DSCís Examination Assessment of Interest Rate Risk

July 2008
Report No. AUD-08-011

FDIC OIG, Office of Audits
Federal Deposit
Insurance Corporation

Why We Did The Audit

The audit objectives were to (1) determine whether the FDICís examinations comply with applicable policies and procedures for assessing and addressing an institutionís internal control, review, and audit coverage of the interest rate risk management process; and (2) evaluate the corrective actions pursued when significant weaknesses are reported by examiners. Interest rate risk, the exposure of an institutionís earnings and capital to adverse interest rate changes, is fundamental to the business of banking. The audit focused on FDIC-supervised institutions with indicators of elevated interest rate risk.

Background

Changes in interest rates can adversely affect a financial institutionís earnings and market capital. The FDICís Division of Supervision and Consumer Protection (DSC) conducts periodic risk management examinations to ascertain, among other things, an institutionís Sensitivity to Market Risk, including interest rate risk. DSC has issued guidance for conducting these examinations.

Additionally, the Joint Agency Policy Statement on Interest Rate Risk (IRR SOP), issued by the FDIC and the other federal banking agencies, provides guidance to institutions on prudent interest rate risk management principles and assists bankers and examiners in evaluating the adequacy of an institutionís management of interest rate risk. The IRR SOP states that an institutionís interest rate risk management process should be subject to periodic independent review to ensure the integrity, accuracy, and reasonableness of the institutionís overall risk management process. Overall, the purpose of the independent review is to ensure that the interest rate risk measurement and management processes are sound.



Audit Results

For the 38 sampled risk management examinations we reviewed, FDIC examiners generally complied with applicable policies and procedures for assessing and addressing an institutionís internal control, review, and audit coverage of the interest rate risk management process. Generally, as depicted in the figure below, we found:

  • Pre-Examination Planning memoranda listed the red flags identified by the FDICís Interest Rate Risk Standard Analysis software application; and
  • Reports of Examination and supporting working papers showed that examiners either obtained for consideration a copy of the institutionís independent review report or identified a contravention of the IRR SOP.

Regarding the pursuit of corrective actions, we found that informal and formal corrective actions generally addressed significant weaknesses reported by examiners in the area of interest rate risk. We also noted that a provision related to interest rate risk was sometimes not included in corrective actions, even though both the composite and Sensitivity to Market Risk component ratings of the institutions by examiners were less than satisfactory. However, DSC showed that provisions addressing other ratings components reasonably addressed the identified concerns.

We also identified situations where the examinerís assessment of an institutionís independent review and reporting to the institutionís board of directors could be improved. Specifically, we found that examinations often did not:

  • provide conclusions on the adequacy of the independent review functions, or
  • assess the adequacy of the institutionís reporting on the independent reviews to its board.

Additionally, training records we reviewed for 42 interest rate risk and capital markets Subject Matter Experts and Regional Specialists showed that some had obtained little or no training in recent years in their areas of expertise. Targeted training could enhance the contribution of these experts and specialists to the examination process.

Ensuring that appropriate institution and examination controls and resources are in place will help the FDIC to assure that an institutionís interest rate risk management processes are appropriate and functioning adequately. [ D ]

Recommendations and Management Response

We recommended that DSC emphasize to examiners the need to fully assess and conclude on the adequacy of an institutionís independent review and on the adequacy of reporting on the independent review to the bankís board, as warranted by risk; advise examiners of the importance of collectively considering all relevant examination guidance; and establish policies and guidelines for the training of interest rate risk and capital markets Subject Matter Experts and Regional Specialists. Management concurred with our recommendations and is taking responsive action.


Contents

BACKGROUND

Institution Guidance in the Statement of Policy on Interest Rate Risk

FDIC Examination Guidance

RESULTS OF AUDIT
EXAMINER ASSESSMENT OF AN INSTITUTIONíS INDEPENDENT REVIEW AND REPORTING TO THE BOARD OF DIRECTORS

Joint Agency Statement of Policy on Interest Rate Risk

Examination Guidance Related to the Independent Review

Examiner Determination of the Adequacy of Independent Reviews

Examiner Assessment of an Institutionís Reporting to Its Board of Directors on the Independent Reviews

Examiner Implementation of Guidance on Independent Reviews

Reliance on Independent Reviews and Management Systems

Recommendations on Examiner Assessment of an Institutionís Independent Review and Reporting to the Board of Directors

INTEREST RATE RISK TRAINING FOR SUBJECT MATTER EXPERTS AND REGIONAL SPECIALISTS

Training Guidance

Subject Matter Expert and Regional Specialist Training

Establishment of Policy for Continuing Education

Maintenance of Human Capital Resources

Recommendation on Interest Rate Risk Training for Subject Matter Experts and Regional Specialists

CORPORATION COMMENTS AND OIG EVALUATION
APPENDICES

1. OBJECTIVE, SCOPE, AND METHODOLOGY

2. CORPORATION COMMENTS

3. MANAGEMENT RESPONSE TO RECOMMENDATIONS

4. ACRONYMS USED IN THE REPORT

TABLE

Scope and Annual Reporting Expectations for an Institutionís Independent Review

FIGURE

Examination Conclusions Not Provided on the Scope of the Independent Reviews






FDIC, Federal Deposit Insurance Corporation, Office of Inspector General,Office of Auidts, 3501 Fairfax Drive, Arlington, VA 22226-3500
DATE: July 7, 2008
 
