserve Board (FRB) also identified cybersecurity risk at banks as the most significant risk to financial institutions today. The FRB Chairman explained that "[t]here are cyber-attacks every day on all major institutions" and a successful attack on a large institution could cause a broad part of the financial system to come to a halt. According to the OCC Semiannual Risk Perspective (Fall 2021), banks' expanded use of remote work for employees and increased use of TSPs increases the importance of cyber controls. Analysis by the Financial Crimes Enforcement Network (FinCEN) found that banks reported more than $590 million in suspicious activity related to ransomware in just the first 6 months of 2021. This figure was greater than the amount reported for the entire previous year ($416 million reported in 2020) - an increase of approximately 41 percent. Banks may suffer cyber attacks directly at the institutions, or alternatively through interconnections with third parties that provide banks with services, such as accounting, transaction processing, loan servicing, and human resources.16 The 2021 FSOC Annual Report stated that "financial institutions have increased their reliance on third-party service providers for teleworking tools and services. The interdependency of these networks and technologies supporting critical operations magnifies cyber risks, threatening the operational risk mitigation capabilities not just at individual institutions, but also of the financial sector as a whole." In the OCC Semiannual Risk Report (Fall 2021), the OCC recognized that cyber actors continue to exploit "vulnerabilities in third-party hardware and software systems to conduct malicious cyber activities." Further, the Federal Reserve noted that "[c]yber shocks may spread through the financial system through complex and often unrecognized interdependencies across firms, including a layer of exposures to shared technologies and third-party service providers."17 For example, in December 2021, the Cybersecurity & Infrastructure Security Agency issued an Emergency Directive regarding a vulnerability in remote software used by banks known as Apache Software Foundation's Log4j. For banks running this software, the vulnerability may allow hackers to download malware in order to steal customer login information, transfer funds, and open fraudulent accounts.18 Also, in July 2021, cyber-hackers targeted the remote software of information technology (IT) firm Kaseya, which provides software as a service to banks. As a result, hackers were able to infiltrate Kaseya customers' networks and install ransomware. The ransomware locked the victim companies' data and released it only after a ransom of $70 million was paid in cryptocurrency. Assessing and Addressing Cybersecurity Risks at Banks and Third-Party Service Providers According to the Boston Consulting Group, "[f]inancial services firms are 300 times as likely as other companies to be targeted by a cyberattack."19 A study by Constella Intelligence found that between 2018 and 2021, financial services companies suffered nearly 6,500 breaches that exposed 3.3 million records, including email communications, dates of birth, credit card information, addresses, telephone numbers, and account login credentials.20 Further, bank employees' remote work increases cyber risks as employees access information remotely through multiple connections.21 Employee wireless networks, router software, and cameras provide new means for cyber attacks. Financial institutions of all sizes, including community banks, may be targets of cyber attacks. For example, in May 2021, two ransomware groups appear to have infiltrated the servers of three community banks, stealing data and demanding a ransom.22 In the following month, a ransomware group attacked a New Jersey community bank. The bank stated that it was able to contain the attack, because it was made on a network that was separate from its operational systems.23 FDIC IT examinations must be capable of identifying and addressing weaknesses in cybersecurity risk management at supervised banks and their TSPs. The FDIC conducts IT risk examinations to assess whether bank management has appropriate controls in place to mitigate cybersecurity risks and to assess financial institutions' management of TSP risk. The FDIC also examines a subset of TSPs for the soundness of their risk management and cybersecurity practices. Since 2016, the FDIC has been using the Information Technology Risk Examination (InTREx) work program24 to conduct bank IT examinations and assess financial institutions' oversight of TSPs. An initial InTREx procedure, the Information Technology Profile scoring matrix, is used by examiners to determine the scope of an IT examination consistent with the bank's IT complexity and risk profile, and to allocate resources to the examination. The scope of an IT examination may increase due to, among other things, the introduction of new business lines or technology, or the addition of a TSP. The FDIC should ensure that its assessments accurately capture current and relevant risks and reflect the scope and complexity of banks' IT security and systems. The FDIC should also ensure that it has appropriate examination processes, resources, and staff. FDIC examiners should have up-to-date information on cyber controls and threats, and the requisite skills to identify risks and complete thorough examinations. We are currently conducting an audit of the InTREx program. The objective of our work is to determine the effectiveness of the InTREx program in assessing and addressing IT and cyber risks at FDIC-supervised financial institutions. Reporting Cybersecurity Incidents at Banks Banks should report cyber incidents to Federal regulators in a timely manner so that the regulators may take appropriate supervisory actions to address and mitigate the risks associated with such incidents. It is important for regulators to receive this information, as a cyber incident at one bank could result in contagion from the affected bank to another bank, and prompt similar attacks at other banks. Armed with knowledge of cyber incidents, the FDIC can warn other supervised banks of these threats and execute preparations for potential bank failures if needed. Further, cyber incident reporting may allow the FDIC to shift examination and resolution resources to address these cyber risks. The FDIC also may use these incident reports to adjust its supervisory strategies, as well as its examinations, policies, and training to assist examiners in identifying and mitigating emerging risks. On April 30, 2020, the OIG issued a Management Advisory Memorandum to the FDIC uncovering a gap in regulation. Federal regulations did not require banks to report destructive cyber incidents to Federal banking regulators, even though such incidents could jeopardize the safety and soundness of an institution. In response to our OIG Management Advisory Memorandum, Federal banking regulators proposed a regulation that would require financial institutions to promptly notify their primary Federal regulator in the event of a computer security incident.25 On November 18, 2021, Federal banking regulators promulgated a rule requiring that banks report computer security incidents "no later than 36 hours after the banking organization determines that a notification incident has occurred."26 The FDIC should ensure that it has clear guidance, procedures, and processes in place to receive, evaluate, analyze, and investigate these reports from the banks. Supervising and Managing Risks Posed by Crypto Assets Crypto assets are a digital form of value that is issued or transferred using distributed ledger or blockchain technology.27 The 2021 FSOC Annual Report recognized that "the rapid growth of digital assets, including stablecoins and lending and borrowing on digital asset trading platforms, is an important potential emerging vulnerability." The FSOC Report continued that digital assets "pose risks related to illicit financing, national security, cybersecurity, privacy, and international monetary and payment system integrity." It has been reported that the cryptocurrency market amounted to more than $2 trillion.28 According to the OCC Semiannual Risk Report (Fall 2021), banks are exploring "the development of crypto-custody services, crypto-asset derivative products, or the provisions of access to third-party crypto-related products." The Basel Committee on Banking Supervision stated that virtual currencies "raise financial stability concerns and increase risks faced by banks."29 Crypto assets "have exhibited a high degree of volatility, and could present risks for banks as exposures increase, including liquidity risk, credit risk, market risk, operational risk (including fraud and cyber risks), money laundering / terrorist financing risk, and legal and reputation risks."30 The U.S. regulatory landscape for digital assets is unclear and fragmented. In May 2021, the Secretary of the Treasury stated that the United States does not yet have an "adequate framework" for tackling cryptocurrency regulation.31 The FDIC Chair noted that stablecoins (a fungible token pegged to or redeemable for fiat currency) could also lead to "money migrating out of insured banks with significant ramifications for credit creation, financial stability, and bank funding."The Chairman of the FRB stated that "if[stablecoins] are going to be a significant part of the payments universe . . . we need an appropriate regulatory framework, which frankly we don't have."33 The President's Working Group on Financial Markets' Report on Stablecoins noted that the prospect of a stablecoin not performing could cause mass redemption of multiple coins and fire sales of the reserve assets.34 The market capitalization for stablecoins was estimated at approximately $115 billion as of July 2021.35 The FDIC should assess the risks involved with banks'entry into crypto assets and stablecoins, and determine what regulatory actions to take. The FDIC should also ensure that examiners have proper skillsets and training to understand and assess these risks. In addition, because the FDIC becomes responsible for the assets of a failed U.S. bank, the FDIC should determine how to resolve banks that hold digital assets. On May 21, 2021, the FDIC issued a request for information soliciting comments about current and potential digital asset activities. On November 23, 2021, bank regulators, including the FDIC, summarized their work on a crypto asset policy "sprint" on crypto-asset-related activities.36 The FDIC's work in this area remains ongoing. A cyber incident at a bank or its TSP has the potential for wide disruption throughout the banking sector. The FDIC should ensure that it has the procedures and personnel with the appropriate skills to conduct effective IT examinations to assess banks' cybersecurity risks. The FDIC should receive prompt notification of bank cyber incidents in order to take appropriate supervisory action. Further, the FDIC should evaluate the risks to banks posed by cryptocurrencies and stablecoins, and adjust FDIC guidance, policies, supervisory strategies, examination procedures, and training accordingly. Supporting Underserved Communities in Banking Key Areas of Concern [text box] The primary areas of concern for this Challenge on Supporting Underserved Communities are: .Fostering financial inclusion for the unbanked and underbanked; and .Understanding bias risk associated with technology. The OIG has identified Supporting Underserved Communities as a Top Challenge for the FDIC since 2020. [end of text box] According to the World Bank, financial inclusion is a "key enabler to reducing poverty and boosting prosperity."37 As noted by the FDIC Chair, "[w]hen talking about financial inclusion, the question before us is not merely whether a person has a checking account or a credit card but, more fundamentally, whether they are a part of the financial fabric of the United States."38 Fostering Financial Inclusion for the Unbanked and Underbanked On January 20, 2021, the President issued Executive Order 13985, Advancing Racial Equity and Support for Underserved Communities Through the Federal Government, which aims to pursue a comprehensive approach to advancing equity for all, including people of color and others who have been historically underserved, marginalized, and adversely affected by persistent poverty and inequality. The Executive Order requires that most Federal agencies "recognize and work to redress inequities in their policies and programs that serve as barriers to equal opportunity." Such policies and programs should include those geared towards financial inclusion. In June 2021, the FDIC Chair emphasized, however, that despite the Agency's efforts, "millions of American households remain unbanked and millions of Americans do not have a credit score."39 The Chair noted that "[t]he persistent gap in access to the banking system has shown that we must think outside the box to create a regulatory system that will help close this gap." In a study published in October 2020, the FDIC found that 7.1 million U.S. households (5.4 percent) lacked a checking or savings account at an insured financial institution. Importantly, minority households were more likely to be among the unbanked. For example, 13.8 percent of Black households surveyed and 12.2 percent of Hispanic households surveyed were unbanked in 2019, as compared to only 2.5 percent of White households. Further, as noted in the Crisis Readiness section of this Report, climate-related risk