
Unimplemented Recommendations

The FDIC OIG’s Report on Unimplemented Recommendations, provided below, contains information about recommendations from our audits, evaluations, and reviews that the OIG has not closed because our office has not determined that the FDIC has fully implemented recommended corrective actions.

The status of each recommendation is subject to change due to the FDIC’s ongoing efforts to implement them, and the OIG’s independent review of information about those efforts. Specifically, a recommendation identified as unimplemented in this report may fall into one of several categories:

  • The FDIC has not completed the planned corrective action to address the recommendation,
  • The FDIC has completed corrective action but has not yet submitted the documentation to the OIG for review, or
  • The OIG is reviewing documentation submitted by the FDIC to assess whether the recommendation can be closed.

Further, the OIG may have subsequently closed a recommendation listed in this report after the date of its issuance.

For each Unimplemented Recommendation listed, we provide the report title, along with a link to the full report if available; the date of report issuance; and a brief description of the recommendation.
 
Our Unimplemented Recommendations listing will be updated monthly.

Status of Unimplemented Recommendations as of March 29, 2024

[Image: Overall status of recommendations as of March 29, 2024. 103 recommendations are unimplemented and 282 are closed.]

[Image: Overall status of recommendations for FY20-24.]

Unresolved Recommendations

There are no Unresolved Recommendations at this time.

Unimplemented Recommendations


Review of the FDIC’s Ransomware Readiness

Evaluate and implement solutions to protect backup data, as described in the report, and update the Storage Systems Backup Data Protection Standard Operating Procedures, as appropriate.

Evaluate and consider enhanced solutions to store backup data, as described in the report, and update the Storage Systems Backup Data Protection Standard Operating Procedures, as appropriate.

Review and update policies and procedures for identifying, assessing, and tracking new Federal IT requirements to ensure timely control implementation, as appropriate.

Conduct an analysis to identify viable alternatives for testing restoration of Active Directory from backups, or have senior management formally accept the risk of not testing these backups.

Develop a process to ensure the Continuity Implementation Plan is regularly updated in a timely manner to ensure it is current, complete, and accurate.

Develop and implement a process to periodically review and update key personnel enrolled in WPS, including those in the CIOO Executive Management Emergency Command Team, and perform quarterly testing as part of its Emergency Communications Program.

Develop and implement a process to ensure employees and contractors in a Continuity Implementation Plan role are assigned and complete initial Disaster Recovery Awareness Training in the FDIC Learning Experience system.

Develop and implement a process to ensure employees and contractors in a Continuity Implementation Plan role are assigned and complete annual Disaster Recovery Awareness Training in the FDIC Learning Experience system.


The FDIC’s Purchase and Deployment of the FDIC Acquisition Management System

Develop a change management process and require Divisions and Offices to employ a change management strategy and plan that incorporates relevant elements mentioned in this report when implementing significant changes to business processes. The relevant change management elements should consider the following:
• Understanding the impact on workforce segments,
• Identifying and engaging the right people,
• Assigning a change management leader,
• Establishing relevant objectives and goals,
• Establishing a communication strategy and plan,
• Ensuring open communication and collaboration with employees impacted by the change,
• Providing effective employee training and tools,
• Assessing achievement of objectives and goals, and
• Analyzing and reporting independently and objectively on project health (using tools such as a project sentiment survey or pulse survey) at key intervals.

Implementation of this recommendation will result in $9.9 million in funds to be put to better use as the FDIC realizes better outcomes over time.

Develop and provide training to Executive and Corporate Managers on the change management process and in developing and employing change management strategies and plans.

Develop and implement a change management strategy and plan for the acquisition of a new acquisition management system.


The FDIC’s Regional Service Provider Examination Program

Conduct a formal assessment of the Regional Service Provider examination program to establish program-level goals, metrics, and indicators and determine whether additional resources and controls are needed to improve the effectiveness of the program, as identified in this memorandum.


Material Loss Review of First Republic Bank

Evaluate why large-bank examination teams may wait to issue CAMELS ratings downgrades until issuance of Reports of Examination (ROEs), rather than promptly when circumstances warrant it as required by the RMS Continuous Examination Process Procedures. Then, take corrective action as appropriate.

Identify additional communications or adjustments to training curriculum to reemphasize to examiners the importance of timely ratings changes in accordance with the FDIC’s approach to forward-looking supervision.

