SEMIANNUAL REPORT TO THE CONGRESS, April 1, 2004 - September 30, 2004, INCLUDING THE OIG’S FISCAL YEAR 2004 PERFORMANCE REPORT



Working Relationship Principles for Agencies and Offices of Inspector General

The Inspector General (IG) Act establishes for most agencies an Office of Inspector General (OIG) and sets out its mission, responsibilities, and authority. The IG is under the general supervision of the agency head. The unique nature of the IG function can present a number of challenges for establishing and maintaining effective working relationships. The following working relationship principles provide some guidance for agencies and OIGs.

To work most effectively together, the Agency and its OIG need to clearly define what the two consider to be a productive relationship and then consciously manage toward that goal in an atmosphere of mutual respect.

By providing objective information to promote government management, decision-making, and accountability, the OIG contributes to the Agency’s success. The OIG is an agent of positive change, focusing on eliminating waste, fraud and abuse, and on identifying problems and recommendations for corrective actions by agency leadership. The OIG provides the agency and Congress with objective assessments of opportunities to be more successful. The OIG, although not under the direct supervision of senior agency management, must keep them and the Congress fully and currently informed of significant OIG activities. Given the complexity of management and policy issues, the OIG and the Agency may sometimes disagree on the extent of a problem and the need for and scope of corrective action. However, such disagreements should not cause the relationship between the OIG and the Agency to become unproductive.

To work together most effectively, the OIG and the Agency should strive to:

Foster open communications at all levels. The Agency will promptly respond to OIG requests for information to facilitate OIG activities and acknowledge challenges that the OIG can help address. Surprises are to be avoided. With very limited exceptions primarily related to investigations, the OIG should keep the Agency advised of its work and its findings on a timely basis, and strive to provide information helpful to the Agency at the earliest possible stage.

Interact with professionalism and mutual respect. Each party should always act in good faith and presume the same from the other. Both parties share as a common goal the successful accomplishment of the Agency’s mission.

Recognize and respect the mission and priorities of the Agency and the OIG. The Agency should recognize the OIG’s independent role in carrying out its mission within the Agency, while recognizing the responsibility of the OIG to report both to the Congress and to the Agency Head. The OIG should work to carry out its functions with a minimum of disruption to the primary work of the Agency.

Be thorough, objective and fair. The OIG must perform its work thoroughly, objectively and with consideration to the Agency’s point of view. When responding, the Agency will objectively consider differing opinions and means of improving operations. Both sides will recognize successes in addressing management challenges.

Be engaged. The OIG and Agency management will work cooperatively in identifying the most important areas for OIG work, as well as the best means of addressing the results of that work, while maintaining the OIG’s statutory independence of operation. In addition, agencies need to recognize that the OIG also will need to carry out work that is self-initiated, congressionally requested, or mandated by law.

Be knowledgeable. The OIG will continually strive to keep abreast of agency programs and operations, and Agency management will be kept informed of OIG activities and concerns being raised in the course of OIG work. Agencies will help ensure that the OIG is kept up to date on current matters and events.

Provide feedback. The Agency and the OIG should implement mechanisms, both formal and informal, to ensure prompt and regular feedback.




Federal Deposit Insurance Corporation
801 17th Street, NW, Washington, DC 20434



Office of Inspector General

To Members of the Congress and the
Chairman of the Federal Deposit Insurance Corporation

This is my eighteenth and final semiannual report to the Congress of the United States. In December I plan to retire from federal service after 40 1/2 years. It has been a privilege and an honor during the past 8 1/2 years to serve as Inspector General (IG) for the Federal Deposit Insurance Corporation (FDIC) under both Presidents Clinton and Bush. Since 1996, my office has undergone many changes as we strived to be one of the best IG offices in the government. I am extremely proud of the many contributions and accomplishments made by the professional women and men in my office. As described in this report and in the other 17 semiannual reports that I have issued, their work has provided value and has had a positive impact on the Corporation. I would like to thank each of the FDIC Office of Inspector General (OIG) employees—past and present—for their support and efforts. I especially want to thank my Executive team whose help, dedicated work, and support made this office what it is today.

I also would like to acknowledge the four FDIC Chairmen—Ricki Helfer, Skip Hove, Donna Tanoue, and Donald Powell—with whom I have worked during my tenure at the FDIC. Their support and understanding of the IG mission was critical to our success. In addition, I want to especially thank Director Joe Neely (1996-1998) and Vice Chairman John Reich (2001 to present), who served as Audit Committee Chairmen and who were instrumental in ensuring that appropriate attention was given to our reports. Vice Chairman Reich has been extremely supportive in helping to ensure that my office became more effective within the Corporation, and I am extremely grateful for his efforts on our behalf.

Finally, I want to acknowledge and thank the Office of Management and Budget, my Congressional appropriators, and the House Financial Services and the Senate Banking Committees for their support over the years. Their support has been critical to ensuring that the IG function works as the Congress intended. I have great respect for all of my colleagues in the President’s Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency and their commitment to the IG mission.

I am confident that my Executive team, under the leadership of my Deputy Inspector General, Patricia Black, will effectively carry on the mission of the OIG at the Corporation until the President selects my successor. It has been my privilege and pleasure to have been a public servant for our federal government. God Bless America!

Gaston L. Gianni, Jr.
Inspector General
November 8, 2004

Inspector General’s Statement

United States citizens have recently cast their votes for president and for many other state and local government officials who will lead our Nation. Election Day reminds us of the many freedoms we enjoy and the opportunity afforded voters to shape the future of our country and the world. As public servants, we in the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) also feel especially privileged to serve our country by helping to achieve the FDIC mission—maintaining stability and public confidence in the nation’s financial system.

The Corporation will carry out its principal business lines—insuring deposits, examining and supervising financial institutions, and managing receiverships—in an atmosphere of constant change over the coming months. The financial services industry is highly dynamic, and new technologies, financial services, and products are introduced every day. Consolidation in the industry can result in much larger institutions that pose unique supervisory challenges. The Corporation’s operations are also marked by change. The FDIC is refining its internal processes to keep pace with the industry, introducing a New Financial Environment to better meet financial management and information needs, guarding against information security risks, responding to Congressional legislation and concerns regarding anti-money laundering and terrorist financing, engaging contractors to provide needed services, and building a new work site for many FDIC employees. At the same time, the Corporation will be carrying out additional downsizing of up to 12 percent of its 5,300 employees through buyouts, retirements, and reductions in force; cross-training many others; and hoping for Congressional approval of the proposed FDIC Workforce 21 Act of 2004 which would grant the FDIC more personnel flexibility. FDIC people, processes, property, and products will all be greatly impacted, and an environment in such flux is highly vulnerable to both known and unforeseen risk. For the Corporation to be successful during this time of critical change, it will need to devote careful attention to ensuring that the risks are managed and minimized.

In that context, I believe that the OIG has a vital, independent role to play in ensuring that controls are in place and operating to mitigate not only existing risks but new ones as well. I further believe that the working relationship principles outlined by the federal Inspector General community and the Office of Management and Budget and articulated on the inside front cover of this report will continue to serve the FDIC and the OIG well as we carry out our respective responsibilities amidst this changing environment.

Those principles are being embraced at the FDIC. The OIG and the Corporation engage in open communications at all levels and maintain personal and professional respect for one another. We understand the mission and priorities of the Corporation, align our strategic plan and goals with those of the Corporation, and take advantage of every opportunity to communicate the OIG mission and vision to FDIC management and staff. Because of the nature of our audits and investigations, we may take positions and express views that others in the Corporation do not share. However, we duly consider the Corporation’s point of view and are careful to ensure that our work is thorough, objective, and fair, and that our audits and evaluations meet Generally Accepted Government Auditing Standards. We engage the Corporation in frequent dialogue. For example, during the reporting period, we coordinated with FDIC management as we developed our Fiscal Year 2005 Assignment Plan and the management and performance challenges that drive much of our work. We also participated at "Getting to Green" meetings with management to address Federal Information Security Management Act related issues and partnered with the Corporation on investigative activities targeting financial institution fraud, concealment of assets, consumer protection, and employee integrity issues.

In line with the principles, the OIG is also very focused on human capital and the knowledge and skills the OIG needs to add utmost value to FDIC programs and operations. Our highly qualified staff meets rigorous professional training standards, and as we hire new staff, we seek to maintain a workforce with the proper expertise and skills to carry out the Inspector General mission. At an Emerging Issues in Banking symposium that we recently cosponsored with the Department of the Treasury and Federal Reserve OIGs, officials from several of the FDIC’s major divisions shared their perspectives with us—a valuable source of knowledge on corporate issues and priorities.

Feedback is another important guiding principle—both formal and informal. Such feedback occurs in a number of ways. We meet regularly with the Chairman, Vice Chairman, Chief Operating Officer, Chief Financial Officer, Chief Information Officer, Division and Office Directors, and engage in dialogue at every operating level. Meetings of the Audit Committee provide us an opportunity to present report findings and recommendations and respond to Audit Committee members’ questions about our work. We have also recently completed a sixth client survey to solicit feedback from corporate management on various aspects of OIG communications, processes, and products. The feedback provided by the Corporation, much of which is captured in our fiscal year 2004 performance report and included in this semiannual report, was constructive and will help guide our efforts going forward.

While I have spoken of our office as a whole and how we espouse principles to ensure successful working relationships with all others in the Corporation, I also wish to recognize some of the individuals in the OIG whose success has been especially commended during the reporting period. Samuel Holland, our Assistant Inspector General for Investigations, was named as a finalist for the Service to America Medal in the Justice and Law Enforcement category. The Service to America program is sponsored by the Atlantic Media Company and the Partnership for Public Service and recognizes the outstanding accomplishments of America’s public servants. Mr. Holland was nominated for his pioneering efforts in fighting white-collar crime in the nation’s financial system. One of our Special Agents, J. Kenneth Meyd, was also recognized by the District of Connecticut’s U.S. Attorney’s Office for his work on a criminal restitution case involving an individual who concealed assets from the FDIC.

Three teams of individuals also received Awards for Excellence at the annual awards ceremony of the President’s Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency this month. First, individuals responsible for the audit of Supervisory Actions Taken for Bank Secrecy Act Violations were honored for recommending improvements to follow-up of Bank Secrecy Act violations at FDIC-supervised institutions. Members of the joint investigative/prosecutorial team responsible for investigating the failure of Hamilton Bank, N.A. were also acknowledged for their efforts leading to the indictment of those alleged to be responsible for the bank’s failure. Third, an interagency OIG team led by Robert L. McGregor, Assistant Inspector General for Quality Assurance and Oversight, received recognition for updating the Quality Standards for Offices of Inspector General, known as the "Silver Book," in honor of the 25th anniversary of the passage of the Inspector General Act of 1978. Also of note during the reporting period, Rex Simmons, our Assistant Inspector General for Management and Congressional Relations, accepted a Training Recognition Award from the U.S. Department of Agriculture Graduate School as runner-up for the W. Edwards Deming Outstanding Training Award. This award acknowledged the OIG’s enduring efforts to identify core competencies for staff that are aligned with OIG and corporate strategic goals and link training investments to core competencies and identified skill gaps. We are proud of these accomplishments.