MEMORANDUM TO:Sandra L. Thompson, Director
Division of Supervision and Consumer Protection
 
FROM:Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
Assistant Inspector General for Audits
 
SUBJECT:DSCís Examination Assessment of Interest Rate Risk
(Report No. AUD-08-011)
 

This report presents the results of our audit of the Division of Supervision and Consumer Protectionís (DSC) examination assessment of interest rate risk at FDIC-supervised institutions. The audit objectives were to (1) determine whether the FDICís examinations comply with applicable policies and procedures for assessing and addressing an institutionís internal control, review, and audit coverage of the interest rate risk management process; and (2) evaluate the corrective actions pursued when significant weaknesses are reported by examiners.1 We focused the audit on those FDIC-supervised institutions with indicators of elevated interest rate risk. We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report discusses our audit objectives, scope, and methodology in detail.

BACKGROUND

Interest rate risk is fundamental to the business of banking. Changes in interest rates can expose an institution to adverse shifts in net interest income, increase the cost of funds, and impair the underlying value of its assets, thereby adversely affecting an institutionís earnings and market capital. The FDIC is responsible for ensuring that the financial institutions it supervises operate in a safe and sound manner. To accomplish this, the FDIC conducts risk management examinations to ascertain, among other things, an institutionís Sensitivity to Market Risk, including interest rate risk. This assessment is summarized in an assigned risk rating for Sensitivity to Market Risk, which is the ďSĒ part of the CAMELS rating system.2 Failure to appropriately assess an institutionís interest rate risk can impact the overall effectiveness of the risk management examination and expose the institution to the risk of loss.

Institution Guidance in the Statement of Policy on Interest Rate Risk

The FDIC provides supervisory guidance to institutions and examiners, in part, through FDIC Statements of Policy. In 1996, the federal banking agencies3 issued The Joint Agency Policy Statement on Interest Rate Risk (IRR SOP) to provide guidance to institutions on interest rate risk management and to assist bankers and examiners in evaluating the adequacy of an institutionís management of interest rate risk.4 Although a Statement of Policy (SOP) does not constitute a legal requirement, an institutionís failure to adhere to an SOP requirement may result in a citation for contravention in the examinerís Report of Examination (ROE).

The IRR SOP states that effective control of the interest rate risk management process includes an independent review and, where appropriate, internal and external audit. According to the IRR SOP, a bank should conduct periodic reviews of its risk management process to ensure its integrity, accuracy, and reasonableness. According to DSCís Risk Management Manual of Examination Policies (DSC Examination Manual), the independent review serves as a means to independently assess the adequacy of an institutionís measurement system. The level and depth of independent review performed by an institution should be commensurate with the institutionís activities.

The SOP also indicates that the findings of the review should be reported annually to the institutionís board of directors.

FDIC Examination Guidance

The DSC Examination Manual and the FDICís Rate Sensitivity Examination Documentation Module (Rate Sensitivity ED Module)5 address interest rate risk management and an institutionís independent review.



RESULTS OF AUDIT

For the 38 risk management examinations we reviewed, FDIC examiners generally complied with applicable policies and procedures for assessing and addressing an institutionís internal control, independent review, and audit coverage of the interest rate risk management process. Specifically, we found that:

Additionally, informal and formal corrective actions generally addressed significant weaknesses reported by examiners in the area of interest rate risk. We sampled 50 institutions that had a Sensitivity to Market Risk component rating and composite rating of ď3,Ē ď4,Ē or ď5,Ē which are considered less than satisfactory. For 44 (88 percent) of the 50 institutions, where both the composite and Sensitivity to Market Risk component ratings were less than satisfactory, corrective actions contained either a specific or general provision that addressed weaknesses and/or deficiencies related to Sensitivity to Market Risk. For the remaining six institutions (12 percent), a provision related to Sensitivity to Market Risk was not included in an informal or formal corrective action; however, DSC provided us reasonable explanations for these instances. In each case, DSC showed that there were provisions related to other CAMELS components that could improve deficiencies within the area of Sensitivity to Market Risk. In addition, we noted that the examiners had discussed their interest rate risk concerns and recommendations with the institutionsí management and documented those matters in the ROEs.

We also found that the examiner assessment of an institutionís independent review and reporting of review results to its board of directors could be improved. Specifically, some examiners for our sampled examinations did not conclude on the adequacy of an institutionís independent review functions or on the adequacy of the institutionís reporting of the review results to its board of directors. Adequate independent reviews help ensure the integrity, accuracy, and reasonableness of an institutionís interest rate risk measurement system; an institutionís safety and soundness; and the FDICís ability to rely on the results of an institutionís interest rate risk measurement system (Examiner Assessment of an Institutionís Independent Review and Reporting to the Board of Directors).

Further, the FDIC could enhance its training for Subject Matter Experts and Regional Specialists. Some Subject Matter Experts and Regional Specialists had obtained little or no recent training in their designated areas of expertiseóinterest rate risk and capital markets. These individuals are an important resource for examiners seeking advice and guidance on an institutionís Sensitivity to Market Risk during the examination process (Interest Rate Risk Training for Subject Matter Experts and Regional Specialists).




EXAMINER ASSESSMENT OF AN INSTITUTIONíS INDEPENDENT REVIEW AND REPORTING TO THE BOARD OF DIRECTORS

Examiner assessment of an institutionís independent review and reporting of the review results to the board of directors could be improved. Specifically, we found that FDIC examiners did not:

  • provide conclusions on the adequacy of the independent review functions for 15 (39 percent) of the 38 examinations reviewed.
  • assess the adequacy of the institutionís reporting on the independent reviews to its board of directors for 26 (68 percent) of the 38 examinations reviewed.

An inadequate independent review could reduce both (1) an institutionís assurance that its interest rate risk management processes and system are appropriate and functioning adequately and (2) DSCís ability to rely on the results of that system for examination purposes.

Joint Agency Statement of Policy on Interest Rate Risk

Although not a legal requirement, the IRR SOP states that an institution should conduct periodic independent reviews of its risk management process to ensure its integrity, accuracy, and reasonableness. The policy statement identifies the scope and annual reporting expectations for an independent review as shown in the following table:

Scope and Annual Reporting Expectations for an Institutionís Independent Review
Minimum Areas for Review and Validation During the Independent Review   Minimum Areas for Review and Validation During the Independent Review
The adequacy of, and personnelís compliance with, the institutionís internal control system.   The findings of the review.
The appropriateness of the institutionís risk measurement system given the nature, scope, and complexity of its activities.   A brief summary of the institutionís interest rate risk measurement techniques and management practices.
The accuracy and completeness of the data inputs into the institutionís risk measurement system.   The identification of major critical assumptions used in the risk measurement process.
The reasonableness and validity of scenarios used in the risk measurement system.   A discussion of the process used to derive major critical assumptions.
The validity of the risk measurement calculations.   An assessment of the impact of major critical assumptions on the institutionís measured exposure.
Source: Office of Inspector General (OIG) analysis of the IRR SOP.

Examination Guidance Related to the Independent Review

The DSC Examination Manual emphasizes that, at a minimum, each institution should have procedures in place to independently review its input process, assumptions, and system output reports. To illustrate, among other things, the institutionís:

  • system-input process review should evaluate the adequacy and appropriateness of the level of knowledge and skill of the individuals responsible for the measurement system;
  • assumption review should address the process of developing assumptions for all material asset, liability, and off-balance sheet exposures; and
  • system output and reporting assessment should include coverage of the timeliness and frequency of reporting to management and the board.

In addition, the DSC Examination Manual states that individuals responsible for performing the independent review should not be involved in the interest rate risk measurement process. Institutions may use internal staff, an outsourcing arrangement, or a combination of the two, to independently appraise the measurement system.

The FDICís Rate Sensitivity ED Module incorporates an examiner assessment of an institutionís independent review. In particular, one of the moduleís core analysis decision factors asks, ďAre the audit or independent review functions adequate?Ē In addition, the corresponding core analysis procedures include the following examiner determinations:

  • Determine that the scope of the audit or independent review is sufficient to identify policy, reporting, internal control, and compliance deficiencies.
  • Determine that the scope includes a review and validation of risk measurement calculations and tests for reasonableness and accuracy of assumptions and data inputs.
  • Determine that results are reported to the board on a timely basis.
  • If recent reviews disclosed any deficiencies, determine if management responses are reasonable.

Although the IRR SOP and the DSC Examination Manual describe specific independent review procedures, the Rate Sensitivity ED Module does not describe all of the minimum scoping procedures for the independent review or all of elements to be included in the institutionís reporting to the board of directors as prescribed by the IRR SOP and DSC Examination Manual. Further, the Rate Sensitivity ED Module does not refer the examiner to the IRR SOP. According to DSC management, examiners are expected to consider all sources of guidance and would not rely solely on the Rate Sensitivity ED Module when reviewing interest rate risk.

Examiner Determination of the Adequacy of Independent Reviews

To assess examiner coverage of the IRR SOP and compliance with applicable examination procedures for interest rate risk, we sampled 38 examinations for FDIC-supervised institutions with indicators of an elevated interest rate risk profile. These sampled institutions had from one to seven ďred flagsĒ identified by the FDICís IRRSA application.

For 23 of the 38 examinations for which examiners provided a conclusion on the adequacy of the institutionís independent review, we saw evidence that the examiners had concluded on the adequacy of the review either in the ROEs or in examination working papers. We accepted examinersí conclusions and observations on the adequacy of the institutionís independent review in various forms, such as a check mark on a procedural step, a declaration of adequacy or inadequacy, and/or a citation of a contravention of the IRR SOP.

The results of our analysis for 15 (39 percent) of the 38 examinations with no conclusions on the adequacy of the institutionsí independent reviews are presented below.

[ D ]

Examiner Assessment of an Institutionís Reporting to Its Board of Directors on the Independent Reviews

For 26 (68 percent) of the 38 examinations reviewed, we found that FDIC examiners did not conclude on the adequacy of the institutionís reporting on the independent review to its board. In accordance with the IRR SOP, the institutionís report to the board on the review results should address all five elements described earlier in this report. For 12 examinations, we accepted examinersí conclusions and observations on the adequacy of the institutionís reporting on the independent review in various formsóeither in the ROEs or the examination working papers, such as a check mark on a procedural step, a declaration of adequacy or inadequacy, an affirmative statement that the independent review was reported to the institutionís board, and/or a citation of a contravention of the IRR SOP.

Examiner Implementation of Guidance on Independent Reviews

We interviewed 13 DSC field examiners, from 3 field offices, who explained their understanding of DSCís examination policies and procedures and described their assessment process for independent reviews and the institutionís reporting on the reviews to its board of directors. In particular, field examiners stated that an institutionís compliance with the IRR SOP should be evaluated at every examination. The examiners also stated that in assessing an institutionís compliance with the IRR SOP, they would always check for an independent review. Although the examiners stated that they believed that an institutionís independent review should be reviewed at all examinations, the depth of review deemed necessary varied. Some examiners stated that it was necessary to validate an institutionís compliance with all of the provisions of the IRR SOP, while other examiners stated it was necessary to validate only that an independent review had been conducted and that the institution had reported the independent review to the institutionís board.

Although the IRR SOP is not a legal requirement, the IRR SOP provides that examiners should consider certain risk factors in conducting their review, as follows:

When evaluating the applicability of specific guidelines provided in this Statement Ö bank management and examiners should consider factors such as the size of the bank, the nature and complexity of its activities, and the adequacy of its capital and earnings in relation to the bankís overall risk profile.

The extent of an independent review should be commensurate with the bankís activities; however, as risk increases, we believe that an examination should more thoroughly assess an institutionís implementation of the IRR SOP. An adequate independent review should provide the institution assurance that its interest rate risk management processes and systems are commensurate with the institutionís activities and permit DSC reliance on the review. Therefore, it is important for examiners to conclude on the adequacy of the independent reviews and to assess whether the institutionís reporting to the board on the independent review addressed all IRR SOP elements.

Reliance on Independent Reviews and Management Systems

Independent reviews serve as a significant element of an institutionís interest rate risk management process because such reviews are an objective source of verification and assessment. The absence of or a weak independent review could compromise the integrity, accuracy, and reasonableness of an institutionís interest rate risk measurement system and even the safety and soundness of the institution. Adequate independent review and board oversight increases the FDICís ability to rely on the results of an institutionís interest rate risk measurement system.

FDIC emphasis on the need for examiners to fully assess and conclude on the adequacy of the scope of an institutionís independent review and on the extent of an institutionís reporting to its board on review results could achieve improvement in controls and interest rate risk measurement systems at FDIC-supervised institutions. This is particularly the case in institutions with indicators of elevated interest rate risk, such as those assessed in this audit. In turn, the independent reviews and board reporting could provide the FDIC and examiners greater assurance and reliance on the results of institutionsí interest rate risk management and systems during on-site examinations.

Recommendations on Examiner Assessment of an Institutionís Independent Review and Reporting to the Board of Directors

We recommend that the Director, DSC:

  1. Emphasize to examiners the need to fully assess and conclude on the adequacy of an institutionís independent review and on the adequacy of reporting on the independent review to the institutionís board as warranted by risk.
  2. Advise examiners of the importance of collectively considering the IRR SOP, the DSC Examination Manual, and the Rate Sensitivity ED Module in scoping examination coverage of IRR independent reviews and the institutionís reporting on the independent reviews to its board.




INTEREST RATE RISK TRAINING FOR SUBJECT MATTER EXPERTS AND REGIONAL SPECIALISTS

Our review of available training records8 and follow-up discussions with DSC indicated that some Subject Matter Experts and Regional Specialists had obtained little or no training in recent years in their designated areas of expertiseóinterest rate risk and capital markets. These individuals are an important resource for examiners seeking advice and guidance on an institutionís sensitivity to market risk during the examination process.

Training Guidance

DSC has not established policies or guidelines on the training of interest rate risk and capital markets Subject Matter Experts and Regional Specialists. However, the FDICís Corporate Performance Objectives for 2007 and 2008 identified that the FDIC has a ďResource ManagementĒ objective to ensure that the FDIC has the necessary skills in its workforce, on an ongoing basis, to effectively address current and emerging safety and soundness risk. These corporate performance objectives highlight senior managementís goals in improving the knowledge and depth of employee skills and ensuring the transfer and succession of knowledge.

Also of note, the Government Accountability Office (GAO) issued Standards for Internal Control in the Federal Government, dated November 1999, which contains internal control guidance for the federal government. In part, one of the internal control standards states the following:

All personnel need to possess and maintain a level of competence that allows them to accomplish their assigned duties Ö . Management needs to identify appropriate knowledge and skills needed for various jobs and provide needed training Ö .

