Division of Supervision and Consumer Protection's Assessment of Bank Management

September 8, 2004
Audit Report No. 04-033

FDIC
Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: September 8, 2004

MEMORANDUM TO: Michael J. Zamorski, Director, Division of Supervision and Consumer Protection

FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau], Assistant Inspector General for Audits

SUBJECT: Division of Supervision and Consumer Protection's Assessment of Bank Management (Audit Report Number 04-033)

This report presents the results of our audit of the Federal Deposit Insurance Corporation's (FDIC) process for evaluating bank management. The examiners' assessment of management is a key factor in determining an institution's safety and soundness composite rating, [1] and management is one of the six components in the composite rating. The objective of the audit was to determine whether the process used by the FDIC to assess bank management during safety and soundness examinations of FDIC-supervised financial institutions is adequate. To accomplish our objective, we reviewed Division of Supervision and Consumer Protection (DSC) policies and procedures for evaluating bank management. We also selected a sample of problem banks [2] located in two of DSC's six regional offices and analyzed FDIC and state regulators' reports of examination (ROE). Appendix I of this report discusses our objective, scope, and methodology in detail.

BACKGROUND

Corporate governance is generally defined as the fulfillment of the broad stewardship responsibilities entrusted to the board of directors (BOD), officers, and external and internal auditors of a corporation. Certain provisions of the Sarbanes-Oxley Act of 2002 [3] mirror existing FDIC and the other banking agency policy guidance related to corporate governance such as regulatory reporting and annual audit requirements for banks that have $500 million or more in total assets. [4] Although other provisions in the Sarbanes-Oxley Act represent sound corporate governance practices, the provisions are generally not mandatory for smaller, non-public institutions. However, the FDIC does recommend that each institution consider implementing selected provisions of the Sarbanes-Oxley Act commensurate with its size, complexity, and risk profile.

The failure of senior management, BODs, and auditors to effectively carry out their duties has contributed to recent financial institution failures. Furthermore, a common element we observed in many of the failed bank material loss reviews [5] is that a dominant bank official had a direct impact on the failure of the bank. The last three bank failures we reviewed were attributed, in large part, to a dominant official at the bank. [6]

According to the DSC Manual of Examination Policies (DSC Manual), the quality of management is probably the single most important element in the successful operation of a bank. DSC's definition of "management" includes the BOD, which is elected by the shareholders, and executive officers, who are appointed to their positions by the BOD.

Regarding dominant bank officials, the DSC Manual states:

Supervisory authorities are properly concerned about the "One Man Bank" wherein the institution's principal officer and stockholder dominates virtually all phases of the bank's policies and operations.  Over the years, an officer can influence the election of a sufficient number of directors so that the officer is ultimately able to dominate the board and the affairs of the bank.

There are at least two potential dangers inherent in a "One Man Bank" situation. First, incapacitation of the dominant officer may deprive the bank of competent management, and  may render the bank vulnerable to dishonest or incompetent replacement leadership. Second, problem cases resulting from mismanagement of such a bank's affairs are more difficult to solve through the normal course of supervisory efforts designed to induce corrective action by the bank.

DSC has compiled the Management and Internal Control Evaluation Examination Documentation Module (Management ED Module), [7] dated November 2003, as an examination tool that provides procedural guidelines for examiners to consider in the evaluation of bank management. In accordance with Regional Directors Memorandum Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules, [8] dated September 25, 2001, use of the ED modules is discretionary. However, the memorandum also recognizes that the ED modules are excellent training and reference tools that provide consistency and standardized procedures. The Management ED Module instructs examiners to perform a preliminary review of BOD and committee minutes; changes in the bank's management and directorate; and prior examination reports, workpapers, and correspondence. The module also instructs examiners to review the following areas:

  • Board and Management Supervision,
  • Control Environment,
  • Risk Assessment,
  • Control Activities,
  • Information and Communication,
  • Monitoring, and
  • Audit and Other Independent Reviews.

Examiners are instructed (1) to complete other ED modules containing specific procedures that provide insight into management and internal controls [9] in major risk areas or (2) to evaluate the other risk areas prior to assigning an overall assessment of management and internal controls. During the pre-examination planning process, examiners are also instructed to consider various risk scoping procedures at each examination. However, these procedures do not specifically instruct examiners to identify or consider the presence of a dominant official in the planning of examination procedures.

In accordance with the DSC Manual, a bank's performance with respect to asset quality and diversification, capital adequacy, earnings capacity and trends, and liquidity and funds management is, to a very significant extent, a result of decisions made by the bank's directors and officers. Consequently, examiners' findings and conclusions in regard to the other five elements of the CAMELS rating system are often major determinants of the management rating.

The results of our analysis indicate that the management component rating is more closely linked to the overall CAMELS composite rating than the other five component ratings (see Appendix III).

RESULTS OF AUDIT

The process used by DSC examiners to assess bank management and controls during safety and soundness examinations of FDIC-supervised financial institutions is adequate. However, based on our review of six open banks with composite "5" ratings, there are opportunities for improving the regulatory oversight of banks that have a dominant official with significant influence over bank operations. More specifically, examiner guidance could be strengthened with respect to evaluating the risks imposed by dominant officials and to assessing and recommending mitigating controls when a financial institution has that corporate structure. Failure to appropriately evaluate and assess such risks increases the opportunity for fraud or mismanagement to go undetected and uncorrected, and as evidenced by prior material loss reviews, poor corporate governance can ultimately contribute to the failure of an institution.

Within the framework of the existing examination procedures, the risks of a dominant official should be considered as a part of the pre-examination planning and scoping process to the extent that this risk is observed at the senior corporate level. The examiners should also consider examination steps that will assist in the evaluation of the level of risk and the quality of mitigating controls at the bank. Therefore, we are recommending that DSC establish a consolidated set of instructions to ensure that examiners consider the presence of a dominant individual as a risk factor during the pre-examination review process, ensure examiners evaluate specific aspects of corporate governance when a bank has a dominant official, and provide specific corrective and mitigating actions that examiners may recommend in such circumstances.

DOMINANT OFFICIAL'S INFLUENCE ON A FINANCIAL INSTITUTION

The six open institutions we reviewed with composite "5" ratings have critically deteriorated under the influence of a dominant official such as a bank president, chief executive officer (CEO), or board chairman. Based on the definition of a "5" rated institution, these banks pose a significant risk to the deposit insurance fund, and failure is highly probable. Although DSC has established guidance on the various areas discussed in this report, the guidance is not consolidated into a comprehensive set of instructions for examiners on how to identify, assess, and control/mitigate risk posed by a bank with a dominant official and to expand examination procedures, when appropriate. The lack of such instructions may have contributed to examiners not adequately identifying and assessing the risks associated with a dominant official or recommending mitigating controls in a timely or effective manner at the six banks we reviewed.