In closing, the OIG is committed to continuing to promote effective working relationships with the FDIC and helping the Corporation accomplish its mission in the very challenging months ahead. We appreciate and count on the support of all OIG staff, the Corporation, and the Congress, as we serve under the newly elected Administration and work at being the best OIG in government.


Overview

Management and Performance Challenges

The Management and Performance Challenges section of our report presents OIG results of audits, evaluations, and other reviews carried out during the reporting period in the context of the OIG’s view of the most significant management and performance challenges currently facing the Corporation. We identified the following 10 management and performance challenges, and, in the spirit of the Reports Consolidation Act of 2000, we presented our assessment of them to the Chief Financial Officer of the FDIC in December 2003. The Act calls for these challenges to be presented in the FDIC’s consolidated performance and accountability report. The FDIC included such reporting as part of its 2003 Annual Report. Our work has been and continues to be largely designed to address these challenges and thereby help ensure the FDIC’s successful accomplishment of its mission.

1. Adequacy of Corporate Governance in Insured Depository Institutions

2. Protection of Consumer Interests

3. Management and Analysis of Risks to the Insurance Funds

4. Effectiveness of Resolution and Receivership Activities

5. Management of Human Capital

6. Management and Security of Information Technology Resources

7. Security of Critical Infrastructure

8. Management of Major Projects

9. Assessment of Corporate Performance

10. Cost Containment and Procurement Integrity

OIG work conducted to address issues in these areas during the current reporting period includes 31 audit and evaluation reviews containing questioned costs and funds put to better use of nearly $51.2 million and 86 nonmonetary recommendations; comments and input to the Corporation’s draft policies in significant operational areas; participation at meetings, symposia, conferences, and other forums to jointly address issues of concern to the Corporation and the OIG; and assistance provided to the Corporation in such areas as concealment of assets cases and participation in the Federal Information Security Management Act "Getting to Green" initiative.

Investigations

In the Investigations section of our report, we feature the results of work performed by OIG agents in Washington, D.C.; Atlanta; Dallas; and Chicago who conduct investigations of alleged criminal or otherwise prohibited activities impacting the FDIC and its programs. In conducting investigations, the OIG works closely with U.S. Attorneys’ Offices throughout the country in attempting to bring to justice individuals who have defrauded the FDIC. The legal skills and outstanding direction provided by Assistant U.S. Attorneys with whom we work are critical to our success. The results we are reporting for the last 6 months reflect the efforts of U.S. Attorneys’ Offices throughout the United States. Our write-ups also reflect our partnering with the Federal Bureau of Investigation, the Internal Revenue Service, and other law enforcement agencies in conducting investigations of joint interest. Additionally, we acknowledge the invaluable assistance of the FDIC’s Divisions and Offices with whom we work closely to bring about successful investigations.

Investigative work during the period led to indictments or criminal charges against 9 individuals and convictions of 15 defendants. Criminal charges remained pending against 33 individuals as of the end of the reporting period. Fines, restitution, and recoveries resulting from our cases totaled about $38.6 million. This section of our report also includes an update of the work of our Electronic Crimes Team, acknowledges special recognition given to our Assistant Inspector General for Investigations and one of our Special Agents, and features Special Olympic activities of some Office of Investigations staff.

OIG Organization

In the Organization section of our report, we note many significant activities and initiatives that the FDIC OIG has pursued over the past 6 months in furtherance of our four main strategic goals and corresponding objectives. These activities complement and support the audit, evaluation, and investigative work discussed in the earlier sections of our semiannual report. Activities of OIG Counsel and cumulative OIG results covering the past five reporting periods are also shown in this section.

Statistical Tables Required Under the Inspector General Act

The statistical tables required under the Inspector General Act, as amended, are included here.

Other Material

We offer congratulations to President’s Council on Integrity and Efficiency and Executive Council on Integrity and Efficiency award winners and bid farewell to several FDIC OIG retirees in the back section of our report.

We also feature an Emerging Issues Symposium sponsored jointly by the Department of the Treasury, Federal Reserve, and FDIC Offices of Inspector General on the inside back cover of our report.

OIG’s Fiscal Year 2004 Performance Report

We are including our performance report for fiscal year 2004 as a separate but integral component of our Semiannual Report to the Congress. Our performance report summarizes our progress against our 41 annual performance goals for the fiscal year. We met or substantially met 31 of 41 of our goals under four categories: OIG Products Add Value and Achieve Significant Impact, Communication Between the OIG and Stakeholders Is Effective, Align Human Resources to Support the OIG Mission, and Resources Are Effectively Managed. We hope that by presenting this report along with our semiannual report, the results of our work will be transparent, and the Congress and other readers will have a full understanding of our overall performance and accountability. (Our Performance Report directly follows the main text of our semiannual report.)


Highlights

- The Office of Audits issues 31 reports containing questioned costs of $110,915 and funds put to better use of $51,084,587.
- OIG reports include 86 nonmonetary recommendations to improve corporate operations and activities. Among these are recommendations to improve the effectiveness of information technology security controls, strengthen the supervisory information technology examination process, enhance the quality of supervision of industrial loan companies, improve documentation of certain decisions and processes, and better allocate and contain costs.
- OIG investigations result in 9 indictments/informations; 15 convictions; and approximately $38.6 million in total fines, restitution, and other monetary recoveries.
- The OIG aggressively pursues its strategic goals and related objectives in furtherance of the OIG mission. Numerous activities and initiatives are carried out to add value and achieve impact; communicate effectively with the Chairman, the Congress, OIG employees and other stakeholders; align our human capital with the OIG mission; and effectively manage OIG resources.
- The OIG publishes its Performance Report for Fiscal Year 2004, presenting the OIG’s progress in accomplishing 41 goals for FY 2004. We report that we met or substantially met 31 of 41 goals, or 76 percent.
- A federal grand jury in Miami, Florida, returns a 42-count indictment for conspiracy, wire fraud, securities fraud, false filings with the Securities and Exchange Commission, false statements to accountants, obstruction of an examination of a financial institution, and making false statements to the Office of the Comptroller of the Currency against three former senior executive officers of Hamilton Bancorp and Hamilton Bank, N.A. The FDIC OIG’s Office of Investigations, Counsel to the Inspector General, members of the Treasury OIG, and U.S. Attorney’s Office of the Southern District of Florida are responsible for working this case. Named in the indictment are the following: the former Chairman of the Board and Chief Executive Officer; the former President and Director; and the former Senior Vice President and Chief Financial Officer. The former Chairman of the Board and Chief Executive Officer also was charged with insider trading.
- Assistant Inspector General for Investigations, Samuel Holland, is named a finalist for the Service to America Medal. Mr. Holland was recognized in the Justice and Law Enforcement category of the program. This medal program is cosponsored by the Atlantic Media Company and the Partnership for Public Service and recognizes the outstanding accomplishments of America’s public servants. Mr. Holland was nominated for his pioneering efforts in holding financial industry executives accountable and deterring fraudulent activity that undermines public confidence in the nation’s financial system.
- The OIG works closely with the Division of Information Resources Management, the Division of Administration, and the Office of Enterprise Risk Management throughout the reporting period on a "Getting to Green" initiative on the OIG’s annual Federal Information Security Management Act of 2002 evaluation scorecard, designed to ensure that management’s establishment and implementation of information technology security controls provide reasonable assurance that the Corporation’s information technology assets are protected. Meetings address various corporate information security issues, such as new and emerging security requirements being developed by the National Institute of Standards and Technology. Additional getting-to-green meetings are planned beginning in November 2004.
- The OIG issues its 2004 report on the Federal Information Security Management Act, concluding that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources. As a result of focused efforts over the past several years, the FDIC has made considerable progress in improving its information security controls and practices. Notably, this is the first annual security evaluation wherein the OIG identified no significant deficiencies as defined by the Office of Management and Budget that warrant consideration as a potential material weakness. However, continued management attention was needed in several key security control areas.
- The Office of Audits receives an unqualified opinion on a peer review of the system of quality control for the audit function of the FDIC OIG. According to the Department of Energy OIG, the system of quality control for the audit function in effect for the year ended March 31, 2004 was designed in accordance with quality standards established by the President’s Council on Integrity and Efficiency and provided the OIG with reasonable assurance of material compliance with professional auditing standards in the conduct of the FDIC OIG’s audits.
- The OIG issues the Office of Audits Assignment Plan—Fiscal Year 2005 presenting 53 audit and evaluation assignments that the OIG plans to pursue. Each assignment is linked to risk-based management and performance challenges that the OIG has identified. The OIG received a number of constructive comments and suggestions from the Corporation that were considered and addressed. Cooperative efforts resulted in a plan that provides comprehensive coverage of the Corporation’s key risk areas.
- The OIG responds to questions posed by Honorable Sue W. Kelly, Chairwoman of the Subcommittee on Oversight and Investigations, Committee on Financial Services, U.S. House of Representatives. These questions were sent to the OIG subsequent to IG Gianni’s March 4, 2004 testimony at the hearing on "Oversight of the Federal Deposit Insurance Corporation." The Chairwoman’s questions addressed matters related to safety and soundness, downsizing and human capital, and information security.
- The Inspector General testifies at a hearing on Bank Secrecy Act (BSA) Compliance and Enforcement before the Senate Committee on Banking, Housing, and Urban Affairs. IG Gianni presents a historical perspective on the BSA, discusses the BSA-related work the FDIC OIG has conducted over the past several years, and offers views on the challenges that the Congress and the financial regulators face going forward in anti-terrorist and anti-money laundering activities. The IG and other OIG management representatives later meet with Committee staff to discuss assignments planned for 2005 and ongoing and completed OIG work.
- The OIG provides a copy of our audit report entitled Supervisory Actions Taken for Bank Secrecy Act Violations to the Honorable Sue Kelly, Chairwoman, Subcommittee on Oversight and Investigations, Committee on Financial Services, U.S. House of Representatives. The OIG initiated that audit as a result of discussions with staff of the Subcommittee. The report presents the results of an audit of the process established by the Division of Supervision and Consumer Protection for ensuring that corrective actions are taken by bank management to address violations of BSA.
- The OIG receives a Training Recognition Award as a runner-up for the W. Edwards Deming Outstanding Training Award from the U.S. Department of Agriculture Graduate School. The OIG has worked over a 2-year period to identify core competencies for its staff that are aligned with OIG and corporate strategic goals and to link training investments to the core competencies and identified skill gaps. The W. Edwards Deming Outstanding Training Award recognizes a federal government organization or civilian branch of the military that has completed an innovative and impressive employee development and training initiative with measurable results.
- The OIG's proposed fiscal year 2005 budget is awaiting Congressional approval. The proposed budget of $29.9 million was included in the President's budget, which was transmitted to the Congress in February 2004. The budget will support an authorized staffing level of 160, a further reduction of 8 authorized staff (5 percent) from fiscal year 2004. Fiscal year 2005 will become the 9th consecutive year OIG budgets have decreased after adjusting for inflation.
- The OIG completes the conduct of both an Employee Survey and a Client Survey and issues the results of each. These survey instruments are designed to assist the FDIC OIG as it works to be the best OIG in government.
- OIG Counsel’s Office provides advice and counsel on a number of issues, including applicability of the Sarbanes-Oxley Act to FDIC-insured institutions, BSA compliance, and supervision of limited-charter institutions. Counsel was involved in 24 litigation matters, 23 of which are awaiting further action by the parties or rulings by the court.
- The OIG reviews and comments on 2 proposed formal FDIC regulations, responds to 6 requests and 1 appeal under the Freedom of Information Act, and completes 29 policy analyses on proposed FDIC directives or proposed revisions to directives and FDIC manuals.
- The OIG responds in a timely manner to 68 Hotline allegations, issues 2 reports based on previous allegations, and refers 14 allegations for further review.
- The OIG coordinates with and assists management on a number of initiatives, including serving in an advisory capacity on the Audit Committee’s Information Technology Security Subcommittee and the Chief Information Officer Council; Office of Investigations and Office of Audits Executives’ participation at the Division of Supervision and Consumer Protection regional office and other meetings; Office of Investigations’ Electronic Crimes Team’s coordination with the Division of Information Resources Management (DIRM), Division of Resolutions and Receiverships, and the Legal Division; and Office of Audits’ coordination with the Corporation on "Getting to Green" on the Federal Information Security Management Act of 2002 and DIRM Transformation projects.
- The Office of Investigations coordinates with DIRM and agency officials to establish appropriate processes in addressing cyber crimes, including computer intrusion, phishing and spoofing schemes, as well as investigations of computer misuse by FDIC employees and contractors.
- OIG Special Agent J. Kenneth Meyd is acknowledged by the U.S. Attorney’s Office, District of Connecticut, at an annual awards presentation in New Haven, Connecticut. The ceremony recognized a select number of significant prosecutions adjudicated during the past year and honored those who had contributed to the success of these prosecutions. Special Agent Meyd was commended for his great efforts and skillful detective work in proving that a Hartford, Connecticut, businessman owed the FDIC $2.7 million in criminal restitution and had hidden his assets from the U.S. Probation Office and the FDIC.
- As Vice Chair of the President’s Council on Integrity and Efficiency, the Inspector General oversees a number of initiatives, including publication of the Fiscal Year 2003 Progress Report to the President and issuance of a protocol entitled Working Relationship Principles for Agencies and Offices of Inspector General. Along with several colleagues in the IG community, IG Gianni testifies before the Subcommittee on Government Efficiency and Financial Management, House Committee on Government Reform, regarding Proposed Legislation Affecting the Inspector General Community—"Improving Government Accountability Act," (H.R. 3457)—legislation introduced by Representative Jim Cooper. The IG also participates as a presenter at numerous professional conferences and other forums, and shares information and best practices with respect to ensuring integrity and transparency with delegations of foreign visitors from Brazil, the Russian Federation, Indonesia, and Jamaica.