Evaluate and update as appropriate examination guidance to require specified supervisory actions when a bank’s business practices do not align with its policies and procedures (e.g., a balance sheet position that does not align with its interest rate policy).

In light of the unexpected uninsured deposit outflows experienced by First Republic, we recommend that the Director, Division of Risk Management Supervision comprehensively re-evaluate the Manual to determine whether updates to examination guidance are needed pertaining to the evaluation of banks’ deposit outflow assumptions for liquidity stress testing, including the magnitude and velocity of uninsured deposit outflows.

Proactive horizontal identification and monitoring of similarities across banks – including like business characteristics and risks, and like reputational characteristics – that may result in similar behaviors amongst their depositors, including shared risk characteristics that may result in increased contagion risk between institutions.

Incorporating shared risk characteristics that may result in increased contagion risk between institutions into the FDIC’s supervisory approach across large institutions.

Explore potential processes and information sources for real-time monitoring of large bank reputational risk. Potential information sources could include bank share price tracking websites, short seller activity, and social media discussions.

Engage with other federal regulators to evaluate the need for changes to rules under the safety and soundness standards, including the adoption of noncapital triggers that would require early and forceful regulatory actions tied to unsafe banking practices before they impair capital.


Material Loss Review of Signature Bank of New York

Emphasize to examiners in the form of training and other internal communications the requirements around timely escalation of supervisory concerns in line with the FDIC’s forward-looking approach to supervision.

Reiterate to examiners requirements around prompt communication of risk and supervisory results to bank management, emphasizing the significance of prompt communication over linear or chronological issuance of supervisory products.

Conduct and document an evaluation of existing examination guidance to determine whether updates are warranted for:
a. The need to timely communicate findings to bank board and management even when not all supervisory findings are finalized.
b. Escalation of supervisory concerns and ratings downgrades when SRs and MRBAs have been outstanding for multiple examination cycles.
c. Specific circumstances that give rise to interim rating changes, including when concerns are known in advance of the issuance of ROEs and other supervisory products.
d. The effect of bank management’s and board’s lack of receptiveness and responsiveness towards the supervisory process on the rating for the CAMELS Management component.
e. Permitting the LBS Branch to review all supervisory products prior to issuance to the bank when requested, regardless of whether the products contain ratings information.
f. Resolution of situations in which UFIRS and LIDI ratings trend differently for multiple quarters.


Reevaluate the FDIC's strategy to attract, retain, and allocate staffing, including how to enhance the supervision of large, complex financial institutions.
a. This evaluation should be documented and submitted to the FDIC’s Chairman for review and approval.

Implement target metrics and monitor variances for key supervisory outputs consistent with requirements contained in CEP Procedures, such as:
a. Supervisory Plan percentage completed to actual percentage completed to identify and take timely corrective action when examination teams are not on track to achieve objectives detailed in annual supervisory plans.
b. Target review start date to actual review start date to identify and take timely corrective action when examination teams are not on track to achieve objectives detailed in annual supervisory plans.
c. Number of days elapsed between target review start date and exit meeting to expectation to identify and take corrective action when reviews are not being completed and informal results communicated to the bank timely.
d. Number of days elapsed between target review start date and issuance of Supervisory Letter to expectation to identify and take corrective action when the results of reviews are not being completed and results communicated to the bank timely.
e. Number of days elapsed between year-end and ROE issuance to expectation to identify and take corrective action when ROEs are not being completed and results communicated to the bank timely.
f. Number of days elapsed between quarter-end and issuance of Ongoing Monitoring Reports to expectations to identify and take corrective action when ongoing monitoring is not being completed timely.

Comprehensively re-evaluate the Manual in light of the SBNY failure to determine whether updates to examination guidance are needed in the areas of:
a. stability of deposits, including large and long-term uninsured depositor relationships.
b. the velocity and magnitude of potential deposit outflows, including the supervision of liquidity stress testing.


FDIC Strategies Related to Crypto-Asset Risks

Establish a plan with timeframes for assessing risks pertaining to crypto-related activities by:
a) Continuing to identify and document crypto-asset risks,
b) Performing and documenting an analysis of the identified risks to estimate their significance, and
c) Developing and documenting strategies to address crypto-asset risks.

Update and clarify the supervisory feedback process to (a) establish an expected timeframe for reviewing information and responding to FDIC-supervised institutions pursuant to the Financial Institution Letter and (b) describe what constitutes the completion of its review of its supervised institutions’ crypto-related activities.