Dominant Official as a Risk Factor

We determined that each of the six banks had a similar risk element in its corporate governance structure, that is, the bank was controlled by a dominant official. In considering control of a bank by a dominant official as a risk factor, we identified, at a minimum, six potential areas of control that examiners should evaluate to determine the degree of control by a dominant official and to determine the need for recommendations to improve the overall control structure. The six potential areas of control and associated weaknesses we identified in DSC's examinations of the institutions we reviewed follow:

  • Segregation of Duties [10] – Examiners did not identify an inadequate segregation of duties and did not recommend that key duties and responsibilities be divided among various individuals.

  • Active and Informed BOD Oversight – Examiners did not always identify an inactive and/or uninformed BOD until the bank's financial condition significantly deteriorated. In some cases, when earlier detection of these deficiencies was noted, examiners were unable to sufficiently persuade bank management to improve the control environment.

  • Outside/Independent Directors – Examiners did not always identify the need for and assess the role of outside/independent directors.

  • External and Internal Audits – Examiners did not always provide a discussion or analysis of the need for an annual financial audit, [11] adequacy of internal audit personnel and related functions, or rationale for changes in external auditors, even though weaknesses were identified.

  • Code of Conduct and Conflicts of Interest Policies – Examiners' reviews of the banks' code of conduct and conflicts of interest policies were inconsistent. Although some of the banks had established policies, significant conflicts and apparent violations were evident.

  • External and Internal Loan Review – Examiners generally recognized the absence or inadequacies of the banks' loan review programs; however, sufficient and timely actions were not taken to substantially improve the loan oversight process.

Although each of these control areas is addressed, to some degree, in various DSC policies and procedures, the guidance does not address these issues in the context of banks that are controlled by a dominant official. Nor does the guidance provide examiners with instruction on how to (1) identify and consider a dominant official during the pre-examination scoping process, (2) review these areas in the overall assessment of management, (3) identify and assess other possible mitigating controls, and (4) develop and recommend alternative courses of action to mitigate the risk from a dominant official. Therefore, we are providing specific areas of consideration that examiners should use in assessing a bank's control environment and in recommending improvements to a bank's control structure when a dominant official is present. These specific areas of consideration should be incorporated into a comprehensive set of instructions that provides examiners with a structured review process for the risk factor of a dominant official. When examiners assess the risk profile and control environment of a bank, with respect to institutions that are controlled by a dominant official, we suggest that at a minimum, examiners should consider and assess whether:

  • An appropriate segregation of duties and responsibilities is achieved or alternative actions are taken to mitigate the level of control exercised by the one individual.

  • Director involvement in the oversight of policies and objectives of the bank is at an appropriate level.

  • A diverse board membership provides the bank with an assortment of knowledge and expertise, including, but not limited to, banking, accounting, and the major lending areas of the bank's target markets.

  • There are a sufficient number of outside and independent directors.

  • Committees of major risk areas exert a proper level of function, responsibility, and influence, and the value of the committees is exhibited in the decision-making process.

  • A proper level of independence has been achieved for board committees of major risk areas, including, but not limited to, audit committees.

  • An adequate audit committee [12] has been established with only, or at least a majority of, outside directors.

  • A need exists for the performance of annual financial audits by an independent certified public accounting firm.

  • A qualified, experienced, and independent internal auditor is in place at the bank.

  • A proper segregation of the internal audit function is achieved from operational activities.

  • An appropriate rationale was established regarding changing a bank's external auditors, independent of oral discussions with bank management, including, but not limited to, a review of the audit committee minutes or a review of auditor notifications.

  • An adequate written code of conduct and ethics and conflicts of interest policies has been established.

  • A need exists for the bank's BOD to perform and report on an annual conflicts of interest and ethics review. [13]

  • A need exists for a bank to engage outside consultants to conduct an external loan review.

  • A proper segregation of the internal loan review process is established.

For the six banks reviewed, we evaluated DSC's assessment and application of each of these areas as a potential control that could have served to mitigate the risk posed by a dominant official. In general, we concluded that examiners should have placed greater emphasis on strengthening a bank's corporate governance structure. More specifically:

  • the examiners' analyses and recommendations did not adequately address the influence of the dominant official;
  • recommendations, including provisions within supervisory actions, were not made on a timely basis; and
  • additional measures could have been taken earlier by DSC to help mitigate the risks posed by a dominant official.

A detailed discussion of our results is provided in Appendix II.

FDIC Initiatives and DSC Policies and Procedures on Corporate Governance

The FDIC has initiated various measures designed to assess and improve controls that mitigate the risk posed by weaknesses in corporate governance. Such measures include reviewing the bank's BOD activities, ethics policies and practices, and auditor independence requirements. Further, the FDIC reviews the financial disclosure and reporting obligations of publicly traded state nonmember financial institutions. Other corporate governance initiatives include issuing Financial Institution Letters, [14] allowing bank directors to participate in regular meetings between examiners and bank officers, maintaining a "Directors' Corner" on the FDIC's public Web site, and expanding the Corporation's "Directors' College" [15] program.

Additionally, as stated earlier, DSC has policies and procedures in place with respect to examining corporate governance, although in some instances, governing regulations that stipulate formal controls are primarily applicable to larger banks with total assets equal to or over $500 million. However, when risks in smaller institutions are increased by the presence of a dominant chairman, president, or majority shareholder at either the bank or holding company [16] level, corporate governance requirements applicable to larger institutions may be necessary. DSC senior management noted that most of the FDIC's supervised banks are small institutions and that about 52 percent of FDIC-supervised banks have $100 million or less in total assets. Senior management stated that corporate governance and the issues brought about by the presence of a dominant official present a challenge, to some degree, for these small banks. In particular, any policy and procedural change must be considered in correlation with concerns about the regulatory burden that may be imposed and about the "cost vs. benefit" relationship that may exist. [17]

CONCLUSIONS AND RECOMMENDATIONS

The FDIC has made significant strides in addressing corporate governance issues; however, they remain a key concern. The presence of a dominant official heightens the risk profile of an institution and could ultimately pose a greater risk to the insurance funds. An effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution's size. If management controls are properly designed and effectively applied, examiners are encouraged to place greater reliance on the control systems and limit or, in some cases, eliminate the scope of their review. Therefore, failure to identify and appropriately assess a weak control environment, or a control environment that can be easily circumvented or manipulated by one individual, increases the risk that errors, omissions, and fraud may go undetected and uncorrected. Furthermore, high-risk and improperly managed activities may also remain undetected and not assessed by examiners on a timely basis. Accordingly, when a weakness is identified in a bank's control environment, examiners are expected to perform additional testing or review procedures. Due to the complexity of corporate governance oversight and the increased level of inherent risk at financial institutions dominated by one official, a comprehensive set of instructions is needed to facilitate the supervisory review process regarding a dominant official.

We recommend that the Director, DSC:

(1) Require that the pre-examination review process consider and identify the presence of a dominant official as a potential targeted/high-risk area and that examination steps be planned to evaluate the level of risk and the quality of mitigating controls at the bank.

(2) Consolidate and/or expand existing guidance for the assessment of and response to banks that are controlled by a dominant official.

CORPORATION COMMENTS AND OIG EVALUATION

On August 26, 2004, the DSC Director provided a written response to the draft report. The response is presented in its entirety as Appendix V to this report. DSC concurred with recommendation 1. Regarding recommendation 2, DSC concurred with the intent of the recommendation and offered an alternative action that was responsive. Accordingly, the recommendations are resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions have been completed and are effective. See Appendix VI for a summary of management's response to, and the status of, the recommendations. A summary of the Director's comments follows.

Recommendation 1: DSC management stated its existing guidance addresses this recommendation. However, to ensure that the presence of a dominant official is considered and included in the planning process, DSC stated that it will recommend to the Interagency ED Module Maintenance Committee [18] that a specific requirement to "consider the impact of the existence of a dominant official" be added to the Risk Scoping Module. DSC's planned action is responsive to our recommendations.

Recommendation 2: DSC management partially concurred with recommendation 2 and offered an acceptable alternative action. The section in the DSC Manual that addresses the risks associated with an institution controlled by a dominant individual will be expanded. The revised Manual will also address issues identified in this report. DSC's planned action is responsive to our recommendations.

The Director also commented on two aspects of the report. First, DSC questioned the size of our sample, asserting that it was too small to support the report's conclusions. DSC further noted that the sample did not include any institutions with composite ratings of "1" or "2" that were controlled by a dominant official. Secondly, DSC indicated that a "separate set of guidance" to assess dominant officials is not needed because it would be redundant of steps already performed and that the risk factors we recommended be addressed in the guidance are the same as those assessed at all institutions.

Regarding our sample size, we selected 100 percent of the "5" rated banks, located in two DSC regions, representing a total of six banks. As of March 1, 2004, eight FDIC-supervised banks in the country were "5" rated. Our sample did not include any of the numerous institutions with composite ratings of "1" or "2" that are currently controlled by a dominant individual. However, for each of the six banks sampled, we reviewed the ROEs issued for a 10-year period beginning when the institutions had been rated a "1" or "2" and had been controlled by a dominant official. Our analysis included a detailed review of a total of 60 FDIC and state ROEs. Therefore, our sample provides a sufficient basis on which to formulate and support our conclusions.

We recognize that banks that are dominated by one person may not necessarily experience problems. Compensating controls such as strong risk management systems and adequate lending policies and procedures can mitigate the adverse impact of a dominant individual. Nevertheless, our report entitled, Observations from the FDIC OIG Material Loss Reviews Conducted 1993 through 2003 (Report No. 04-004, dated January 22, 2004), states that the major causes of failure were inadequate corporate governance, poor risk management, and lack of risk diversification. Oftentimes, the underlying cause was a dominant person taking risks that were not mitigated by systems to adequately identify, measure, monitor, and most importantly, control the risks. Our review found examination weaknesses concerning the adequacy of analysis performed and timeliness of recommendations and actions taken to control both the inherent risks of a dominant person and those created by an institution whose mitigating controls were lacking. The examination weaknesses identified by our review may be attributable, in large part, to the absence of a comprehensive set of instructions that provides examiners with a structured review process that guides and facilitates the review of the banks that are controlled by a dominant official. As a result, further guidance should be provided to examiners that facilitates the examination process for this high-risk factor.

Lastly, the report does not suggest that a separate set of guidance be developed for assessing banks controlled by a dominant person. In fact, page 4 of the report states, "Within the framework of the existing examination procedures, the risks of a dominant official should be considered as part of the pre-examination planning and scoping process to the extent that this risk is observed at the senior corporate level." The report recognizes that existing guidance addresses the impact of dominant individuals, but this guidance is not consolidated and, therefore, some aspects could be overlooked by examiners. In fact, DSC has established consolidated guidance such as that which we are recommending for commercial real estate and subprime lending programs because of their perceived risk and significance to the safety and soundness of institutions. Therefore, we continue to conclude that regulatory oversight of banks that are dominated by one individual could be strengthened by ensuring that examiners (1) consider the presence of a dominant individual as a risk factor during the pre-examination review process and (2) evaluate specific aspects of corporate governance when a bank has a dominant official.



APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to determine whether the process used by the FDIC to assess bank management and controls during safety and soundness examinations of FDIC-supervised financial institutions is adequate. To accomplish our objective, we reviewed DSC policies and procedures for evaluating bank management. We also reviewed a sample of problem banks located in the DSC Chicago and Dallas Regional Offices.

As of February 29, 2004, there were eight state nonmember banks with a CAMELS composite rating of "5." Five of these institutions were supervised by the DSC Chicago Regional Office, two were supervised by the DSC Dallas Regional Office, and one institution was supervised by the DSC San Francisco Regional Office. We selected six banks from the DSC Chicago and Dallas Regions to review bank management's role and DSC's assessment of bank management. Details on our analysis of the six banks are in Appendix IV.

We performed our audit from October 2003 through May 2004 in accordance with generally accepted government auditing standards. To accomplish the audit objectives, we:

  • reviewed DSC policies and procedures pertaining to the evaluation of bank management;
  • reviewed Federal Reserve Board, Office of the Comptroller of the Currency, and Office of Thrift Supervision policies and procedures pertaining to the evaluation of bank management;
  • reviewed and analyzed reports of examination prepared by the FDIC and state banking agencies for the banks in our sample during the last 10 years;
  • reviewed and analyzed related Uniform Bank Performance Reports (UBPR) [19] and Summary Analysis of Examination Reports (SAER); [20] and
  • interviewed DSC policymakers in Washington, D.C.

We requested that DSC provide all FDIC and state ROEs for the six sampled banks for the period January 1, 1993 through December 31, 2003. However, DSC was unable to provide us with 1 FDIC and 13 state ROEs applicable to 5 of the 6 banks that we sampled.

Government Performance and Results Act, Reliance on Computer-Processed Data, Fraud and Illegal Acts, Management Controls, and Compliance with Laws and Regulations

The nature of the audit objective did not require reviewing related performance measures under the Government Performance and Results Act. We did not determine the reliability of computer-processed data because such data was not significant to accomplishing our audit objective. Our audit program included steps for providing reasonable assurance of detecting fraud or illegal acts.

Additionally, we gained an understanding of relevant control activities by examining DSC applicable policies and procedures as presented in the FDIC's Rules and Regulations, FDIC's Statements of Policy, DSC Manual, ED Modules, and Regional Directors Memoranda.

Regarding compliance with laws and regulations, we gained an understanding of aspects of the FDI Act and the requirements of Part 363 of the FDIC's Rules and Regulations and evaluated the FDIC's establishment and implementation of procedures for examining the sampled institutions' regulatory compliance.



APPENDIX II

DSC'S ASSESSMENT OF MANAGEMENT CONTROL AREAS IN SELECTED
BANKS AND RELATED FDIC GUIDANCE

The finding section of this report identifies specific areas of consideration that examiners should use in assessing a bank's control environment and in recommending improvements to a bank's control structure when a dominant official is present. A more detailed discussion follows of the (1) weaknesses we identified in the various control areas for the six banks we reviewed with a composite "5" rating, (2) benefits of reviewing these issues in the context of financial institutions controlled by a dominant official, and (3) existing related policies and procedures.

Each of the control areas discussed below is addressed, to some degree, in various DSC policies and procedures. However, the guidance does not address these issues in the context of banks that are controlled by a dominant official. Nor does the guidance provide examiners with instruction on how to (1) review these areas in the overall assessment of management, (2) identify and assess other possible mitigating controls, and (3) develop and recommend alternative actions to mitigate the risk from a dominant official.

Segregation of Duties

Overall, examiners did not identify the dominant official's level of control or extent of responsibility as a concern and, therefore, did not recommend specific corrective action for this control structure.

For all six banks reviewed, we noted that an appropriate segregation of duties [21] and responsibilities had not been achieved and that a dominant official controlled multiple bank functions. Examiners identified the presence of a dominant official but did not identify the lack of a proper segregation of duties or recommend that key duties and responsibilities be divided among different people. The lack of an appropriate segregation of duties could result in a significant internal control deficiency.

In one case, the dominant official was recognized as the bank's chairman of the board, president, primary operations officer, primary loan officer, and primary loan review officer. This individual was also a member of the bank's loan, compliance, and audit committees. Examiners routinely recognized that the individual had a dominant influence on the bank; however, limited action was taken to mitigate his control. In 1994 and 2002, the official was found to be involved in fraudulent activities. Also of note, in 1999, questionable practices were identified that appear to indicate that other fraudulent activity was evident.

Ensuring an appropriate segregation of duties and responsibilities among different individuals helps to reduce the risk of error or fraud.

Related FDIC Guidance

The DSC Manual describes a segregation of duties in the context of an accounting control in a transaction, but does not emphasize the need to ensure a segregation of duties over key areas of responsibilities in authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. The DSC Manual describes the basic elements of an internal control system. Within this guidance, the DSC Manual states that a bank's organization plan must segregate the operating and recording functions and that an internal control system should at a minimum provide for a segregation of duties. The DSC Manual also states that "Ideally, the segregation of duties should be arranged so that no one person dominates any transaction from inception to termination."

The Management ED Module instructs examiners to determine whether the organizational structure of a bank is appropriate given the size and complexity of the bank and the organization's strategic plan. The procedures also require examiners to determine whether management maintains an effective system of controls and safeguards for activities that expose the bank to risk. In particular, examiners are instructed to consider the segregation of duties as an element of internal control.

Active and Informed Board of Directors' Oversight

Examiners did not always identify an inactive and/or uninformed BOD until the banks' financial condition significantly deteriorated. In some cases, when earlier detection of these deficiencies was noted, examiners were unable to sufficiently persuade bank management to improve the control environment. Examiners provided limited discussions in the ROEs regarding the BOD's active and informed oversight.

A bank with a dominant official and an inactive and/or uninformed BOD creates a weak control environment in which the decision-making process is centralized in one individual. In most cases, the BOD's oversight was not criticized in the ROE until the bank was categorized as a problem bank. In the ROEs, examiners occasionally detailed board members' professional backgrounds but provided no assessments on the members' qualifications or on the overall level of knowledge, experience and expertise of the BOD directorship.

  • In one bank, from 1994 to 2000, examiners reported that the BOD appeared to be active and well informed. The BOD was also described as effectively overseeing the operations of the bank and policies and providing adequate operating guidelines. Furthermore, ROE comments were complimentary of the dominant official. In 2001, examiners became aware of a subprime lending operation that had been in place for 3 years. Also of note, the bank did not have any loan policy guidelines nor prior experience in this speciality financing. However, examiners reported that the management team (the CEO and the president) appeared to have the capabilities to implement the necessary improvements in this area. In the September 2002 ROE, examiners recognized the performance of senior management and the BOD as being "extremely weak, as reflected by the financial condition of the institution." In the September 2003 ROE, the management study, required by a Cease and Desist Order (C&D Order), reported that the president did not have the background, abilities, or interpersonal skills to operate as the president. The report also stated that deficient BOD oversight allowed previous executive management to engage in objectionable and hazardous credit policies and practices. The examiners also reported that the BOD had failed to carry out its fiduciary duty to the bank, its depositors, and its shareholders. The examiners stated that it was apparent that the BOD turned over virtually unsupervised control of the bank to executive officers and overly relied on prior management.

  • For another bank, as early as 1994, the examiners encouraged the bank's BOD to take a more active role in the bank through involvement in day-to-day activities, committees, and strategic planning. Examiners also observed that the CEO reportedly talked with the BOD only periodically and forwarded loan approvals to them for approval by telephone. The examiners concluded that because of this off-site approach by the BOD, it appeared that most of the time, the CEO ran a "one man" operation. In 2003, the examiners summarized that BOD supervision had been inadequate with too much authority vested with the former CEO/president and other lending officers. In addition, BOD involvement in the loan approval process had been limited, and the BOD failed to sufficiently scrutinize lending practices. For at least 9 years, examiners were unable to sufficiently persuade bank management to improve the control environment.

  • For a third bank, the examiners reported in 1999 that the BOD had failed to provide adequate oversight of management's performance and effectively monitor the bank's overall risk profile during monthly meetings. By 2003, the examiners stated that the unacceptable practices and condition of this bank indicated inadequate supervision by the BOD. In addition, the examiners stated that, "while one individual [President/Chairman of the Board] is blamed for the loan quality, the BOD must accept the ultimate responsibility for failing to provide adequate controls and procedures to protect the bank." The DSC Manual states that "Supervision by directors does not necessarily indicate a BOD should be performing management tasks, but rather seeing that its policies are being implemented and adhered to and its objectives achieved. It is the failure to discharge these supervisory duties, which has led to bank failures ."

With the presence of a dominant official controlling the bank, it becomes more critical to have active and informed board oversight to help mitigate risks. Further efforts are needed by examiners to identify inactive and uninformed BODs and to pursue corrective action on a more timely basis before the financial condition of a bank significantly deteriorates. In particular, an active and informed BOD should serve to mitigate the risk imposed by a dominant official through directors' involvement in the oversight and decision-making processes.

Related FDIC Guidance

The DSC Manual details the general powers and responsibilities of bank directors which include, but are not limited to, regulating the manner in which all business of the bank is conducted. The DSC Manual also states that the BOD is the source of all authority and responsibility. In the broadest sense, the board is responsible for the formulation of sound policies and objectives of the bank, effective supervision of its affairs, and promotion of its welfare. In addition, the continuing health, viability, and vigor of the bank are dependent upon an interested, informed, and vigilant BOD.

The Management ED Module instructs examiners to review BOD and committee minutes since the last examination as well as the most recent and year-end BOD packages to determine the extent and adequacy of BOD supervision considering, in part, director attendance, BOD independence from executive management, and dominant control. Examiners are also directed to determine if the BOD minimizes operating management's ability to override policies and procedures through effective monitoring and enforcement of established guidelines.

Outside/Independent Directors

Examiners did not always identify the need for and assess the role of outside/independent board directors. For the majority of banks reviewed, examiners provided limited discussions in the ROEs on the presence of outside and independent directors.

The failure to have outside/independent board representation creates a weak control environment in which individuals are potentially providing oversight of their own actions. Furthermore, the presence of an outside/independent director enhances the composite judgment of the group by providing more diverse perspectives. Specifically, within the six banks reviewed, we observed the following:

  • Dominant officials served on board committees of major risk areas, including the audit committees.
  • No board committees or audit committees had been established.
  • The entire BOD served on all committees.
  • Limited, if any, assessments or discussions were performed or held, respectively, regarding the qualifications of the directors and the functions of these individuals as outside and independent directors.
  • Examiners inconsistently reported information on the existence and/or participation of board members on various board committees in the confidential-supervisory section [22] of the ROEs.

For five of the six banks reviewed, the dominant official was a member of the bank's audit committee and/or participated in other committees of major risk areas. For one bank, the examiners noted in the ROE that prior to 2000, the bank did not have any board committees. In 2000, the bank stipulated to a Memorandum of Understanding (MOU), which required the establishment of board committees. At that time, the establishment of an audit committee was not recommended; however, the FDIC issued a follow-up letter to the bank a short time later, recommending the establishment of an audit committee. The bank established an audit committee, but in 2003, the examiners observed that three out of the four board directors did not represent the interests of the bank, but rather the interests of the bank holding company by serving as a manager, consultant, and accountant for other businesses owned by the primary shareholder/director. Additionally, the examiners stated that "The lack of an independent board may have contributed to the problems present in this bank."

For three banks, based on information provided in the ROEs, we concluded that the entire BOD acted as or served on all board committees without regard to achieving a majority of outside directors to inside directors. In some cases, examiners recommended adding outside directors. During a 2001 examination of one bank, the examiners reported that the audit committee included only one outside director. Examiners commented that it is considered a prudent practice for a majority of the committee to consist of outside directors and recommended that additional outside directors be added to the committee.

The 1993 and 1994 ROEs for another bank referenced an MOU, issued in 1990, and a Notice of Determination (NOD), [23] issued in 1994. Both the MOU and NOD required the bank to review the composition of the BOD with the objective of increasing the number of independent outside directors. None of the ROEs discussed which directors qualified as outside or as independent directors (the 2001 ROE stated that four of the nine directors were not "insiders" of the bank). However, the "nonmanagerial/nonemployee" directorship increased from two out of seven directors in 1993 to four out of nine directors in 1999. Nevertheless, two of the four directors appeared related to each other and owned over 19 percent of outstanding voting class shares of the bank. Regulatory guidelines classify such directors as not independent. In addition, if the directors were also considered principal shareholders, then they would be considered inside directors. Another of the "non-managerial/nonemployee" directors was also a former vice president/employee who had retired. According to regulatory guidelines, an outside director would not be considered independent of management if that individual had been an officer or employee of the bank within the preceding year.

In two other banks we reviewed, it appeared that the directors had limited experience in banking and/or accounting and auditing based on the background descriptions of the BOD provided in the ROEs.

To help mitigate the risk to an institution that is dominated by an individual, it would be prudent to require, at a minimum, that this individual does not participate on the board committees of major risk areas, and where feasible, the board committees should be composed of a majority of outside directors.

Related FDIC Guidance

The DSC Manual states that "each director should bring to the position particular skills and experience which will contribute to the composite judgment of the group." In reference to audit committees, the DSC Manual states:

 all banks are strongly encouraged to establish an audit committee consisting, if possible, entirely of outside directors and, in appropriate circumstances, should be criticized for not doing so. Although a committee of outside directors may not appear possible in a small closely-held bank where there are, in effect, no outside directors on the board, all banks should be encouraged to add outside directors to their board and to appoint them to the audit committee.

Part 363 of the FDIC's Rules and Regulations specifically requires, in part, that banks with $500 million or more in total assets must establish an independent audit committee consisting entirely of outside directors. [24] Also, Part 363.5 requires that the audit committees of banks with $3 billion or more in total assets shall include members with banking or related financial management expertise, have access to its own outside counsel, and not include any large customers of the institution.

Additionally, the Management ED Module instructs examiners to determine the extent and adequacy of board supervision by considering, in part, the BOD's independence from executive management and the dominant control by a board member, shareholder, or executive management. The Management ED Module also instructs examiners to determine whether an audit committee has been established and to evaluate the composition of the committee by considering the number of members, number of outside directors, independence from management, and the presence of "financial experts" on the committee.

The Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations encourages all banks to establish an audit committee consisting entirely of outside directors or, at a minimum, organize the audit committee so that outside directors constitute a majority of the committee.

External and Internal Audits

Examiners did not always provide a discussion or analysis of the (1) need for an annual financial audit by an independent public accountant; (2) adequacy of internal audit personnel and related functions; or (3) rationale for changes in external auditors, despite weaknesses being present.

An annual financial audit and/or a qualified and independent internal auditor can reduce the risk posed by a dominant official by providing a layer of independent oversight and verification of the bank's financial position and operations. Additionally, the investigation into the decision- making process for significant changes to a bank's audit program can serve as a validation of the bank's control structure and of its operation. In turn, appropriately functioning controls may mitigate the risk posed by a dominant official by ensuring that the various duties and responsibilities are appropriately delegated and performed without undue influence or circumvention by the dominant official.

When a bank is controlled by a dominant official, examiners should consider requiring that an annual financial audit be conducted which would enhance the level of control and provide greater assurance that financial statements are properly presented. Examiners should also consider the qualification, experience, and independence of the bank's internal auditors. Furthermore, the internal audit function should be segregated from operational activities. In particular, an effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution's size, and each bank should have an internal audit function that is appropriate to its size and the nature and scope of its activities.

Additionally, any change in a bank's external auditor should be investigated and the reasons for the change reported. In particular, for banks that are dominated by one individual, the rationale for the change should be assessed to ensure that the basis for the change is not driven by the desire to obtain a favorable audit opinion or outcome. Furthermore, the bank's audit committee should be assessed to determine whether committee members are materially participating in the decision-making process and are serving as an independent control.