Management and Performance Challenges

The Federal Deposit Insurance Corporation (FDIC) is an independent agency created by the Congress to maintain stability and confidence in the nation’s banking system by insuring deposits, examining and supervising financial institutions, and managing receiverships. Approximately 5,300 individuals within seven specialized operating divisions and other offices carry out the FDIC mission throughout the country. According to the Corporation’s Letter to Stakeholders, issued for the 3rd Quarter 2004, the FDIC insured $3.533 trillion in deposits for 9,092 institutions, of which the FDIC supervised 5,284. The Corporation held insurance funds of $46.5 billion to ensure depositors are safeguarded. The FDIC had $603 million in assets in liquidation in 35 Bank Insurance Fund and Savings Association Insurance Fund receiverships.

In the spirit of the Reports Consolidation Act of 2000, and to provide useful perspective for readers, we present a large body of our work in the context of "the most serious management and performance challenges" facing the Corporation.

In December 2003 we updated our assessment of these challenges and provided them to the Corporation. The 10 challenges we have identified are listed below in priority order and fall under two categories. The first category, which includes challenges 1 through 4, relates to rather broad corporate and industry issues, and the second category, which includes challenges 5 through 10, relates to more specific operational issues at the FDIC.

We identified the following challenges, and the Corporation included them in its 2003 Annual Report:

  1. Adequacy of Corporate Governance in Insured Depository Institutions
  2. Protection of Consumer Interests
  3. Management and Analysis of Risks to the Insurance Funds
  4. Effectiveness of Resolution and Receivership Activities
  5. Management of Human Capital
  6. Management and Security of Information Technology Resources
  7. Security of Critical Infrastructure
  8. Management of Major Projects
  9. Assessment of Corporate Performance
  10. Cost Containment and Procurement Integrity

We will continue to pursue audits, evaluations, investigations, and other reviews that address the management and performance challenges we identified. Our work during the reporting period can be linked directly to these challenges and is presented as such in the sections that follow. We will be updating our identification of the management and performance challenges by year-end 2004 and will continue to work with corporate officials to successfully address all challenges identified.

1. Adequacy of Corporate Governance in Insured Depository Institutions

Corporate governance is generally defined as the fulfillment of the broad stewardship responsibilities entrusted to the Board of Directors, Officers, and external and internal auditors of a corporation. A number of well-publicized announcements of business failures, including financial institution failures, have raised questions about the credibility of accounting practices and oversight in the United States. Such events have increased public concern regarding the adequacy of corporate governance and, in part, prompted passage of the Sarbanes-Oxley Act of 2002. The public’s confidence in the nation’s financial system can be shaken by deficiencies in the adequacy of corporate governance in insured depository institutions. For example, the failure of senior management, boards of directors, and auditors to effectively conduct their duties has contributed to certain financial institution failures. In some cases, board members and senior management engaged in high-risk activities without proper risk management processes, did not maintain adequate loan policies and procedures, and circumvented or disregarded various laws and banking regulations. In other cases, independent public accounting firms rendered clean opinions on the institutions’ financial statements when, in fact, the statements were materially misstated.

To the extent that financial reporting is not reliable, the regulatory processes and FDIC mission achievement (that is, ensuring the safety and soundness of the nation’s financial system) can be adversely affected. For example, essential research and analysis used to achieve the supervision and insurance missions of the Corporation can be complicated and potentially compromised by poor quality financial reports and audits. The insurance funds could be affected by financial institution and other business failures involving financial reporting problems. In the worst case, illegal and otherwise improper activity by management of financial institutions or their boards of directors can be concealed, resulting in potential significant losses to the FDIC insurance funds.

The FDIC has initiated various measures designed to mitigate the risk posed by these concerns, such as reviewing the bank’s board activities and ethics policies and practices and reviewing auditor independence requirements. In addition, the FDIC reviews the financial disclosure and reporting obligations of publicly traded state non-member institutions. The FDIC also reviews their compliance with Securities and Exchange Commission regulations and the Federal Financial Institutions Examination Council-approved and recommended policies to help ensure accurate and reliable financial reporting through an effective external auditing program and on-site FDIC examination.

The Corporation issued comprehensive guidance in March 2003, describing significant provisions of the Sarbanes-Oxley Act and related rules of implementation adopted by the Securities and Exchange Commission. Other corporate governance initiatives include the FDIC’s issuing Financial Institution Letters, allowing bank directors to participate in regular meetings between examiners and bank officers, maintaining a "Directors’ Corner" on the FDIC Web site, and the expansion of the Corporation’s "Directors’ College" program. While the FDIC has taken significant strides, corporate governance issues remain a key concern.

Also, pursuant to the Economic Growth and Regulatory Paperwork Reduction Act of 1996, the FDIC, along with the other members of the Federal Financial Institutions Examination Council, is engaged in reviewing regulations in order to identify outdated or otherwise unnecessary regulatory requirements imposed on insured depository institutions. The OIG supports prudent opportunities to reduce regulatory burdens on insured depository institutions along with consideration of the impact on the FDIC’s ability to adequately supervise the institutions.

OIG Audit and Investigative Work Addresses Corporate Governance Issues

Division of Supervision and Consumer Protection’s Assessment of Bank Management
The Division of Supervision and Consumer Protection (DSC) examiners’ assessment of management is a key factor in determining an institution’s safety and soundness composite rating. During the reporting period, we conducted an audit of the process that the FDIC uses to assess bank management and controls during examinations of FDIC-supervised financial institutions. We concluded that the process is adequate. However, based on our review of six open banks with high-risk composite ratings, we found opportunities for improvement pertaining to banks that have a dominant official with significant influence in bank operations.

Specifically, examiner guidance could be strengthened with respect to evaluating the risks posed by dominant officials and for assessing and recommending mitigating controls when that type of corporate structure exists at a financial institution. Failure to appropriately evaluate and assess such risks increases the opportunity for fraud or mismanagement to go undetected and uncorrected and could, as evidenced by prior OIG reports, ultimately cause an institution to fail.

We concluded that within the framework of the existing examination procedures, the risks of a dominant official should be considered as a part of the pre-examination planning process to the extent that this risk is observed at the senior corporate level. Due to the complexity of corporate governance oversight and the increased level of inherent risk at financial institutions dominated by one official, a comprehensive and consolidated set of instructions is needed to facilitate the supervisory review process regarding a dominant official. We made two recommendations to address these concerns, and the corrective actions that management proposed were responsive. (Report No. 04-033, September 8, 2004.)

FDIC’s Implementation of the Sarbanes-Oxley Act of 2002
We also conducted an audit to examine the FDIC’s issuance of implementing guidance to financial institutions and examiners for applicable provisions of the Sarbanes-Oxley Act. We concluded that the FDIC took adequate steps to issue implementing guidance for applicable provisions of the Act both to FDIC-supervised institutions and to FDIC examiners. In addition, the Act did not have a major impact on FDIC-supervised financial institutions because of pre-existing audit committee and internal control reporting requirements imposed by the Federal Deposit Insurance Corporation Improvement Act of 1991.

We did not make recommendations in this report. We may conduct further work related to examiner assessment of institution compliance with the Sarbanes-Oxley Act in a subsequent audit. (Report No. 04-042, September 29, 2004.)

Our investigative work also addresses corporate governance issues. In a number of cases, financial institution fraud is a principal contributing factor to an institution’s failure. Unfortunately, the principals of some of these institutions—that is, those most expected to ensure safe and sound corporate governance—are at times the parties perpetrating the fraud. Our Office of Investigations plays a critical role in investigating such activity. (See the Investigations section of this report for specific examples of bank fraud cases involving corporate governance weaknesses.)