The FDIC’s Orderly Liquidation Authority

Establish and maintain a consistent focus on the Orderly Liquidation Authority program in the Division of Complex Institution Supervision and Resolution strategic planning, to include a roadmap with established milestones for ensuring that the FDIC promptly matures the Orderly Liquidation Authority program.

Develop and consistently maintain comprehensive Orderly Liquidation Authority policies and procedures for systemically important financial companies, to include:
a. Tier I policies and procedures for framework-level activities.
b. Tier II policies and procedures for operational process-level activities.
c. Tier III policies and procedures for institution-specific planning activities.
d. Other operational program policies and procedures for Orderly Liquidation Authority resolution planning activities.

Apply Tier III policies and procedures to develop and consistently maintain institution-specific resolution planning documents for all nonbank financial companies and financial market utilities designated by the Financial Stability Oversight Council as systemically important.

Establish an action plan for promptly developing and issuing rules and regulations required by the Dodd-Frank Act, including:
a. In consultation with the U.S. Secretary of the Treasury, rules or regulations to meet the requirements of 12 U.S.C. § 5390(o)(6).
b. In coordination with the FRB, and in consultation with FSOC, rules or regulations to meet the requirements of 12 U.S.C. § 5393(d).

Ensure regular interdivisional oversight of the Orderly Liquidation Authority program and related products.

Establish a process for identifying and preparing staff who would be responsible for key Orderly Liquidation Authority resolution governance roles, such as the Executive Advisory and Oversight Group, the Tactical Project Manager, and the Onsite Liaison, to include:
a. Completing planned guidance and/or preparing a charter that will define in more detail the key resolution governance roles and responsibilities.
b. Maintaining a roster of potential staff for key resolution governance roles.
c. Informing potential staff for the key resolution governance roles of their respective Orderly Liquidation Authority resolution responsibilities.

Ensure the completed Tier I and II policies, procedures, and related guidance documents fully define the applicable Orderly Liquidation Authority roles and responsibilities of each FDIC Division and Office.

Ensure the FDIC establishes a timeframe to obtain, and then obtains, the staff resources needed to mature the Orderly Liquidation Authority resolution planning program.

Conduct and document a representative survey or other assessment of the Orderly Liquidation Authority-related skill sets existing or needed within the Division of Complex Institution Supervision and Resolution and ensure the Division’s Professional Development Plan incorporates the results.

Conduct and document an assessment of the level of staff and contractor resources needed for a baseline Orderly Liquidation Authority resolution execution team.

Regularly conduct and document Orderly Liquidation Authority general and functional training and ensure that training is clearly linked to the key components of the systemic resolution framework and processes.

Complete and implement the operational exercise program for significant Orderly Liquidation Authority-related activities, such as the systemic risk determination process, and ensure key contractor resources and FDIC Board Members are included in exercises.

Establish key performance metrics for the Orderly Liquidation Authority program with which the FDIC can measure and monitor the overall status of the program.

Ensure the FDIC regularly updates the FDIC Operating Committee and the FDIC Chairman on the overall status of the Orderly Liquidation Authority program.

Ensure the Division of Complex Institution Supervision and Resolution maintains the necessary staff and establishes a plan for conducting regular internal reviews of Orderly Liquidation Authority resolution planning activities.

Establish a mechanism to track and monitor the implementation of significant current and future recommended action items from internal and external exercises or actual resolution events.

Develop an FDIC readiness plan for a financial crisis, to include a scenario that involves the resolution of multiple concurrent failures of systemically important financial companies.


The Federal Deposit Insurance Corporation's Information Security Program - 2023

Implement process improvements to ensure prompt notification and removal of user network accounts on or before the user’s separation date.

Address the technical issues preventing enforcement of security and privacy training compliance.


FDIC Efforts to Increase Consumer Participation in the Insured Banking System

In developing future Economic Inclusion Strategic Plans, perform an environmental scan of the current economic inclusion landscape. The environmental scan should include external resources, such as national partners and banks, to identify and understand trends in banking services and technology solutions that may affect the FDIC’s economic inclusion goals.

Resume the Bank survey, or implement another mechanism, to obtain the perspectives of banks, including bank efforts to address primary reasons cited by households for being unbanked, and data related to the Federal Deposit Insurance Reform Conforming Amendments Act of 2005 questions. Data obtained should be leveraged to inform the development of the FDIC’s future economic inclusion strategic planning efforts.