may disproportionately affect vulnerable populations and underserved communities. The Environmental Protection Agency stated that "the most severe harms from climate change fall disproportionally upon underserved communities who are least able to prepare for, and recover from, heat waves, poor air quality, flooding and other impacts."40 The FDIC will need to consider how climate-related risks affect its programs serving these communities. The FDIC should also ensure that its programs designed to foster financial inclusion and reduce the number of unbanked and underbanked individuals are effective. These programs include support of Minority Depository Institutions (MDI) and Community Development Financial Institutions (CDFI) that provide financial products and services to individuals and businesses in minority, low-income, and rural communities. The FDIC also promotes access to banking through community affairs programs in its Regional Offices. Further, the FDIC conducts examinations to ensure that banks are in compliance with regulations such as the Community Reinvestment Act (CRA). The CRA and its regulations aim to "combat the legacy of discriminatory lending practices against low-income borrowers and minority populations."41 In September 2021, the FDIC launched an initiative to address unbanked households. The Mission-Driven Bank Fund is a capital investment vehicle that will channel private-sector investments to support MDIs and CDFIs. The Fund is intended to help MDIs and CDFIs raise capital. Although the FDIC does not participate in the Fund's management or individual investment decisions, the FDIC should assess the alignment of the Fund's ongoing operations with FDIC objectives to ensure the advancement of equity in underserved communities. In addition, in November 2021, the FDIC established a new Office of Minority and Community Development Banking to support the Agency's engagement with MDIs, CDFIs, and other mission-driven banks.42 This effort remains under development. Understanding Bias Risk Associated with Technology According to the World Economic Forum survey of 151 global financial services companies, 85 percent are using artificial intelligence (AI) in their operations.43 Banks' use of AI includes, for example, lending decisions.44 While AI has the potential to lower lending costs and improve the speed of credit decisions, such innovative technologies may have unintended consequences, such as the exclusion of individuals based on biased algorithms or flawed data.45 The Federal Reserve Bank of San Francisco noted that unchecked technological innovation can introduce a variety of risks and consumer harm.46 Specifically, the Federal Reserve Bank of San Francsisco cited a reasearch study from the University of California at Berkley that indicated that machine learning can result in minority borrowers experiencing higher loan rates and more expensive financial products. Algorithms and complex machine learning models, such as AI, may rely on outdated or flawed data or mistakes in rule development.47 For example, AI algorithms may perpetuate discriminatory lending practices and higher interest rates charged to African American and Latino borrowers, as reflected in historical loan data.48 On November 29, 2021, the Chairwoman of the Committee on Financial Services, U.S. House of Representatives, and Congressman Bill Foster transmitted a letter to financial regulators, including the FDIC, noting that the use of historical data as "inputs for AI and ML [machine learning] can reveal longstanding biases, potentially creating models that discriminate against protected classes, such as race or sex, or proxies of these variables." The Committee highlighted several principles: Transparency and Explainability; Oversight and Enforceability; Safeguarding Consumer Privacy; and Promoting Fairness and Equity in AI Usage. The letter encouraged regulators to keep pace with the rapid developments to "ensure that AI regulation and rulemaking can meaningfully address appropriate governance, risk management, and controls over AI." The FDIC's consumer compliance examiners should have the proper skillsets to understand and assess the new technologies used by banks and detect potential biases. Further, examiners should have effective examination processes and procedures to monitor for technology biases. The FDIC plays an important role in fostering economic inclusion and maintaining confidence in the U.S. banking system. It is well positioned to help support and empower minority communities' access to capital. The FDIC should continue its efforts to assess the effectiveness of its MDI and CDFI outreach programs and continue to promote financial and technological innovations to achieve economic inclusion while at the same time avoiding potential biases. Organizational Governance at the FDIC Key Areas of Concern [text box] The primary areas of concern for this Challenge on Organizational Governance are: .Clarifying protocols for submissions to the FDIC Board of Directors; .Incorporating important risks into the FDIC's Enterprise Risk Management (ERM) program; .Explaining whether the FDIC will follow certain Executive Branch policies and guidance; .Addressing recurring recommendations; .Ensuring clarity and consistency of FDIC policies and alignment with other regulators; and .Enhancing FDIC rulemaking. The OIG has identified Governance as a Top Challenge for the FDIC since 2018, particularly with respect to ERM and rulemaking. [end of text box] FDIC Board members and senior FDIC officials are responsible for administering the affairs of the Agency, managing its risks, establishing regulatory policy, and providing clear guidance to banks and throughout the Agency. Organizational governance refers to a management framework that incorporates operational, financial, risk management, and reporting processes so that FDIC Board members and senior officials can effectively plan, govern, and meet strategic objectives.49 A governance framework should ensure strategic guidance, effective monitoring of management, and accountability to stakeholders.50 FDIC Board members are appointed by the President and confirmed by the Senate, and include: the FDIC Chair, FDIC Vice Chair, Comptroller of the Currency, Director of the Bureau of Consumer Financial Protection (CFPB), and an independent Director. The FDIC Board has been operating with only four members since 2015, and the Vice Chair position has been vacant since April 2018. On December 31, 2021, the FDIC Chair announced that she would be resigning from her position, effective February 4, 2022 - thus, leaving three remaining members of the FDIC Board (an acting FDIC Chair, CFPB Director, and acting Comptroller of the Currency). In February 2022, the FDIC's Chief of Staff and Chief Operating Officer, Chief Innovation Officer, General Counsel, and Deputy Director for Policy also announced their departures from the FDIC. The Director of the Division of Insurance and Research will also retire in 2022. Clarifying Protocols for Submissions to the FDIC Board of Directors FDIC Board members play a critical role in shaping FDIC policies and processes. FDIC Board members are responsible for considering and approving motions brought before the Board, such as the issuance or modification of regulations and guidance. However, the process for bringing such measures to the Board has been in dispute. On November 26, 2021, the CFPB Director, as a member of the FDIC Board, requested that the Board take action to publish a Request for Information and Comment (RFI/C) regarding bank merger transactions; this action was also recommended by two other Board members. On the same day, the FDIC General Counsel wrote that this action was not valid, because the FDIC bylaws do not confer authority to an individual Board member to circulate an item for a vote, and such authority rests with the Executive Secretary under the supervision of the General Counsel and at the direction of the Chair. On December 6, 2021, the three Directors submitted written votes to approve the RFI/C, and the FDIC General Counsel reiterated his position that the CFPB Director (as a member of the FDIC Board) did not have authority to circulate an item for a vote, and that the subsequent Directors' responses did not constitute valid votes. The CFPB Director expressed his view that the FDIC Board had approved the RFI/C. On December 9, 2021, the CFPB released the RFI/C on its website, and the FDIC issued a statement that the document was not approved for publication because there was no valid vote by the FDIC Board according to longstanding FDIC internal policies and procedures.51 At a Board meeting on December 14, 2021, the CFPB Director (as a member of the FDIC Board) moved that the written vote on the RFI/C be included in the minutes of the Board meeting, and the Chair ruled that the motion was not in order. The dispute about the authorities of the FDIC Chair and individual Board members to bring items before the FDIC Board for a vote creates uncertainty about the organizational governance and structure of the FDIC. The FDIC should clarify and resolve the requirements for consideration of actions by the FDIC Board of Directors. Incorporating Risks into the FDIC's Enterprise Risk Management Program The FDIC faces an array of risks that should be identified, assessed, and considered by the FDIC Board and senior FDIC officials. Enterprise Risk Management (ERM) is an essential component of governance that provides an entity-wide view of the full spectrum of internal and external risks facing an organization. Effective ERM provides information to Board members and senior FDIC officials, so that they can allocate resources appropriately, effectively prioritize and proactively manage risk, improve the flow of risk information, and work towards achieving the FDIC's mission. ERM assists Federal agencies in the identification, assessment, and mitigation of external and internal risks. On May 25, 2021, the FDIC Board delegated ERM responsibilities to its Audit Committee, which now oversees the ERM program and is responsible for ensuring that relevant risks are identified and addressed. It is not clear or transparent the processes by which the FDIC Audit Committee will consider the range of risks facing the enterprise, and debate and deliberate over the proposed risk ratings. The Audit Committee oversees and has responsibility for the agency's ERM activities. In our OIG evaluation, The FDIC's Implementation of Enterprise Risk Management (July 2020), we determined that ERM was not fully implemented at the FDIC, and, therefore, proper execution of program activities, roles, and responsibilities had yet to take place. Without a mature governance structure over ERM, the FDIC could not be sure that ERM would be fully integrated into the Agency and its culture, and the FDIC would develop a comprehensive portfolio view of risk at the Agency. The FDIC addressed the eight recommendations from our OIG report. In 2021, the FDIC conducted a survey of Agency personnel about the ERM program; the response rate was 22 percent. The FDIC survey noted that less than half of survey participants were familiar with the FDIC's ERM program, including the FDIC's Risk Appetite Statement and how to use it. Further, since the issuance of our report, we have found that the FDIC's ERM process has not identified certain existing risks and not fully assessed the potential impact of other risks, for example: .Personnel Security and Suitability. In our report, The FDIC's Personnel Security and Suitability Program (January 2021), we found that the FDIC's ERM program did not fully reflect the extent of risks associated with untimely, incomplete, or inadequate background investigations. .Critical Functions in Contracts. In our report, Critical Functions in FDIC Contracts (March 2021), we found that the FDIC's ERM Risk Inventory did not recognize procured Critical Functions as a separate and distinct risk, or as an analytical factor in determining inherent or residual risk associated with cybersecurity and privacy support services. A Critical Function is an activity that is necessary for an agency to effectively perform and control its mission and operations. .Climate-Related Financial Risk. The ERM program has not considered or addressed the risks associated with climate change, as identified in the FSOC Climate Report (referenced in the Crisis Readiness Challenge). .Supply Chain Risk. The FDIC has not established an Agency-wide consideration of supply chain risk. As a result, the FDIC's ERM does not capture certain supply chain risks that FDIC Divisions and Offices face, nor does it capture supply chain risks associated with non-IT products and services. We also note that the FDIC's Enterprise Risk Management program has not considered the risks associated with the requirements for Board of Directors' consideration and approval of motions (discussed above), nor the risks related to the Agency's review of bank mergers noted in the RFI/C submitted and approved by the three FDIC Directors.52 These risk factors are not part of the FDIC's Risk Inventory nor its Risk Profile. Explaining Whether the FDIC Will Follow Certain Executive Branch Guidance The Executive Branch regularly issues policies and guidance for Federal agencies, in the form of Executive Orders, Presidential Directives, OMB Circulars and Memoranda, and National Institute of Standards and Technology (NIST) guidance. Such policies and guidance often address risks in operational areas such as information technology, security, privacy, contracting, and