Strategies for Enhancing Corporate Governance


While several of our audits this reporting period focused on issues relating to external governance, we also completed an audit to present information to the Corporation on strategies for enhancing its internal corporate governance. Reforms such as the Sarbanes-Oxley Act of 2002 are challenging the way organizations conduct business. For example, audit committees representing an organization’s board of directors and shareholders are expected to be more involved than before in understanding the entity’s business, monitoring financial reporting issues, and being aware of financial risks. Also, as a result of the Sarbanes-Oxley Act, management must evaluate its internal control structure over financial reporting and report on its effectiveness.

Several practices have emerged to assist organizations in meeting these challenges. One practice that has emerged in managing risk is enterprise risk management (ERM). ERM enables management to evaluate risk from a corporate-wide perspective. Also, regarding internal control over financial reporting, an internal control maturity framework has been developed to assist organizations in evaluating their internal control over financial reporting.

The FDIC currently has structures either in place or in development that address these emerging business practices. For example, the FDIC has a Board of Directors with an Audit Committee that monitors the Corporation’s financial reporting responsibilities and internal control programs and an Office of Enterprise Risk Management that monitors risks.

The intent of our work was to synthesize information and provide a prospective focus that may be useful in further enhancing key elements of the FDIC’s corporate governance structure – the Audit Committee, risk management, and internal control over financial reporting. Our report presents strategies for enhancing corporate governance and discusses challenges faced by other organizations and the ways in which they have resolved challenges while implementing an ERM program. (Strategies for Enhancing Corporate Governance, Report No. 04-032, September 3, 2004)


2. Protection of Consumer Interests

The FDIC’s mission is to maintain public confidence in the nation’s financial system. The availability of deposit insurance to protect consumer interests is a very visible way in which the FDIC accomplishes this mission. Additionally, as a regulator, the FDIC oversees a variety of statutory and regulatory requirements aimed at protecting consumers from unfair and unscrupulous banking practices. The FDIC, together with other primary federal regulators, has responsibility to help ensure bank compliance with statutory and regulatory requirements related to consumer protection, civil rights, and community reinvestment. Some of the more prominent laws and regulations related to this area include the Truth in Lending Act, Fair Credit Reporting Act, Real Estate Settlement Procedures Act, Fair Housing Act, Home Mortgage Disclosure Act, Equal Credit Opportunity Act, Community Reinvestment Act, and Gramm-Leach-Bliley Act. In December 2003, the President signed the Fair and Accurate Credit Transactions Act of 2003 to expand access to credit and other financial services for all citizens, enhance the accuracy of consumers’ financial information, and help fight identity theft.

The Corporation accomplishes its mission related to fair lending and other consumer protection laws and regulations by conducting compliance examinations, taking enforcement actions to address compliance violations, encouraging public involvement in the community reinvestment process, assisting financial institutions with fair lending and consumer compliance through education and guidance, and providing assistance to various parties within and outside of the FDIC.

The FDIC’s examination and evaluation programs must assess how well the institutions under its supervision manage compliance with consumer protection and fair lending laws and regulations and meet the credit needs of their communities, including low- and moderate-income neighborhoods. A challenge for the Corporation is risk-focusing compliance examinations while still protecting consumers’ interests. The FDIC must also work to issue regulations that implement federal consumer protection statutes both on its own initiative and together with the other federal financial institution regulatory agencies. A challenge in this area is ensuring compliance without undue regulatory burden.

The Corporation’s community affairs program provides technical assistance to help banks meet their responsibilities under the Community Reinvestment Act. One of the FDIC’s principal areas of emphasis is financial literacy, aimed specifically at low- and moderate-income individuals who may not have had previous banking relationships. The Corporation’s "Money Smart" initiative has been a key outreach effort. The FDIC must also continue efforts to maintain a Consumer Affairs program by investigating consumer complaints about FDIC-supervised institutions, answering consumer inquiries regarding consumer protection laws and banking practices, and providing data to assist the examination function.

The continued expansion of electronic banking presents a challenge for ensuring consumers are protected. The number of reported instances of identity theft has also ballooned in recent years. The Corporation will need to remain vigilant in conducting comprehensive, risk-based compliance examinations, analyzing and responding appropriately to consumer complaints, and educating individuals on money management topics, including identity protection.

The Corporation’s deposit insurance program promotes public understanding of the federal deposit insurance system and seeks to ensure that depositors and bankers have ready access to information about the rules for FDIC insurance coverage. Informing bankers and depositors about the rules for deposit insurance coverage helps foster public confidence in the banking system.


OIG Efforts to Address Consumer Protection Issues

Supervision Appeals Review Committee Decision Regarding the Appeal of a Fair Lending Violation
One of our audits during the reporting period resulted from a Hotline complaint and examined the FDIC’s Supervision Appeals Review Committee’s (SARC) decision regarding a financial institution’s appeal of a fair lending violation. Appeals denied at the FDIC division level are reviewed by the SARC, which, at the time of the audit, consisted of the FDIC’s Vice Chairman, Ombudsman, General Counsel, the Director of DSC, and the Director of the Division of Insurance and Research.

We found no evidence that the SARC acted outside of its delegated authority. We also found that the SARC considered all relevant facts and that the SARC and DSC followed applicable requirements and procedures in the appeal case. We did not make recommendations in our report and received no comments from the SARC chairman or other members of the committee. (Report No. 04-036, September 20, 2004.)

The OIG’s involvement with consumer protection matters includes our investigative cases regarding misrepresentations of FDIC insurance or affiliation to unsuspecting consumers. Additionally, our Office of Investigations’ Electronic Crimes Team has been involved in investigating emerging e-mail "phishing" identity theft schemes that have used the FDIC’s name in an attempt to obtain personal data from unsuspecting consumers who receive the e-mails. Our investigations have also uncovered multiple schemes to defraud depositors by offering them misleading rates of return on deposits. These abuses are effected through the misuse of the FDIC’s name, logo, abbreviation, or other indicators suggesting that the products are fully insured deposits. Such misrepresentations induce the targets of schemes to invest on the strength of FDIC insurance while misleading them as to the true nature of the investments being offered. (See the Investigations section of this semiannual report.)

Our experience with such cases prompted us on March 4, 2003, to submit to the House Financial Services Committee Chairman, Michael Oxley, a legislative proposal to prevent misuse of the Corporation’s guarantee of insurance. This proposal was incorporated in H.R. 1375: Financial Services Regulatory Relief Act of 2003. On March 24, 2004, H.R. 1375 was passed by the House of Representatives and referred to the U.S. Senate. Section 615 of H.R. 1375, as we suggested, would provide the FDIC with enforcement tools to limit misrepresentations regarding FDIC deposit insurance coverage. We appreciate Congressional support of this proposal.


3. Management and Analysis of Risks to the Insurance Funds

The FDIC seeks to ensure that failed financial institutions are and continue to be resolved within the amounts available in the insurance funds and without recourse to the U.S. Treasury for additional funds. Achieving this goal is a significant challenge because the insurance funds generally average just over 1.25 percent of insured deposits, and the FDIC supervises only a portion of the insured institutions. In fact, the preponderance of insured institution assets are in institutions supervised by other federal regulators. Therefore, the FDIC has established strategic relationships with the other regulators surrounding their shared responsibility of helping to ensure the safety and soundness of the nation’s financial system. The FDIC engages in an ongoing process of proactively identifying risks to the deposit insurance funds and adjusting the risk-based deposit insurance premiums charged to the institutions. One of the key tools used by the FDIC is its safety and soundness examination process which, when combined with off-site monitoring and extensive industry risk analysis, generally provides an early warning and corrective action process for emerging risks to the funds. The Risk Analysis Center, managed and staffed by the DSC, Division of Insurance and Research, and Division of Resolutions and Receiverships, facilitates and coordinates risk analysis at the FDIC.

Recent trends and events continue to pose risks to the funds. From January 1, 2002 to September 30, 2004, 18 insured financial institutions failed, and the potential exists for additional failures. While some failures may be attributable primarily or in part to economic factors, as previously mentioned, bank mismanagement and apparent fraud have also been factors in the most recent failures. The environment in which financial institutions operate is evolving rapidly, particularly with the acceleration of interstate banking, new banking products and complex asset structures, and electronic banking. The industry’s growing reliance on technologies, particularly the Internet, has changed the risk profile of banking. Continuing threats to the U.S. financial infrastructure have made business continuity planning an essential ingredient to sound risk management programs. The consolidations that may occur among banks, securities firms, insurance companies, and other financial services providers resulting from the Gramm-Leach-Bliley Act pose additional risks to the FDIC’s insurance funds. Limited charter depository institutions may also pose unique risks, as discussed later in this section. Also, institutions face challenges in managing interest rate risks in an environment of historically low interest rates. The Corporation’s supervisory approach, including risk-focused examinations, must operate to identify and mitigate these risks and their real or potential impact on financial institutions to preclude adverse consequences to the insurance funds.

The FDIC employs a number of supervisory approaches, several of which are described below, to identify and mitigate institution risk and faces challenges in ensuring that each meets its intended purpose.

Risks Related to Money Laundering and Terrorist Financing


Emphasis on anti-terrorism efforts has risen significantly in recent years, especially since the events of September 11, 2001. In response to those events, the Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), which expands the Department of the Treasury’s authority initially established under the Bank Secrecy Act of 1970 (BSA) to regulate the activities of U.S. financial institutions, particularly their relations with individuals and entities with foreign ties. In turn, this expansion has increased the responsibilities of the bank regulatory agencies for assessing the adequacy of financial institution BSA programs. Specifically, the USA PATRIOT Act expands the BSA beyond its original purpose of deterring and detecting money laundering to also address terrorist financing activities. The reality today is that all institutions are at risk of being used to facilitate criminal activities, including money laundering and terrorist financing.

The OIG has previously reported on several assignments related to the USA PATRIOT Act and BSA. We intend to add the challenge of risks related to money laundering and terrorist financing to our assessment of the management and performance challenges facing the Corporation in our upcoming submission of those challenges to the Corporation in December. Future semiannual reports will report the results of OIG work in this area in the context of this new challenge.

Supervisory Strategies for Large Banks: In 2002, the FDIC initiated the Dedicated Examiner Program for the eight largest banks in the United States. The FDIC is the insurer but not the primary federal regulator for these institutions. Examiners are dedicated to those institutions to participate in targeted reviews and attend management meetings. Also, case managers closely monitor such institutions through the Large Insured Depository Institutions Program’s quarterly analysis and executive summaries. Additionally, case managers consistently remain in communication with their counterparts at the other regulatory agencies, frequently attending pre-examination meetings, post-examination meetings, and exit board meetings.

Maximum Efficiency, Risk-focused, Institution Targeted (MERIT) Examinations Program: This program was introduced in March 2002 and is designed to improve the efficiency and effectiveness of bank examinations by maximizing the use of risk-focused examination procedures in well managed banks in sound financial condition. As of September 30, 2004, over 4,600 of approximately 5,300 FDIC-supervised institutions were MERIT-eligible based on asset size (less than $1 billion) and composite rating (of 1 or 2). DSC has reported that the MERIT program has reduced the average time spent conducting safety and soundness examinations of small, low-risk institutions by well over the 20 percent target in qualifying institutions.