Identify and describe internal and external stakeholder coordination and collaboration efforts, including inputs, responsibilities, and expected contributions in the FDIC’s future Economic Inclusion Strategic Plans.

Review Executive Orders related to advancing equity and improving economic opportunities in specific communities to identify and consider best practices that can be incorporated into the FDIC’s future economic inclusion strategic planning efforts.

Clearly identify and describe strategies to achieve the desired goals in the FDIC’s future Economic Inclusion Strategic Plans.

Develop and implement consistent assessment and progress reporting for all Economic Inclusion Strategic Plan goals and objectives, and ensure that the expressed intent of annual FDIC Performance Goals related to economic inclusion matches the goals and objectives articulated in the Economic Inclusion Strategic Plan.

Coordinate with the Division of Finance to develop and implement formal policy and guidance for the formulation of discretionary strategic plans that are consistent with strategic planning best practices from the Office of Management and Budget, the Government Accountability Office, and other organizations identified in this report.

Align the Economic Inclusion Strategic Plan with the policy and guidance developed in response to Recommendation 7.

Develop or use an existing tracking system to measure internal staffing costs related to individual economic inclusion programs and initiatives.

Develop procedures governing when to form or dissolve an Alliance for Economic Inclusion and for monitoring Alliances for Economic Inclusion to ensure the FDIC aligns Alliances for Economic Inclusion to geographical areas with the highest consumer needs or other factors that contribute to the achievement of Economic Inclusion Strategic Plan goals and objectives.

Develop a mechanism to help identify whether the FDIC needs to reallocate resources for economic inclusion initiatives to meet Economic Inclusion Strategic Plan goals and objectives.

Conduct a feasibility study for expanding the language availability for FDIC economic inclusion outreach products.

Develop clear guidance on running business reports out of Community Affairs Reporting and Events System, including the use of filters.

Ensure risk mitigation strategies identified for the economic inclusion-related Enterprise Risk Management Risk Inventory item clearly address and effectively reduce risks related to implementing strategic objectives, effective controls, and responsive programs to promote economic inclusion.


Sharing of Threat and Vulnerability Information with Financial Institutions

Share threat and vulnerability information that is uniquely developed or summarized by the FDIC with financial institutions or other financial sector entities to further strengthen their threat intelligence activities. This includes results from the FDIC’s 2022 Ransomware Horizontal Review and relevant trending and analysis conducted by the Division of Risk Management Supervision.

Conduct training for examiners on the requirements for recording computer-security incidents, the information to include, and specific requirements for Notification Rule incidents.

Conduct a review of computer-security incidents reported since May 1, 2022 to ensure Virtual Supervisory Information on the Net system records are complete and accurate.

Ensure FDIC threat and vulnerability communication procedures facilitate the sharing of unclassified non-cyber related threat and vulnerability information.

Update the Division of Risk Management Supervision Threat and Vulnerability Communication Operating Procedures to:
(1) account for a more appropriate methodology for determining when to share threat and vulnerability information created internally and by other credible sources;
(2) formalize processes for (a) coordinating with the Intelligence and Threat Sharing Unit and accounting for threat and vulnerability information received from the Intelligence and Threat Sharing Unit, (b) coordinating with the Chief Information Officer Organization under the Vulnerability Disclosure Policy program, and (c) coordinating with other FDIC Divisions and Offices that may obtain relevant threat and vulnerability information that requires communication to financial institutions; and
(3) specify the key documents that should be retained to support the Division of Risk Management Supervision threat sharing decisions.

Develop and implement a feedback process for external threat sharing activities.

Develop performance measures to assess the effectiveness of its external threat and vulnerability information sharing activities.

Evaluate and, if necessary, obtain the resources needed for the timely implementation of the recommendations in this report to further mature the FDIC’s threat information sharing program.

Ensure that all data sets within the FDIC that contain relevant threat and vulnerability information are assessed and natural language processing or alternative technological capabilities are considered for enhancing threat and vulnerability information sharing operations.


The FDIC’s Adoption of Cloud Computing Services

Develop and maintain an inventory and catalog of all FDIC data used throughout the cloud data lifecycle.

Establish and implement data governance requirements (e.g., policies, processes, roles, and responsibilities) for managing data residing in the cloud.

Establish an exit strategy for all cloud-based systems.

Develop and implement Contract Management Plans for all contract actions, including contracts, basic ordering agreements, and related task orders, as required by FDIC policy.

