Retention Strategies for Failed Insured Depository Institution Employees

August 20, 2004
Audit Report No. 04-030

FDIC
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: August 20, 2004

MEMORANDUM TO: Mitchell L. Glassman, Director, Division of Resolutions and Receiverships and Arleas Upton Kea, Director, Division of Administration

FROM: Russell A. Rau [Electronically produced version; original signed by Stephen M. Beard for Russell Rau], Assistant Inspector General for Audits

SUBJECT: Retention Strategies for Failed Insured Depository Institution Employees (Audit Report Number 04-030)

This report presents the results of the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General's (OIG) audit of the FDIC's retention strategies for failed insured depository institution employees (former institution employees). [1] The objective of this audit was to determine whether the Division of Resolutions and Receiverships (DRR) decisions for retaining and paying former institution employees to assist in the process of liquidating receiverships were reasonable and adequately supported.

BACKGROUND

The FDIC's roles and responsibilities when serving as a receiver are defined by statutory provisions in the Federal Deposit Insurance Act (FDI Act) of September 21, 1950, P.L. No. 797, as codified at 12, United States Code (U.S.C.) section 1821(d), Powers and Duties of Corporation as Conservator or Receiver. Specifically, the power to control an institution's assets includes the power to "conduct all business of the institution" (section 1821(d)(2)(B)(i)); "perform all functions of the institution  consistent with the appointment as conservator or receiver" (section 1821(d)(2)(B)(iii)); and "preserve and conserve the assets and property of such institution," section 1821(d)(2)(B)(iv). The primary objective of the FDIC as receiver is to maximize the value of the failed institution's assets in order to limit losses to the deposit insurance funds [2] and repay uninsured depositors and general creditors. [3]

As required by the FDIC Improvement Act of 1991, [4] each resolution of a failed insured financial institution [5] is to be the least costly possible under the circumstances. Within the FDIC, DRR is primarily responsible for ensuring that the requirements of the Act are fulfilled. Specifically, as stated in DRR's 2003 Strategic Plan, "DRR exists to plan and efficiently handle the resolutions of failing FDIC-insured institutions and to provide prompt, responsive, and efficient administration of failing and failed financial institutions in order to maintain confidence and stability in our financial system." To fulfill its mission, DRR monitors troubled banks and plans for resolution activities. DRR has developed policies, procedures, and other guidance to cover most aspects of these operations, including the Resolutions Handbook, Failed Financial Institutions Closing Manual (Closing Manual), and Resolutions Policy Manual.

Even before a failing financial institution is closed, DRR performs considerable work during the pre-closing period. DRR's pre-closing efforts include valuing an institution's assets to determine resolution options, estimating the liquidation value of the assets, and calculating the cost of a deposit payoff and/or loss to the insurance fund. One important DRR decision during the pre-closing period is whether to retain former institution employees to assist DRR in the operations of the receivership. DRR assesses whether retaining and paying former institution employees is the most cost-effective way to maintain asset values and ensure a smooth resolution. To retain such employees, DRR generally engages the former employees through third-party contractors or compensates the assuming bank for associated personnel costs and continues the former employees' pay. DRR may also offer various bonuses and benefits as incentives for the employees to continue working as long as their services are needed.

The primary responsibility for managing the operations of an FDIC receivership is shared by two DRR officials:

  • The Receiver-in-Charge (RIC) is the coordinator for DRR operational activities in preparing an institution for receivership and has delegated authority to act on behalf of the receivership.

  • The Closing Manager (CM) is responsible for supervising all aspects of the institution's closing and reports to the RIC.

During the audit period, DRR had no formal written policies or procedures in place related to retaining former institution employees. However, in a revision to DRR's Closing Manual, dated December 2003, procedures were added to address the use of such employees. Specifically, the manual states that in anticipation of prolonged receivership activities in the field, the RIC coordinates efforts with DRR's Asset Management Unit in establishing a field site, including consideration of the use of failed bank employees employed through the use of a payroll services or asset management contractor. The Closing Manual further states "[t]he RIC and post closing Asset Management Team leader seek recommendations from the payroll services or asset management contractors for post closing retention incentives, giving consideration to: a) cost of the incentive vs. the disruptive cost to the receivership should the employees leave, b) industry standards, and c) alternative retention strategies."

During the period covered by our audit, January 1, 2002 through October 31, 2003, 13 insured depository institutions failed with assets totaling about $3.6 billion. Of the 13 failed institutions, each of the following 4 institutions had more than $100 million in assets at the time of closing:

  • Hamilton Bank, NA (Hamilton) of Miami, Florida ($1.2 billion);
  • NextBank, NA (NextBank) of Phoenix, Arizona ($669 million);
  • Connecticut Bank of Commerce (CBC) of Stamford, Connecticut ($379 million); and
  • Southern Pacific Bank (Southern Pacific) of Torrance, California ($1.1 billion).

We selected these four institutions for review because of their size and because DRR, through third-party contractors, offered retention packages to selected former employees. [6]

RESULTS OF AUDIT

For the four institutions we reviewed, DRR's decisions to retain and pay failed institution employees to assist in the orderly transition of receiverships appeared reasonable. However, DRR could have better documented the basis for the retention decisions. In addition, DRR could have implemented better personnel security practices when hiring the former institution employees through third-party contractors.

  • DRR's decisions to retain and pay former institution employees to assist in the operations of its receiverships appeared justified given the specific circumstances of the closed institutions. Also, retention decisions were adequately communicated to, and approved by, appropriate FDIC management officials. However, to ensure that future retention decisions are adequately supported and defensible, the DRR should more fully document its considerations of (1) the cost of incentives as compared to the disruptive cost to the receivership should the former institution employees leave, (2) industry retention standards, and (3) alternative retention strategies (see Finding A: Retention Decisions).
  • DRR did not always require that former institution employees be subject to some form of background check before allowing their continued access to sensitive financial and customer information. Although no specific misuse was identified, the potential for misuse of sensitive institution and customer information by former institution employees in the operations of the receivership could place the FDIC at significant financial and reputational risk for not adequately protecting sensitive information (see Finding B: Personnel Security).

We are recommending that DRR improve policy and procedures related to assessing and documenting retention decisions and decisions related to contractor personnel security.


FINDINGS AND RECOMMENDATIONS

FINDING A: RETENTION DECISIONS

DRR's decisions to retain former institution employees from the four failed institutions we reviewed appeared reasonable given the circumstances surrounding each failure. Moreover, DRR's retention decisions were sufficiently communicated to, and approved by, the appropriate levels of FDIC management. In addition, DRR adequately documented, in qualitative terms, its comparison of the cost of the retention incentives to the cost to the receiverships should selected former institution employees leave. However, DRR did not always adequately document its consideration of industry standards and alternative retention strategies.

Documentation of Retention Strategy Decisions

DRR's December 2003 revision to its Closing Manual did not specify how DRR personnel were to document the retention considerations; therefore, for the purpose of this report, we established the following criteria for assessing the adequacy of such documentation.

  • Consideration of Incentive Cost Compared to Disruptive Cost—An analysis comparing the estimated quantitative and/or qualitative cost of retaining the former employees as compared to the estimated disruptive cost should the former employees not be retained. The analysis should contain sufficient detail so that any reasonable party could reach the same decision.

  • Consideration of Industry Retention Standards—A detailed discussion of the financial institution or company benchmarks used for determining whether DRR's retention package was reasonable.

  • Consideration of Alternative Retention Strategies—A detailed discussion, preferably supplemented with analytical information, indicating the alternative strategies considered for a particular resolution. The discussion should indicate the reasons alternative strategies were deemed unacceptable under the circumstances.

The table below summarizes our assessment of how adequately DRR documented its consideration of the elements described above for the four institutions we reviewed.

Table: DRR's Documentation of Retention Strategy Decisions

| Institution | Consideration of the Cost of the Incentive vs. Disruptive Cost to the Receivership Should the Employees Leave | Consideration of Industry Standards | Consideration of Alternative Retention Strategies |
| Hamilton | Adequately Documented | Partially Documented | Partially Documented |
| NextBank | Adequately Documented | Partially Documented | Partially Documented |
| CBC | Adequately Documented | Partially Documented | Adequately Documented |
| Southern Pacific | Adequately Documented | Partially Documented | Partially Documented |

Source: OIG analysis of documentation provided by DRR for each institution closing.

Retention Decisions for Each Institution Failure

Based on the specific circumstances of each institution failure, DRR's retention decisions appeared to be justified. For the four institutions, DRR adequately supported that the FDIC would be best served by retaining former institution employees, through third-party contractors, to assist DRR with the orderly transition of the receivership. In addition, for each of the four retention decisions we reviewed, DRR prepared a Strategic Resolution Plan (SRP) [7] to document its retention decisions and needs and a case [8] to request the necessary expenditure authority. In addition to oral statements made by DRR officials to the audit team during the audit, these two documents further supported DRR's need to retain former institution employees and evidenced that the retention decisions were sufficiently communicated to senior management.

Details on the retention decisions for the four institutions follow.