External Audits. Four of the six banks reviewed had annual directors' examinations [25] performed, and pursuit of annual financial audits was lacking. One of the four banks changed to an annual financial audit in 1995. Due to the lack of comments in the ROEs explaining why the bank expanded the scope of the audit, we determined that the change in scope appeared to have been initiated by bank management and was not changed in response to a regulatory recommendation.

Another bank was subject to a Section 39 Safety and Soundness Compliance Plan [26] in October 1999 and then to a C&D Order in November 2000. The Section 39 Safety and Soundness Compliance Plan contained a provision for certain agreed-upon procedures to be performed at the next directors' examination, and the C&D Order contained a provision requiring that one financial audit be conducted. However, the bank failed to comply with the Section 39 Safety and Soundness Compliance Plan, and a qualified opinion was rendered by the certified public accounting firm on the financial audit. Following the financial audit, the bank reverted to having only annual directors' examination performed. The ROEs for the remaining two banks had no comments or recommendations that encouraged or required the banks to obtain annual financial audits. Furthermore, there were limited, if any, discussions in the ROEs on the adequacy of the scope of the directors' examination. Of particular interest, for one of the two banks that had only annual directors' examinations performed, an examiner made a recommendation in 1994 that a provision for an annual financial audit be included in a NOD. However, this provision was not included in the final NOD. Subsequent to the NOD, a state commitment letter [27] was issued in 2000 and a C&D Order was issued in 2002. Despite the identification of apparent fraud committed by the president in 1994 and then again in 2002, the examiners did not provide either an ROE statement encouraging an annual financial audit or an informal/formal action with a provision requiring an annual financial audit.

Related FDIC Guidance

The DSC Manual emphasizes that "Each bank is strongly encouraged to adopt an external auditing program that includes an annual audit of its financial statements by an independent public accountant." [28] The DSC Manual also states that the bank's board should select the scope of the planned external auditing program. However, if in the judgment of the examiner, unique risks of the bank need additional external auditing coverage, the examiner should make specific recommendations for addressing these areas for consideration by the audit committee and/or BOD. In particular, the DSC Manual notes that the examiner should determine whether the scope selected by the bank (1) adequately covers the high-risk areas of that particular bank and (2) is performed by a qualified auditor who is independent of the bank.

The Management ED Module instructs examiners to review the bank's external audit program. Examiners are directed to determine whether the audit program is in compliance with FDIC Part 363, or the Statement of Policy Regarding Independent External Auditing Programs of State Nonmember Banks. In banks that have chosen not to obtain an external audit, examiners are instructed to review the board minutes at each examination in order to assess the BOD's reasons for not having an annual financial audit and the BOD's determination that the audit program provides sufficient coverage of areas of potential concern or unique risk. If, in the judgment of the examiner, additional external audit coverage is warranted, specific suggestions for addressing these areas should be recommended. However, the lack of an external audit will not automatically result in a negative examiner comment.

Internal Audits. Several of the banks reviewed had designated internal auditors and/or outsourcing arrangements; however, the ROEs contained no assessment of the auditors' and/or entities' qualifications, experience, or independence as internal auditors.

  • At one institution, the designated internal auditor was the president's son and the bank's assistant cashier, who was also a recent college graduate with 30 credits in accounting. At the same institution, the internal audit function was later outsourced to a "Banking Specialist." However, the ROEs contained no information or assessment concerning the individual's qualifications or experience as an internal auditor. Furthermore, the individual reported to the full BOD instead of an independent audit committee, and the full BOD was primarily composed of inside directors and was dominated by the president.

  • At a second institution, the bank's audit program was administered by an internal auditor, but no summary or assessment was provided in the ROEs on this individual's qualifications, experience, or independence. At the same institution, the audit program was later administered by the bank's external audit firm. Although this firm eventually stopped performing external auditing services in accordance with new regulatory guidelines, the firm was also noted as providing/performing compliance reviews, loan review services, and financial consulting functions for the bank – "since the departure of the Chief Financial Officer."

  • At a third institution, two individuals had been designated as internal auditors. The first individual was also the bank's cashier and compliance officer. Although no summary or assessment was provided in the ROE on this individual's qualifications, experience, or independence; the individual was later found to be intentionally reporting false information to the bank's BOD. The bank's second internal auditor was initially hired to provide only audit services. Examiner comments in the ROE indicated that this individual lacked experience; however, the ROE had no assessment on the individual's qualifications, experience, or independence as an internal auditor. In addition, limited action was taken or recommended to correct the noted weaknesses. Furthermore, in subsequent periods, this individual took on greater responsibilities, including, but not limited to, marketing, asset/liability management, investments, cash and funds management, and personnel administration. The internal auditor also held the following titles: vice president, senior/chief operations officer and cashier, bank secrecy act officer, and compliance officer. The internal auditor was also listed as a member of the executive committee, asset/liability committee, and the loan committee. Examiners also noted in the ROE that, in response to an outstanding C&D Order, the internal auditor "oversees the daily affairs of the bank with the assistance of chairman  and director  however, these individuals lack bank management experience."

Related FDIC Guidance

The DSC Manual states the following:

Perhaps the most effective internal control procedure available to a bank's BOD is the appointment of a professionally competent internal auditor responsible for the development and administration of an internal audit program .  Auditors must have complete independence in carrying out the audit program and should report their findings directly to the bank's BOD or a designated directors' audit committee. It is imperative that internal auditors have sufficient authority and the degree of audit independence essential to exercise their responsibilities, and that they be divorced from operations.

The FDIC's Statement of Policy, Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, states that an effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution's size. A small institution without an internal auditor can ensure that it maintains an objective internal audit function by implementing a comprehensive set of independent reviews of significant controls. The key characteristic of such reviews is that the person(s) directing and/or performing the review of internal controls is not also responsible for managing or operating those controls.

The Management ED Module provides examiner review guidelines for banks with a formal internal audit department. These guidelines include, but are not limited to, examiners determining (1) that committee minutes document significant actions; (2) whether the internal audit function is sufficiently segregated from bank operations; and (3) that the size of the audit staff is appropriate and that related academic backgrounds, experience, competency, and ongoing training initiatives are sufficient for the size and complexity of the bank.

Changes in External Auditors. Half of the banks reviewed had multiple changes in the banks' designated external auditors; however, the reasons for the changes provided in the ROEs were not always noted or fully investigated. The six banks reviewed had a total of 18 changes in the banks' designated external auditors. No reasons were provided in the ROEs for 13 out of the 18 changes. Explanations for the changes in the banks' external auditors were provided in five cases; however, the source of the information was not always stated in the ROEs. In two cases, ROEs stated that the source of the information was the bank's president. Examiners did not reference the bank's auditors or audit committee minutes as a source of information. An assessment of the bank's decision-making process that referenced the audit committee minutes also was not evident. One bank, in particular, was subject to the FDIC's Rules and Regulations, Part 363, Annual Independent Audits and Reporting Requirements. One of the bank's external auditor changes was prompted by the auditor's termination of the contractual agreement, but no reason was provided in the ROE. In accordance with Part 363 guidelines, the reasons for the resignation of the external auditor should have been submitted in writing to the regional office 15 days after the relationship was terminated by both the bank and the independent public accountant. If written notices had been provided to the regional office, they were not cited in the ROE.

Related FDIC Guidance

The DSC Manual states that "The FDIC encourages communication between its examiners and external auditors with the permission of an institution's management." Banks that are subject to Part 363 of the FDIC's Rules and Regulations must provide written notice to the FDIC regarding the engagement of an independent public accountant, the resignation or dismissal of a previously engaged accountant, and the reasons for such an event. In addition, an independent public accountant must notify the FDIC when it ceases to be the accountant for an insured depository institution. The notification must be in writing, be filed within 15 days after the relationship is terminated, and contain the reasons for the termination.

The Management ED Module instructs examiners to determine whether changes in external auditors or legal counsel occurred and why.

Code of Conduct and Conflicts of Interest Policies

Examiners' reviews of the banks' code of conduct and conflicts of interest policies were inconsistent. Significant conflicts and apparent violations were evident, despite the policies at some of the banks.

The presence of a dominant official increases the potential risk of fraud and insider abuses and that these actions may go undetected. In these circumstances, it is essential to have policies and systematic controls in place that deter unethical behavior.

Inconsistencies were evident in the review process. For example, at one bank, examiners identified, in a timely manner, the establishment of formal code of conduct and conflicts of interest policies as early as 1994. In another bank, however, examiners did not recommend that formal policies be developed until 2002. In some cases, the general identification of policy weaknesses coincided with concerns over potential insider abuse. Furthermore, in a few banks, that had code of conduct and conflicts of interest policies, potential insider abuses were noted in the ROEs. We noted no discussion concerning the need for banks to implement a BOD's annual conflicts of interest and ethics review; DSC has not established a related requirement.

The benefit of establishing written code of conduct and conflicts of interest policies is that they will help to communicate and reinforce the foundation of a bank's corporate culture and ethics. In addition, assigning personal responsibility to the BOD or to a select committee by requiring an annual BOD's review will help to instill awareness of and accountability for potential conflicts of interest and ethical issues. Furthermore, a corporate culture that is based on valuing personal integrity in its code of conduct, ethics policies, and actions will help to limit the risk of fraud and insider abuse and, ultimately, the risk to the insurance funds.

Related FDIC Guidance

The DSC Manual suggests that examiners review a bank's written code of conduct and that examiners determine whether a policy covers conflicts of interest. The DSC Manual states, in part, that the early detection of apparent fraud and insider abuse is an essential element in limiting risk and that "Corporate Culture/Ethics" is one such area in which potential problems may exist. The DSC Manual also states that the "Absence of a written code of conduct may make it difficult to discipline directors, officers or employees who may be involved in questionable activities."

The DSC Manual provides examiners with a list of "Warning Signs" in relation to the existence of potential problems surrounding a bank's corporate culture/ethics including, but not limited to, the absence of a code of ethics; lack of oversight by the institution's BOD, particularly outside directors; and the lack of management independence in acting on recommended corrective actions. The DSC Manual instructs examiners to inquire into bank policies and procedures designed to bring conflicts of interest to the attention of the BOD when it is asked to approve loans or other transactions in which an officer, director, or principal stockholder may be involved. Examiners are also instructed to scrutinize any loan or other transaction in which an officer, director, or principal stockholder is involved.

The Management ED Module instructs examiners to review a bank's code of conduct and the bank's specific guidelines concerning conflicts of interest. The module also instructs examiners to determine whether the BOD appropriately monitors and manages conflicts of interest between the institution and its directors, management, principal shareholders and affiliates, including conflicts arising from transactions between the institution and an associated person. In addition, examiners are instructed to determine if management adequately addresses integrity in its code of conduct, ethics policy, and actions. Examiners are also directed to determine the appropriateness of salary levels and compensation arrangements for both the BOD and executive management and whether self-serving practices or conflicts of interest exist and adequate systems are in place to monitor and manage these conflicts of interest. The Management ED Module's expanded analysis section states examiners are to determine why an ethics policy has not been adopted.

External and Internal Loan Review

Examiners generally recognized the absence or inadequacies of the banks' loan review programs; however, sufficient and timely actions were not taken to substantially improve the loan oversight process.

When a dominant official controls the loan review process, the potential risk is greater that the bank's financial condition and performance could be distorted, that the timely recognition of loss could be delayed, that the allowance for loan and lease losses (ALLL) [29] could be underfunded, and that the recognition of loan administration and collection deficiencies could be delayed and/or go undetected. Thus, delaying and/or preventing timely corrective action could escalate the problems and risks over time.

Five of the six banks reviewed were routinely criticized by examiners as having an inadequate internal loan review program. In two of these banks, examiners recommended that an external loan review be performed; one bank complied with the recommendation, and one did not. One recommendation was presented in a State Safety and Soundness Compliance Plan, and the other recommendation was presented in a C&D Order. Both of these recommendations were made after the bank's asset quality had significantly deteriorated. Also of note, in three of the six banks, bank management reportedly outsourced the internal loan review process to an external agency. This process was initiated as early as 1998 and as late as 2002. Based on a review of the ROEs, examiners inconsistently recognized and described the existing loan review program. In particular, a few ROE comments and the corresponding examiner analysis appeared to have confused an external loan review with an outsourced internal loan review process. Nevertheless, at all of the banks reviewed, the loan review functions were either nonexistent or largely controlled by the dominant official.

In one bank, the examiners made recommendations as early as 1993 to improve the loan review process. In 1999, the examiners reported that the bank did not have a formal loan review function. By 2003, the examiners observed that a loan review officer had not been appointed and that the board minutes did not indicate that a loan review committee had been established. In addition, despite a provision from a 1999 Safety and Soundness Compliance Plan that required an external loan review be conducted by an outside consultant, there is no evidence to suggest that this external loan review was conducted. In another bank, over a 10-year period, examiners repeatedly identified loan review weaknesses and repeatedly recommended improvements to the bank's loan review process. In 2002, the bank's internal loan review was reported as being outsourced to an external company that was performing only an annual review. Although examiners did not recognize this as a concern, an internal loan review process conducted on an annual basis should not be considered timely or sufficient. In 2003, examiners reported that the bank's ALLL was underfunded and that the BOD was unaware of the extent of the loan portfolio's problems. Examiners also reported that the BOD and others placed too much reliance on the representations of former management and loan grades assigned by loan officers. Furthermore, examiners reported that the extent of the bank's collections problems had only recently become apparent.