In implementing this standard, the GAO recommends, in part, that agencies consider whether an appropriate training program exists to meet the needs of all employees, emphasize the need for continuing training, and have a control mechanism in place to help ensure that all employees receive appropriate training.

Subject Matter Expert and Regional Specialist Training

Based on our review of available training records, we found that 12 (29 percent) of 42 interest rate risk and capital markets Subject Matter Experts (who are also examiners) and Regional Specialists from two regions appeared to have had little or no capital markets training over the last 2 years,9 and in some cases, for up to 5 years. For these examiners, we noted the following:

  • four individuals had no direct capital markets training10 and no indirectly-related training11 within the last 5 years.
  • four individuals had no direct capital markets training within the last 5 years and no indirectly-related training within the last 2 years.
  • four individuals had no direct capital markets training and no indirectly-related training within the last 2 years.

We discussed the lack of recent training with one of the Subject Matter Experts from our sample. She reviewed and verified the accuracy of her training data available from the Corporate University. Additionally, the Subject Matter Expertís Field Supervisor indicated that a similar situation exists with another designated Subject Matter Expert from another field office. Although the Field Supervisor recognized the importance of the Subject Matter Expert positions, he also expressed concern with the need to balance the level of training provided to Subject Matter Experts with the level of time these examiners need to perform examinations.

We also asked DSC to provide information on any additional related training not included in the Corporate Universityís training data for the 12 Subject Matter Experts and Regional Specialists. DSC indicated that two individuals were no longer designated as interest rate risk or capital markets Subject Matter Experts or Regional Specialists. One of the individuals had been designated as a capital markets expert until recently but was not conducting work in that area. In addition, some of the remaining individuals had attended capital markets-related sessions at regional training and other conferences but no extended training in their designated areas of expertise.

Establishment of Policy for Continuing Education

The lack of recent training may be attributable to the lack of expectations and guidance related to the training for Subject Matter Experts and Regional Specialists, who are involved in providing technical support for examination teams. Additionally, DSC indicated that examination scheduling often is a deciding factor as to whether a Subject Matter Expert will be available for specialized training opportunities. We found that DSC has no formal policies for the training of Subject Matter Experts or Regional Specialists. DSC senior managers stated that the experience level and qualification of the individuals who hold those positions varies widely. The managers expressed that establishing more formalized standards and policies in this area would be beneficial and generally supported the idea of providing more consistent training through a shared effort with Corporate University.

Maintenance of Human Capital Resources

Field office Subject Matter Experts are an important resource in an examination of an institutionís sensitivity to market risk because these individuals are the first point of contact for other examiners who are seeking guidance during the examination process. Regional Specialists are also an important resource as a secondary point of contact. In this regard, establishing policies and guidelines for the training of interest rate risk and capital markets Subject Matter Experts and Regional Specialists will help to ensure that examiners have access to effective resources during the examination process. When designated Subject Matter Experts and Regional Specialists do not attend pertinent training to further their understanding and knowledge, they can lose proficiency in their designated area of expertise and diminish the FDICís ability to successfully manage its resources and to ensure the proper succession of knowledge and skills.

Recommendation on Interest Rate Risk Training for Subject Matter Experts and Regional Specialists

We recommend that the Director, DSC:

(3) Establish policies and guidelines for the training of interest rate risk and capital markets Subject Matter Experts and Regional Specialists.




CORPORATION COMMENTS AND OIG EVALUATION

On July 3, 2008, the Director, DSC, provided a written response to the draft of this report. Managementís response is presented in its entirety in Appendix 2. Management concurred with our findings and recommendations. A summary of managementís response to the recommendations is in Appendix 3.

In response to recommendation 1, DSC stated that it will re-emphasize that examination staff should assess and conclude on the adequacy of institutionsí independent reviews, and the reporting of such reviews, as directed by examination guidance. For recommendation 2, DSC stated that it will re-emphasize that examiners should collectively consider outstanding guidance, policies, and examiner resources in risks-coping examination coverage of an institutionís management of its rate sensitivity. Regarding recommendation 3, DSC will recommend the establishment of training policies and guidelines for capital markets Subject Matter Experts and Regional Specialists to the appropriate FDIC training oversight groups and will assist with the development and implementation of the applicable policies and training curriculum.

DSCís planned actions are responsive to our recommendations. The recommendations are resolved but will remain open until we determine that the agreed-to corrective actions have been completed and are responsive.

APPENDIX 1

OBJECTIVE, SCOPE, AND METHODOLOGY

Objectives

The objectives of this audit were to (1) determine whether the FDICís examinations comply with applicable policies and procedures for assessing and addressing an institutionís internal control, review, and audit coverage of the interest rate risk management process; and (2) evaluate the corrective actions pursued when significant weaknesses are reported by examiners.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provided a reasonable basis for our findings and conclusions. We performed the audit from August 2007 through April 2008.

Scope and Methodology

To achieve our objectives we performed the following:

  • Reviewed supervisory examination guidance for coverage of interest rate risk and the issuance of formal and informal corrective actions. In particular, we performed a review of the:
    • FDIC Statement of Policy entitled, Joint Agency Policy Statement on Interest Rate Risk;
    • Risk Management Manual of Examination Policies;
    • Formal and Informal Action Procedures Manual;
    • Case Manager Procedures Manual;
    • ED Modules entitled, Risk Scoping and Rate Sensitivity;
    • Regional Directors Memoranda; and
    • Financial Institution Letters.
  • Reviewed safety and soundness examination reports and working paper documentation on a non-statistical12 sample of 38 institutions related to the examiner assessment of an institutionís internal control, independent review, and audit coverage of the interest rate risk management process; and use of IRRSA reports during the pre-examination planning process. We selected the sample based on institutions that had elevated indicators of interest rate risk.
  • Reviewed safety and soundness examination reports and corresponding corrective actions on a non-statistical sample of 50 institutions for the corrective action provisions pursued when significant weaknesses related to interest rate risk were reported by examiners. The sample was selected based on institutions that had a Sensitivity to Market Risk component rating and a composite rating of ď3,Ē ď4,Ē or ď5.Ē
  • Described and compared the examinersí assessments of an institutionís internal control, review, and audit coverage of the interest rate risk management process against the examination procedures provided in the FDICís policies and procedures noted above.
  • Interviewed DSC officials in Washington, D.C., and regional and field offices; and interviewed Division of Insurance and Research officials in Washington, D.C.
  • Performed our audit work at the FDICís Headquarters offices in Washington, D.C., and the Philadelphia and San Juan Field Offices.

Internal Control

We gained an understanding of the relevant control activities (related to the examination coverage of the Sensitivity to Market Risk component) by reviewing applicable policies and procedures as detailed under the Scope and Methodology section of this report. In particular, we identified that DSC had established the following process controls related to the examination review of the Sensitivity to Market Risk component:

  • Employee training
    • Assistant Examiner Schools
    • On-the-job training
    • Updates and refresher training
  • Examination policies and procedures
    • Pre-examination planning
    • Examiner review and assessment
    • Examiner-in-Charge/Operational Manager Review
    • Field Supervisor/Case Manager Review
    • Institution management response and appeal process
  • DSC's field office and regional office internal reviews

In assessing these controls, we:

  • Reviewed DSCís training policies and directives.
  • Reviewed employee training programs that cover interest rate risk for DSC personnel in various stages of career development, such as assistant examiners/financial institution specialists, commissioned examiners, Subject Matter Experts, and Regional Specialists.
  • Reviewed the recent level of completed training (based on available training records) on interest rate risk by selecting a non-statistical sample of Subject Matter Experts and Regional Specialists. The sample was selected based on all Subject Matter Experts and Regional Specialists identified within the New York and San Francisco regions as of the time of our audit.
  • Reviewed DSCís examination policies and procedures, as noted in the Scope and Methodology section of this report.
  • Reviewed DSCís internal assessment of the safety and soundness examination process Ė concerning the examination of Sensitivity to Market Risk Ė by selecting a non-statistical sample of DSC regional and field office reviews. We selected the sample of DSC regional office reviews from all reviews conducted from 2004 to 2006. We selected the sample of DSC field office reviews from the reviews completed in the New York and San Francisco regions from 2006 to 2007. For the samples selected, we reviewed the Internal Control and Review Sectionís Internal Review Reports, regional and field office review audit programs, and the working papers completed on the field office reviews.

Overall, controls for examiner assessment of interest rate risk appeared to be adequate except for those areas discussed in this report.

Reliance on Computer-processed Information

Our audit objective did not require that we separately assess the reliability of computer-processed information. However, we conducted tests to determine the reliability of computer-processed information obtained from the IRRSA application. Based on our review of information in IRRSA, we noted that the application failed to correctly identify an institutionís ďred flags.Ē We notified DSC of our concerns, and the applicationís software program was corrected during the audit. The processing errors were caused by a recent IRRSA application software update. This condition was not a long-standing problem and did not affect our sample of examinations. For the other aspects of our audit, we did not rely on computer-processed information to support our significant findings, conclusions, or recommendations. Our assessment centered on reviews of PEP Memoranda, ROEs, examination working papers, on-site reviews, and interviews.

Performance Measurement

The Government Performance and Results Act of 1993 directs federal agencies to develop a strategic plan and annual performance goals and objectives to help improve federal program effectiveness and service delivery. In fulfilling the FDICís supervisory responsibilities, the FDIC pursues two strategic goals: (1) FDIC-supervised institutions are safe and sound, and (2) consumersí rights are protected and FDIC-supervised institutions invest in their communities. Related to the safety and soundness strategic goal, there is one strategic objective: FDIC-supervised institutions appropriately manage risk. This strategic objective has various corresponding annual performance goals. Specifically, there are two annual performance goals related to our audit, in that the FDIC will:

  • Conduct on-site risk management examinations to assess the overall financial condition, management practices and policies, and compliance with applicable laws and regulations of FDIC-supervised depository institutions.
  • Take prompt and effective supervisory action to address problems identified during the FDIC examination of FDIC-supervised institutions that receive a composite rating of ď4Ē or ď5Ē (problem institution). Monitor FDIC-supervised and insured depository institutionsí compliance with formal and informal enforcement actions.

Additionally, the FDICís Corporate Performance Objectives for 2007 and 2008 identified that the FDIC has a ďResource ManagementĒ objective to ensure that the FDIC has the necessary skills in its workforce, on an ongoing basis, to effectively address current and emerging safety and soundness risk.

Compliance with Laws and Regulations

In conducting the audit, we considered the following laws and regulations:

  • Federal Deposit Insurance Corporation Improvement Act (FDICIA). This Act (Public Law 102-242) added section 39 to the Federal Deposit Insurance Act (FDI Act) (12 United States Code ß 1811 et seq.), which requires bank regulators to prescribe standards relating to interest rate exposure. FDICIA also contains a provision (section 305(b)) which, as amended in 1994 by Public Law 103-325, required bank regulators to revise, within 18 months, their risk-based capital standards to ensure that those standards take adequate account of interest rate and other risks.
  • FDIC Rules and Regulations, Part 325 Ė Capital Maintenance and Appendix A to Part 325óStatement of Policy on Risk-Based Capital. In order to comply with section 305(b) of FDICIA, Appendix A to Part 325 was revised in 1995, and the Joint Agency Policy Statement on Interest Rate Risk was issued in 1996 to address how interest rate risk will be considered with respect to the adequacy of an institutionís capital. Interest rate risk is also addressed in Appendix C to Part 325óRisk-Based Capital for State Non-Member Banks: Market Risk, published subsequent to the joint agency policy statement.
  • FDIC Rules and Regulations, Part 364 Ė Standards for Safety and Soundness. This regulation and Appendix A to Part 364óInteragency Guidelines Establishing Standards for Safety and Soundness implement section 39 of the FDI Act. Appendix A to Part 364 states that an institution should:
    • Manage interest rate risk in a manner that is appropriate to the size of the institution and the complexity of its assets and liabilities.
    • Provide for periodic reporting to management and the board of directors regarding interest rate risk with adequate information for management and the board to assess the level of risk.
  • FDIC Statements of Policy. Although FDIC SOPs are detailed within the FDICís Rules and Regulations, the SOPs are not technically considered laws or regulations. Regardless, the joint agency policy statement, Joint Agency Policy Statement on Interest Rate Risk, was published on June 26, 1996 to provide guidance to banks regarding prudent interest rate risk management principles and to assist bankers and examiners in evaluating the adequacy of a bankís management of interest rate risk.

In addressing our audit objectives, we did not specifically test for compliance with section 39 nor with FDIC Rules and Regulations parts 325 and 364 or their appendices, and no specific violations were reported within the ROEs sampled, and none came to our attention. However, we did specifically test for compliance with certain sections of the Joint Agency Policy Statement on Interest Rate Risk. The results of our review are discussed throughout this report.

We assessed the risk of fraud and abuse related to the audit objective in the course of evaluating audit evidence.


APPENDIX 2

CORPORATION COMMENTS

FDIC, Federal Desposit Insurance, 550 17th Street, NW, Washington D.C., 20429, Division of Supervision and Consumer Protection.
 
DATE:July 3, 2008
 
TO:Russell A. Rau
Assistant Inspector General for Audits
 
FROM:Sandra L. Thompson [Electronically produced version; original signed by Sandra L. Thompson]
Director
 
SUBJECT:Response to Draft Report Entitled: Examination Assessment of Interest Rate Risk
(Assignment No. 2007-031)
 

This memorandum represents the Federal Deposit Insurance Corporation, Division of Supervision and Consumer Protection's (DSC) response to the draft report entitled Examination Assessment of Interest Rate Risk (Assignment No. 2007-031) (Draft Report), prepared by the FDIC's Office of Inspector General (OIG). We are pleased that the OIG found that FDIC examiners generally complied with applicable policies and procedures for assessing and addressing an institution's internal control, review, and audit coverage of the interest rate risk (IRR) management process, and that informal and formal corrective actions generally addressed significant weaknesses reported by examiners in the area of IRR.

DSC's responses to the report recommendations are discussed below.

OIG Recommendations:

  1. Emphasize to examiners the need to fully assess and conclude on the adequacy of an institution's independent review and on the adequacy of reporting on the independent review to the institution's board as warranted by risk.

DSC concurs. We will re-emphasize that examination staff should assess and conclude on the adequacy of institutions' independent reviews, and the reporting of such reviews, as directed by examination guidance. We will include a discussion of this topic during an upcoming FFIEC Capital Markets Specialists Conference, to be held August 12-15, 2008. The conference includes an "FDIC-only" break-out session which is attended by capital markets subject matter experts and the regional capital markets specialists. Participants will be directed to relay this information to field and regional staff.

  1. Advise examiners of the importance of collectively considering the IRR SOP, the DSC Examination Manual, and the Rate Sensitivity ED Module in scoping examination coverage of IRR independent reviews and the institution's reporting on the independent reviews to its board.

DSC concurs. We will re-emphasize that examiners should collectively consider outstanding guidance, policies and examiner resources in risk-scoping examination coverage of an institution's management of its rate sensitivity. We will include a discussion of this topic during an upcoming FFIEC Capital Markets Specialists Conference, to be held August 12-15, 2008. The conference includes an "FDIC-only" break-out session which is attended by capital markets subject matter experts and the regional capital markets specialists. Participants will be directed to relay this information to field and regional staff.

  1. Establish policies and guidelines for the training of interest rate risk and capital markets Subject Matter Experts and Regional Specialists.

DSC concurs and offers the following action that addresses the intent of your recommendation. We will recommend the establishment of training policies and guidelines for capital markets subject matter experts and regional specialists to the Course Oversight Group and the Training Oversight Committee by August 31, 2008, after which we will assist with development and implementation of policies and training curriculum.







APPENDIX 3

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec. No. Corrective Action: Taken or Planned Expected Completion Date Monetary Benefits Resolved:a Yes or No Open or Closedb
1 DSC will re-emphasize that examination staff should assess and conclude on the adequacy of institutionsí independent reviews, and the reporting of such reviews, as directed by examination guidance. 08/15/2008 $0 Yes Open
2 DSC will re-emphasize that examiners should collectively consider outstanding guidance, policies, and examiner resources in risk-scoping examination coverage of an institutionís management of its rate sensitivity. 08/15/2008 $0 Yes Open
3 DSC will recommend the establishment of training policies and guidelines for capital markets Subject Matter Experts and Regional Specialists to the appropriate FDIC training oversight groups and will assist with the development and implementation of the applicable policies and training curriculum. 08/31/2008 $0 Yes Open
a Resolved Ė (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
b Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.

APPENDIX 4

ACRONYMS USED IN THE REPORT

CAMELS Capital Adequacy, Asset Quality, Management, Earnings, Liquidity, and Sensitivity to Market Risk
DSC Division of Supervision and Consumer Protection
ED Examination Documentation
FDI Act Federal Deposit Insurance Act
FDICIA Federal Deposit Insurance Corporation Improvement Act
FFIEC Federal Financial Institutions Examination Council
GAO Government Accountability Office
IRR Interest Rate Risk
IRR SOP Joint Agency Policy Statement on Interest Rate Risk
IRRSA Interest Rate Risk Standard Analysis
OIG Office of Inspector General
PEP Pre-Examination Planning
ROE Report of Examination
SOP Statement of Policy
UFIRS Uniform Financial Institutions Rating System




Footnotes
1 The FDIC generally initiates informal or formal corrective action against institutions with a composite safety and soundness rating (see footnote 2) of ď3,Ē ď4,Ē or ď5,Ē unless specific circumstances warrant otherwise.

2 Under the Uniform Financial Institutions Rating System (UFIRS), during a regulatory examination, federal regulators assign each financial institution a composite rating based on an evaluation of six essential components of an institution's financial condition and operations: Capital Adequacy, Asset Quality, Management, Earnings, Liquidity, and Sensitivity to Market Risk (CAMELS). A composite rating of 1 through 5 is given, with 1 having the least regulatory concern and 5 having the greatest concern.

3 The FDIC, Board of Governors of the Federal Reserve System, and Office of the Comptroller of the Currency.

4 Refer to the Compliance with Laws and Regulations section in Appendix 1 for further information about the IRR SOP.

5 According to the DSC Examination Manual, an ED Module is an examination tool that focuses on risk management practices and guides examiners to establish the appropriate examination scope. Each module contains a series of decision factors and examination procedures for examiners to consider when evaluating an institutionís risk. The examinerís use of the ED Modules and the need to provide a documented response to individual decision factors and examination procedures is discretionary.

6 A red flag is not an indication of a supervisory concern but rather is intended only to focus examiner attention and to identify potential issues that can be addressed either in the working papers or, if material, in the examination comments.

7IRRSA is not an interest rate risk model and does not attempt to estimate a bankís specific interest rate risk option. Rather, IRRSA is a tool that assists examiner identification of areas that may warrant additional review in the assessment of an institutionís interest rate risk. IRRSAís red flag system identifies institutions that exceed certain thresholds compared to established risk benchmarks.

8 The FDICís Corporate University provided us 5-year training histories for our sample of DSC Subject Matter Experts and Regional Specialists. However, not all training is captured in the Corporate Universityís training server, especially training that is conducted at regional training conferences or at the regional/field offices.

9 In the absence of specific training guidance, we performed our audit assessment based on an assumption that continuing education should be obtained at least once every 2 years. Good business practices suggest that in order to help employees maintain and improve their competence for their assigned positions, a minimum level of continuing education should be sought and maintained.

10 We considered training as ďdirect trainingĒ that was provided by the Federal Financial Institutions Examination Council and that was described as the Capital Markets Conference or the Capital Markets Specialists Conference.

11 We considered ďindirect trainingĒ as training that included any of the following: derivatives, asset-backed securities, interest rate risk, market risk measurement, asset securitization, modeling, supervisory updates, and asset management. Based on discussions with DSC senior management, we also considered training obtained by examiners who attended the Asset Liability Management Models Lab that was conducted by the Chicago Federal Reserve and the Interagency Symposium on Financial Risk Modeling that was sponsored by the FDICís Corporate University.

12 The results of a non-statistical sample cannot be projected to the intended population by standard statistical methods.
Last updated 7/28/2008