  • Hamilton

    Value of Retention Package: $2,988,089
    Maximum Terms of Retention Package:
    • Retention bonus 20 percent if employee stays until 6/30/02 (approximately 6 months after the closing date)
    • Health benefits
    • Additional bonus ranging from 5 percent to 60 percent for mission-critical employees
    No. of Retained Employees: 139
    Maximum Length of Retention: 6 months

    DRR's decision to retain former institution employees from Hamilton, which closed January 11, 2002, appeared reasonable and adequately supported based on the circumstances surrounding the resolution. During pre-closing, DRR's closing team concluded that the services of an outside asset manager would be needed to handle Hamilton's portfolio of international loans because DRR staff did not have the necessary expertise. About 140 Hamilton employees were retained through the asset management contractor for periods of up to 6 months at a total cost of about $3 million. This retention decision was communicated to appropriate FDIC management. Specifically, DRR used asset management contractors to retain and pay selected former Hamilton employees under two contracts, [9] and DRR documented its retention decision in the Hamilton pre-closing SRP, dated December 6, 2001. The SRP stated that an international credit advisory services contractor would be engaged to manage the day-to-day trade financing operation, using Hamilton personnel to the extent possible. In addition, the Hamilton failing bank case, sent to the FDIC Board of Directors on January 4, 2002, explained that a contractor was on board to provide oversight and management of the international assets in order to preserve the value of the assets and that most of Hamilton's existing loan department personnel would be retained by the contractor. The case also indicated that expenditure authority for the contract activities was provided under the Consolidated Contracting Expenditure Authority Case approved in July 1999. [10] Finally, a DRR January 24, 2002 memorandum to the DRR Receivership Oversight Committee stated that Hamilton employees would be performing specialized functions such as accounting, management information systems work, or asset marketing assistance.

    Cost of the Incentive vs. Disruptive Cost to the Receivership

    DRR adequately documented, in qualitative terms, its comparison of the cost of the retention incentive to the cost to the receivership should the employees leave. Specifically, as stated earlier, the Hamilton SRP and failing bank case clearly described DRR's rationale for using Hamilton employees, through asset management contractors, to perform certain receivership functions.

    Consideration of Industry Standards

    DRR partially documented its consideration of industry standards in the Hamilton retention decision. Specifically, one of the Hamilton cases authorizing the use of an outside contractor indicated that the two Hamilton retention packages provided comparable benefits to employees under both the asset management services contract and the temporary services contract. However, there was no evidence in any of the documents we reviewed that either DRR or its outside contractors considered industry standards in developing the retention packages.

    Alternative Retention Strategies

    DRR partially documented its consideration of alternative retention strategies. Specifically, the January 24, 2002 memorandum to the Receivership Oversight Committee identified two alternative strategies. The first alternative strategy was to employ all former institution employees under the Allen C. Ewing asset services contract, and the second strategy was to employ institution employees under a separate FDIC temporary services contract. However, DRR's documentation of alternative retention strategies would have been more complete had the memorandum clearly indicated why alternative strategies were deemed unacceptable.

  • NextBank

    Value of Retention Package: $37,087,000
    Maximum Terms of Retention Package:
    • Terms and conditions identical to current employment (salaries and benefits)
    • Retention bonuses up to 4 months' salary
    No. of Retained Employees: 454
    Maximum Length of Retention: 6 months (with one 3-month extension)

    DRR's decision to retain selected employees, through the use of a contractor, following the failure of NextBank, closed on February 7, 2002, appeared reasonable and adequately supported based on the circumstances of the resolution. Specifically, DRR decided to negotiate with NextCard, Inc. (NextCard) — NextBank's holding company [11] — to retain NextCard's servicing employees because of the complex and specialized nature of the servicing operation and to attempt to avoid the early amortization of a related securitization. [12] This was necessary because NextBank had virtually no employees of its own, and DRR believed that the loss of the NextCard servicing employees would have had an adverse effect on the value of NextBank's assets.

    NextBank, one of the first Internet banks, focused on the subprime loan market and sold a number of products and credit card plans with unique features. According to a DRR official, credit cards represent a unique type of asset, and the FDIC needed to retain the expertise of the holding company's employees to help manage the credit card operations. Additionally, DRR concluded that experienced servicing staff were needed to run the specialized software used to maintain the credit card accounts. According to DRR officials, at the time of the closing, Phoenix, Arizona, was a hot market for the services required by the receivership, and the closing team was concerned that it would lose a number of needed servicing employees if a retention package was not offered. In total, about 450 NextCard employees were retained through a contractor for about 6 months at an estimated cost of $37 million.

    DRR's NextBank retention decision was adequately communicated to appropriate FDIC management. Specifically, the NextBank SRP, dated February 26, 2002, clearly showed plans to retain NextCard servicing employees under a temporary employment contract. Similarly, in a memorandum to the FDIC Board of Directors, dated February 28, 2002, the Director, DRR, communicated the intent to retain NextCard servicing employees to assist with the operations of the receivership.

    Cost of the Incentive vs. Disruptive Cost to the Receivership

    DRR adequately documented, in qualitative terms, its comparison of the cost of the retention incentive to the cost to the receivership should the employees leave. Specifically, the NextBank SRP, dated February 26, 2002, stated that the least disruptive, most logical, and most cost-effective method for completing the sale and transfer of assets would be to retain NextCard servicing employees under a temporary employment contract. The Director, DRR, included similar language in the case memorandum, dated February 28, 2002, to the FDIC Board of Directors. The case also summarized the proposed retention expenses and provided estimated costs under the agreement and the cost for the existing servicing employees.

    Consideration of Industry Retention Standards

    DRR partially documented its consideration of industry retention standards. According to a DRR official, based on instructions in its basic ordering agreement (BOA), a temporary employment contractor initially developed a retention package. Once the contractor developed the package, DRR's closing team shared the retention package with another contractor, First Annapolis Consulting, [13] for its assessment of the reasonableness of the package. However, there was no indication of other company or industry retention packages that were used as benchmarks for comparison purposes.

    Alternative Retention Strategies

    DRR partially documented its consideration of alternative retention strategies. As previously discussed, before NextBank was closed, DRR's closing team made the decision to negotiate with NextCard to retain its servicing employees through a contractor because of the complexity of the credit card operation. Although the decision to retain servicing employees through a payroll contractor was well documented in the SRP and DRR Director's memorandum to the FDIC Board, DRR did not clearly document why alternative strategies were deemed unacceptable.

  • Connecticut Bank of Commerce

    Value of Retention Package: $1,755,431
    Maximum Terms of Retention Package:
    • Health insurance
    • Overtime pay at 1.5 times the straight time rate
    • Bonus of 20 percent of base annual salary
    No. of Retained Employees: 34
    Maximum Length of Retention: 5 months

    DRR's decision to retain former institution employees from CBC, which closed June 26, 2002, appeared reasonable and adequately supported based on the circumstances surrounding the resolution. According to DRR officials, CBC's loan portfolios included a complex mix of manufacturing loans, and CBC's employees had the expertise and institutional knowledge that the FDIC staff did not possess. Approximately 34 former CBC employees were retained through a contractor for about 5 months, until the sale and transfer of assets was completed, at an estimated cost of $1.8 million.

    DRR adequately communicated its decision to retain former CBC employees through an asset management contractor. Specifically, in the SRP for CBC, dated July 5, 2002, DRR clearly stated its intent to retain selected CBC employees. The SRP for CBC stated that to maintain the continuity and value within the different portfolio lines and to be as non-disruptive as possible, the FDIC staff would work with former CBC employees. The SRP also concluded that hiring former CBC employees was the least disruptive and most logical and cost-effective way to maintain the value of the loan portfolio. Also, a July 9, 2002 case memorandum approved by the RIC stated that due to the specialized nature of the receivership's asset base, it was essential that the FDIC retain selected bank employees during the closing and marketing process.

    Cost of the Incentive vs. Disruptive Cost to the Receivership

    DRR adequately documented its comparison of the cost of the retention incentive to the cost to the receivership should the former CBC employees leave. The CBC SRP and case memorandum indicated that in maintaining the value of the CBC portfolio during the receivership, DRR considered it cost-beneficial to use CBC employees already living in the New York City and southwestern Connecticut areas as compared to temporarily housing FDIC staff in this high-cost area.

    Consideration of Industry Retention Standards

    DRR partially documented its consideration of industry retention standards in the retention decision for CBC. Although DRR officials stated that the retention packages for the retained CBC employees were based on the employees' previous earnings (with some reduction in benefits), there was no indication of other company or industry retention packages that were used as benchmarks for comparison purposes.

    Alternative Retention Strategies

    DRR adequately documented its consideration of alternative retention strategies. Specifically, in addition to recommending that selected former CBC employees be used during the closing and marketing process, the July 9, 2002 case memorandum included the following alternatives: (1) using FDIC personnel to perform all the receivership functions or (2) contracting with the assuming bank for interim portfolio servicing. The case also contained a section entitled Substantiation, which briefly described the advantages of retaining former CBC employees.

  • Southern Pacific

    Value of Retention Package: $625,000
    Maximum Terms of Retention Package:
    • Bonus of 5 percent of annual compensation plus 40 hours at employee's hourly rate for each month the employee remains beyond 4/1/03 (approximately 2 months after the closing date)
    • Maximum bonus of 160 hours plus 5 percent of annual compensation
    No. of Retained Employees: 126
    Maximum Length of Retention: 6 months

    DRR's decision to retain former institution employees, through an asset management contractor, from Southern Pacific Bank, which closed February 7, 2003, appeared reasonable and adequately supported based on the circumstances surrounding the resolution. Specifically, Southern Pacific's unique lending activities included asset-based lending; loans to the airline, technology, and communications industries; and operation of a division that provided financing for independent motion picture productions — areas in which DRR claimed to have had little expertise in marketing and liquidating. Accordingly, DRR's Asset Management Unit considered it better for the FDIC to retain the service of an outside asset management contractor. The retention decision was further supported by language in a February 24, 2003 memorandum from the asset management contractor to the Oversight Manager. The memorandum requested that incentive compensation be authorized to retain selected former Southern Pacific employees, stating that the receivership was thinly staffed and that the remaining Southern Pacific personnel were deemed critical to the successful liquidation of receivership assets and the winding up of bank affairs. Ultimately, 126 Southern Pacific Bank employees were retained through an asset management contractor for about 6 months at an estimated cost of $625,000.

    DRR adequately communicated its decision to retain former Southern Pacific employees. Specifically, an expenditure case, dated November 20, 2002, submitted to the Director of DRR, requested authorization to hire an asset management contractor to assist in the liquidation, administration, and servicing of the Southern Pacific Bank loan portfolio. The case also stated that the contractor would use its best efforts to ensure that the FDIC realized maximum return and required the contractor to assess bank personnel to determine retention post-closing to continue the asset management and servicing functions. The SRP, dated January 17, 2003, also discussed the use of an asset management contractor and Southern Pacific employees.

    Cost of the Incentive vs. Disruptive Cost to the Receivership

    DRR adequately documented, in qualitative terms, its comparison of the cost of the incentive package to the cost to the receivership should the former Southern Pacific employees leave. Specifically, the SRP indicated that an asset management contractor would be needed due to the complexity, size, and volume of Southern Pacific's commercial loan assets.

    Consideration of Industry Retention Standards

    DRR partially documented its consideration of industry retention standards in its retention decision for Southern Pacific. Although the contractor-developed retention package (provided to the FDIC for its approval) compared the proposed Southern Pacific retention costs to those of Hamilton Bank, DRR's retention decision would have been more fully documented had DRR provided documentation showing the contractor used other company or industry retention packages as benchmarks for comparison purposes.

    Alternative Retention Strategies

    DRR partially documented its consideration of alternative retention strategies. As previously stated, the Southern Pacific SRP and case memorandum adequately documented DRR's decision to use an outside asset management contractor to hire former Southern Pacific employees to perform the liquidation services. However, DRR's documentation of alternative retention strategies would have been more complete had the SRP or case memorandum clearly addressed the comparative advantages of alternative strategies.

Conclusion and Recommendation

Overall, DRR's decisions to retain former institution employees from the four failed institutions we reviewed appeared reasonable, given the circumstances of each failure. Moreover, DRR's retention decisions were sufficiently communicated to the appropriate FDIC management level. Nonetheless, DRR should clearly document future retention decisions to ensure they are fully supportable and defensible.

We recommend that the Director, DRR:

(1) Establish guidance in the Failed Financial Institution Closing Manual that clarifies the nature and extent of analysis that should be conducted and documented by the RIC and post-closing Asset Management Team Leader for use in assessing the consideration given to (a) the costs to the receivership of retention incentives in comparison to the costs should former institution employees leave, (b) industry retention standards, and (c) alternative retention strategies.

FINDING B: PERSONNEL SECURITY

DRR can better protect against the misuse of sensitive financial and customer information by former institution employees retained to assist in liquidating receiverships. Specifically, DRR did not always require some level of background investigation for former institution employees prior to, or soon after, gaining access to sensitive information. The appropriate level of background investigation is dependent on the circumstances surrounding a particular closing, including the duration of the receivership, personnel security controls in place at the former institution, and the nature of the information available. Consideration of the need for some level of background investigation is important because former institution employees were expected to remain at the four institutions for up to 9 months, thereby placing sensitive institution and customer information at risk of potential compromise.

Policy and Procedures for Contractor Security

FDIC policy and procedures regarding contractor security are contained in FDIC Directive 1610.2, Security Policy and Procedures for FDIC Contractors and Subcontractors, dated August 1, 2003. Directive 1610.2 describes a background investigation as a check or checks that DOA completes for contractors and their personnel to ensure they meet minimum security and fitness standards as set forth by the FDIC. As stated in the directive, the checks include:

  • fingerprint criminal records checks by the Federal Bureau of Investigation (FBI);
  • checks of various on-line data bases, such as Lexis/Nexis, Dun and Bradstreet, and the General Services Administration Debarred and Suspended Bidders List; and
  • various background investigations conducted by the U.S. Office of Personnel Management (OPM).

However, the directive also exempts contractor employees at receiverships from the background requirements. Specifically, the directive states: ". . . no background investigation or fingerprint checks shall be required when a receivership is created, except when a receivership is of a long-term nature. . . ."

Standards for Safeguarding Consumer Information

In Financial Institution Letter (FIL), FIL-22-2001, Security Standards for Customer Information, dated March 14, 2001, the FDIC, Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Office of Thrift Supervision jointly approved and issued standards for safeguarding customer information as required by the Gramm-Leach-Bliley Act (GLBA). [14] The FIL describes the agencies' expectations for creating, implementing, and maintaining an information security program, to include administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. The objectives of the standards are to:

  • ensure the security and confidentiality of customer information,

  • protect against any anticipated threats or hazards to the security or integrity of such information, and

  • protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

The FIL also describes the oversight role of the institution's board of directors in this process and its continuing duty to evaluate and oversee the program's overall status. Institutions are required to:

  • identify and assess the risks that may threaten customer information;

  • develop a written plan containing policies and procedures to manage and control the risks;

  • implement and test the plan; and

  • adjust the plan on a continuing basis to account for changes in technology, sensitivity of customer information, and internal or external threats to information security.

Additionally, the FIL describes the elements of a comprehensive risk-management plan designed to control identified risks and achieve the overall objective of ensuring the security and confidentiality of customer information. These elements identify the factors that an institution should consider in evaluating the adequacy of its policies and procedures to effectively manage risks commensurate with the sensitivity of customer information and the complexity and scope of the institution and its activities. The FDIC, acting in its receivership capacity, could reasonably be expected to comply with these guidelines. More specifically, the RIC and Contracting Officer should take steps consistent with those described for a board of directors to ensure security, confidentiality, and integrity of sensitive information, including that of customers.

    Background Investigations for Retained Institution Employees

    DRR retained about 750 employees from the four failed institutions we reviewed to assist in resolution activities utilizing the services of various contractors. These former institution employees, working for contractors, assisted DRR in managing receivership assets valued at over $3.3 billion. In managing the receivership assets, the former employees had access to sensitive financial information, including loan files and bid packages. In addition, the former institution employees had access to sensitive customer information, including account balances, social security numbers, addresses, and telephone numbers. Nevertheless, background investigations and fingerprinting were only completed for former Hamilton employees. [15]

    We recognize that the expense of obtaining FBI fingerprint checks or OPM background investigations for failed institution employees may not be warranted when a receivership is expected to last only a few weeks. However, such efforts are warranted when the use of former institution employees is expected to last several months. Although the DRR closing team may have closely monitored the employees from the four institutions we reviewed, the employees were expected to remain at the institutions up to 9 months. Therefore, an adequate consideration of the need for a particular level of background investigation is important because former institution employees clearly had an opportunity to compromise sensitive institution and customer information. In assessing the need for additional personnel security requirements, the personnel security program the institution had in place at the time it was closed may affect the decision.

    Conclusion and Recommendations

    Although we found no evidence that any of the failed institution employees misused the sensitive information to which they had access, the potential for misuse placed the FDIC and former institution customers at risk of compromise. For example, with respect to the FDIC, loan file information could be inappropriately shared with potential bidders, which could negatively impact the results of institution loan sales. Additionally, former institution customers could be at risk of identity theft, [16] which can cause significant financial harm to the customer. Therefore, DRR needs to assess the risk associated with former institution employees gaining access to sensitive information before such access is granted.

    We recommend that the Director, DRR, in conjunction with the Director, DOA:

    (2) Revise Directive 1610.2 to include guidance for determining when a receivership is of a long-term nature and warrants consideration of background investigations for retained failed institution employees.

    We recommend that the Director, DRR:

    (3) Revise the Closing Manual to require that the RIC and the post-closing Asset Management Team Leader assess the risk of compromise of sensitive institution and customer information for each failed insured depository institution that will require a long-term receivership and for which former institution employees will be retained. Based on the assessment, a decision should be made regarding whether any or all of the following should be completed for the retained institution employees: background investigations, fingerprint checks, credit checks, or signed statements of nondisclosure.

    (4) Revise the Closing Manual to require that the RIC and the post-closing Asset Management Team Leader document the results of the risk assessment described in recommendation 3 in the receivership's Strategic Resolution Plan and/or subsequent post-closing receivership reports.

    CORPORATION COMMENTS AND OIG EVALUATION

    On August 11, 2004, the DRR Director provided a written response to a draft of this report. The response is presented in Appendix II to this report. The Director concurred with all four recommendations. A summary of the Director's response to each of the four recommendations and our analysis follows. See Appendix III for additional details on the status of the recommendations.

    (1) Establish guidance in the Failed Financial Institution Closing Manual that clarifies the nature and extent of analysis that should be conducted and documented by the RIC and post-closing Asset Management Team Leader for use in assessing the consideration given to (a) the costs to the receivership of retention incentives in comparison to the costs should former institution employees leave, (b) industry retention standards, and (c) alternative retention strategies.

    DRR management agreed with this recommendation. The response indicated that DRR will review current guidelines and, where necessary, clarify or compose additional guidelines for inclusion in the Failed Financial Institution Closing Manual by October 31, 2004.

    Management's planned actions are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions have been completed and are effective.

    (2) Revise Directive 1610.2 to include guidance for determining when a receivership is of a long-term nature and warrants consideration of background investigations for retained failed institution employees.

    DRR management agreed with this recommendation. DRR, in conjunction with DOA, will establish guidelines by December 31, 2004 that define a long-term receivership and address receiverships that are considered long-term in nature.

    Management's planned actions are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions have been completed and are effective.

    (3) Revise the Closing Manual to require that the RIC and the post-closing Asset Management Team Leader assess the risk of compromise of sensitive institution and customer information for each failed insured depository institution that will require a long-term receivership and for which former institution employees will be retained. Based on the assessment, a decision should be made regarding whether any or all of the following should be completed for the retained institution employees: background investigations, fingerprint checks, credit checks, or signed statements of nondisclosure.

    DRR management agreed with this recommendation. DRR will review the risk assessment guidelines contained in DOA Directive 1610.2 and will revise the Closing Manual as it pertains to the retention of employees of a failed institution and their involvement with customer information in a long-term receivership. Management plans to complete the revisions by December 31, 2004.

    Management's planned actions are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions have been completed and are effective.

    (4) Revise the Closing Manual to require that the RIC and the post-closing Asset Management Team Leader document the results of the risk assessment described in recommendation 3 in the receivership's Strategic Resolution Plan and/or subsequent post-closing receivership reports.

    DRR management agreed with this recommendation. The documentation required to be retained will be addressed in the guidelines discussed in response to recommendation 3. Revisions to the guidelines will be completed by December 31, 2004.

    Management's planned actions are responsive to the recommendation. The recommendation is resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions have been completed and are effective.



    APPENDIX I

    OBJECTIVE, SCOPE, AND METHODOLOGY

    Objective and Scope

    The objective of this audit was to determine whether the DRR's decisions for retaining and paying failed insured depository institution employees (former institution employees) who assist in the liquidation process are reasonable and adequately supported. The audit focused on determining compliance with and adequacy of existing policies and procedures and identifying opportunities for minimizing losses to the insurance funds through reduced expenses associated with retaining former institution employees.

    Our audit scope included the four insured depository institutions that failed from January 1, 2002 through October 31, 2003 and for which retention salaries, bonuses, and benefits were paid for certain employees: Hamilton Bank, NA (Hamilton) of Miami, Florida; NextBank NA (NextBank) of Phoenix, Arizona; Connecticut Bank of Commerce of Stamford, Connecticut; and Southern Pacific Bank of Torrance, California. Those failed institutions were selected based on the value of assets each institution had at closing, specifically, those institutions that had assets greater than or equal to $100 million.

    We performed our work from October 2003 through April 2004 in accordance with generally accepted government auditing standards.

    Methodology

    We focused on obtaining an understanding of the resolution process, especially the decision-making process for retaining and paying former institution employees. In doing so, we also obtained a general overview of selected aspects of the FDIC contracting process, which was key to the retention of former institution employees. A discussion of the activities we performed during the audit follows.

    To gain an understanding of the legislation, policies, and procedures regarding this subject, we reviewed the:

    • Federal Deposit Insurance Act;
    • FDIC Improvement Act of 1991;
    • FDIC's Failed Financial Institution Closing Manual;
    • DRR's Resolutions Policy Manual; Resolutions Handbook; and Quick Guide to FDIC Closings;
    • DRR's 2003 Strategic Plan; the FDIC 2003 Corporate Annual Performance Plan; the 2002 DRR Accomplishments Report; as well as current initiatives and projects;
    • DRR's 2002 Management Control Plan and Listing of Accountability Units;
    • FDIC Directive 3700.16, FDIC Acquisition Policy Manual; and
    • FDIC policies and procedures related to privacy and personnel security, including FDIC Directive 1610.2, Security Policy and Procedures for FDIC Contractors and Subcontractors, dated August 1, 2003.