When a dominant official controls a bank and the loan review process, the risk of undue influence can be mitigated by the establishment of a loan review program that consists of an independent internal loan review and oversight process and by the performance of an external loan review by an outside consultant. An internal loan review program is essential; however, an independent assessment of the loans by a third party consultant can provide an additional level of risk protection.

Related FDIC Guidance

According to the DSC Manual, "it is essential that all institutions maintain an effective loan review system." [30] In particular, an effective loan review system is expected, in part, to provide the BOD and senior management with an objective assessment of the overall portfolio quality. Furthermore, "Management should ensure that, when feasible, all significant loans are reviewed by individuals that are not part of or influenced by anyone associated with, the loan approval process." The DSC Manual provides that the complexity and scope of a bank's loan review system will vary based upon an institution's size, type of operations, and management practices.

The DSC Manual also states that "Systems may include components that are independent of the lending function, or may place some reliance on loan officers. Although smaller institutions are not expected to maintain separate loan review departments, it is essential that all institutions maintain an effective loan review system."

The primary component of an effective loan review system is accurate and timely credit grading. [31] The DSC Manual states:

Credit grading systems often place primary reliance on loan officers for identifying emerging credit problems. However, given the importance and subjective nature of credit grading, a loan officer's judgment regarding the assignment of a particular credit grade should generally be subject to review. Reviews may be performed by peers, superiors, or loan committee(s), or by other internal or external credit review specialists. Credit grading reviews performed by individuals independent of the lending function are preferred because they often provide a more conservative assessment of credit quality.

The ED Module: Loan Portfolio Management and Review: General (Loan ED Module) instructs that examiners review internal and external loan review reports as well as other reports provided by third party sources. Examiners are instructed, in part, to determine that the bank's audit program is sufficient to obtain reasonable assurance that loans are properly classified, described, and disclosed in the financial statements, including fair values of loans and concentrations of risk. The Loan ED Module also instructs examiners to ascertain whether the loan review practices are adequate for the size and complexity of the bank. Examiners are directed, in part, to verify that the loan review function provides senior management and the BOD with an objective and timely assessment of the overall quality of the loan portfolio.



APPENDIX III

ANALYSIS OF THE MANAGEMENT COMPONENT RATING

We generated a sample of all state nonmember safety and soundness examinations that were conducted from January 1, 2001 to September 30, 2003. We collected CAMELS data on 11,389 examinations conducted at state nonmember banks by both the FDIC and state regulators. Table 1 below shows the percentage of occurrences in which a CAMELS component rating was the same as the CAMELS composite rating.

Table 1: CAMELS Component Rating Equals the
CAMELS Composite Rating

CAMELS Components CAMELS Component
Rating Equals
Composite Rating
Capital 72%
Assets 72%
Management 86%
Earnings 64%
Liquidity 63%
Sensitivity 70%
[D]

The results of our analysis indicate that the Management component rating is more closely linked to the overall CAMELS composite rating than the other five component ratings. This supports DSC's philosophy with respect to rating bank management. As stated in the DSC Manual:

a bank's performance with respect to asset quality and diversification, capital adequacy, earnings capacity and trends, and liquidity and funds management is, to a very significant extent, a result of decisions made by the bank's directors and officers. Consequently, examiners' findings and conclusions in regard to the other five elements of the CAMELS rating system are often major determinants of the management rating.



APPENDIX IV

PROFILES OF STATE NONMEMBER BANKS

As of February 29, 2004, eight state nonmember banks had been assigned a CAMELS composite rating of "5." Five of these institutions are supervised by the DSC Chicago Regional Office, two institutions are supervised by the DSC Dallas Regional Office, and one institution is supervised by the DSC San Francisco Regional Office. The six open state nonmember banks with a composite rating of "5" that we selected and analyzed are profiled in Table 2 below:

Table 2:  Profiles of State Nonmember Banks Rated a CAMELS Composite "5"
(1993-2003)
Bank Designation Years of a
"3" to "5"
Management Rating
Years of a
"3" to "5"
Composite Rating
Total Asset Rangea
($ in Millions)
Main Loan Product Lines
(11-Year Average)
Low High
Bank A 1993 to 1994, 1996, and 2001 to 2003 2003 Under $100 Under $200 1-4 Family Residential Properties (30%), Loans to Individuals (21%), Commercial and Industrial (17%), Non-Farm Non-Residential (13%), and Farmland (10%).
Bank B 1993,b 1997, and 1999 to 2003 1993,b and 1999 to 2003 Under $100 Under $100 1-4 Family Residential Properties (37%), Loan to Individuals (26%), Non-Farm Non-Residential (9%), Farmland (9%), Agricultural (9%), and Commercial and Industrial (9%).
Bank C 1994, 1998 to 2000,b and 2001 to 2003 1999 to 2000,b and 2001 to 2003 Under $100 Under $200 1-4 Family Residential Properties (39%), Non-Farm Non-Residential (24%), Commercial and Industrial (24%), and Multifamily Residential (10%).
Bank D 1993 to 1994, and 1999 to 2003 1993 to 1994, and 2001 to 2003 Under $50 Under $50 Agricultural (77%), Farmland (10%), and Loans to Individuals (10%).
Bank E 2001 to 2003 2001 to 2003 Under $150 Under $700 Commercial and Industrial (28%),
1-4 Family Residential Properties (24%), Non-Farm Non-Residential (20%), and Lease Financing Receivables (13%).
Bank F 1994, and 1997 to 2003 1998 to 2003 Under $50 Under $50 Commercial and Industrial (30%), Loans to Individuals (29%), and
1-4 Family Residential Properties (28%).
Source: OIG Analysis of Uniform Bank Performance Reports and the FDIC's online resources. Averages were based on year-end computations.
a These ranges were derived from the lowest and highest levels achieved in total assets for the years ended 1993 to 2003.
b During the year, the rating was subsequently upgraded.

APPENDIX V

CORPORATION COMMENTS

Corporation Comments - Page 1
Corporation Comments - Page 2
[D]



APPENDIX VI

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec. Number Corrective Action: Taken or Planned/Status Expected Completion Date Monetary Benefits Resolved:a
Yes or No
Dispositioned:b
Yes or No
Open or Closedc
1 DSC will review the guidance for the pre-examination review process to ensure that it is clear that the risk factor related to the existence of a dominant official be considered and included in the planning process. DSC will recommend to the Interagency ED Module Maintenance Committee that a specific requirement to "consider the impact of the existence of a dominant official" be added to the Risk Scoping Module. December 31, 2004 N/A Yes No Open
2 DSC will update coverage in the DSC Manual to emphasize the existence of a dominant official as a risk factor. March 31, 2005 N/A Yes No Open

a Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

b Dispositioned – The agreed-to corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through implementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.

c Once the OIG dispositions the recommendation, it can then be closed.

Last updated 10/07/2004