Provide additional training to Contracting Officers and Oversight Managers to emphasize the requirement to develop Contract Management Plans for contract actions, when appropriate.

Update the Project Management Lifecycle and/or System Development Life Cycle frameworks to include a Disposal phase and process.

Develop and implement policies and procedures for overseeing the decommissioning of legacy systems.

Review all current and planned system replacements and ensure legacy system decommissioning plans are created in accordance with FDIC policies and procedures.


FDIC Examinations of Government-Guaranteed Loans

Develop and implement guidance to examination staff on the credit, operational (including fraud), liquidity, and compliance risks related to Government-guaranteed loans to ensure staff adequately plans and conducts examinations to identify and address emerging risks.

Develop and implement guidance to examination staff to ensure the staff consistently evaluate Government-guaranteed loans in their review of loan classification, assessment of off-balance sheet risk, concentration risk, and ongoing monitoring.

Issue and implement guidance to require that examination staff conduct a fraud risk assessment on future Government-guaranteed loan programs involving FDIC-insured and FDIC-supervised financial institutions to inform policy decisions.

Ensure guidance on future Government-guaranteed loan programs includes all risks associated with such programs and has instructions to allow for consistency in supervisory activities.

Revise and implement FDIC guidance and practices for assessing concentrations and loan classification to ensure uniform application with the other Federal bank regulators of supervisory approaches to banks.

Coordinate with the other Federal bank regulators to ensure uniform application of supervisory approaches to banks regarding concentrations and loan classification.

Develop and implement a training plan to ensure examination staff are trained on the requirements and risks of Government-guaranteed loan programs.


FDIC Oversight of a Telecommunications Contract

Develop and implement FDIC CIOO processes to monitor and oversee internal controls for procurement activities, including ensuring the internal control environment is clearly understood, adhered to, and achieving its intended objectives and reporting out the results.

Develop a strategy to periodically assess workload imbalances and implement a strategy to address such imbalances among Oversight Managers in the FDIC CIOO.

Develop and implement processes to identify and perform a secondary review of variations in invoice amounts and burn rates, and depletions in contract funds, in accordance with FDIC acquisition policies and procedures.


The FDIC's Security Controls Over Microsoft Windows Active Directory

Provide additional training to emphasize password requirements for privileged account users and communicate the effect of poor password practices, including those identified in this report.

Develop and implement controls to monitor and track password usage for privileged users and domain administrators to mitigate insecure password practices.

Develop and implement policies and procedures to automate the password creation and management process for privileged Active Directory accounts.

Develop and implement a process to regularly evaluate the roles to determine whether they are still needed or duplicative of other roles.

Develop and implement a process to reconcile conflicting certification determinations for duplicative roles.

Update and implement procedures to proactively update or replace operating systems before vendor support ends.

Develop and implement a process to monitor all domain controllers and ensure that any exceptions are addressed timely.


Implementation of the FDIC’s Information Technology Risk Examination (InTREx) Program

Conduct a review to determine areas in which the AlphaRex tool could be utilized to identify areas of improvement for the InTREx program and emerging IT risks and trends at financial institutions.

Develop and implement defined, objective, quantifiable, and measurable goals related to the InTREx program.

Develop and implement a process to collect and analyze relevant data regarding the InTREx program.

Develop and implement metrics and indicators, including outcome measures, to assess the effectiveness of the InTREx program and to determine if the program is achieving its desired results and outcomes.


Security Controls Over the FDIC’s Wireless Networks

Develop and implement a policy to review, approve, and centrally manage the configuration settings of current and future Wi-Fi enabled devices in FDIC facilities, before set-up and subsequent updates.

The FDIC’s Implementation of Supply Chain Risk Management

Implement SCRM controls of the NIST RMF for IT procurements.


Sharing of Threat Information to Guide the Supervision of Financial Institutions

Establish and implement procedures for RMS threat information sharing activities.


Whistleblower Rights and Protections for FDIC Contractors

Develop and implement procedures for the FDIC to ensure contractors carry out their obligations under the Whistleblower Rights Notification Clause, including methods for verification that (1) all contractor and subcontractor employees of the FDIC are notified of their whistleblower rights and protections, and (2) clauses are appropriately included in subcontracts.


The FDIC’s Information Security Program – 2021

Develop and implement SCRM processes and procedures in accordance with the Supply Chain Risk Management Program Directive and applicable government guidance.


Contract Oversight Management

Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors.