The Office of Inspector General promotes the economy, efficiency, and effectiveness of FDIC programs and operations, and protects against fraud, waste, and abuse, to assist and augment the FDIC's contribution to the stability of, and public confidence in, the nation's financial system.
Communication and Outreach
Communication between the OIG and the Chairman, the Congress, and other stakeholders will be effective.
The OIG will align its human resources to support the OIG mission.
The OIG will effectively manage its resources.
Office of Inspector General
Semiannual Report to the Congress
April 1, 2002 - September 30, 2002
- Corporate Downsizing,
- Human Capital, and
- Information Security.
The past 6 months at the Federal Deposit Insurance Corporation (FDIC) have been marked by dramatic corporate downsizing, streamlining, and restructuring as the Corporation continues to reinvent itself under the leadership of Chairman Donald Powell. The Corporation's overall streamlining efforts included merging four divisions into two, an action that is estimated to save nearly 300 positions and $35 million per year. The streamlining is also intended to increase operational efficiencies and empower employees through the delegation of increased authority and responsibility to lower levels within the organization. As part of overall savings, the Corporation's approved field management restructuring plan is estimated to save $23.5 million over 5 years. As of September 30, 2002, its 2002 buyout/retirement incentive program had achieved a reduction of 699 staff and $80 million in projected savings in future operating costs. Additional staff departures are anticipated in 2003. Looking ahead, the Corporation anticipates a staffing level of approximately 5,380 by December 31, 2006. Current staff totals 5,500. In light of so many fundamental changes, each with ramifications for thousands of FDIC employees and the work they carry out in pursuit of the FDIC mission, some key questions must be asked.
Is the Corporation placing sufficient emphasis on human capital concerns? Is it developing an integrated human capital framework that evidences leadership commitment to human capital management; strategic human capital planning; acquiring, developing, and retaining talent; and a results-oriented organizational culture, all cornerstones of human capital management according to the U.S. General Accounting Office (GAO)?
While there are positive signs that human capital activities are indeed ongoing throughout the Corporation, I urge increased attention to this issue given the Corporation's current state of flux. As we discuss later in this semiannual report, the strategies that the Corporation is currently pursuing will be most effective if they are centralized, focused, and sustained. The Corporation's Human Resources Committee and the recruitment of a human capital professional as Associate Director of the Human Resources Branch of the Division of Administration are steps in the right direction towards achieving this goal.
The Office of Inspector General (OIG) will continue to emphasize this view in the months ahead and offer assistance to the Corporation as it builds on the cornerstones discussed above. The OIG must lead by example, and we are in the process of doing so. The OIG's participation in the FDIC's early retirement and buyout program and other attrition will result in the separation of 54 employees, or 25 percent of our April 2002 staff level. We also closed our San Francisco office during the reporting period. We understand the need to effectively manage the corresponding changes in our organization and processes. We also recognize the impact of organizational upheaval on the individuals comprising our current workforce. Mindful of this, during the reporting period we issued the final version of our Human Capital Strategic Plan. I fully support this plan. It incorporates input received from OIG staff, the GAO, and another OIG. Workforce analysis; competency investments; leadership development; and a results-oriented, high-performance culture are at its core. We are currently developing a technical knowledge inventory tool and will be working to develop key competencies for our occupational series to align our recruiting, training, and professional development efforts with the OIG mission.
Turning now to the issue of information security: information, much of which is sensitive, is a critical corporate resource that must be protected. Information and analysis on banking, financial services, and the economy form the basis for the development of public policies and promote public understanding of and confidence in the nation's financial system. Sound information resources management is essential to the successful accomplishment of the FDIC's mission, goals, and objectives. Based on our work this year related to the Government Information Security Reform Act (GISRA), we concluded that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources.
The FDIC had made progress in addressing a number of security problems identified in our 2001 report. For example, it enhanced its risk management program, developed a security awareness program, improved security controls in the mainframe environment, and strengthened its disaster recovery and business continuity planning and incident response tracking and reporting. However, we concluded that in 3 of 10 key management control areas evaluated (Contractor Security, Capital Planning and Investment Control, and Performance Measurement), the FDIC had no assurance that adequate security had been achieved. In a fourth area, Security Act Responsibilities and Authorities, we highlighted opportunities for the FDIC to strengthen the accountability and authority of one of its most important leadership positions related to information security: the Chief Information Officer (CIO). We provided Chairman Powell a list of 10 actions in priority order to address the concerns we identified in our review. Chief among those, we advocated appointing a permanent CIO, ensuring that the CIO reports directly and solely to the Chairman, and filling key vacancies in the Division of Information Resources Management that support information security initiatives and operations.
For its part, as referenced later in our semiannual report, during the reporting period, in addition to our GISRA-related work, the OIG participated in a number of meetings and exchanges governmentwide to tackle information security issues. The OIG has also focused attention on information security matters in its internal operations. In keeping with the security program being implemented throughout the Corporation, we named an information security officer, formed an advisory committee with representatives from each OIG component, published "e-security tips" for OIG staff, drafted new security-related policies, and identified priority information security areas for future focus. We will continue to devote attention to these issues internally and will also work closely with the Corporation to further its efforts to implement a comprehensive information security program that provides reasonable assurance of adequate security for its information resources.
And finally, I am again compelled to address an unresolved matter related to the FDIC's organizational leadership. In past semiannual report statements I have voiced concern that the Corporation has been operating with key vacancies on its Board of Directors, a condition that I believe is to the Board's detriment and that fails to ensure the independence of the FDIC. First, the position of Vice Chairman has been vacant since January 2001. On October 3, 2002, the Senate Banking Committee held confirmation hearings regarding the nomination of Director John Reich to be Vice Chairman of the FDIC. As of the date of this statement, he had not yet been confirmed.*
Second, I am concerned not only that Director Reich is awaiting confirmation as Vice Chairman, but also that a vacancy exists on the Board because one of the three FDIC Director positions has remained unfilled since September 1998. While several names have been sent forward for consideration, no definitive action has taken place to select a third FDIC Board Member. Given the make-up of the five-member Board, comprised of the Chairman of the FDIC, two FDIC Directors, the Comptroller of the Currency, and the Director of the Office of Thrift Supervision, the OIG's position is that the balance between various interests implicit in the Board's structure is preserved only when all Board positions are filled. Thus, I reiterate my position that it is critical, especially at this juncture in the FDIC's history, that a full Board be in place to provide the Corporation the strong, sustained leadership needed to meet the Corporation's many challenges.
The FDIC Chairman himself has recently offered a daunting challenge to the entire regulatory community, a challenge that will likely warrant FDIC Board attention and input. Speaking recently about the future of regulatory agencies, the Chairman noted:
"We've seen amazing dynamism and innovation in banking over the last 20 years. Yet we keep in place a regulatory system rooted in an era that is truly gone with the wind. Despite the convergence, efficiencies, and economies of scale achieved by the industry, the regulatory community is still mired in a confusing web of competing jurisdictions, overlapping responsibilities, and cumbersome procedures. I know we can do better."
The Chairman's proposed overhaul of financial services regulation would put in place three federal regulators. These entities would oversee the banking industry, the securities industry, and those companies that choose an optional federal insurance charter. In line with his proposed revamping of the regulatory agencies, the Chairman announced that the FDIC would be conducting a major study over the next year on the future of banking in America. He has invited a number of parties to join the FDIC in developing a new and better structure for a new financial age. The FDIC Board could have a significant role to play in the debate that the Chairman has launched. Only with a full complement of Members can the Board provide maximum input to that debate and fully carry out its corporate governance responsibilities.
Of additional note with respect to the FDIC's leadership, the Corporation named Steven O. App as its new Chief Financial Officer during the reporting period. Mr. App formerly served as the Deputy Chief Financial Officer at the Department of the Treasury. The OIG looks forward to continuing to work with him to address issues of mutual interest. Similarly, the OIG has appointed new senior leadership since our last semiannual report. Patricia Black, former Counsel to the Inspector General, is now Deputy Inspector General, and Fred Gibson, who has been serving as Acting Counsel, was recently named Counsel to the Inspector General. Pat and Fred are eminently qualified to assume these new responsibilities. I am counting on their assistance and sound legal advice and counsel as I continue to lead our organization and serve the FDIC at this critical time in its history.
Gaston L. Gianni, Jr.
October 31, 2002
Inspector General's Statement (page 2)
Reporting Terms and Requirements (page 2)
Appendix I: Statistical Information Required by the Inspector General Act of 1978, as amended (page 56)
Abbreviations and Acronyms (page 64)
Table 1: Significant OIG Achievements (page 50)
Table 2: Nonmonetary Recommendations (page 50)
Figure 1: Products and Investigations Closed (page 53)
Figure 2: Questioned Costs/Funds Put to Better Use (page 53)
Figure 3: Fines, Restitution, and Monetary Recoveries Resulting from OIG Investigations (page 53)
This section of our report focuses on key challenges confronting the FDIC as it works to accomplish its mission. In the OIG's view, these major issues fall into two broad categories. First, the Corporation faces challenges related to its core mission of contributing to the stability and public confidence in the nation's financial system by insuring deposits, examining and supervising financial institutions, and managing receiverships. Such challenges sometimes involve significant policy decisions and are often influenced by external factors such as industry events, economic trends, activities of other federal banking regulators, consumer concerns, and congressional interest. Second, a number of important operational matters require the Corporation's attention as its workforce actually carries out the corporate mission. These issues touch on, for example, information technology (IT) resources and security, contracting activities, human capital concerns, cost efficiencies, performance measurement and accountability, and physical security.
In our prior semiannual report, we identified a new emerging issue, that of the Quality of Bank Financial Reporting and Auditing. This emerging risk potentially affects the FDIC in its roles as regulator, receiver, and insurer. We update the OIG's and the Corporation's efforts to address this issue in this semiannual report.
With respect to the major issues relating to the Corporation's core mission, the FDIC must address risks to the insurance funds in a complex global banking environment that continues to experience change and offer expanded services. At the same time, the Corporation is charged with effectively supervising financial institutions and carefully protecting consumers' rights. A Board of Directors operating at full strength is essential to lead the Corporation as it faces such challenges. Without a full Board, the Corporation's independence cannot be guaranteed. As the Corporation moves forward, deposit insurance reforms will continue to be debated and deliberated by the banking industry and the Congress. One aspect of such reform involves the possible merger of the Bank Insurance Fund and the Savings Association Insurance Fund, an action that the OIG supports.
Turning attention to the Corporation's more "operational" demands, the use of IT at the FDIC is crosscutting and absolutely essential to the Corporation's accomplishment of its mission. IT must be effectively and efficiently used to achieve program results corporate-wide. The Corporation must also continue to develop an enterprise architecture process to manage technology, applications, and technical infrastructure for the Corporation. It also needs to follow sound system development procedures and comply with IT principles espoused by legislation and regulation. A critical priority is ensuring that effective controls are in place and implemented to ensure information system security, mitigate risks, and protect IT resources. Given the extent of the FDIC's contracting activities, strong controls and vigilant contractor oversight are also critical to the Corporation's success. Contracting must be done in a fair and cost-effective manner. The Corporation's contract oversight mechanisms must protect the FDIC's financial interests and help ensure that the FDIC is actually receiving the goods and services for which it is spending millions of dollars.
Major downsizing over the past years has impacted the FDIC workplace, and during the reporting period more occurred. In addition to losing staff, the Corporation has merged groups and streamlined its organizational structure. As a result of these activities, the Corporation has lost leadership and, in some cases, expertise and historical knowledge. The Corporation is taking steps to compensate for these resource losses and must build on ongoing initiatives to develop a comprehensive, integrated approach to human capital issues. It has established a Human Resources Committee and must continue to focus attention on human capital concerns in light of such significant recent organizational change and additional resource challenges to come.
In light of changes in the banking industry, advances in technology, and such dramatic shifts in staffing and skill levels, the Corporation has been closely scrutinizing its business processes and their associated costs in the interest of identifying operational efficiencies. Among other activities, its Supervision Process Redesign, New Financial Environment, focus on e-business, and plans to relocate many D.C.-based staff to Virginia Square in the future have generated ideas for such efficiencies and are positive steps.
Under the provisions of the Government Performance and Results Act, with its emphasis on accountability, the Corporation establishes goals, measures performance, and reports on its accomplishments for all of these major issues and their corresponding challenges. With respect to a more recent concern, largely as a result of the events of September 11, 2001, one year ago we added the major issue of Ensuring Security of the FDIC's Physical and Human Resources to our list of management challenges. Our report discusses actions that the Corporation has taken to address these areas.
Our Major Issues section discusses the OIG's completed and ongoing/planned work to help the Corporation successfully confront these major issues and their associated challenges. We discuss areas where we identified opportunities for improvements and the recommendations we made in those areas. We identified potential monetary benefits of $2.1 million and made 73 nonmonetary recommendations during the reporting period. Our work targets all aspects of corporate operations and includes a number of proactive approaches and cooperative efforts with management to add value to the FDIC (see pages 11-32).
The operations and activities of the OIG's Office of Investigations are described beginning on page 33 of this report. As detailed in the Investigations section, the Office of Investigations is reporting fines, restitution, and recoveries totaling approximately $820 million. Cases leading to those results include investigations of bank fraud, theft of government funds, credit card fraud, and misrepresentations regarding FDIC insurance. Our report also highlights efforts of OIG agents who received the Attorney General's Award for Distinguished Service. Some of the investigations described reflect work we have undertaken in partnership with other law enforcement agencies and with the cooperation and assistance of a number of FDIC divisions and offices. To ensure continued success, the OIG will continue to work collaboratively with FDIC management, U.S. Attorneys' Offices, the Federal Bureau of Investigation, and a number of other law enforcement agencies (see pages 33-44).
The OIG Organization section of our report highlights several key internal initiatives that we have actively pursued during the reporting period. The OIG's internal focus has been on realigning resources in light of significant downsizing of staff and planning for the challenges of the future. Our Human Capital Strategic Plan is an important driver of that activity. This section of our report also references some of the cooperative efforts we have engaged in with management during the reporting period. These include making presentations at corporate conferences and meetings and providing technical assistance to corporate management in determining whether FDIC policies ensure that accounting and auditing contractors comply with the U.S. General Accounting Office's new independence standards. We note the proposed or existing laws and regulations reviewed during the past 6 months, refer to litigation and other efforts of OIG Counsel, and also capture some of our other internal initiatives this reporting period. In keeping with our goal of measuring and monitoring our progress, we visually depict significant results over the past five reporting periods (see pages 45-53).
We list the Inspector General Act reporting requirements and define some key terms in this section. The appendixes also contain much of the statistical data required under the Act (see pages 56-63).
The Office of Audits issues 22 reports containing total questioned costs of $556,535 and a memorandum identifying funds put to better use of $1.6 million.
OIG reports include 73 nonmonetary recommendations to improve corporate operations and activities. Among these are recommendations to strengthen security over FDIC information systems, improve the effectiveness of the offsite review program, develop additional policy for and better capture and track Gramm-Leach-Bliley Act-related activities, and enhance the asset valuation review process.
OIG investigations result in 14 indictments/informations; 17 convictions; and approximately $820 million in total fines, restitution, and other monetary recoveries. Approximately $819 million of that amount represents court-ordered restitution and is not an amount that has been collected.
The OIG's participation in the FDIC's early retirement and buyout program and other attrition will result in the separation of 54 employees. All OIG components adjust to reductions through staff reorganizations and modifications in operational processes.
Office of Audits reorganizes around five directorates: four operational directorates (Resolution, Receivership, and Legal Affairs; Insurance, Supervision, and Consumer Affairs; Information Assurance; and Resource Management) and a fifth directorate, Corporate Evaluations, which performs corporate-wide and other evaluations.
The OIG issues its Human Capital Strategic Plan for 2002-2006 outlining four objectives relating to workforce analysis; competency investments; leadership development; and a results-oriented, high-performance culture.
The OIG focuses audit and evaluation work on information security matters through such projects as issuance of the 2002 Government Information Security Reform Act evaluation report, presentations at governmentwide meetings, and coordination with the U.S. General Accounting Office (GAO) and Office of Management and Budget.
The OIG issues its Government Information Security Reform Act report, concluding that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources. While progress had been made in addressing previously identified weaknesses, in 3 of 10 key management control areas evaluated (Contractor and Outside Agency Security, Capital Planning and Investment Control, and Performance Measurement), the FDIC had no assurance that adequate security had been achieved. Our report also highlighted opportunities for the Corporation to strengthen the accountability and authority of its Chief Information Officer position.
The OIG and GAO continue their joint effort to audit the Corporation's financial statements. The OIG and GAO agree that the OIG will commit three staff members to perform the receivables from bank/thrift resolutions and receivership receipts audit work. One staff member will assist with information systems testing. The OIG is developing a multi-year strategy for performance of the information systems audit requirements starting in 2003.
OIG Counsel litigates 11 matters during the reporting period and provides advice and counsel on a number of issues.
The OIG reviews and comments on one proposed federal regulation and 22 proposed FDIC policies and directives and responds to 13 requests under the Freedom of Information Act and Privacy Act.
The OIG coordinates with and assists management on a number of initiatives, including a joint project with the Office of Internal Control Management and the Division of Administration to ensure that accounting and auditing contractors comply with GAO's new independence standards, coordination with the Division of Supervision and Consumer Protection (DSC) on its Process Redesign II project, and Office of Investigations and Office of Audits executives' participation at the DSC Field Office Supervisor meetings.
The OIG accomplishes a number of internal office initiatives, including completion of a comprehensive plan for downsizing and restructuring, issuance of Office of Audits' Fiscal Year 2003 Assignment Plan, establishment of an information security program, and outreach activity to various banking organizations on OIG operations.
Four OIG Special Agents are among an 11-member team that receives the Attorney General's Award for Distinguished Service for their exemplary work in the investigations and prosecutions relating to the failure of Keystone Bank, Keystone, West Virginia.
The OIG completes its annual review of the FDIC's Internal Control and Risk Management Program, concluding that the program complied with policy and was consistent with the Federal Managers' Financial Integrity Act provisions.
The OIG issues the results of its evaluations of the adequacy of the physical security of FDIC facilities in headquarters and other selected sites.
As Vice Chair of the President's Council on Integrity and Efficiency, the Inspector General leads the Inspector General community's activities designed to facilitate agency efforts related to the President's Management Agenda. These include work in the financial management, government performance, information technology, and human capital arenas.
A primary goal of the FDIC under its insurance program is to ensure that its deposit insurance funds remain viable. Achieving this goal is a considerable challenge, given that the FDIC supervises only a portion of the insured depository institutions. The identification of risks to non-FDIC supervised institutions requires coordination with the other federal banking agencies. The FDIC engages in an ongoing process of proactively identifying risks to the deposit insurance funds and adjusting the risk-based deposit insurance premiums charged to the institutions. The Division of Finance completes the final phase of this ongoing process by collecting the premium assessments.
Although the FDIC has a continuous program to ensure the viability of the deposit insurance funds, recent trends and events continue to pose additional risks to the funds. The economic landscape changed dramatically following the events of September 11, 2001, and the potential exists for an increased number of bank failures. Additionally, the environment in which financial institutions operate is evolving rapidly, particularly with the acceleration of interstate banking; new banking products and asset structures; electronic banking; and consolidations that may occur among the banking, insurance, and securities industries resulting from the Gramm-Leach-Bliley Act (GLBA).
Bank mergers have created "megabanks," or "large banks" (defined as institutions with assets of over $25 billion), and, for many of these institutions, the FDIC is not the primary federal regulator. As of March 31, 2001, there were 38 megabanks in the country. Of the $5.3 trillion consolidated assets controlled by the 38 megabanks, the FDIC was the primary regulator for only $162.5 billion in 3 institutions. The megabanks created as a result of mergers and the new or expanded services that the institutions can engage in under GLBA are presenting challenges to the FDIC. The failure of a megabank, for example, along with the potential closing of closely affiliated smaller institutions, could result in huge losses to the deposit insurance funds.
During the reporting period, the Corporation selected designated onsite examiners to enhance the FDIC's risk monitoring of the eight largest insured institutions.
Focus on Bank Insurance Fund
The Federal Deposit Insurance Act, Section 7(b), Assessments, requires the FDIC Board of Directors to set semiannual assessments for insured depository institutions if the required reserve ratio of the insurance fund balance to estimated insured deposits falls below 1.25 percent.
As of March 31, 2002, the Bank Insurance Fund (BIF) reserve ratio was at 1.23 percent, the first time it had fallen below 1.25 percent since 1995. By June 30, 2002, the BIF reserve ratio was at 1.26 percent, slightly above the statutorily mandated designated reserve ratio for the deposit insurance funds. If the BIF ratio is below 1.25 percent, the FDIC Board of Directors must charge premiums to banks that are sufficient to restore the ratio to the designated reserve ratio within 1 year.
Mindful of this significant issue, the OIG will be conducting related work during the upcoming months.
OIG Completes Superior Bank-Related Reviews
In our previous semiannual report, we reported on a series of reviews that we had conducted based on a congressional request from Senator Paul Sarbanes, Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, related to the failure of Superior Bank, FSB, Hinsdale, Illinois.
Upon the failure of Superior Bank, the Office of Thrift Supervision closed the institution on July 27, 2001. At the time of closure, Superior had total assets of $2.2 billion and total deposits of $1.6 billion. The FDIC was named conservator and transferred the insured deposits and substantially all of the assets of Superior to Superior Federal, FSB (New Superior), a newly chartered, full-service mutual savings bank. The failure of Superior was one of the costliest of all recent failures. The FDIC's most recent loss estimate is $440 million.
During the reporting period, we completed the last of our series of audits related to the Superior Bank failure-an audit of the Division of Resolutions and Receiverships' (DRR) marketing efforts for the deposit liabilities, assets, and principal product groups of New Superior.
We determined that DRR effectively marketed Superior's deposit liabilities and assets to maximize the return to the conservatorship. The FDIC, as the receiver, transferred deposit liabilities totaling $1.5 billion and assets totaling $2 billion to New Superior. We reviewed the sale of the deposit liabilities and approximately 65 percent of the assets. DRR awarded the sales to the highest bidders in all sales we reviewed, except for one security sale. We were unable to determine whether DRR selected the highest bidder for the one security sale, because of insufficiencies in the sale file documentation.
OIG Reviews the FDIC's Implementation of GLBA Provisions
Signed into law on November 12, 1999, GLBA reverses many of the barriers between banking and commerce erected by the Glass-Steagall Act of 1933 and is the most extensive reform of financial services regulation in over 60 years. GLBA also affects how various bank and affiliate activities are regulated and examined. GLBA eliminates many federal and state barriers to affiliations among banks and securities firms, insurance companies, and other financial services providers. Financial organizations are provided flexibility in structuring these new financial affiliations through a holding company structure or a financial subsidiary. The Federal Reserve System remains the "umbrella" supervisor for holding companies, but GLBA also incorporates "functional regulation" to use the strengths of the various federal and state financial supervisors. Increased affiliation between state non-member banks and other financial services providers engaged in expanded activities, in a new functional regulation environment, poses risks to the FDIC and the Bank Insurance Fund.
We conducted an audit that focused on three of the GLBA's seven titles to determine whether: (1) the Division of Supervision (DOS), now known as the Division of Supervision and Consumer Protection (DSC), had established coordination arrangements for GLBA activities with other regulatory agencies; (2) DOS procedures had been updated to address the restrictions and safeguards in GLBA; and (3) DOS was identifying banks that are directly or indirectly engaged in GLBA activities. We concluded that DOS had established coordination arrangements with other regulatory agencies but needed an updated agreement for information sharing with the Securities and Exchange Commission (SEC). DOS had also updated or created related policies and procedures to address most of the GLBA provisions covered in our review although some additional guidance was needed in the area of related organizations. Also, while the FDIC had access to Federal Reserve System data on financial holding companies, DOS information systems did not identify banks that were directly or indirectly engaged in GLBA-affected activities.
We made four recommendations to DSC related to developing information-sharing procedures in conjunction with the FDIC Legal Division and the SEC, expediting policy revisions, and enhancing information systems and databases to better capture and track GLBA-related activity. DSC is taking action to address all recommendations.
Supervising Insured Institutions
The FDIC shares supervisory and regulatory responsibility for approximately 9,480 banks and savings institutions with other regulatory agencies including the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and state authorities. The FDIC is the primary federal regulator for 5,417 federally insured state-chartered banks that are not members of the Federal Reserve System (state non-member banks), a group that includes state-licensed branches of foreign banks and state-chartered mutual savings banks. The challenge to the Corporation is to ensure that its system of supervisory controls will identify and effectively address financial institution activities that are unsafe, unsound, illegal, or improper before the activities become a drain on the insurance funds.
Emerging trends and new developments in the banking industry require the DSC to identify and assess risks from such activities as:
- subprime lending;
- declining underwriting standards for commercial real estate lending;
- rapid changes in bank operations between safety and soundness examinations;
- the growth of information technology and its increasing impact on payment systems and other traditional banking functions;
- fraudulent activities, which have contributed significantly to bank failures in recent years; and
- expanded banking activities permitted by the GLBA.
Further, DSC may have to reevaluate the concepts of risk, capital, and asset valuation in light of ever developing investment products and methods.
The FDIC has worked to increase the efficiency of the bank examination process designed to identify and assess these risks. Its Process Redesign efforts are ongoing. Additionally, the Corporation reported in its 3rd quarter Letter to Stakeholders that for the year-to-date, it had completed 485 expedited examinations of well-managed/well-capitalized banks under $250 million, resulting in a reduction of the average examination time on these institutions of more than 20 percent. With the possibility of a serious economic downturn, and in light of the magnitude of FDIC corporate reorganization and downsizing, DSC must continue to assess its size and the mix of expertise and skills in its workforce to ensure sufficient capacity for addressing increased risks. Considering the lead-time for developing new commissioned examiners, the FDIC needs to ensure the examination workforce will be adequate for handling potential problems and bank failures.
Joint Evaluation of the Federal Financial Institutions Examination Council
We collaborated with the Offices of Inspector General of the Department of the Treasury and the Board of Governors of the Federal Reserve System (FRB) to conduct a review of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the FRB, FDIC, National Credit Union Administration, Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.
We issued a report concluding that the FFIEC is accomplishing its legislative mission of prescribing uniform principles, standards, and report forms and is achieving coordination between the banking agencies. Further, most officials stated that the FFIEC's role and mission were appropriate going forward and should not be expanded because of the Gramm-Leach-Bliley Act. Notwithstanding, some officials indicated that the FFIEC could accomplish its mission more effectively. The Council has discussed a number of measures to improve FFIEC effectiveness, including having the principals more actively involved in FFIEC matters and developing annual goals, objectives, and work priorities for the task forces.
The FRB, OTS, OCC, and FDIC provided written comments on a draft of the report. The FRB, OCC, and FDIC responses concurred with the report's overall conclusions. The OTS's response did not specifically comment on the overall conclusions but raised several points that we clarified in the final report. A detailed summary of the various agency comments is included in the final report.
OIG Reviews Offsite Rating Tool
During 1998, the FDIC implemented a new offsite rating tool, the Statistical CAMELS Offsite Rating (SCOR) review, to more effectively and efficiently monitor risk to the banking and thrift systems. SCOR uses quarterly Reports of Condition and Income (Call Reports) to identify institutions that could potentially receive a downgrade in their CAMELS ratings at their next safety and soundness examination. To do this, SCOR uses statistical techniques to estimate the relationship between Call Report data and the results of the latest examination and estimates the probability of an institution being downgraded at the next examination.
We completed an audit to determine the effectiveness of SCOR as an early warning system and to assess actions taken by the DSC in response to early warning flags identified by SCOR. The audit was conducted nationwide and included a sample of banks from all FDIC regional offices.
We concluded that the effectiveness of the SCOR review program in detecting potential deterioration in the financial condition of insured depository institutions, as presently implemented, was limited. SCOR had not identified emerging supervisory concerns or provided early warnings of potential deterioration at the majority of financial institutions we reviewed. Further, case managers were placing limited reliance on SCOR as an early warning system.
Our report contained three recommendations intended to improve the SCOR offsite review program. First, we recommended that DSC assess the usefulness of SCOR as an early warning system as it is currently being implemented. If DSC determines that SCOR should continue as part of the offsite monitoring program, we recommended that DSC revise SCOR procedures to require that the DSC case manager analyses be performed within shorter timeframes than allowed by the current procedures. We also recommended that DSC instruct case managers to more often recommend onsite activity or other interactions with the institution as a follow-up action for those institutions flagged by SCOR that also have previously identified management weaknesses.
DSC concurred with each of the three recommendations and took corrective action in response.
The FDIC's Assessment of Corrective Action Work Performed by Third-Party Contractors
One of the Corporation's annual performance goals for 2002 is that prompt supervisory actions are taken to address problems at institutions identified as problem insured depository institutions and that the Corporation monitor these institutions' compliance with formal and informal enforcement actions. Corrective actions are agreements (informal) or legally enforceable orders (formal) that the FDIC may institute against a financial institution or individual respondent to correct noted safety and soundness or compliance deficiencies. During the reporting period we conducted an audit to determine whether work performed by third-party contractors for FDIC-supervised institutions met the requirements of corrective actions instituted by the FDIC's DOS.
We concluded that the FDIC accepted work performed by third parties as meeting the requirements of the corrective actions instituted by the Corporation, and third-party work was completed within established timeframes. Also, DOS reviewed the corrective actions to ensure their completeness in addressing the underlying safety and soundness concerns. We made no recommendations in this report.
Asset Valuation Review
We audited the FDIC's asset valuation review (AVR) process for Sinclair National Bank, which failed on September 7, 2001. The Division of Resolutions and Receiverships' (DRR) AVR process resulted in a reasonable estimate of the overall value for the assets of Sinclair. We found that 28 of the 68 individual Sinclair asset valuations that we tested contained significant misstatements, defined as valuation discrepancies that exceeded or could have exceeded 10 percent of the FDIC's final AVR price for the individual asset. However, the net dollar impact of these errors, when the revised valuations were incorporated into the Standard Asset Value Estimation process, was less than 1 percent of the total AVR price of $21.6 million for all the Sinclair assets.
While the individual valuation discrepancies for the Sinclair resolution were not large in relation to the total AVR price for all assets, they stemmed from procedural weaknesses that could result in larger dollar losses on the disposition of individual assets in future resolutions. We also identified other weaknesses that could result in unnecessary costs to the FDIC in future resolutions if not corrected.
Thus, while the process was generally effective, we recommended additional controls to help DRR maintain the accuracy of the AVR process results and recover the highest value for failing institutions. DRR was responsive to all recommendations.
Protecting Consumer Interests
The FDIC is legislatively mandated to enforce various statutes and regulations regarding, for example, consumer protection and civil rights with respect to state-chartered, non-member banks and to encourage community investment initiatives by these institutions. Some of the more prominent laws and regulations in this area include the Truth in Lending Act, Fair Credit Reporting Act, Real Estate Settlement Procedures Act, Fair Housing Act, Home Mortgage Disclosure Act, Equal Credit Opportunity Act, and Community Reinvestment Act of 1977.
The Corporation accomplishes its mission related to fair lending and other consumer protection laws and regulations primarily by conducting compliance examinations, taking enforcement actions to address unsafe or unsound banking practices and compliance violations, encouraging public involvement in the compliance process, assisting financial institutions with fair lending and consumer protection compliance through education and guidance, and providing assistance to various parties within and outside of the FDIC. During the reporting period the Corporation made progress implementing its adult financial education curriculum, "Money Smart," nationwide.
In the area of consumer protection, the OIG has planned an audit of the implementation of GLBA privacy provisions. GLBA requires banking agencies to establish appropriate standards for financial institutions relating to the administrative, technical, and physical safeguards of consumer records and information. The Federal Financial Institutions Examination Council has issued guidance summarizing procedures for examining compliance with the regulation. Our audit work will address whether privacy examinations are conducted in accordance with applicable GLBA provisions and corrective actions are taken in a timely manner when banks do not comply.
Deposit Insurance Reform
In October 2001, Chairman Powell testified on deposit insurance reform before the Subcommittee on Financial Institutions and Consumer Credit, Committee on Financial Services, U.S. House of Representatives. The Chairman recommended the merger of the Bank Insurance Fund (BIF) and the Savings Association Insurance Fund (SAIF), charging risk based premiums to all institutions, allowing insurance funds to build or shrink around a target or range, establishing assessment credits based on past contributions, and indexing insurance coverage and raising the insurance on retirement accounts.
The FDIC views these recommendations as interrelated and believes they should be implemented as a package because piecemeal implementation could introduce new distortions and aggravate the problems that the recommendations are designed to address. During the reporting period, on May 22, 2002, deposit insurance reform legislation, based on the FDIC's recommendations, passed the House of Representatives. The Corporation also continued to pursue its case for comprehensive deposit insurance reform in speeches, banker outreach sessions, and visits to other Members of Congress.
While conceptually the recommendations appear to the OIG to be sound, we have not done work related to all of them. Based on work to date, the OIG strongly supports merging the funds.
Chairman Powell has noted the unanimity within the banking community on this particular point. Today, as a result of bank mergers and acquisitions, many institutions hold both BIF- and SAIF-insured deposits, obscuring the difference between the funds. The resulting merged fund would not only be stronger and better diversified but would also eliminate the concern about a premium disparity between the BIF and the SAIF. Assessments in the merged fund would be based on the risk that institutions pose to the single fund. The prospect of different prices for identical deposit insurance coverage would be eliminated. Also, insured institutions would no longer have to track their BIF and SAIF deposits separately, resulting in cost savings for the industry.
We will continue to monitor deposit insurance reform, as changes in this area will impact the way the FDIC operates and how our office can best support the FDIC in pursuit of its mission.
Managing Information Technology
As the Corporation works to contribute to the stability and public confidence in our nation's financial system, information technology (IT) continues to play an increasingly greater role in every aspect of the FDIC mission. As corporate employees carry out the FDIC's principal business lines of insuring deposits, examining and supervising financial institutions, and managing receiverships, they rely on information and corresponding technology as a critical resource. Information and analysis on banking, financial services, and the economy form the basis for the development of public policies and promote public understanding and confidence in the nation's financial system.
In early 1998, the Corporation's Division of Information Resources Management (DIRM) and the other FDIC divisions laid out an IT strategy to address the next 3-5 years and articulated five IT strategic goals:
- Make Customer Satisfaction Our Primary Measure of Success.
- Improve Corporate Business Processes and External Relationships Through the Use of Technology.
- Manage Information for the Corporation.
- Provide an IT Infrastructure that Works Everywhere, All the Time.
- Improve the Efficiency and Effectiveness of IT Management.
The plan is updated every year based on DIRM management planning conferences, client input, changes in the overall business planning process and priorities, and new technology developments. Accomplishing IT goals efficiently and effectively requires significant expenditures of funds and wise decision-making and oversight on the part of FDIC management. The Corporation's 2002 IT budget is approximately $192.5 million.
OIG Participates on
A member of the OIG's audit staff participated in a group focusing on Network Vulnerability Scanning Tools (NVSTs) under the Executive Branch Information Systems Security (EBISS) committee. EBISS was established by the President's Critical Infrastructure Protection Board. Our representative, along with seven other government and industry representatives, completed a report containing recommendations to the EBISS committee.
This report is significant because the actions recommended would improve the security and reliability of the government's critical networks.
The Corporation must constantly evaluate technological advances to ensure that its operations continue to be efficient and cost-effective and that it is properly positioned to carry out its mission. The capabilities provided by IT advances, such as paperless systems, electronic commerce, electronic banking, and the instantaneous and constant information-sharing through Internet, Intranet, and Extranet sources, also pose risks to the Corporation and the institutions that it regulates and insures. Many of the risks are new and unique. Solutions to address them are sometimes difficult and without precedent.
In addition to technological advances that assist the Corporation in its mission, the Corporation must continue to respond to the impact of laws and regulations on its operations. Management of IT resources and IT security have been the focus of several significant legislative acts, such as the Government Performance and Results Act and the Paperwork Reduction Act. The Government Information Security Reform Act (GISRA) requires the OIG to conduct an annual evaluation of the FDIC's information security controls. We completed our second such review during the reporting period, as discussed in more detail below. According to the 2002 Annual Performance Plan, the Corporation will continue to be engaged in several major technology initiatives during the remainder of 2002. These include the following:
New Financial Environment. The FDIC is working to replace core components of its financial system and anticipates that the new financial environment will improve business processes by adopting the best practices built into software packages, simplify and consolidate financial systems applications and data, enhance efficiency by automating manual work, maximize e-business opportunities, and provide better decision-making to ensure continuity of financial operations.
E-Business. The FDIC is actively pursuing e-business relationships both with the institutions it insures and with the vendor community that provides goods and services to the Corporation. It is making FDICconnect available to more than 9,000 insured institutions. FDICconnect is an e-business channel between the FDIC and its insured institutions and allows for the direct exchange and sharing of information over the Internet.
Information security program improvements. The Corporation continues to develop and implement an information security program to address identified weaknesses. Several areas of focus are enhancing security performance measurement and contractor and external security.
Enterprise Architecture. A new enterprise architecture process will be introduced to manage technology, applications, and technical infrastructure for the Corporation. The new enterprise architecture process will be integral to corporate and IT planning and should provide a corporate view of and future direction for business processes, information, applications, and infrastructure. It will also provide the standards and procedures to be followed whenever a new information system is built.
Our work in the IT area during the reporting period focused principally on our reporting responsibility under GISRA and related assignments, as discussed below.
OIG Reports GISRA Results
The most significant report that we issued in the IT area was our GISRA report entitled Independent Evaluation of the FDIC's Information Security Program-2002. GISRA requires annual agency program reviews of information security by agency program officials, in consultation with Chief Information Officers, and annual independent evaluations by agency Inspectors General. Our first such evaluation report, entitled Independent Evaluation of the FDIC's Information Security Program Required by the Government Information Security Reform Act, was issued in September 2001.
The objective of our 2002 review was to evaluate the effectiveness of the FDIC's information security program and assess the FDIC's compliance with the requirements of the Security Act and related information security policies, procedures, standards, and guidelines. We relied primarily on the Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, as criteria for evaluating the adequacy of the FDIC's information security program. In addition, our evaluation focused on the FDIC's efforts to improve its information security controls and practices relative to the baseline established in our 2001 Security Act evaluation report.
In summary, we concluded that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources. In 3 of 10 key management control areas evaluated (Contractor and Outside Agency Security, Capital Planning and Investment Control, and Performance Measurement), the FDIC had no assurance that adequate security had been achieved. In a fourth management control area (Security Act Responsibilities and Authorities), we highlighted opportunities for FDIC management to strengthen the accountability and authority of one of its most important leadership positions related to information security, the Chief Information Officer.
The FDIC had been working hard to address the security weaknesses identified in our 2001 Security Act evaluation report and new weaknesses identified in recent audits and reviews. However, weaknesses in the FDIC's security operations continued to surface because the FDIC had not fully implemented a comprehensive information security management program. Frequently, security improvements at the FDIC were the result of a reaction to specific audit and review findings, rather than the result of a comprehensive program that provided continuous and proactive identification, correction, and prevention of security problems. Government oversight agencies, such as the U.S. General Accounting Office (GAO) and OMB, and other recognized standard setting organizations, such as the National Institute of Standards and Technology, have identified fundamental management principles and controls needed to implement an effective information security management program. Based on our evaluation work, we found that the FDIC had taken some, but not all, of the actions necessary to establish and implement these fundamental management principles and controls. We concluded that the FDIC's progress in addressing the security weaknesses identified in our 2001 Security Act evaluation report was offset by the emergence of new information security weaknesses identified during our current year evaluation. Accordingly, our overall assessment of the FDIC's information security program remained the same as last year.
Based on our evaluation results, we identified 10 steps, listed in priority order, that the Corporation could take in the near term to improve its information security operations (see write-up on next page). The observations and conclusions contained in our evaluation report were designed to assist the Corporation in furthering its efforts to implement a comprehensive information security program that provides reasonable assurance of adequate security for its information resources. Consistent with the intent of the Security Act, we will continue to work with the Corporation in accomplishing its goals in this critical area.
Products Supporting GISRA Results
We issued the following individual reports in support of our GISRA-reported results during the reporting period:
Computer Security Incident Response Team (CSIRT) Activities: CSIRT developed and implemented procedures for identifying and detecting, investigating and resolving, tracking, and reporting security incidents. CSIRT also communicated with appropriate external organizations concerning new threats, vulnerabilities, solutions, and security incidents that the team had investigated. However, we reported that the effectiveness of the program could be improved by consistently defining computer security incidents in relevant FDIC policies and guidance, updating various policy documents, preparing test plans for vulnerability testing, better tracking of incidents, increased reporting to other FDIC security components, and establishing performance goals and measures for CSIRT. DIRM agreed to recommended actions.
|OIG Identifies GISRA Action Items|
The OIG's Government Information Security Reform Act report communicated the following actions, in priority order, to the FDIC Chairman. These actions should be taken to better ensure adequate security of corporate information resources.
1. Strengthen accountability and authority for information security by (a) appointing a permanent Chief Information Officer, (b) ensuring that the individual serving as the Chief Information Officer reports directly and solely to the Chairman, and (c) filling key vacancies within the Division of Information Resources Management that support information security initiatives and operations;
2. Make security a key selection factor in the 2003 information technology (IT) capital planning and investment control process to ensure that appropriate and cost-effective security controls are considered and funded over the life cycle of the FDIC's IT investments. For 2004, the FDIC should have a completed IT Capital Plan;
3. Complete the FDIC IT enterprise architecture to ensure that security controls for components, applications, and systems are consistent with current and planned IT architectures;
4. Continue and complete efforts to define the sensitivity of all corporate data and related business rules and ensure that the results are considered when developing and implementing security measures for corporate systems and applications;
5. Strengthen the FDIC's Acquisition Policy Manual and other Corporation policies and procedures related to contractor-provided services by incorporating the security standards prescribed by OMB Circular No. A-130 and the National Institute of Standards and Technology;
6. Establish key measures to assess the performance of corporate information security activities against established baselines and target performance levels. Such measures should be designed to proactively improve security processes and controls;
7. Define clear roles and responsibilities for all areas related to information security, including general support systems, major applications, information security managers, application contingency plans, and the pre-exit clearance process for employees and contractors;
8. Complete and begin using the recently developed Information Security Program Management Report to better track the integration of the FDIC's information, physical, and operational security activities;
9. Implement a formal software configuration management program that ensures all required software modifications, including software patches, are properly tested, approved, and documented in a timely manner; and
10. Complete and formally issue planned revisions to FDIC circulars related to information security.
An IT Capital Plan is one output of the capital planning and investment control process and serves as the implementation plan for the budget year. The IT Capital Plan should include a component that demonstrates that IT projects include security controls that are consistent with the agency's enterprise architecture. An enterprise architecture is an institutional systems blueprint that defines in both business and technological terms an organization's current and target operating environments and how the organization will transition between the two.
Information Security Management of FDIC Contractors: We concluded that the FDIC's contractor information security policies and procedures needed improvement. Specifically, the policies and procedures were deficient with respect to the consideration of contractor security in acquisition planning and oversight of contractor security practices. Further, the Corporation's implementation of contractor information security in acquisition planning, incorporation of information security requirements in FDIC contracts, and oversight of contractor security practices were not adequate. Finally, contractors generally failed to implement sufficient security measures. These control weaknesses exposed the FDIC's information resources to the risk of unauthorized disclosure, destruction, and modification of sensitive and critical data, and disruption of system operations.
We made eight recommendations to address the concerns we identified. DIRM and Division of Administration (DOA) management agreed to work jointly to implement corrective actions in response to our recommendations.
Internal and Security Controls Related to the General Examination System (GENESYS): GENESYS is the system used to prepare the report of examination, which contains the results of examinations and ratings given to financial institutions. The finalized report of examination is provided to the examined institution and other federal and state examiners with responsibilities for the institution. Institution regulators are charged with maintaining strict confidentiality in matters related to the financial institution examinations. GENESYS contains confidential information related to the institution's financial condition and management. Our audit, conducted by an independent public accounting firm under our general guidance, evaluated the adequacy of selected internal and security controls related to the system. The independent public accounting firm concluded that automated controls in GENESYS were adequate but recommended enhancements to better protect sensitive data through improved safeguards, password controls, and warning banner screens. Management agreed with the recommendations in our report.
Network Operations Vulnerability Assessment: We engaged PricewaterhouseCoopers Consulting (PwC), an independent professional services firm, to perform a multi-phase vulnerability assessment of the FDIC's network operations.
The primary objective of the first phase of PwC's assessment was to review past security practices and develop a plan for a more detailed assessment of the vulnerability to FDIC's network operations during a follow-on Phase II. The resulting report from Phase I contained seven observations and multiple recommendations intended to improve performance and management controls.
DIRM partially concurred with all but two of PwC's recommendations. DIRM's written comments resolved some recommendations and caused us, in consultation with PwC, to revise four others. A substantial number of recommendations were unresolved at the time of report issuance; however, as of the end of the reporting period, we had reached agreement on all recommendations.
Integration of Information Security into the Capital Planning and Investment Control Process: The OIG and Office of Internal Control Management conducted a joint review to evaluate the FDIC's progress in integrating information security into the capital planning and investment control process (CPICP) since the OIG's first GISRA report was issued in September 2001. That report identified CPICP as an area that may warrant reporting as an individual material weakness. Our objective was to evaluate the extent to which the FDIC integrates security into that process.