risk management. The policies and guidance provide best practices that Executive Branch agencies must implement to mitigate operational risks. In many cases, independent agencies such as the FDIC are not required to follow such requirements; however, the FDIC has, in a number of cases, chosen to voluntarily comply with all, or portions of, certain policies and guidance. It is not clear under what circumstances and which specific portions or provisions of the policies or guidance are to be followed. Ambiguity in the FDIC's determinations and lack of clarity may result in inconsistencies with other agencies (including other bank regulators) and may cause uncertainty and confusion among FDIC employees in the application of such policies and guidance. In addition, such determinations may not seem clear or transparent to the American public. For example, in our OIG report, Whistleblower Rights and Protections for FDIC Contractors (January 2022), we found that the FDIC Division of Administration's (DOA) Acquisition Services Branch voluntarily adopted some of the Federal whistleblower provisions and requirements for insertion into its contracts. However, the FDIC's Legal Division, under its separately delegated contracting authority, did not operate consistently with the FDIC's DOA. The FDIC Legal Division had neither adopted any whistleblower rights notification provisions for contractors nor included any whistleblower clauses in its contracts. Further, we found that FDIC procedures and processes were not aligned with laws, regulations, and policies designed to ensure notice to contractor and subcontractor employees about their whistleblower rights and protections. The FDIC should clearly articulate and explain its determinations regarding whether or not to follow Executive Branch policies and guidance, and it should be transparent under what circumstances and which specific portions or provisions of the policies or guidance are to be followed. Consistent analysis and application, and centralized documentation of these decisions would enhance the confidence and transparency of FDIC operations, programs, and functions. Further, in our recent OIG reports, we found that when the FDIC chooses not to implement certain Executive Branch policies, its programs incur risks that these policies were intended and designed to address or mitigate. For example: .Contracting: The OMB issued Policy Letter 11-01 to provide Federal agencies with guidance on managing contracts for the performance of Critical Functions. 53 The FDIC's Legal Division concluded that the Policy Letter did not apply to the FDIC, but it may be used for guidance. In our OIG evaluation, Critical Functions in FDIC Contracts (March 2021), we found that the FDIC did not have policies and procedures for identifying Critical Functions in its contracts, as recommended by the OMB Policy Letter. Without these best practices in place, the FDIC cannot be assured that it will provide sufficient management oversight of contractors performing Critical Functions. .Enterprise Risk Management (ERM): In 2016, in an effort to modernize existing agency risk management efforts across the Federal Government, the OMB updated its Circular A-123.54 The FDIC took the position that it was not required to follow OMB Circular A-123. As noted earlier, in our OIG evaluation, The FDIC's Implementation of Enterprise Risk Management (July 2020), we found that the FDIC did not fully implement its ERM program in accordance with OMB criteria. Specifically, the FDIC did not establish a clear governance structure, and clearly define authorities, roles, and responsibilities related to ERM. Further, the FDIC did not clearly define the roles, responsibilities, and processes of the committees and groups involved in ERM. .Supply Chain Risk: In our OIG report on The FDIC's Information Security Program-2021 (October 2021), the FDIC stated that the NIST publications for supply chain risk management were not binding on the FDIC, but that the FDIC chose to follow the guidance. NIST guidance includes a Risk Management Framework for supply chains, and the framework is purposefully designed to be technology neutral so that the methodology can be applied to any type of information system without modification.55 However, the FDIC's Supply Chain Risk Management (SCRM) Directive limits the applicability of the NIST framework solely to IT systems, products, and services. As a result, non-IT purchases are not assessed against the NIST framework for supply chain risks. .Rulemaking Cost Benefit Analysis: In our report, Cost Benefit Analysis Process for Rulemaking (2021), we found that the FDIC did not follow identified best practices from Executive Orders, GAO, and other Federal agencies to establish and document a process for determining when to perform cost benefit analyses and how the analyses should be conducted. Addressing Recurring Recommendations The FDIC Board and senior officials should also ensure that program weaknesses are promptly resolved and remediated. The FDIC has encountered several examples in which the OIG has made repeated recommendations to the FDIC in order to improve its programs and operations. Unaddressed program improvement recommendations increase the likelihood that the underlying vulnerabilities or deficiencies will continue or recur. To mitigate these risks, these recommendations should be addressed by the FDIC in a timely manner. We have identified repeated breakdowns in controls, for example: .Incomplete contract files. We made recommendations to address incomplete contract files in two reports issued between 2018 and 2019. In our OIG reviews Payments to Pragmatics (December 2018) and Contract Oversight Management (October 2019), we found that FDIC personnel did not retain appropriate contract documentation in the FDIC's contract repository known as "CE File." Without this documentation, the FDIC faces challenges in monitoring and enforcing contracts in the event of contractor noncompliance. Further, the FDIC may incur additional costs to recover or replace lost documentation, as such processes may require labor-intensive manual searches through hard-copy documentation. .Confidentiality Agreements for Contractors. We identified missing or inadequate Confidentiality Agreements in three reports between 2017 and 2022. In our OIG reviews Controls over Separating Personnel's Access to Sensitive Information (September 2017), Security of Critical Building Services at FDIC-owned Buildings (March 2021), and Whistleblower Rights and Protections for FDIC Contractors (January 2022), we found that the FDIC either did not obtain Confidentiality Agreements from its contractors and contract personnel as required by the contracts, or did not use the current up-to-date Confidentiality Agreement form. Without the required Confidentiality Agreements, the FDIC has reduced assurance that contractors and subcontractors will protect sensitive FDIC information. .Cybersecurity. In each of our past four annual reviews of FDIC information security (2018 through 2021), we reported weaknesses related to the FDIC's management of Administrative Accounts.56 Weaknesses in the FDIC's processes for managing Administrative Accounts increase the risk of unauthorized activity, such as individuals accessing, modifying, deleting, or exfiltrating sensitive information. We also found that the FDIC continues to have overdue and unaddressed information security control deficiencies. Without consistently addressing control deficiencies in a timely manner, FDIC data is vulnerable to security exploits from unmitigated threats. .Personnel Security and Suitability Program. In our OIG evaluation, The FDIC's Personnel Security and Suitability Program (PSSP)(January 2021), we found several deficiencies that were similar to those identified in previous reports -- including our OIG evaluation of the FDIC's PSSP conducted 6 years earlier in 2014.57 Specifically, a number of issues had not been corrected, including: o Completing preliminary background investigations within allowed timeframes; o Keeping records of background investigation documentation; o Ensuring that background investigation levels match an individual's position risk; and o Ensuring the reliability of background investigation data in FDIC systems. The FDIC should ensure that the Agency addresses programmatic weaknesses in a timely manner. Absent correction, these weaknesses continue to inhibit program performance and expose FDIC information, systems, and personnel to vulnerabilities. Ensuring Clarity and Consistency of FDIC Policies and Alignment with Other Regulators FDIC internal guidance to its personnel should be clearly defined and aligned, as appropriate, with other financial regulators. Without clear guidance, the FDIC cannot ensure that its personnel will consistently apply FDIC policies in a coherent, Agency-wide manner. Further, similarly-situated banks may be treated differently as FDIC guidance may be applied inconsistently or in conflict with guidance from other regulators. In our OIG evaluation, Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders (BSA/AML) (December 2021), we found that the FDIC and the Federal Reserve Board used different guidance to assess whether to terminate BSA/AML Consent Orders. As a result, for one of our sampled Consent Orders, the FDIC and the Federal Reserve Board assessed similar facts about the bank and its holding company, but came to different conclusions regarding the timing for terminating their respective BSA/AML Consent Orders. The Federal Reserve Board maintained its Consent Order longer than the FDIC, while the FDIC terminated its Order and included uncorrected provisions in an informal enforcement action. The FDIC should align its termination criteria with other financial regulators, so that FDIC-supervised banks are treated similarly to other regulated banks. We also found that FDIC guidance did not address how Regional Office personnel should apply key policy terms to determine whether to terminate a Consent Order. For 4 of 10 sampled Consent Order Terminations, FDIC guidance did not address how to apply the terms "substantial compliance" and "partially met." As a result, the FDIC could not be certain that these four Consent Orders were terminated using a consistent interpretation of these terms. The term, "partially met," provides extremely wide latitude to terminate a Consent Order when any portion of it is met. The FDIC should ensure consistent treatment of FDIC-supervised banks regardless of the bank's geographical location. Further, Consent Order termination decisions were not centrally monitored. Monitoring decisions across Regional Offices would serve as an important internal control to identify the potential for inconsistent application of Consent Order termination guidance across Regional Offices. We made 10 recommendations to enhance the FDIC's guidance regarding termination of its Consent Orders, and related processes, monitoring, and documentation. Enhancing FDIC Rulemaking FDIC rulemaking should be a transparent process that analyzes the need for safety and soundness regulation and the compliance burden placed on banks. A foundational component of rulemaking is the FDIC's access to reliable information to measure a regulation's costs and benefits. Quantifying both the costs and benefits of significant financial regulations can be challenging, and it often may be imprecise and unreliable.58 For example, performing such analysis can be difficult, because it involves theory, modeling, statistical analysis, and other tools to predict future outcomes based on certain assumptions.59 In our OIG review, Cost Benefit Analysis Process for Rulemaking (February 2020), we found that the FDIC had not established and documented a process to determine when and how to perform cost benefit analyses in its rulemaking process. In addition, the FDIC was not transparent in publishing (i) the reason(s) why a cost benefit analysis was or was not performed; (ii) the reason(s) for the depth of analysis performed; (iii) the analytical scope and methodology used; and (iv) the analysis performed. Without transparent cost benefit analyses, stakeholders such as financial institutions, the public, and Congress may not understand the FDIC's analyses and conclusions. Also, we found that the FDIC did not perform cost benefit analyses after issuance of a final rule. Without performing cost benefit analyses of existing rules or establishing a formal process to proactively review each final rule, the FDIC may not identify duplicative, outdated, or overly burdensome rules in a timely manner. In addition, the FDIC may not ensure that its rules are effective and achieve their intended objectives/outcomes. We made five recommendations in this report; however, none of them have been implemented since the report was issued in February 2020. The FDIC had originally designated an Expected Completion Date for four of these recommendations as June 30, 2021; however, the Agency has extended the time period for implementation of its corrective actions. FDIC staff indicated that the reason for the extension was to allow for the completion of the FDIC's review process for a draft directive and accompanying staff guidance on regulatory analysis. Effective governance by the FDIC Board and executives ensures that the FDIC is prepared to meet its mission. The FDIC should clarify the protocols for submitting motions to the Board for consideration. Further, the FDIC's ERM program should assist the FDIC Board and Agency officials