Relationship Manager Program: Still in its early stages, under this approach, commissioned examiners are assigned a portfolio of banks and are designated the "Relationship Manager" or primary point of contact for these banks. As such, relationship managers will conduct comprehensive risk assessments of the banks in their portfolios and in consultation with other experts prepare a risk-focused supervisory plan. Off-site and on-site activities will be conducted as needed throughout the examination cycle rather than the current "point-in-time" approach. The emphasis is on scheduling off-site and on-site reviews during the examination cycle to better leverage external sources of information.

Many other challenges also exist as the Corporation seeks to protect and ensure the continued strength of the insurance funds, as discussed below:

Merging the Insurance Funds: Because of bank mergers and acquisitions, many institutions hold deposits insured by both the Bank Insurance Fund (BIF) and Savings Association Insurance Fund (SAIF), obscuring the difference between the funds. There is ongoing consideration of merging the two insurance funds with the perceived outcome being that the merged fund would not only be stronger and better diversified but would also eliminate the concern about a deposit insurance premium disparity between the BIF and the SAIF. The prospect of different premium rates for identical deposit insurance coverage would be eliminated. Also, insured institutions would no longer have to track their BIF and SAIF deposits separately, resulting in cost savings for the industry. Assessments in the merged fund would be based on the risk that institutions pose to that fund.

The Corporation has worked hard to bring about deposit insurance reform, and the OIG supports the FDIC’s continued work with the banking community and the Congress in the interest of eventual passage of reform legislation.

Inspector General Testifies on Bank Secrecy Act


On June 3, 2004, the Inspector General (IG) testified before the Senate Committee on Banking, Housing, and Urban Affairs, on Bank Secrecy Act (BSA) Compliance and Enforcement. The IG gave some historical perspective, discussed BSA-related work that the FDIC OIG has done over the past several years, and offered views on the challenges that the Congress and the financial regulators face going forward in this critical area.

The FDIC Chairman’s testimony on that day indicated that the FDIC had conducted almost 11,000 BSA examinations since 2000. Over the past several years, in line with responsibilities under the Inspector General Act, the FDIC OIG conducted three audits that address the FDIC’s efforts to design and implement a supervisory program to examine institutions’ compliance with provisions of the BSA and the more recently enacted USA PATRIOT Act. Overall, these audits identified that the Corporation had taken steps to implement a risk-focused examination program for BSA. However, improvements were needed to ensure that institutions were fully complying with, and the FDIC was effectively enforcing provisions of, the Act. The IG reported that the Corporation had corrective action completed or ongoing to address all of the OIG’s recommended improvements.

Of particular importance, the audit results in our report entitled Supervisory Actions Taken for Bank Secrecy Act Violations raised concerns related to four general areas:
  1. Extent of Regulatory Action on Significant and Repeat Violations
  2. Consistency of Reporting of Deficiencies and Violations
  3. Timing of FDIC Follow-up and Corrective Actions on BSA Violations
  4. Handling of Referrals to the Treasury

The IG closed his testimony by suggesting that in light of the knowledge we have gained since 9/11 and more recent terrorist threats, there are key questions that the FDIC should consider, in conjunction with the Treasury Department and the other financial regulators, as it looks to improve its BSA program.

Is risk-scoping BSA examinations and follow-up still the most effective approach to deterring money laundering and terrorist financing?
Are the policies and procedures for reporting certain cash transactions and BSA violations to the Treasury Department, some of which date to the early 1990s, currently effective?
Is the information reported to the Financial Crimes Enforcement Network by financial institutions and regulators effectively evaluated and does it ultimately result in timely preventive actions?

The OIG is prepared to assist in addressing these issues and has additional audits underway and planned in this area to help ensure that financial institutions, through efficient and effective supervision by the FDIC, will remain vigilant in implementing BSA programs that assist in preventing money laundering and terrorism.

(Hearing on Bank Secrecy Act Compliance and Enforcement, Statement of Gaston L. Gianni, Jr., June 3, 2004)

The Designated Reserve Ratio: If the BIF ratio is below 1.25 percent, in accordance with the Federal Deposit Insurance Act, the FDIC Board of Directors must charge the banks premiums that are sufficient to restore the ratio to the statutorily mandated designated reserve ratio within 1 year. As of March 31, 2002, the BIF reserve ratio was at 1.23 percent, the first time since 1995 that the ratio had fallen below 1.25 percent. By June 30, 2002, the BIF reserve ratio was at 1.25 percent, precisely at the minimum mandated level. According to the Corporation’s Letter to Stakeholders, the BIF ratio reported for 2nd Quarter 2004 was 1.31 percent. The Corporation must maintain or exceed the designated reserve ratio, as required by statute.

Setting Deposit Insurance Premiums: Insurance premiums are generally assessed based on the funding requirements of the insurance funds. Because the reserve ratio may not fall below the statutory designated reserve ratio of 1.25 percent, this approach has the impact of assessing premiums during economic downturns when banks are failing and are likely not in the best position to afford the premiums. Also, numerous institutions have benefited from being able to sharply increase insured deposits without contributions to the insurance funds commensurate with this increased risk. This situation can occur because the designated reserve ratio is not breached, thereby triggering across-the-board premiums. Current deposit insurance reform proposals include provisions for risk-based premiums to be assessed on a more frequently scheduled basis than would occur using the existing approach. Risk-based premiums can provide the ability to better match premiums charged to institutions with related risk to the insurance funds.

Adoption of the Proposed Basel Committee II Capital Accord: Adoption of the accord poses a potential major impact to the insurance funds due to the prospect of lower minimum capital requirements for some of the largest, most complex institutions. The initial Basel Capital Accord only took credit risks into account; Basel II will require that banks evaluate and measure other forms of risk, including operational risk. Banks will have to make capital provisions to effectively act as a contingency fund, to cover the direct and indirect losses that emergent operational risks could cause. The failure of at-risk institutions to fully adhere to this proposed contingency funding mechanism in place of higher minimum capital requirements constitutes a threat of increased insurance losses to the funds. Adoption of the accord may pose challenges for the Corporation by requiring new skill sets to address Basel II issues.

FDIC’s Information Technology Examinations
One of our audits during the reporting period examined whether the FDIC’s information technology (IT) examinations provide reasonable assurance that IT risks are being addressed by the risk management programs in FDIC-supervised financial institutions. We focused our audit work primarily on institutions with more than $1 billion in assets which generally had more complex IT architectures.

We concluded that the Corporation’s IT examination program does provide such assurance. We did, however, identify opportunities for improving the quality of the IT examination process. Specifically, the FDIC did not have a review process in place to determine whether appropriate examination procedures are applied and whether findings and conclusions are adequately supported. The FDIC has a quality review process in place for its safety and soundness examinations but generally has not conducted similar quality reviews for IT examinations. We recommended that the FDIC improve the quality, efficiency, and effectiveness of its IT examinations by instituting a standardized quality review of all phases of the IT examination process and supporting documentation prior to issuance of IT examination results.

DSC generally concurred with the report’s findings and agreed that the IT review process could be enhanced. DSC provided an action plan that would enhance DSC’s quality review process from the field office and field territory levels. We consider the recommendation resolved. (Report No. 04-022, June 15, 2004.)

The Division of Supervision and Consumer Protection’s Approach for Supervising Limited-Charter Depository Institutions
We completed an evaluation of the FDIC’s supervisory approach for examining limited-charter depository institutions, which include industrial loan companies (ILCs). ILCs are state-chartered, FDIC-supervised financial institutions that may be owned by commercial firms that are not regulated by a federal banking agency. We performed this evaluation because there has been much debate among the banking regulators and with the Congress regarding whether ILCs pose safety and soundness risks. The objectives of our review were to evaluate: (1) whether ILCs pose greater risks to the insurance fund than other financial institutions, and (2) DSC’s supervisory approach in determining and mitigating material risks posed to ILCs by parent companies.

The Corporation contends that ILCs are no riskier than traditional banks and that the risks lie within the business line, not the charter type. Most ILC parent companies are subject to varying degrees of federal regulation. Many are subject to consolidated supervision by the Office of Thrift Supervision (OTS), the Securities and Exchange Commission, or the Federal Reserve Board. The FDIC has stated it has sufficient legislative authority to supervise ILCs and their parents. However, differences exist in the scope of authority granted to the FDIC, the Federal Reserve Board, and OTS relating to holding company supervision. We concluded that ILCs may pose additional risks to the deposit insurance fund because ILC parent holding companies are not always subject to the scope of consolidated supervision, consolidated capital requirements, or enforcement actions imposed on parent organizations subject to the Bank Holding Company Act or the Home Owners’ Loan Act. However, the FDIC has established controls to help mitigate these added risks through its deposit insurance application process, routine examination of ILCs and affiliates, and offsite monitoring program.

Nevertheless, we identified opportunities to: strengthen DSC’s insurance application process; better define and clarify guidance for determining the parent company’s source of financial and managerial strength to the ILC; enhance examination policies and procedures for assessing the impact of ILC-parent relationships; and develop a more formal examination program for ILC parent companies that generally relies on the primary federal regulator when applicable and addresses those parent companies that are not supervised by a federal regulator.

Our report contained eight recommendations for strengthening the quality of DSC’s program for supervising ILCs. The Corporation generally agreed with our recommendations, which we consider resolved. (Report No. EVAL-04-048, September 30, 2004.)

Division of Supervision and Consumer Protection’s Regional Office Structure
We conducted an audit of DSC’s regional office structure to assess the structure in light of changes that have occurred since the 1980s at the FDIC and in the banking industry it regulates.

In our view, industry, technology, and security changes along with changes in DSC’s approach to its supervisory responsibilities warrant reconsideration of the current geographic and organizational structure of the regional offices. We therefore recommended that the Director, DSC, initiate an independent analysis of DSC’s regional office structure to determine the optimal means to effectively manage the division’s organizational structure and its resources.

DSC agreed to evaluate its regional structure as part of its annual workforce planning and budgeting efforts. This corrective action is responsive to our recommendation. (Report No. 04-040, September 28, 2004.)


4. Effectiveness of Resolution and Receivership Activities

One of the FDIC’s corporate responsibilities is planning and efficiently handling the franchise marketing of failing FDIC-insured institutions and providing prompt, responsive, and efficient resolution of failed financial institutions. These activities maintain confidence and stability in our financial system. Notably, since the FDIC’s inception over 70 years ago, no depositor has ever experienced a loss of insured deposits at an FDIC-insured institution due to a failure. According to the Corporation’s Letter to Stakeholders for the 3rd Quarter 2004, the FDIC is managing over $603 million in assets in liquidation in 35 BIF and SAIF receiverships. The Asset Servicing Technology Enhancement Project is a key initiative to implement an integrated solution to meet the FDIC’s current and future asset servicing responsibilities based on industry standards, best practices, and available technology.