    Our methodology also included interviewing DRR Receivership Operations and Internal Review management and staff in Washington, D.C., and Dallas, Texas. We also interviewed DRR and DOA contracting officials. Additionally, we obtained an understanding of the resolution process and each institution closing within our sample. Finally, we reviewed specific controls in place related to DRR's consideration of retention strategies and decisions.

    To determine whether DRR's decisions for retaining and paying former institution employees were reasonable, we assessed the:

    • number of former institution employees retained to assist in the resolution process;
    • terms and conditions of retention packages, including amounts of retention salaries, bonuses, and benefits paid to the former institution employees;
    • period during which the former institution employees would be retained and paid until they were released; and
    • reasons the former institution employees were considered critical for the resolution process.

    To determine whether DRR's decisions for retaining and paying former institution employees were adequately supported, we assessed the following:

    • Key documents related to DRR's decisions for retaining and paying former institution employees for each of the four failed institutions, including:

      • strategic resolution plans for language regarding the anticipated number, need, cost, and length of time for retaining and paying former institution employees;
      • cases requesting expenditure authority for retaining and paying former institution employees; and
      • contract records, including the Statements of Work, and FDIC general contract provisions relating to payroll services contractors and asset management contractors used to hire former institution employees to perform failed institution work.

    • The case requesting expenditure authority for hiring former institution employees to ascertain whether: (1) matters giving the appearance of an unusual, excessive, or unreasonable nature, such as the payment of retention bonuses, should be brought to the attention of FDIC management, and (2) the retention payment ceilings were set.

    In addition, regarding sensitive financial and customer information, we interviewed DRR and DOA officials to determine:

    • the specific FDIC and DRR information systems used at receiverships;

    • access privileges granted to contractor and former institution employees in using FDIC and DRR information systems;

    • whether background investigations and fingerprint checks were performed for contractor/former institution employees; and

    • whether any of the four failed institutions in our audit had a personnel security program and, if so, the steps taken by either the contractor or the FDIC, in addition to meeting contract requirements, to ensure that the program was adequate before former institution employees were brought on board.

    Our methodology also included the following:

    • Reviewing FDIC contracts with payroll services contractors and asset management contractors for provisions related to personnel security.

    • Interviewing headquarters officials, including DRR's Information Security Officer, DOA Security Staff, a Legal Division attorney, and OIG Counsel.

    • Verifying the accuracy of DRR's comparison of names of contractor/former institution employees employed at the four failed institutions with data in the FDIC's Access Control Entry System to ascertain whether the employees had system access during closings and post-closings.

    • Reviewing prior OIG audit and evaluation reports covering FDIC information, personnel, and systems-specific security:

      • FDIC's Personnel Security Program (Report No. 04-016, dated March 30, 2004)
      • Implementation of the Gramm-Leach-Bliley Act Privacy Provisions (Report No. 03-044, dated September 26, 2003)
      • Control Over Use and Protection of Social Security Numbers by Federal Agencies (Report No. 03-012, dated February 14, 2003)
      • Information Security Management of FDIC Contractors (Report No. 03-043, dated September 23, 2003)
      • FDIC's Information Handling Practices for Sensitive Employee Data (Report No. 00-006, dated October 10, 2000)


    APPENDIX II

    CORPORATION COMMENTS

    Corporation Comments - Page 1
    Corporation Comments - Page 2



    APPENDIX III

    MANAGEMENT RESPONSE TO RECOMMENDATIONS

    This table presents management's response to the recommendations in our report and the status of the recommendations as of the date of report issuance.

    | Rec. Number | Corrective Action: Taken or Planned/Status | Expected Completion Date | Monetary Benefits | Resolved [a]: Yes or No | Dispositioned [b]: Yes or No | Open or Closed [c] |
    |---|---|---|---|---|---|---|
    | 1 | DRR will review current guidelines and, where necessary, clarify or compose additional guidelines for inclusion in the Failed Financial Institution Closing Manual. | October 31, 2004 | N/A | Yes | No | Open |
    | 2 | DRR, in conjunction with DOA, will establish guidelines to address receiverships that are considered long-term in nature. | December 31, 2004 | N/A | Yes | No | Open |
    | 3 | DRR will review the risk assessment guidelines contained in DOA Directive 1610.2 and will revise the Closing Manual as it pertains to the retention of employees of a failed institution and their involvement with customer information in a long-term receivership. | December 31, 2004 | N/A | Yes | No | Open |
    | 4 | DRR will develop guidelines in the Closing Manual requiring documentation of a risk assessment and a notation in the post Strategic Resolution Plan that the assessment has been completed. | December 31, 2004 | N/A | Yes | No | Open |

    a Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
    (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
    b Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.
    c Once the OIG dispositions the recommendation, it can then be closed.

    Last updated 10/07/2004