by identifying and assessing external and internal threats and risks in order to adjust relevant policies and controls. When such policies and controls are found to be weak, the FDIC should continue to take steps to correct these deficiencies in a timely manner and ensure that corrective actions remain effective. The FDIC should be clear about whether and to what extent it adopts Executive Branch policies. In addition, the FDIC should have clear internal policies and procedures to ensure consistent implementation of FDIC programs by its personnel. FDIC policies should be aligned with other regulators, as appropriate, to ensure consistent treatment of banks. The FDIC should also ensure that the process for rulemaking is transparent and that rules are based on sound cost benefit analysis. IT Security at the FDIC [text box] Key Areas of Concern The primary areas of concern for this Challenge on IT Security are: .Improving the FDIC's overall information security; .Managing the security of mobile devices; and .Improving security controls over the FDIC's critical building services. The OIG has identified IT Security as a Top Challenge for the FDIC since 2018. [end of text box] On December 6, 2021, the Office of Management and Budget (OMB) stated that "[t]he United States Government continues to face increasingly sophisticated efforts to compromise Federal IT systems, challenging current defenses and creating an urgent need to evolve to a new security paradigm."60 In Fiscal Year 2020, OMB reported that Federal agencies had suffered 30,819 cybersecurity incidents, an 8 percent increase over the incidents in 2019.61 On November 4, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) issued a Directive stating that the United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the American people's security and privacy.62 The CISA Directive stated that the Federal Government must improve its efforts to protect against these campaigns as these vulnerabilities pose a significant risk to agencies and the Federal enterprise. FDIC IT systems support day-to-day operations of the Agency and are critical to the Agency's mission. As of August 2021, the FDIC had 76 IT systems containing significant amounts of information about FDIC employees, supervised banks, and depositors. For example, the FDIC's Failed Bank Data System holds nearly 2,500 terabytes of sensitive information from over 500 bank failures. A cyber incident at the FDIC could severely limit its capabilities to meet mission requirements, particularly during a crisis. In addition, cyber incidents could compromise sensitive business information and Personally Identifiable Information.63 Improving the FDIC's Information Security In our OIG audit, The FDIC's Information Security Program-2021 (October 2021), we found that while the FDIC had established and strengthened some security controls from the prior year, there remained several security control weaknesses that limited the effectiveness of the FDIC's information security program and practices. These deficiencies placed the confidentiality, integrity, and availability of the FDIC's information systems and data at risk. The highest risk security weaknesses noted in our report included: .High Number of Overdue and Unaddressed High- and Moderate-Risk Plans of Action and Milestones (POA&M). POA&Ms are used to track the progress of corrective actions pertaining to security vulnerabilities. We found that as of July 2021, 176 high- and moderate-risk POA&Ms remained unremediated. Without consistently and timely addressing control deficiencies, the FDIC will continue to face an increasing backlog of POA&Ms, leaving its data more vulnerable to security exploits from unmitigated threats and reducing its overall security posture. .Ad-Hoc Supply Chain Risk Management Processes at the FDIC. The FDIC has not defined processes and procedures that support the underlying components of its SCRM directive. Without these SCRM processes and procedures, the FDIC cannot be assured that it will accurately identify and monitor its supply chain risks. .Administrative Account Management Needs Improvement. During 2021, we identified 11 additional open POA&Ms related to privileged user access. Weaknesses in the FDIC's processes for managing Administrative Accounts increased the risk of unauthorized activity, such as individuals accessing, modifying, deleting, or exfiltrating sensitive information. .Inadequate Oversight and Monitoring of FDIC Information Systems. Federal agencies must ensure that entities operating information systems on behalf of the Federal Government meet the same security and privacy requirements as Federal agencies. Historically, several systems, components, and services that should have been assessed by the FDIC according to these requirements were instead subject to a now-rescinded assessment methodology. As a result, the FDIC did not subject these systems to a proper risk assessment, authorization to operate, or ongoing monitoring. We made six recommendations to improve the IT security systems at the FDIC, in addition to five recommendations that remain from prior Financial Information Security Act (FISMA) reports (including one recommendation from our OIG report issued on November 2, 2016). Managing the Security of Mobile Devices The FDIC has issued approximately 4,700 smartphones and tablets to its employees and contractor personnel. While these mobile devices may enhance communications, they also introduce the risk of cyber threats, such as "malware" that can allow an actor to exploit vulnerabilities on the devices; eavesdrop wireless communications over public networks; and collect and monitor data on mobile applications installed by users, such as the user's location, contacts, and browsing history. In our OIG report, Security and Management of Mobile Devices (August 2021), we found that the FDIC had not established or implemented effective controls and practices to secure and manage its mobile devices in three of nine areas assessed. FDIC policies, procedures, and guidance were outdated and did not reflect current business practices pertaining to mobile devices, and they did not address key elements promulgated by NIST. The FDIC policy on mobile devices was more than 18 years old-issued prior to the introduction of smartphones and tablets-and focused on obsolete technologies such as pagers. The FDIC policies did not address its Bring Your Own Device program, nor the risks associated with personal use of FDIC-furnished mobile devices, such as non-work related applications, and texting, messaging, and video. We also found that FDIC employees and contractor personnel had downloaded non-work related applications, including dating services, shopping, sports entertainment, and movie streaming services. We made nine recommendations to strengthen the FDIC's management of mobile devices. As of the date of this Top Challenges Report, the FDIC aims to implement these recommendations by May 2022. Improving Security Controls over Critical Building Services The FDIC uses building automation systems to monitor and control critical services at its facilities, such as the supply of electrical power, HVAC (heating, ventilation, and air conditioning), and water services. In our OIG audit, Security of Critical Building Services at FDIC-owned Facilities (March 2021), we found that the FDIC security controls over three information systems were not effective to monitor, manage, and help ensure the uninterrupted delivery of critical building services. We identified weak account management practices, the use of unsupported vendor software, and a lack of security oversight and monitoring. Such ineffective controls and practices increased the risk of unauthorized access to these three systems, which could have led to a disruption of the systems, corruption of the systems' data, or other malicious activity. We made 10 recommendations to improve the security controls over three critical building systems at the FDIC and 4 recommendations remain outstanding. In addition, we have ongoing work to review the adequacy and effectiveness of FDIC security controls over its wireless networks and its Windows Active Directory. The FDIC is dependent upon IT systems for day-to-day activities-especially during a banking crisis. The FDIC should ensure that its IT security can withstand increasing risks to Federal systems. Strong IT security is paramount to ensure that the FDIC can fulfill its mission and protect the sensitive information of bank customers and employees, and FDIC personnel. Security and Privacy at the FDIC Key Areas of Concern [Text Box] The primary areas of concern for this Challenge on Security and Privacy are: .Improving the effectiveness of the FDIC's Personnel Security and Suitability processes; .Implementing management of Physical Security based upon risk assessments; .Sustaining a work environment free from discrimination, harassment, and retaliation; and .Securing sensitive and Personally Identifiable Information. The OIG has identified Security and Privacy as a Top Challenge for the FDIC since 2019. [End of Text Box] The FDIC is responsible for the security and safety of approximately 5,800 employees and 1,600 contract personnel who work at 92 FDIC facilities throughout the country. The FDIC is also the custodian of 76 IT systems and a large volume of hard-copy records on premises and in archival storage. Improving the Effectiveness of the FDIC's Personnel Security and Suitability Processes An important step in mitigating risk to the FDIC is ensuring that employees and contractors undergo appropriate security and suitability screening. In March 2021, the GAO stated that "[a] high-quality personnel security clearance process minimizes the risks of unauthorized disclosures of classified information and helps ensure that information about individuals with criminal histories or other questionable behavior is identified and assessed."64 The FDIC should be assured that its employees and contractors are properly screened and investigated before being granted access to systems and entrusted with sensitive, confidential, or, in some cases, classified information. In our OIG evaluation, The FDIC's Personnel Security and Suitability Program (PSSP) (January 2021), we concluded that the FDIC's PSSP program was not fully effective in ensuring the timely completion of preliminary suitability screenings, background investigations commensurate with position risk designations, and re-investigations. We found that four contractor employees with unfavorable background investigation adjudications continued to work at the FDIC for periods ranging from nearly 8 months to 5 years (until we notified the FDIC about these cases). Further, the FDIC did not remove seven contractor personnel with unfavorable adjudications in a timely manner, did not follow its Insider Threat protocols, and conducted limited risk assessments for contractors with unfavorable adjudications. The FDIC also did not initiate numerous required periodic reinvestigations in a timely manner. In addition, data on contractor position risks were unreliable, employee background investigations were often not commensurate with position risk, FDIC personnel security files were frequently missing some preliminary background investigation data, and the FDIC was not meeting its goals for completing preliminary background investigations within a specified timeframe. The FDIC took urgent action to address our recommendations in this report. The FDIC should sustain controls over its personnel security programs as it hires employees and contractors. Implementing Physical Security Based on Risks The FDIC should ensure that its facilities have appropriate physical security controls in place to safeguard personnel. According to the Congressional Research Service, Federal facilities and employees, contractors, and visitors to such facilities "face a variety of threats, including illegal weapon and explosive possession, robbery, riots, civil disturbances, homicide, and arson."65 The FDIC maintains 92 leased or owned facilities across the country and is in the process of assessing facility needs as it transitions to a hybrid workplace. In our OIG evaluation, The FDIC's Physical Security Risk Management Process (April 2019), we concluded that the FDIC had not established an effective physical security risk management process to ensure that it met required standards and guidelines. We found that the FDIC frequently did not document its decisions regarding facility security risks and countermeasures, and such decisions were not guided by defined policies or procedures. Without documentation of these decisions, FDIC executives and oversight bodies were not able to fully consider and review the rationale for these determinations. We also found that the FDIC did not conduct key activities in a timely or thorough manner for determining facility risk level, assessing security protections in the form of countermeasures, mitigating and accepting risk, and measuring program effectiveness. For example, for one of its medium-risk facilities, the FDIC began, but did not complete, an assessment more than 2 1/2 years after the FDIC occupied the leased space. Collectively, these weaknesses limited the FDIC's assurance that it met Federal standards for physical security over its facilities. We made nine recommendations to address the weaknesses in the FDIC's physical security risk management process, and the FDIC has implemented them. The FDIC should continue to monitor its physical security program controls as threats change and as the FDIC reviews and modifies its space needs for buildings and facilities. Sustaining a Work Environment Free from Discrimination, Harassment, and Retaliation The FDIC Chair has stated that, "[t]he FDIC does not tolerate discrimination, harassment (including sexual harassment), or retaliation, and every allegation of these unlawful behaviors is taken seriously. FDIC managers and supervisors must address harassment allegations immediately and appropriately."66 Sexual harassment negatively impacts workplace culture. It can undermine employee morale and can cause employee engagement and productivity to decline. According to a survey conducted by Deloitte (March 2019), 52 percent of women experienced some form of harassment within the last 5 years. Further, a report from Project Include (March 2021) found that 26 percent of respondents experienced an increase in gender-based harassment during the pandemic. On December 21, 2021, the Ranking Member of the Senate Committee on Banking, Housing and Urban Affairs noted that "federal employees at multiple agencies covered by the jurisdiction [of the Senate Banking Committee] have alleged experiencing harassment, discrimination, or other forms of abuse by agency officials in recent months."67 In our OIG evaluation, Preventing and Addressing Sexual Harassment (July 2020), we found that the FDIC had not developed a sexual harassment prevention program that fully aligned with the five core principles promoted by the Equal Employment Opportunity Commission. As part of our work, in April 2019, we conducted a survey of FDIC employees that indicated approximately 8 percent of FDIC respondents (191 of 2,376) had experienced sexual harassment at the FDIC during the period January 2015 to April 2019. This figure was similar to the results of a survey previously conducted by the Merit Systems Protection Board (MSPB) based on an earlier timeframe; the Government-wide average in this MSPB survey was 14 percent. Although 191 FDIC respondents reportedly experienced sexual harassment, the FDIC received only 12 reported sexual harassment allegations during the relevant timeframe. Our survey further indicated that 38 percent of FDIC respondents who stated they had experienced sexual harassment said that they did not report the incident(s) for "fear of retaliation," and nearly 40 percent of FDIC respondents did not know, or were unsure, how to report allegations of sexual harassment. We recommended that the FDIC enhance its policies, procedures, and training to facilitate the reporting of sexual harassment allegations and address reported allegations in a prompt and effective manner. The FDIC has addressed the recommendations in this report. The FDIC should continue to ensure that it maintains an effective program to combat sexual harassment. Securing Sensitive and Personally Identifiable Information The FDIC should have effective processes to manage, monitor, and safeguard its information and ensure the safety and privacy of the records it keeps. FDIC information includes, for example, sensitive information about banks and Personally Identifiable Information (PII) and Social Security Numbers of employees, contractors, bank management, and bank deposit holders. Recently, the GAO reviewed the handling of PII by five Federal financial regulators, including the FDIC.68 With regard to the FDIC, the GAO found that the FDIC "did not establish agency-wide metrics to monitor privacy controls." Without such controls, PII held by the FDIC may be at increased risk of compromise. In our OIG audit, The FDIC's Privacy Program (December 2019), we found that the FDIC had not established an effective privacy program to manage and monitor PII. The FDIC's controls and practices for its Privacy Program did not comply with four relevant privacy laws and/or OMB policy and guidance. Specifically, the FDIC did not: .Fully integrate privacy considerations into its risk management framework designed to categorize information systems, establish system privacy plans, and select and continuously monitor system privacy controls; .Adequately define the responsibilities of the Deputy Chief Privacy Officer or implement Records and Information Management Unit responsibilities for supporting the Privacy Program; .Effectively manage or secure PII stored in network shared drives and in hard copy, or dispose of PII within established timeframes; and .Ensure that Privacy Impact Assessments were always completed, monitored, and retired in a timely manner. These deficiencies increased the risk of PII loss, theft, and unauthorized access or disclosure, which could lead to identity theft or other forms of consumer fraud against individuals. We made 14 recommendations designed to enhance the effectiveness of the FDIC's Privacy Program and practices. As of the date of this Top Challenges Report, actions to remediate three recommendations remain unimplemented since the issuance of our report in December 2019, including those related to: .Developing and approving privacy plans for all information systems; .Updating policies and procedures for the current organizational structure of the Privacy Program; and .Developing and implementing controls to ensure that PII is stored in networks and hard copy in accordance with laws, regulations, policies, and guidelines. Further, in our OIG audit, The FDIC's Information Security Program - 2019 (October 2019), we found that the FDIC had not adequately controlled access to sensitive information and PII stored in hard copy. For example, we identified instances in which sensitive information stored on internal network shared drives was not restricted to authorized users. We also conducted walk-throughs of selected FDIC facilities and found significant quantities of sensitive hard-copy information stored in unlocked filing cabinets and boxes in building hallways. We recommended that employees and contractor personnel properly safeguard sensitive electronic and hardcopy information. The security and safety of FDIC personnel, facilities, and information is critical to its mission and operations. The FDIC can continue to enhance protection in these areas through improvements to its programs to assess personnel suitability, safeguard facilities, mitigate workplace sexual harassment, and ensure the security and privacy of information held in custody by the FDIC. The FDIC's Collection, Analysis, and Use of Data Key Areas of Concern [text box] The primary areas of concern for this Challenge on Collection, Analysis, and Use of Data are: .Establishing processes to share threat information; .Ensuring reliable data for FDIC decision-making; and .Managing the financial and economic impact of the pandemic. The OIG has identified Sharing of Threat Information as a Top Challenge for the FDIC since 2018. [end of text box] The U.S. Government collects and gathers significant volumes of data and information on threats facing the financial and banking sectors. This threat data and information from across the Federal Government may assist the FDIC in its mission to examine and inform banks, implement supervisory strategies, make policy determinations, allocate resources, and ensure U.S. financial stability. The FSOC 2021 Annual Report recognized the critical importance of sharing threat information with the Financial Services Sector and among Federal Government agencies. The OCC also encouraged monitoring of information provided by law enforcement and international organizations regarding "how criminals adapt scams and money-laundering techniques to exploit new vulnerabilities created by the pandemic."69 In addition, data can help Federal agencies, such as the FDIC, understand and improve program performance.70 Through data-driven decision-making, regulators can use data to inform their decision-making processes and validate a course of action.71 Data can also be used as an input for modeling and to identify trends. Such modeling can allow Government agencies to prevent problems rather than react to them.72 For the FDIC, such models may allow the FDIC to forecast financial risks to the banking sector and adjust supervisory strategies, staffing, and budgeting accordingly. Establishing Processes to Share Threat Information As shown in Figure 2, the GAO recognized that numerous Federal Government agencies hold information relevant to banks and the banking sector. In Executive Order 14028, Improving the Nation's Cybersecurity (May 12, 2021), the Administration encouraged reducing barriers to sharing threat information, specifically among Federal agencies and service providers. [Figure 2] Figure 2: Sources of Threat Information for Financial Institutions Figure 2 illustrates the sources of threat information for financial institutions including information related to information source, information flow, and abbreviations used in the chart. Sources of threat information include: Blogs, which have one-way information flow, and are an open information source; Media reports, which have one-way information flow and are an open source; Security researchers, which have one-way information flow and are an open source; RSS Aggregators, which have one-way information flow and are an open source; Bulletin Boards/forums, which have one-way information flow and are an open source; Technology Service Providers, which have one-way information flow and are a private information source; Trade Associations, which have one-way information flow and are a private information source; SANS Institute, which has one-way information flow and is a private information source; National Cyber-Forensics and Training Alliance, which has one-way information flow and is a private information source; Payment Processors Information Sharing Council, which has one-way information flow and is a public/private information source; Financial Services Sector Coordinating Council, which has one-way information flow and is a public/private information source; Federal Bureau of Investigation, which has two-way information flow and is a Government information source. National Security Agency, which has one-way information flow and is a Government information source; Central Intelligence Agency, which has one-way information flow and is a Government information source; U.S. Secret Service (Department of Homeland Security), which has two-way information flow and is a Government information source; U.S. Computer Emergency Readiness Team (Department of Homeland Security), which has one-way information flow and is a Government information source; National Cybersecurity and Communications Integration Center (Department of Homeland Security), which has one-way information flow and is a Government information source; Department of the Treasury, which has one-way information flow and is a Government Information source; Financial Services Information Sharing and Analysis Center (FS-IAC), which has two-way information flow and is a public/private information source; Office of the Comptroller of the Currency, which is a member of the Federal Financial Institutions Examinations Council (FFIEC), has two-way information flow and is a Government Information Source; Federal Deposit Insurance Corporation, which is a member of the Federal Financial Institutions Examinations Council (FFIEC), has two-way information flow and is a Government Information Source; Federal Reserve, which is a member of the Federal Financial Institutions Examinations Council (FFIEC), has two-way information flow and is a Government Information Source; and the National Credit Union Administration, which is a member of the Federal Financial Institutions Examinations Council (FFIEC), has two-way information flow and is a Government Information Source. [end of figure 2] The FDIC, along with its Government partners, collects and queries threat information contained within U.S. Government databases and repositories. The FDIC should acquire, analyze, and disseminate threat information to inform senior FDIC officials and decision-makers, FDIC examiners and Regional personnel, its supervisory program officials, and banks.73 In our OIG audit, Sharing of Threat Information to Guide the Supervision of Financial Institutions (January 2022), we found that the FDIC did not establish effective processes to govern its sharing of threat information. Specifically, the FDIC did not establish appropriate governance through a written governance structure and complete, approve, and implement a governance Charter to establish a common understanding of the role for its Threat Information Sharing program or define an overall strategy and requirements for it. Further, the FDIC did not develop goals, objectives, or measures to guide the performance of its Intelligence Support Program. The FDIC also did not establish adequate policies and procedures to define roles and responsibilities for key stakeholders involved in the threat information-sharing program and activities or fully consider program risks in its ERM process. We also identified gaps in each of the four component functions of Threat Information Sharing: .Acquisition. The FDIC did not develop written procedures for determining its threat information requirements. As a result, the FDIC has limited assurance that it will acquire all relevant threat information to support its business operations and programs. .Analysis. The FDIC did not establish procedures to guide its analysis of threat information. Absent such procedures, the FDIC relied solely on the discretionary judgment of certain individuals to determine the extent to which threat information should be analyzed to support FDIC business needs and the supervision of financial institutions. .Dissemination. The FDIC did not develop procedures for disseminating threat information. Absent such procedures, decisions regarding what to disseminate, to whom, and when, are left solely to the discretion of individuals, which could lead to inconsistent or untimely communications. The FDIC had not established an infrastructure that would allow for secure handling of sensitive information, including transmission, storage, and disposition of such information. .Feedback. The FDIC did not establish a procedure to obtain feedback from recipients of threat information to assess its utility and effectiveness. Such structured feedback could provide valuable information regarding the extent to which such threat information is timely and actionable, and FDIC personnel use threat information. We also found numerous gaps in the FDIC's management of threat information sharing, including: Not having backup personnel for its Senior Intelligence Officer (SIO) or plans for an absence or departure; Not establishing minimum training requirements for the SIO position; Not obtaining required security clearance for certain senior FDIC officials; and Not properly categorizing unclassified threat information. We made 25 recommendations to the FDIC to improve its processes for sharing threat information. We have additional work planned to assess the FDIC's sharing of threat information with its supervised banks and the banking sector. Ensuring Reliable Data for FDIC Decision-Making Data is a key input into the FDIC's decision-making processes. The FDIC Board and senior FDIC officials utilize various data sets to assess program performance, whether FDIC programs are meeting established goals, or whether goals or data collection should be modified. Incorrect, incomplete, and otherwise faulty data can lead to ineffective decision-making especially when data is the basis for policy determinations. Therefore, it is critical that the FDIC support and maintain the integrity of its data systems. We found deficiencies in data reliability, collection, and analysis in a number of recent OIG reviews, for example: .Errors in Examination Completion and Mailing Dates. In our OIG evaluation, Reliability of Data in the FDIC Virtual Supervisory Information on the Net System (ViSION System) (November 2021), we found that the FDIC's risk assessment used for the ViSION system data had not been reassessed or updated in over a decade, since 2009. Also, we found that of the four key data elements we tested in the FDIC's ViSION system, two were reliable and two were not reliable.74 The unreliable data included recorded dates for the completion of bank examinations and mailing of bank examination reports. Errors in either date increase the risk of inaccurate reporting of examination performance metrics to FDIC management and the public. We made six recommendations to the FDIC to improve ViSION data reliability. .Exclusion of Data for Government Reporting. In our OIG audit, FDIC's Compliance under the Digital Accountability and Transparency Act of 2014 (November 2021), we found that the FDIC's submission of financial and award data excluded information for the Federal Savings and Loan Insurance Corporation Resolution Fund (FRF) and the Resolution Trust Corporation (RTC). As a result, obligation and outlay amounts for the FRF and RTC were not available for display on the Government website, USASpending.gov. We made three recommendations to clarify FDIC data reporting. .Unreliable Background Investigation Data. We found FDIC data on employee and contractor background investigations was often not reliable. In our OIG evaluation, The FDIC's Personnel Security and Suitability Program (January 2021), we found that contractor position risk levels recorded in FDIC systems were unreliable. As a result, the FDIC could not determine whether these contractors received background investigations commensurate with their positions. We also found that FDIC systems were missing data for employee and contractor preliminary background investigation completion dates. .Incorrect BSA Reporting to the Board and other Agencies. In our OIG evaluation, Termination of Bank Secrecy Act/Anti-Money Laundering Consent Orders (December 2021), we found that the FDIC did not consistently track Consent Order termination data in its system of record. As a result, the FDIC provided nine incorrect reports to the FDIC Board of Directors concerning enforcement actions; and did not report three BSA/AML Consent Order terminations in a quarterly report to the Financial Crimes Enforcement Network (FinCEN) in the Department of the Treasury. .Analysis of Collected Data: In our OIG memorandum, The FDIC's Management of Employee Talent (September 2021), we found that the FDIC did not have a process for collecting and analyzing the various types of data that can be used to assess employee retention across the Agency as part of its talent management strategy. Specifically, the FDIC did not have a systematic process to holistically capture and analyze data, and to ensure that the information flowed to the Divisions and Offices. Such a process would help the FDIC develop a coherent strategy for managing retention activities throughout the Agency, provide an Agency-wide view of the progression and movements of the FDIC workforce, and provide helpful insights on employees' decisions to stay or separate. Timely and reliable information assists the FDIC in mitigating risks and supports data-driven and transparent decision-making. In addition, threat information from across the Federal Government may assist in examining and informing banks, implementing supervisory approaches, making policy determinations, allocating resources, and ensuring the stability of the financial system. In addition, reliable and accurate program data allows the FDIC Board and senior management to measure and assess the effectiveness of FDIC programs and to support decision-making. Contracting and Supply Chain Management at the FDIC Key Areas of Concern [text box] The primary areas of concern for this Challenge on Contracting and Supply Chain Management are: .Improving the FDIC's contract management process; .Managing risks associated with the FDIC's supply chain; and .Ensuring whistleblower rights and protection notices for contractor personnel. The OIG has identified Contracting as a Top Challenge for the FDIC since 2018. [End of text box] According to the FDIC's November 2021 Awards Summary Report, the FDIC issued 483 contract actions for total award amounts of over $2 billion. As shown in Figure 3, FDIC contract award amounts doubled in 2021 when compared to 2020 ($1.025 billion) and 2019 ($994 million). [Figure 3] Figure 3: FDIC Contracts Total Award Amounts Bar graph depicting the FDIC Contracts Total Award Amounts in 2019, 2020, and 2021. FDIC contract award amounts doubled in 2021 when compared to 2020 ($1.025 billion) and 2019 ($994 million). Source: FDIC Awards Summary Report (November 2021) [end of Figure 3] The FDIC should have strong oversight of its contracts. Contract oversight includes activities such as monitoring and validating invoices prior to payment, approving contract deliverables for goods and services, monitoring contractor activities against contractual timelines, and ensuring contractors comply with required security and confidentiality requirements. Improving the FDIC's Contract Management Process In the most recent audit of the FDIC's financial statements in 2021, the GAO identified 10 deficiencies "related to contract-payment review processes that collectively represent a significant deficiency in FDIC's internal control over financial reporting." In addition, the GAO noted five deficiencies in the 2020 financial statement report. The GAO concluded that the "FDIC cannot reasonably assure internal controls over contract payments are operating effectively, which increases the risks of improper payments and financial statement misstatements."75 We have also conducted a number of reviews that found weaknesses in FDIC contract oversight management. In our OIG evaluation, Contract Oversight Management (October 2019), we concluded that the FDIC needed to strengthen its contract oversight management, particularly in terms of its information system and contract documentation. We determined that the FDIC's contracting management information system had limited data and reporting capabilities for Agency-wide oversight of its contract portfolio. We found that the FDIC was overseeing acquisitions on a contract-by-contract basis rather than on a portfolio basis and did not have an effective contracting management information system to readily gather, analyze, and report portfolio-wide contract information across the Agency. As a result, FDIC Board Members and other senior management officials were not provided with a portfolio-wide view or the ability to analyze historical contracting trends across the portfolio, identify anomalies, and perform ad hoc analyses to identify risk or plan for future acquisitions. Therefore, we recommended that the FDIC provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors. This recommendation remains unimplemented since the issuance of our report in October 2019. The FDIC had originally designated an Expected Completion Date for this recommendation as December 31, 2020. Further, in our OIG evaluation, Critical Functions in FDIC Contracts (March 2021), we reviewed two existing FDIC contracts with Blue Canopy Group, LLC, which performed services in support of the FDIC's information security and privacy program. FDIC contracts with Blue Canopy amounted to approximately 38.3 percent ($16.2 million) of the FDIC's annual operating expenses for Information Security ($42.3 million) in 2019. We had previously found that "the FDIC hired [Blue Canopy] to assess certain security controls . . . for which the FDIC had also assigned the firm duties related to design and/or execution . . . . [T]his arrangement limited the firm's independence and impaired the firm's ability to conduct impartial security control assessments."76 [Emphasis added.] We found that the FDIC did not have policies and procedures to identify Critical Functions at the Agency, nor did it implement any heightened contract monitoring activities for Critical Functions. Therefore, the FDIC did not identify services provided by Blue Canopy as Critical Functions. As a result, the FDIC cannot be assured that it will provide sufficient management oversight of contractors performing Critical Functions or supervision to ensure that the Agency does not lose control of its mission or operations. We made 13 recommendations to strengthen the FDIC's identification and monitoring of contracts involving Critical Functions. As of the date of this Top Challenges Report, 12 recommendations remain unimplemented. Further, 5 of these 12 recommendations are unresolved, meaning FDIC management did not propose acceptable corrective actions for these recommendations. Establishing an Effective Supply Chain Risk Management Program According to NIST, there are inherent risks associated with an agency's supply chain for contracted goods and services.77 According to the GAO, supply chain risks include, for example: .Installation of hardware or software containing malicious logic causing significant damage by allowing attackers to take control of entire systems and read, modify, or delete sensitive information; disrupt operations; launch attacks against other organizations' systems; or destroy systems. .Installation of counterfeit hardware or software threatening the integrity, trustworthiness, and reliability of information systems because they fail more often and more quickly, and provide an opportunity to insert a back door to give an intruder remote access. .Failure or disruption in the production or distribution of critical products, including manmade and natural disruptions of the supply of IT products critical to Federal agencies. .Reliance on a malicious or unqualified service provider that can use its access to systems and data to gain access to information, commit fraud, disrupt operations, or launch attacks against other computers or networks. .Installation of hardware or software that contains unintentional vulnerabilities such that defects in code or misconfigurations can be exploited to gain access to information systems and data and disrupt service.misconfigurations can be exploited to gain access to information systems and data and disrupt service.misconfigurations can be exploited to gain access to information systems and data and disrupt service.78 Organizations may have reduced visibility, understanding, and control of these risks when their vendors rely on second- and third-tier suppliers and service providers. The European Union Agency for Cybersecurity reported that hackers often focus on an entity's vendor systems for supply chain attacks and predicted that supply chain cyberattacks would quadruple in 2021.79 In our report, The FDIC's Information Security Program-2021 (October 2021), the FDIC's SCRM operated at a Level 1 (Ad Hoc). We found that the FDIC's SCRM Program is still in its initial phase, and procedures that support the underlying components have not yet been defined in accordance with FISMA requirements. Specifically, the FDIC did not have procedures that defined: .How to implement its SCRM policy or strategy and associated baseline SCRM controls; .Obtaining assurance over external service providers' compliance with the FDIC's cybersecurity requirements, including: o How to identify and prioritize externally provided systems, components, and services; o The organizational requirements for cybersecurity and SCRM for externally provided systems, system components, and services; o The tools or methods used to validate that SCRM requirements are being met; o The risk-based processes for evaluating SCRM risks associated with suppliers; o How awareness is maintained over risks stemming from upstream suppliers through monitoring activities; and o The integration of its acquisition process and the use of contractual stipulations detailing appropriate SCRM measures for external providers. .Management of counterfeit components, including: o How to detect and prevent counterfeit components; o How to maintain configuration control over components being repaired or serviced; and o The process for reporting counterfeit components. Because the FDIC is a financial regulator and holds sensitive and nonpublic information, it is a potential target of adversaries seeking to interfere with its regulatory activities or obtain information for their own advantage. Ad hoc SCRM processes limit the FDIC's ability to identify vulnerabilities throughout its supply chain consistently, and to manage and monitor associated risks effectively. Ensuring Whistleblower Rights and Protection Notices for Contractor Personnel FDIC contracts should contain a provision notifying contractors that they must provide their employees with information regarding the rights and protections for whistleblowers.80 In our OIG evaluation, Whistleblower Rights and Protections for FDIC Contractors (January 2022), we found that the FDIC had not aligned its procedures and processes with laws, regulations, and policies designed to ensure notice to contractor and subcontractor employees about their whistleblower rights and protections. The FDIC also did not always comply with the whistleblower rights notification requirements it established. Specifically, the FDIC did not incorporate the Whistleblower Rights Notification Clause into three of the nine contracts that we tested. Further, the FDIC's Legal Division did not adopt any whistleblower rights notification provisions for contractors or include any whistleblower clauses in its contracts. The FDIC also did not verify that contractors and subcontractors notified employees of their whistleblower rights and protections. Without clear guidance and direction on where and to whom to report a violation of any law, rule, or regulation; gross mismanagement; gross waste of funds; abuse of authority; or a substantial and specific danger to public health and safety, FDIC contractors may not take the initiative to report such allegations. The FDIC should make it clear in its contracts that contractors must notify their employees that such whistleblower allegations may be reported to the FDIC OIG Hotline. We made nine recommendations to improve the FDIC's compliance with legal requirements, including required contract clauses regarding contractor obligations to notify employees of whistleblower disclosure rights and protections. Contracting is an important function at the FDIC. The FDIC should prioritize improving its oversight to ensure proper contract monitoring, especially for Critical Functions. The FDIC should also mitigate supply chain risk by establishing a robust SCRM strategy that allows the Agency to assess, evaluate, monitor, and mitigate supply chain risk. The FDIC must also ensure that it has processes in place to advise contractors and subcontractors of their whistleblower rights and protections. Human Resources at the FDIC Key Areas of Concern [text box] The primary areas of concern for this Challenge on Human Resources are: .Optimizing talent management throughout the Agency; .Managing a wave of potential employee retirements at the FDIC; and .Ensuring diversity and inclusion within the FDIC workforce. The OIG has identified Human Resources as a Top Challenge at the FDIC since 2019, particularly with respect to potential retirements among FDIC personnel. [End of text box] In March 2021, the GAO continued to recognize strategic human capital management as a Government-wide area of high risk.81 The GAO identified the need for Federal agencies to measure and address existing mission-critical skill gaps. A lack of strategic workforce planning may have lasting effects on the capacity of an agency's workforce and its ability to fulfill its mission. Workforce planning is especially important as the FDIC shifts towards a hybrid work model that includes the potential for a significant increase in employees working remotely. On January 4, 2022, the FDIC reached agreement with the National Treasury Employees Union on new policies to support a hybrid work environment and expanded telework opportunities. New and enhanced skillsets may be required for this transition. According to the Society of Human Resource Management, employee traits such as adaptability, resiliency, self-motivation, communication and collaboration have become critical for successful remote work.82 Optimizing Talent Management Throughout the FDIC As part of an agency's talent management, the Office of Personnel Management (OPM) recommends retention strategies as a way to create an environment where employees understand and are committed to the mission of the organization and empowered to make a difference.83 The term, "talent management," encompasses attracting and retaining talent for improving organizational performance, while also considering attrition.84 Talent management also seeks to address competency gaps, by implementing and maintaining programs to attract, develop, promote, and retain talent, particularly for mission-critical positions and occupations. In our OIG memorandum, The FDIC's Management of Employee Talent (September 2021), we identified concerns with the FDIC's management of its employee retention. Specifically, we found that the FDIC: .Did not have clear goals to manage employee retention. The FDIC had strategic plans in place in March 2021 related to its management of employee retention. However, two of the three FDIC talent retention goals were not objective, quantifiable, and measurable. As a result, the FDIC could not assess its progress towards these goals. .Did not have a systematic process for collecting and analyzing employee retention data. The FDIC did not have a systematic process to holistically capture and analyze data, and to ensure that the information flowed to the Divisions and Offices. Such a process would help the FDIC develop a coherent strategy for managing retention activities throughout the Agency, provide an Agency-wide view of the progression and movements of the FDIC workforce, and provide helpful insights on employees' decisions to stay or separate. .Did not establish metrics or indicators to measure the effectiveness of its retention activities or actions. Instead, the FDIC tracked its "inputs" - that is, the implementation status of the activities or actions designed to meet its employee retention goals. Thus, the FDIC could not determine whether or not its retention activities were working effectively. We made three recommendations to improve the FDIC's management of talent at the Agency. Managing a Wave of Potential Retirements at the FDIC The FDIC faces a wave of potential retirements among its workforce in the coming years. As shown in the Table more than 25 percent (1,536 individuals) of the FDIC workforce is currently eligible to retire. This figure climbs to nearly 40 percent (2,356 individuals) within 5 years by 2026. The FDIC's retirement-eligibility rates are higher than the 15-percent eligibility rate last reported for the entire Federal Government.85 The FDIC faces significant risks regarding retirement eligibility in key Divisions involved in crises readiness efforts. As noted in the Table, more than a third of the employees in four key FDIC Divisions are currently eligible to retire - that is, the Division of Resolutions and Receiverships, Division of Finance, Division of Administration, and Legal Division. Absent seasoned professionals from these Divisions with knowledge of lessons learned from past crises, the FDIC may not be sufficiently agile in executing resolution and receivership activities in future crises. Also, all FDIC Divisions have more than 18 percent of their workforce who are currently eligible to retire. [Table] Table: FDIC Employee Retirement Eligibility This table depicts FDIC Employee Retirement Eligibility in 2022, 2023, 2024,2025, and 2026 in the FDIC divisions of DOF, DRR, LEGAL, DOA, RMS, DIT, CISR, DIR, DCP, and retirement eligibility overall for FDIC. DOF will have 45.2% of its workforce eligible to retire in 2022; 47.4% eligible to retire in 2023, 52.6% eligible to retire in 2024, 55.6% eligible to retire in 2025, and 55.6 eligible to retire in 2026. DRR will have 42.7% of its workforce eligible to retire in 2022; 48.6% eligible to retire in 2023, 53.3% eligible to retire in 2024; 57% eligible to retire in 2025, and 59.6% eligible to retire in 2026. LEGAL will have 41.7% of its workforce eligible to retire in 2022, 43.8% eligible to retire in 2023, 46.7% eligible to retire in 2024, 48.9% eligible to retire in 2025, and 51.6% eligible to retire in 2026. DOA will have 34.1% of its workforce eligible to retire in 2022, 39.1% eligible to retire in 2023, 42.5% eligible to retire in 2024, 45.93% eligible to retire in 2025, and 49% of its workforce eligible to retire in 2026. RMS will have 21.6% of its workforce eligible to retire in 2022, 25.1% eligible to retire in 2023, 29% eligible to retire in 2024, 32.5% eligible to retire in 2025, and 35% eligible to retire in 2026. DIT will have 21.5% of its workforce eligible to retire in 2022, 25.5% eligible to retire in 2023, 28.5% eligible to retire in 2024, 31.2% eligible to retire in 2025, and 34.9% eligible to retire in 2026. CISR will have 18.8% of its workforce eligible to retire in 2022, 24.7% eligible to retire in 2023, 28% eligible to retire in 2024, 32.8% eligible to retire in 2025, and 36% eligible to retire in 2026. DIR will have 18.6% of its workforce eligible to retire in 2022, 20.5% eligible to retire in 2023, 24.7% eligible to retire in 2024, 27.4% eligible to retire in 2025, and 28.8% eligible to retire in 2026. DCP will have 18.3% of its workforce eligible to retire in 2022, 21.1% eligible in 2023, 24.4% eligible in 2024, 27.7% eligible in 2025, and 31.1% eligible in 2026. FDIC Overall will have 25.3% of its workforce eligible to retire in 2022, 29% eligible in 2023, 32.6% eligible in 2024, 35.9% eligible in 2025, and 38.8% eligible in 2026. Source: OIG analysis of FDIC-provided retirement eligibility as of July 2021. [End of Table] In addition, more than 36 percent of the Executives and Managers at the FDIC are eligible to retire currently. These rates climb for FDIC Executives and Managers to nearly 60 percent by 2026. Such retirements may result in gaps in leadership positions. Leadership gaps can cause delayed decision-making, reduced program oversight, and failure to achieve Agency goals. Ensuring Diversity and Inclusion Within the FDIC Workforce On June 25, 2021, the President issued Executive Order 14305 on "Diversity, Equity, Inclusion, and Accessibility in the Federal Workforce." This Executive Order charged Federal agencies with assessing the current state of diversity, equity, inclusion, and accessibility within their workforces and developing strategic plans to eliminate barriers faced by underserved employees.86 The FDIC Chair has stated that "[p]romoting diversity at all levels of the FDIC's workforce continues to be a key challenge for the agency, especially the ability to attract, retain, and advance minorities and women in our bank examiner workforce."87 In June 2021, the FDIC reported that 68.5 percent of all FDIC employees were White, 16.9 percent were Black/African American, 4.5 percent were Hispanic, 7.5 percent were Asian/Pacific Islander, 0.6 percent were American Indian/Alaska Native, and 2 percent were two or more races.88 By comparison, at the end of 2020, 61.5 percent of the Federal workforce was White, 18.4 percent were Black, 9.4 percent were Hispanic, 6.9 percent were Asian/Pacific Islanders, 1.6 percent were Native American/Alaskan Native, and 1.9 percent were more than one race.89 The FDIC's 2021-23 Diversity, Equity, and Inclusion Strategic Plan includes prioritized actions to continue to promote FDIC workforce diversity. The FDIC is driven by its human resources. The FDIC must continue to focus on managing its human capital lifecycle-hiring, talent management, and retirements-under its new hybrid operating structure, including promoting diversity and inclusion throughout the FDIC workforce. Without diverse, dedicated, and trained staff, it risks falling short of achieving its goals. Footnotes: Footnote: 1 - IMF, United States Financial System Stability Assessment (August 2020); U.S. Government Accountability Office, Financial Stability: Agencies Have Not Found Leveraged Lending to Significantly Threaten Stability but Remain Cautious Amid Pandemic (GAO-21-167) (December 2020). Footnote: 2 - The Dodd-Frank Wall Street Reform and Consumer Protection Act created CIGFO to provide oversight of the Financial Stability Oversight Council. CIGFO is chaired by the Inspector General of the Department of the Treasury and includes nine additional Inspectors General, including the Inspector General of the FDIC. Footnote: 3 - Federal Reserve Bank of New York Staff Report, Climate Stress Testing (September 2021); Financial Stability Oversight Council, Report on Climate-Related Financial Risk (October 21, 2021). Footnote: 4 - CNBC, These are the world's largest banks that are increasing and decreasing their fossil fuel financing (April 22, 2021). Footnote: 5 - Federal Reserve Bank of New York Staff Report, Climate Stress Testing (September 2021); Financial Stability Oversight Council, Report on Climate-Related Financial Risk (October 21, 2021); FSOC, 2021 Annual Report. Footnote: 6 - OCC Bulletin 2021-62, Principles for Climate-Related Financial Risk Management for Large Banks (December 16, 2021). Footnote: 7 - Federal Reserve Bank of New York Staff Report, Climate Stress Testing (September 2021); Financial Stability Oversight Council, Report on Climate-Related Financial Risk (October 21, 2021). Footnote: 8 - Statement by FDIC Chairman at the Financial Stability Oversight Council Meeting (October 21, 2021). Footnote: 9 - Federal Reserve Press Release, Federal Reserve Board announces it has formally joined the Network of Central Banks and Supervisors for Greening the Financial System, or NGFS, as a member (December 15, 2020); American Banker, Will FDIC, OCC follow Fed into global climate group? (May 18, 2021). Footnote: 10 - Environmental Protection Agency Press Release, EPA Report Shows Disproportionate Impacts of Climate Change on Socially Vulnerable Populations in the United States (September 2, 2021). Footnote: 11 - SBA, Paycheck Protection Program Report, Approvals through May 31, 2021. Footnote: 12 - McCombs School of Business, University of Texas at Austin, Did FinTech Lenders Facilitate PPP Fraud? (December 6, 2021). Footnote: 13 - Department of Justice, Justice Department Takes Action Against COVID-19 Fraud (March 25, 2021). Footnote:14 - FDIC Regional Directors Memorandum 2020-022, Examination Considerations Related to the Paycheck Protection Program (June 22, 2020). Footnote:15 - CBS News, Jerome Powell Full 60 Minutes Interview transcript (April 2021). Footnote: 16 - OCC, Semiannual Risk Perspective (Fall 2021); Board of Governors of the Federal Reserve System, Financial Stability Report (November 2021). Footnote: 17 - Board of Governors of the Federal Reserve System, Financial Stability Report (November 2021). Footnote: 18 - American Banker, Log4j Security Vulnerability Is a Double Threat to Banks (December 23, 2021). Footnote: 19 - Boston Consulting Group, Global Wealth 2019: Reigniting Radical Growth (June 2019). Footnote:20 - Constella Intelligence, Financial Services Sector Exposure Report: 2018-2021 Findings and Trends. Footnote: 21 - American Banker, Bankers Must Confront Security Risk of Remote Work (December 22, 2021). Footnote: 22 - American Banker, 'It's Very Scary': Small Banks Quietly Hit By Ransomware Attacks (May 24, 2021). Footnote: 23 - American Banker, Ransomware Group Attacks A New Jersey Bank-Then Shuts Down (June 16, 2021). Footnote: 24 - The InTREx work program includes examination procedures used to determine the Uniform Rating System for Information Technology. The procedures also assess compliance with Appendix B to Part 364 of the FDIC Rules and Regulations entitled Interagency Guidelines Establishing Information Security Standards and cybersecurity preparedness. Footnote: 25 - Notice of Proposed Rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers, 86 Fed. Reg. 2299 (January 12, 2021). Footnote: 26 -Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 223 (November 23, 2021). Footnote: 27 - These digital assets are not insured by the FDIC. According to the National Institute of Standards and Technology (NIST), distributed ledgers, such as blockchains, are tamper-resistant digital records of transactions that, once established, cannot be changed. NIST Internal Report 8202, Blockchain Technology Overview (October 2018). Footnote: 28 - Bloomberg, Crypto Market Retakes $2 Trillion Market Cap Amid Bitcoin Gains (August 15, 2021). Footnote: 29 - Basel Committee on Banking Supervision, Discussion Paper: Designing a Prudential Treatment for Crypto-assets (May 2021). Footnote: 30 - Basel Committee on Banking Supervision, Discussion Paper: Designing a Prudential Treatment for Crypto-assets (May 2021). Footnote:31 - Bloomberg, Yellen Says U.S. Lacks Adequate Regulatory Framework for Crypto (May 4, 2021). Footnote: 32 - Remarks of FDIC Chairman at Money 20/20 Conference (October 27, 2021). Footnote: 33 - Time, Fed Chairman Says U.S. Might Need More Crypto Regulations, Here's What That Means for Investors (August 12, 2021). Footnote: 34 - President's Working Group on Financial Markets, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, Report on Stablecoins (November 2021). Footnote: 35 - American Banker, PNC Chief Executive Warns of Threat from Stablecoins (October 15, 2021). Footnote: 36 - Financial Institution Letter 75-2021, Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps (November 23, 2021). Footnote: 37 - The World Bank, Financial Inclusion. Footnote: 38 - FDIC Chairman, Remarks at Fintech: A Bridge to Economic Inclusion Conference (June 29, 2021). Footnote: 39 - FDIC Chairman, Remarks at Fintech: A Bridge to Economic Inclusion Conference (June 29, 2021). Footnote: 40 - Environmental Protection Agency Press Release, EPA Report Shows Disproportionate Impacts of Climate Change on Socially Vulnerable Populations in the United States (September 2, 2021). Footnote: 41 - Cleveland Federal Reserve, The CRA Is Important for Underserved Communities, and Your Input Can Help Modernize It (November 16, 2020). Footnote: 42 - Message from FDIC Chair, New Office and Continued Focus on Minority Depository Institutions and Other Mission-Driven Banks (November 2, 2021). Footnote: 43 - World Economic Forum, Transforming Paradigms A Global AI in Financial Services Survey (January 2020). Footnote: 44 - American Banker, Banks Warming to AI-based Lending (October 21, 2019). Footnote: 45 - Brookings Institution, Reducing Bias in AI-based Financial Services (July 10, 2020). Footnote: 46 - Federal Reserve Bank of San Francisco, Community Development Innovation Review, Regulation to Build a More Inclusive Financial System and Drive Financial Health (August 19, 2021). Footnote: 47 - Brookings Institution, Reducing Bias in AI-based Financial Services (July 10, 2020). Footnote: 48 - Forbes, The AI-Bias Problem And How FIntechs Should Be fighting It: A Deep Dive With Sam Farao (September 29, 2021), citing, University of California at Berkley, Consumer-Lending Discrimination in the FinTech Era (November 2019). Footnote: 49 - Deloitte, Developing an effective governance operating model - A guide for financial services boards and management teams. Footnote: 50 - Organization for Economic Co-operation and Development (OECD), G20/OECD Principles of Corporate Governance (2015). Footnote: 51 - See FDIC Statement on CFPB Statement; the Joint Statement of the CFPB Director and FDIC Director (stating that in light of extensive consolidation in the banking industry over the last 30 years, "the effectiveness of the regulatory framework in meeting the requirements of the Bank Merger Act is critical to the future safety and soundness, financial stability, community accountability, and competitiveness of the banking system."), and Statement of Acting Comptroller of the Currency. Footnote:52 - On December 17, 2021, the Department of Justice, Antitrust Division, issued a request for public comments on its guidelines regarding bank mergers. Footnote: 53 - OMB Office of Federal Procurement Policy, Policy Letter 11-01, Performance of Inherently Governmental and Critical Functions (September 2011). Footnote: 54 - OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control (July 2016). Footnote: 55 - NIST SP 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A Systems Lifecycle Approach for Security and Privacy (December 2018). Footnote: 56 - The FDIC's Information Security Program - 2021; The FDIC's Information Security Program - 2020; The FDIC's Information Security Program - 2019; The FDIC's Information Security Program - 2018. Footnote: 57 - Prior to March 2017, the FDIC closed recommendations without OIG review of the corrective actions. As of March 2017, the OIG now reviews all corrective actions to determine whether the FDIC's actions satisfy the recommendation and therefore can be considered closed. Footnote: 58 - Yale Law Journal Forum, Cost-Benefit Analysis of Financial Regulation: A Reply (January 22, 2015). Footnote: 59 - Congressional Research Service, Cost-Benefit Analysis and Financial Regulator Rulemaking (April 12, 2017). Footnote: 60 - OMB, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements (December 6, 2021). Footnote: 61 - OMB, Federal Information Security Modernization Act of 2014 Annual Report to Congress (Fiscal Year 2020). For example, in November 2021, a hacker gained access to an FBI email system and sent more than 100,000 emails. FBI Press Release, FBI Statement on Incident Involving Fake Emails (November 13, 2021). Footnote: 62 - CISA Binding Operational Directive Advisory 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities (November 3, 2021). Footnote: 63 - For example, in April 2021, threat actors gained access to five Federal agencies through remote connection software service provider, Ivanti. The FDIC used an Ivanti product known as Pulse Secure and took action to remediate the vulnerability. In December 2020, Federal networks were compromised by a software update from IT management services company SolarWinds. FDIC uses a SolarWinds product and FDIC officials represented that they disconnected its use. Also in December 2020, nation state actors exploited a vulnerability in VMware products that allowed attackers to forge security credentials and gain access to protected date. The FDIC uses a VMware product and FDIC officials represented that they took action to apply the patch and reduce the risk of exploitation. Footnote: 64 - GAO, High Risk Series: Dedicated Leadership Needed to Address Limited Progress in Most High-risk Areas, (GAO-21-119SP) (March 2021). Footnote: 65 - Congressional Research Service, Federal Building and Facility Security: Frequently Asked Questions (January 27, 2021). Footnote: 66 - FDIC, Equal Employment Opportunity Policy Statement (October 29, 2020). Footnote: 67 - United States Senate Committee on Banking, Housing, and Urban Affairs Minority Press Release, Toomey Encourages Federal Employees to Report Allegations of Misconduct (December 20,2021). Footnote: 68 - GAO, Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information (GAO-22-104551) (January 2022). Footnote: 69 - OCC, Semiannual Risk Report (Fall 2021). Footnote: 70 - GAO, Issue Summary: Using Data and Evidence to Improve Federal Programs. Footnote: 71 - Harvard Business School, The Advantages of Data-Driven Decision Making (August 26, 2019). Footnote: 72 - Deloitte, Anticipatory Government, Preempting Problems Through Predictive Analytics (June 24, 2019). Footnote: 73 - The Department of Homeland Security (DHS) defines the term, "threat," as "a natural or human-created occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment and/or property." See DHS Risk Lexicon Terms and Definitions, 2017 Edition - Revision 2 (October 2017). Footnote: 74 - The ViSION system is an FDIC mission-essential system that supports the FDIC's supervision and insurance responsibilities and provides users with access to financial, examination, and supervisory information on financial institutions. Footnote: 75 - GAO, Management Report: Improvements Needed in FDIC's Internal Control over Contract-Payment Review Processes (GAO-21-420R) (May 13, 2021). Footnote: 76 - FDIC OIG, Security Configuration Management of the Windows Server Operating System (January 2019). Footnote: 77 - NIST, Special Publication 800-161 - Supply Chain Risk Management Practices for Federal Information Systems and Organizations (April 2015). Supply chain refers to "organizations, people, activities, information and resources, possibly international in scope, that provide products or services to consumers." Footnote:78 - GAO, Information Security: Supply Chain Risks Affecting Federal Agencies, (GAO-18-667T) (July 12, 2018). Footnote: 79 - Europe Union Agency for Cybersecurity, Press Release, Understanding the Increase in Supply Chain Security Attacks (July 29, 2021). Footnote: 80 - Pub. L. 114-261, An Act to Enhance Whistleblower Protection For Contractor and Grantee Employees (December 14, 2016). Footnote: 81 - GAO, High-Risk Series: Dedicated Leadership Needed to Address Limited Progress in Most High-Risk Areas (GAO-21-119SP) (March 2021). Footnote: 82 - The Society for Human Resource Management, 4 Essential Soft Skills for Successful Remote Work (November 5, 2020). Footnote: 83 - OPM, Guidance on Establishing an Annual Leadership Talent Management and Succession Planning Process (November 2017). Footnote: 84 - The McKinsey Quarterly, The War for Talent (1998 Number 3). Footnote: 85 - FedWeek, Retirement Wave? Eligibility Numbers Holding Steady (January 7, 2020). Footnote: 86 - Executive Order 14305, Diversity, Equity, Inclusion, and Accessibility in the Federal Workforce (June 25, 2021). The FDIC Legal Division asserted that the Executive Order is not binding on the FDIC, but that the FDIC may voluntarily implement the Executive Order's requirements. Footnote: 87 - Statement of FDIC Chair, On Oversight of Regulators: Does Our Financial System Work for Everyone? (August 3, 2021). Footnote: 88 - FDIC OMWI, Total FDIC Workforce Demographics as of June 30, 2021. Footnote:89 - White House, Strengthening the Federal Workforce (May 2021). [end of report]