The FDIC has outlined primary goals for three business lines that are relevant to the three major phases of its work: Pre-Closing, Closing, and Post-Closing of failing or failed institutions. Each is accompanied by significant challenges:

Deposit Insurance: The FDIC must provide customers of failed financial institutions with timely access to their insured funds and financial services. A significant challenge in this area is to ensure that FDIC deposit insurance claims and payment processes are prepared to handle large institution failures.

Resolutions: As the FDIC seeks to resolve failed institutions in the least costly manner, its challenges include ensuring the efficiency of contingency planning for institution failures and effective internal FDIC communication and coordination as well as communication with the other primary federal regulators. Such steps help ensure timely access to records and optimal resolution strategies.

Receivership Management: The FDIC’s goal is to manage receiverships to maximize net return toward an orderly and timely termination and provide customers of failed institutions and the public with timely and responsive information. Related challenges include ensuring the efficiency of the receivership termination process, effective claims processing, continual assessment of recovery strategies, sound investigative activities, collection of restitution orders, and accurate charging of receiverships for services performed under the Receivership Management Program.

Our work in the receiverships and resolutions area included the following reports:

Retention Strategies for Failed Insured Depository Institution Employees
The objective of this audit was to determine whether the Division of Resolutions and Receiverships’ (DRR) decisions for retaining and paying former institution employees to assist in the process of liquidating receiverships were reasonable and adequately supported.

DRR’s decisions to retain and pay former institution employees to assist in the operations of its receiverships appeared justified given the specific circumstances of the closed institutions. Also, retention decisions were adequately communicated to, and approved by, appropriate FDIC management officials. However, DRR could have better documented the basis for the retention decisions. We also concluded that the FDIC can better protect against the misuse of sensitive financial and customer information by former institution employees retained to assist in liquidating receiverships.

We made four recommendations to address our concerns with documenting decisions, securing sensitive financial and customer information, and conducting background checks of retained employees. The Director, DRR, agreed with our recommendations and expects significant progress and results in the areas discussed in the report by the end of 2004. (Report No. 04-030, August 20, 2004.)

Proceeds from Terminated Securitizations
Securitization is the process by which assets with generally predictable cash flows are packaged into interest-bearing securities with marketable investment characteristics. The most common securitized product is the mortgage-backed security.

We conducted an audit to determine whether funds from terminated securitization transactions had been properly reported and credited to the FDIC by third parties, which include the mortgage-backed securities master servicer and a trustee appointed to the trust created for each securitization. The reserve fund releases and residual distributions from the four terminated securitization transactions we reviewed totaled $341,578,536 and $241,120,162, respectively. We concluded that DRR had an adequate management control process to ensure that all proceeds from the terminated securitizations were properly reported and credited to the FDIC by third parties. (Report No. 04-034, September 13, 2004.)

Cases Involving Concealment of Assets
As referenced earlier, the OIG’s Office of Investigations coordinates closely with the FDIC’s DRR and with the Legal Division regarding ongoing investigations involving fraud at failed institutions, fraud by FDIC debtors, and fraud in the sale or management of FDIC assets. In particular, investigators coordinate closely with the Corporation to address issues arising in connection with the prosecution of individuals who have illegally concealed assets in an attempt to avoid payment of criminal restitution to the FDIC. As of September 30, 2004, the FDIC was owed approximately $1.7 billion in criminal restitution. In most cases, the individuals subject to restitution orders do not have the means to pay. We focus our investigations on those individuals who do have the means to pay but hide their assets from and/or lie about their ability to pay. The Investigations Section of this report highlights the efforts of one of our Special Agents working on asset concealment cases.


5. Management of Human Capital

Human capital issues pose significant elements of risk that interweave all the management and performance challenges facing the FDIC. Human capital management requires committed, sustained, and inspired leadership and persistent attention. In the last 15 years, the FDIC has dealt with dramatic swings in its staffing levels in response to the banking and thrift crisis of the late 1980s and early 1990s and subsequent period of recovery. The FDIC, like other organizations, continues to be affected by changing technology, market conditions, initiatives designed to improve its business processes, an aging workforce, and by the unknown. Such events impact staffing levels and required skills mix going forward just as they would any other organization.

Since 2002, the FDIC has been working to create a flexible permanent workforce that is poised to respond to sudden changes in the financial sector. As part of the 2005 corporate planning and budget process, senior executives concluded that the FDIC’s future workforce will be smaller with a somewhat different mix of skills. Recently, FDIC executives announced initiatives focused on workforce planning, human resources flexibilities, and the establishment of a Corporate Employee Program.

In August 2004, the FDIC’s Chief Operating Officer announced a Workforce Planning for the Future initiative that requires the FDIC’s three business line divisions to: (1) review future workload assumptions; (2) analyze existing skill sets, identify needed skill sets, and design strategies for closing any gaps; and (3) develop succession management plans. The initiative also established vacancy management goals for carefully reviewing each vacancy within the Corporation to determine whether and how vacancies should be filled.

On September 1, 2004, the FDIC sent a legislative proposal, known as the FDIC Workforce 21 Act of 2004, to the Congress that would provide the Corporation with greater flexibility in the human resources area. The proposal seeks to build upon human capital flexibilities related to streamlined hiring authority, term appointments, reemployment of retired annuitants in exigent circumstances, employment of experts and consultants, and reduction-in-force and early retirement authority.

The Chief Operating Officer has also announced a Corporate Employee Program. The Program’s objectives address risks related to industry consolidation and complexity and will position the Corporation to more successfully respond to rapid changes in individual institutions or the entire financial industry. The program will provide cross-training programs and cross-divisional mobility to provide individual job enhancement and to serve organizational needs as events require. Amid these initiatives, the Corporation will need to confer with the National Treasury Employees Union, when appropriate, in negotiating matters affecting bargaining unit employees.

The FDIC has stated that over the next 10 years, it is likely that almost 1,600 employees or 30 percent of the FDIC’s current workforce will retire. Other employees will leave the FDIC for non-retirement reasons. The Corporation must carefully plan its Corporate University training programs, continue to work to identify an appropriate skills mix, correct any existing skills imbalances, fill key vacancies in a timely manner, engage in careful succession planning, and continue to conserve and replenish the institutional knowledge and expertise that has guided the organization over the past years. A need for additional outsourcing may arise. Hiring and retaining new talent will be important and hiring and retention policies that are fair and inclusive must remain a significant component of the corporate diversity plan. Designing, implementing, and maintaining effective human capital strategies—including developing a coherent human capital blueprint that comprehensively describes the FDIC’s human capital framework and establishes a process for agency leaders to systematically monitor the alignment and success of human resources-related initiatives—are critical priorities and must continue to be the focus of centralized, sustained corporate attention. Our ongoing work in this area includes an evaluation of the effectiveness of DSC’s workforce planning. We are also initiating an evaluation of the Corporate University.


6. Management and Security of Information Technology Resources

Information technology continues to play an increasingly greater role in every aspect of the FDIC mission. As corporate employees carry out the FDIC’s principal business lines of insuring deposits, examining and supervising financial institutions, and managing receiverships, the employees rely on information and corresponding technology as an essential resource. Information and analysis on banking, financial services, and the economy form the basis for the development of public policies and promote public understanding and confidence in the nation’s financial system. IT is a critical resource that must be safeguarded.

Accomplishing IT goals efficiently and effectively requires sound IT planning and investment control processes. The Corporation’s 2004 IT budget is approximately $233 million. The Corporation must constantly evaluate technological advances to ensure that its operations continue to be efficient and cost-effective and that it is properly positioned to carry out its mission, particularly in light of ongoing downsizing. While doing so, the Corporation must continue to respond to the impact of laws and regulations on its operations. The Corporation’s Transformation Project is bringing about significant change in the Division of Information Resources Management (DIRM). Management of IT resources and IT security have been the focus of several laws, such as the Paperwork Reduction Act, the Government Information Security Reform Act, and the Federal Information Security Management Act of 2002 (FISMA). Under FISMA, each agency is required to report on the adequacy and effectiveness of information security policies, procedures, and practices and compliance with information security requirements.

The FDIC has recognized that improvements in its information security program and practices are needed. In its 2003 annual report to the Congress, the FDIC identified information security as a high vulnerability issue within the Corporation. The FDIC also identified improvements in its information security program as a major corporate priority in its 2004 Annual Performance Plan. Senior FDIC managers, including the Vice Chairman of the Board of Directors and the FDIC Audit Committee, have played an active role in strengthening the FDIC’s information security program through oversight of information security initiatives and monitoring of corporate efforts to address security weaknesses. As discussed below in this section, representatives of DIRM, the Division of Administration, and the Office of Enterprise Risk Management have also been working with our office as part of a "Getting to Green" initiative on the OIG’s annual FISMA evaluation scorecard.

Federal Information Security Management Act Evaluation
As required by FISMA, we completed an independent evaluation of the FDIC information security program and practices. FISMA directs federal agencies to have an annual independent evaluation performed of their information security program and practices and for agencies to report the results of the evaluation to the Office of Management and Budget (OMB). FISMA states that the independent evaluation is to be performed by the agency IG or an independent external auditor as determined by the IG. This is the fourth annual security evaluation that our office has performed pursuant to FISMA and its predecessor legislation, the Government Information Security Reform Act, which expired in November 2002.

Getting to Green
The OIG is working closely with representatives of the FDIC’s Division of Information Resources Management (DIRM), Division of Administration (DOA), and Office of Enterprise Risk Management (OERM) as part of a "Getting to Green" initiative on the OIG’s annual FISMA evaluation scorecard. The OIG assigns one of three assurance levels (reasonable assurance—green, limited assurance—yellow, and minimal/no assurance—red) when assessing the adequacy of security for each management control area that the OIG considers when conducting its FISMA evaluation of the Corporation’s information security program. Representatives of DIRM, DOA, OERM, and the OIG held periodic meetings from November 2003 through April 2004 on various corporate information security issues, such as new and emerging security requirements being developed by the National Institute of Standards and Technology, the Corporation’s progress in addressing reported weaknesses, and next steps and targets. Additional getting-to-green meetings are planned beginning in November 2004, and the OIG is committed to continuing this highly successful working relationship.

The objective of the evaluation was to determine the effectiveness of the FDIC’s information security program and practices, including its compliance with the requirements of FISMA and related information security policies, procedures, standards, and guidelines. In summary, we concluded that the Corporation had established and implemented management controls that provided limited assurance of adequate security over its information resources. As a result of focused efforts over the past several years, the FDIC has made considerable progress in improving its information security controls and practices. Notably, this is the first annual security evaluation wherein we identified no significant deficiencies as defined by OMB that warrant consideration as a potential material weakness. However, continued management attention was needed in several key security control areas to ensure that appropriate risk-based and cost-effective security controls are designed and in place to secure the FDIC’s information resources and further the Corporation’s security goals and objectives.

We also issued a separate audit report containing responses to specific questions raised by OMB in its August 23, 2004 memorandum, FY 2004 Reporting Instructions for the Federal Information Security Management Act.

Our responses to the OMB questions, together with the independent security evaluation report, satisfy our 2004 FISMA reporting requirements.

Similar to our prior year security evaluations, our FISMA report identified 10 steps that the Corporation can take in the near term to improve its information security program and operations. Generally, the steps focused more on the implementation of the FDIC’s security management controls, whereas the steps contained in our prior year evaluation focused primarily on the establishment of security management controls. In many cases, the FDIC had already begun to address these steps during our evaluation field work. We will continue to work with the Corporation throughout the coming year to ensure that appropriate risk-based and cost-effective IT security controls are in place to secure corporate information resources and further corporate security goals and objectives. (Report No. 04-046, September 30, 2004.)

We also conducted specific work in the following IT areas, much of which contributed to our overall FISMA evaluation:

Enhancements to the FDIC System Development Life Cycle Methodology
We concluded that the FDIC had recently chosen a new system development life cycle methodology that was both risk-based and reflected industry and federal government best practices. We also found that the FDIC had not developed an adequate control framework for system development to ensure that project management practices, performance assessment results, enterprise architecture alignment, funding decisions and cost-benefit analyses, and certification and accreditation guidance for security requirements were incorporated into development efforts. The report contains four recommendations to improve the system development control framework. The Corporation’s response to this audit addressed the concerns we identified. (Report No. 04-019, April 30, 2004.)

FDIC’s Software Management Program
We concluded that DIRM has implemented several effective controls over its software management program. However, DIRM could strengthen the program by completing efforts underway to develop policies and procedures, designate program responsibility, and establish a consolidated inventory system. Our report made three recommendations to address control weaknesses. The Corporation’s response addressed the concerns discussed in our report. (Report No. EVAL-04-020, June 8, 2004.)

FDIC’s Virtual Supervisory Information on the Net Application
We conducted an audit of the FDIC’s Virtual Supervisory Information on the Net (ViSION) application to determine whether the application controls over operational components were adequate. ViSION was designed to accept and provide information from and for the FDIC and other federal and state regulators in support of day-to-day operations. ViSION contains information on all insured depository institutions. Users rely on ViSION as a central repository for compiling, reviewing, analyzing, and managing financial, examination, and other data on financial institutions.

We recommended that the Corporation develop, update, and implement key management and operational controls to protect the confidentiality, integrity, and availability of the information contained in the ViSION application. The Corporation’s response adequately addressed our recommendations. (Report No. 04-027, July 30, 2004.)

FDIC’s Capital Investment Management Review Process for Information Technology Investments
One of our evaluations this reporting period focused on the FDIC’s capital planning and investment management (CPIM) process. Our objective was to determine whether the FDIC’s Capital Investment Review Committee (CIRC) is implementing an efficient and effective review process that supports budgeting for the FDIC’s IT capital investments and ensures the regular monitoring and proper management of these investments once they are funded.

The CIRC was established in September 2002; therefore, measuring the overall effectiveness of the CIRC was difficult. Nonetheless, we found that the program activities the FDIC has undertaken since 2002 aligned with the processes the U.S. Government Accountability Office (GAO) considers necessary to build a successful IT capital investment process. Specifically, the FDIC’s efforts have encompassed a broad range of activities, including ongoing work to develop:

an IT governance structure, including the establishment of the Chief Information Officer Council in February 2004;

a systematic, quarterly management oversight process for individual capital investment projects and the overall portfolio; and

corporate tools and guidance for project managers.

These activities align with the processes associated with the second and third stages of maturity in GAO’s five-tiered model. However, work remains to achieve a mature, repeatable process, and the FDIC has many efforts underway or planned to reach that goal.

We made 11 recommendations to the Chief Financial Officer and Chief Information Officer, the CIRC Co-Chairs, to take actions in 3 general areas to help ensure continued maturation of the CPIM process: (1) Strengthen the IT investment management governance structure, (2) Strengthen CPIM-related procedures, and (3) Create a CPIM plan.

Management did not concur with 2 of our 11 recommendations. With respect to one of those recommendations, we requested that management reconsider its position and clarify requirements for validating quarterly project assessments by independent qualified personnel when management updates the FDIC Capital Investment Policy in June 2005. For the other outstanding recommendation, we agreed with management that further action was not required. (Report No. 04-039, September 23, 2004.)

Audits by IBM
We engaged International Business Machines Business Consulting Services (IBM), an independent professional services firm, to support our efforts to satisfy reporting requirements related to FISMA. IBM issued the following three reports during the reporting period:

FDIC’s IT Security Risk Management Program—Overall Program Policies and Procedures and the Risk Assessment Process: IBM concluded that the FDIC had made progress since August 2003 in implementing the risk management program. However, policies and procedures for the overall program and the risk assessment process could be strengthened.

IBM made three recommendations to the Director, DIRM, to improve the policies and procedures for managing IT risk and the Director agreed. (Report No. 04-028, July 30, 2004.)

FDIC’s Mainframe Security: IBM concluded that the FDIC has established and implemented management, operational, and technical controls that provide reasonable assurance of adequate mainframe security. IBM also found that the FDIC has made progress in its efforts to strengthen mainframe security, update security policies and procedures, and increase employee security awareness.

Further, DIRM has completed the required certification activities in preparation for system accreditation. These activities include completing a mainframe security plan; conducting a risk assessment and preparing the final risk assessment report; performing a self-assessment of mainframe management, operational, and technical controls; and completing a Plan of Actions and Milestones.

IBM did find one aspect of mainframe security that could be improved. DIRM management concurred with IBM’s related recommendation. (Report No. 04-037, September 30, 2004.)

FDIC’s IT Contingency Planning: IBM’s audit focused on the adequacy of the FDIC’s policies, procedures, and tools for contingency planning. IBM concluded that the FDIC had made progress since the OIG’s 2003 FISMA evaluation. However, improvements are needed to ensure that FDIC data can be restored in a timely manner.

IBM made three recommendations to improve the FDIC’s contingency planning program. DIRM agreed to take corrective actions that adequately address the three recommendations. (Report No. 04-038, September 22, 2004.)


7. Security of Critical Infrastructure

The adequate security of our nation’s critical infrastructures has been at the forefront of the federal government’s agenda for many years. Specifically, the President’s Commission on Critical Infrastructure Protection (established in July 1996) was tasked to formulate a comprehensive national strategy for protecting the nation’s critical infrastructure from physical and "cyber" threats. Included among the limited number of systems whose incapacity or destruction were deemed to have a debilitating impact on the defense or economic security of the nation was the banking and finance system. With the increased consolidation and connectivity of the banking industry in the years since 1996, and with the new awareness of the nation’s vulnerabilities to terrorist attacks since September 11, 2001, the security of the critical infrastructure in the banking industry is even more important.

On December 17, 2003, the President signed Homeland Security Presidential Directive (HSPD) 7, Critical Infrastructure Identification, Prioritization and Protection. HSPD–7 established a national policy for federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist acts. On June 17, 2004, OMB issued Memorandum M04-15, Development of the HSPD-7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key Resources. The memorandum provides guidance regarding the format and content of critical infrastructure protection plans that federal agencies are required to submit to the OMB. Although the FDIC has determined that it does not maintain critical infrastructure or key resources as intended by HSPD–7, the FDIC is required to report to OMB on its ability to ensure the continuity of its business operations in the event of a physical or cyber attack.

The intent of HSPD–7 is to ensure that the federal government maintains the capability to deliver services essential to the nation’s security and economy and to the health and safety of its citizens in the event of a cyber- or physical-based disruption. Much of the nation’s critical infrastructure historically has been physically and logically separate systems that had little interdependence. However, as a result of technology, the infrastructure has increasingly become automated and interconnected. These same advances have created new vulnerabilities to equipment failures, human error, natural disasters, terrorism, and cyber attacks.

To effectively protect critical infrastructure, the FDIC’s challenge is to implement measures to mitigate risks, plan for and manage emergencies through effective contingency and continuity planning, coordinate protective measures with other agencies, determine resource and organization requirements, and engage in education and awareness activities. The FDIC will need to continue to work with the Department of Homeland Security and the Financial and Banking Information Infrastructure Committee, created by Executive Order 23231 and chaired by the Department of the Treasury, on efforts to improve security of the critical infrastructure of the nation’s financial system. To address this risk, the FDIC is sponsoring 24 outreach conferences for the Financial and Banking Information Infrastructure Committee and Financial Services Sector Coordinating Council through 2005, which will address protecting the financial sector. The Corporation will also need to be attentive to the new requirements of HSPD-7.

Implementation of Physical Security Policies
During the reporting period we performed a follow-up to two prior OIG evaluations to assess the FDIC physical security program and implementation of physical security at the FDIC’s Washington, D.C., metropolitan area facilities and regional and field offices.

We concluded that the FDIC had implemented the OIG-recommended improvements to security policies for FDIC-owned and leased space in the Washington, D.C., and Virginia Square locations and in the regional and field offices. However, we also found that the Division of Administration (DOA) could further improve the vulnerability assessment process for some of its offices, and we made a recommendation to that effect. The Director, DOA, concurred with our recommendation and agreed to take responsive action. (Report No. 04-021, June 15, 2004.)

FDIC’s Business Continuity Plan
We completed an evaluation of the FDIC’s Business Continuity Plan (BCP) during the reporting period to determine whether the FDIC’s plan addresses key elements of business continuity planning. An FDIC Audit Committee member had asked our office to assess the FDIC’s BCP against the key elements.

We found that the FDIC’s BCP addresses the critical business functions of key FDIC divisions and offices. Also, actions are underway to review and update a business impact analysis and to identify the resources necessary to sustain essential functions in the event of disruptions. However, the FDIC could improve the quality of its BCP in a number of key areas to help ensure its success. As a result, we made 10 recommendations to strengthen the quality of the FDIC’s BCP, with which the Corporation agreed. (Report No. EVAL-04-029, August 9, 2004.)


8. Management of Major Projects

Project management is the defining, planning, scheduling, and controlling of the tasks that must be completed to reach a goal and the allocation of the resources to perform those tasks. The FDIC has engaged in several multi-million dollar projects, such as the New Financial Environment (NFE), Central Data Repository, and Virginia Square Phase II Construction. Without effective project management, the FDIC runs the risk that corporate requirements and user needs may not be met in a timely, cost-effective manner. We have done several reviews of these projects and identified the need for improved defining, planning, scheduling, and controlling of resources and tasks to reach goals and milestones. The Corporation included a project management initiative in its 2004 performance goals and established a Program Management Office to address the risks and challenges that these kinds of projects pose.

In September 2002, the FDIC executed a multiyear contract to replace its core financial systems and applications with a commercial-off-the-shelf software package. NFE is a major corporate initiative to enhance the FDIC’s ability to meet current and future financial management and information needs. At the time the Board case was approved, the FDIC estimated the total lifecycle cost of NFE, including FDIC staff time, to be approximately $62.5 million over 8 years. NFE offers the FDIC significant benefits and presents significant challenges. These challenges will test the Corporation’s ability to (1) maintain unqualified opinions on the FDIC’s annual financial statements through the system implementation and associated business process reengineering; (2) manage contractor resources, schedules, and costs; and (3) coordinate with planned and ongoing system development projects related to NFE. We have reported on several NFE matters in the past and are currently auditing the Corporation’s ongoing NFE efforts.

The Call Report Processing Modernization project is a collaborative effort by the FDIC, the Federal Reserve Board, and the Office of the Comptroller of the Currency to improve the processes and systems used to collect, validate, store, and distribute Call Report information. The project resulted in a Central Data Repository approach to managing bank Call Report information. We are monitoring the Corporation’s progress on this project.

In March 2002, the Board of Directors approved construction of a new nine-story building at the FDIC’s Virginia Square in Northern Virginia. Known as Virginia Square Phase II, the building will house FDIC staffers (about 1,100) for the most part now working in leased space. The expansion will cost approximately $111 million. The building is expected to be finished by early 2006. Completing construction activities and moving staff from leased to owned space within the planned time and cost budgets presents considerable challenges for FDIC management.

The Corporation must ensure that employees from all divisions and offices properly safeguard the BIF and SAIF. It is critically important that budgets for the major projects discussed above and all others be established and closely monitored to prevent significant cost overruns.

Control Framework for the Virginia Square Phase II Project
We continued our audit coverage of the Virginia Square Phase II project for the construction of a second office building and a special-purpose facility to be completed at Virginia Square. Our audit objective was to determine whether the control framework for the project was adequate to minimize the risk that financial and time budgets may not be met.

We concluded that the FDIC established an adequate control framework for the Virginia Square Phase II construction project that, if consistently and effectively implemented, should ensure that the project will be completed on time and within budget. However, we also found that the FDIC withheld less than the contract entitled the FDIC to retain on progress payments to the general contractor. We recommended that the Director, DOA, emphasize that contractor invoices be reviewed for compliance with all contract terms, including retainage provisions, and that discrepancies be documented and resolved before payment. The Corporation took prompt action in response to our recommendation. (Report No. 04-018, April 22, 2004.)


9. Assessment of Corporate Performance

Assessing corporate performance is a key challenge because good intentions and good beginnings are not the measure of success. What matters in the end is completion: performance and results. To that end, the Government Performance and Results Act (Results Act) of 1993 was enacted. This Act requires most federal agencies, including the FDIC, to prepare a strategic plan that broadly defines each agency’s mission, vision, and strategic goals and objectives; an annual performance plan that translates the vision and goals of the strategic plan into measurable annual goals; and an annual performance report that compares actual results against planned goals.

The current Administration has raised the bar further in this area. Specifically, OMB is using an Executive Branch Management Scorecard to track how well departments and agencies are executing the management initiatives, and where they stand at a given point in time against the overall standards for success. OMB has also introduced the Program Assessment Rating Tool to evaluate program performance, determine the causes for strong or weak performance, and take action to remedy deficiencies and achieve better results.

The Corporation’s strategic plan and annual performance plan lay out the agency’s mission and vision and articulate goals and objectives for the FDIC’s three major program areas: Insurance, Supervision, and Receivership Management. Through its annual performance report, the FDIC is accountable for reporting actual performance and achieving its strategic goals. In addition to the Corporation’s strategic and annual goals and objectives established under the Results Act, the Chairman maintains a comprehensive set of objectives used for internal management which are summarized in terms of Stability, Sound Policy, and Stewardship.

The Corporation has made significant progress in implementing the Results Act. Over the years, it has developed more outcome-oriented performance measures, better linked performance goals and budgetary resources, and improved processes for verifying and validating reported performance. While the FDIC is neither included on the Management Scorecard nor required to submit a Program Assessment Rating Tool to the OMB, some of the Corporation’s divisions have begun using a "scorecard" approach to monitoring and evaluating performance, and we support the use of these tools.

The OIG has played an active role in evaluating the Corporation’s efforts in this area. We have conducted reviews of the processes used for verifying and validating data and evaluated the Corporation’s budget and planning process. As part of the Corporation’s overall planning process, we provide input and our perspective annually on the FDIC’s strategic goals and objectives. In doing so, we have pointed to the need to better align the strategic and annual planning process under the Results Act with the separate process used to develop detailed annual corporate performance objectives and initiatives designed to accomplish the Chairman’s priorities.

During the reporting period, we updated an earlier analysis of the linkage between the Corporation’s two separate performance measurement processes. We compared (1) the FDIC’s 2004 Corporate Performance Objectives (i.e., Chairman’s) to (2) the 2004 Results Act Annual Performance Plan. The analysis continues to reflect that the two separate plans are not well integrated. OIG advisory comments on the Corporation’s 2002, 2003, and 2004 Results Act plans have suggested that the Corporation take additional steps to better link the two systems.

Strong internal control and risk management practices can help an organization achieve strategic and annual goals. Internally, the Corporation is currently operating under an internal control policy that predates many developments toward proactive risk management. Since the Corporation issued its internal control policy in February 1998, GAO has issued Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999), which discusses five components of internal control and provides an overall framework for identifying and addressing major performance challenges and areas of greatest risk for fraud, waste, abuse, and mismanagement. Also, as mentioned earlier in this semiannual report, many organizations in the insurance industry and other organizations are using an Enterprise Risk Management approach to managing not only financial risks, but all business and compliance risks. The Committee of Sponsoring Organizations of the Treadway Commission has issued a document that explains essential concepts and the interrelationship between enterprise risk management and internal control. The Corporation’s Office of Enterprise Risk Management can play a role in risk management activities that help the Corporation achieve its goals.


10. Cost Containment and Procurement Integrity

Stewardship of resources has been a focus of the FDIC’s current Chairman. As steward for the insurance funds, the Chairman has embarked on a campaign to identify and implement measures to contain and reduce costs, either through more careful spending or assessing and making changes to business processes to increase efficiency.

A key challenge to containing costs relates to the contracting area. To achieve success in this area, the FDIC must ensure that its acquisition framework—that is, its policies, procedures, and internal controls—is marked by sound planning; consistent use of competition; fairness; well-structured contracts designed to produce cost-effective, quality performance from contractors; and vigilant contract management to ensure successful oversight management activities. The Corporation has taken a number of steps to strengthen controls and oversight of contracts.

However, as the Corporation downsizes and continues to contract for services, it needs to remain vigilant. We have a contract audit program that looks at the reasonableness and support for billings on significant Corporation contracts and, as needed, evaluates contract award processes. Our work in the cost containment and procurement integrity area during the reporting period included the following:

Acquisition Planning and Execution Strategy
We concluded that the FDIC’s acquisition planning process did not always result in efficient, effective, economical, and timely procurements.

We made seven recommendations to the Director, DOA, to revise certain aspects of the Acquisition Policy Manual, establish additional procedures to document the disposition of Legal Division comments, modify certain contracts, and enhance certain oversight activities of contracting officers. The Director, DOA, provided a written response to the draft report, and through subsequent discussions, all recommendations are now resolved. (Report No. 04-043, September 29, 2004.)

FDIC’s Allocation of Records Storage Costs
We conducted an audit of the FDIC’s allocation of records storage costs and determined that records storage costs were not correctly charged to the appropriate insurance and resolution funds. Specifically, from January 1996 through July 2004, the FDIC charged about $35 million in records storage costs to the BIF and SAIF that should have been charged to the Federal Savings and Loan Insurance Corporation Resolution Fund (FRF). Although the records stored by the FDIC are associated with activities that can be attributed directly to a specific fund, the FDIC allocates the expenses indirectly to the funds as corporate common services costs. As a result, the BIF and SAIF have been charged $35 million in incorrect records storage costs and could absorb an additional $11 million over the next 3 years. We identified the $46 million related to inappropriate allocation of storage costs as funds put to better use.

We recommended that the Director, Division of Finance (DOF), adjust the fund balances for the BIF, SAIF, and FRF; charge the funds appropriately for future records storage costs; and determine whether prior-year adjustments should be made to the funds’ financial statements due to the magnitude of the reallocation of records storage costs to the FRF.

The Corporation disagreed with our finding and recommendations. The Director, DOF, stated that the current allocation methodology provides a reasonable, efficient, and consistent basis for allocating costs to the funds. We requested DOF to reconsider its position and provide a subsequent response. (Report No. 04-044, September 29, 2004.)

Records Management and Storage
We concluded that the FDIC’s contract with Iron Mountain Records Management, Inc. for records storage could be more cost-effective. We reported that the FDIC could avoid costs of $5.6 to $6 million by moving records from climate-controlled storage, renegotiating certain contract terms, and obtaining permission to destroy thrift records not associated with goodwill litigation. Additionally, the FDIC could improve oversight of the contractor by verifying the application of rounding factors used to determine billable container size and reconciling actual and recorded container displacement during quarterly physical inspections.

We made nine recommendations to the Director, DOA, to make the FDIC’s contract with Iron Mountain more cost-effective and to improve contract oversight. We also recommended that the General Counsel and DOA expedite efforts related to the destruction of records for thrifts not involved in the goodwill litigation.

The Director, DOA, did not agree with four of our recommendations, and we asked DOA to reconsider its responses and provide additional comments. DOA also disagreed with all but $602,438 of our identified cost avoidances. The General Counsel agreed to take responsive action.

Based on our review, we are reporting a range of $5,151,822 to $5,573,881 for funds put to better use in this Semiannual Report to the Congress. This range has been adjusted to reflect our acceptance of DOA’s lower estimate of savings for moving microforms to general storage space. (Report No. 04-045, September 30, 2004.)

Pre-award and Post-award Contract Audits
We issued the results of one pre-award audit during the reporting period, in which we reported that two proposals related to an asset servicing strategy were reasonable and adequately supported.

We also issued one post-award contract audit report during the reporting period. The objectives of post-award audits are to determine whether amounts charged to FDIC contracts are allowable, allocable, and reasonable. We reported a total of $110,915 in questioned costs as a result of the post-award audit. As of the end of the reporting period, a management decision was pending for the amount identified as a monetary benefit.



Investigations

The Office of Investigations (OI) is responsible for carrying out the investigative mission of the OIG. Staffed with agents in Washington, D.C.; Atlanta; Dallas; and Chicago, OI conducts investigations of alleged criminal or otherwise prohibited activities that may harm or threaten to harm the operations or integrity of the FDIC and its programs. In addition to its headquarters and field sites, OI operates an Electronic Crimes Team and laboratory in Washington, D.C. The Electronic Crimes Team is responsible for conducting computer-related investigations impacting the FDIC, including employee cases involving computer abusers and providing computer forensic support to OI