Supervisory Insights: Vol. 2, Issue 2 - Winter 2005

Supervisory Insights: Devoted to Advancing the Practice of Bank Supervision

Vol. 2, Issue 2, Winter 2005

Inside:

Model Governance

Identity Theft

Enforcement Actions Against Individuals

Relationship Manager Program

Basel II Capital Impact Study

Supervisory Insights

Supervisory Insights is published by the Division of Supervision and Consumer Protection of the Federal Deposit Insurance Corporation to promote sound principles and best practices for bank supervision.

Donald E. Powell, Chairman

Christopher J. Spoth, Acting Director, Division of Supervision and Consumer Protection

Steven D. Fritts, Executive Editor

Journal Executive Board

Donna J. Gambrell, Deputy Director
John M. Lane, Deputy Director
William A. Stark, Acting Deputy Director
John F. Carter, Regional Director
Doreen R. Eberley, Acting Regional Director
Stan R. Ivie, Regional Director
James D. LaPierre, Regional Director
Scott M. Polakoff, Regional Director
Mark S. Schmidt, Regional Director

Journal Staff

Kim E. Lowry, Managing Editor
Brett A. McCallister, Financial Writer
April G. Schwab, Financial Writer

Supervisory Insights is available online by visiting the FDIC’s website at www.fdic.gov. To provide comments or suggestions for future articles or to request permission to reprint individual articles, send an e-mail to [email protected]. To request print copies, send an e-mail to [email protected].

The views expressed in Supervisory Insights are those of the authors and do not necessarily reflect official positions of the Federal Deposit Insurance Corporation. In particular, articles should not be construed as definitive regulatory or supervisory guidance. Some of the information used in the preparation of this publication was obtained from publicly available sources that are considered reliable. However, the use of this information does not constitute an endorsement of its accuracy by the Federal Deposit Insurance Corporation.

Issue at a Glance

Vol. 2, Issue 2 Winter 2005

Letter from the Director ......................................................... 2

Articles

Model Governance ......................................................... 4
Financial modeling represents an increasingly important management tool for the banking industry; however, the models themselves introduce a new source of risk — the potential to inform management decisions incorrectly. Strong governance procedures can help minimize model risk. This article suggests areas of examiner review when evaluating the adequacy of a bank’s oversight, control, and validation of models.

Online Delivery of Banking Services: Making Consumers Feel Secure ......................................................... 12
Strengthening security for Internet-based financial transactions has become a priority for banks, regulators, and consumers. This article reviews key findings of an FDIC study that evaluates a variety of identity authentication technologies. The article also focuses on interagency guidance requiring insured financial institutions and service providers to address the protection of sensitive customer data and assets as part of the development of Internet banking products and services.

Enforcement Actions Against Individuals: Case Studies ......................................................... 18
Second in a series about the enforcement action process as it applies to individuals, this article discusses two cases of insider misconduct — one of embezzlement and the other of loan fraud. The article highlights internal control weaknesses that facilitated the misconduct and presents an overview of the elements of an effective internal audit program.

Regular Features

From the Examiner’s Desk . . . The FDIC’s Relationship Manager Program: A Win/Win Situation ......................................................... 22
Relationships between banks and their regulators have evolved into an alliance. This article describes the FDIC’s Relationship Manager Program, an initiative that will further strengthen relationships between the FDIC and bank management while continuing to improve the supervision process.

Capital and Accounting News . . . Basel II and the Potential Effect on Insured Institutions in the United States: Results of the Fourth Quantitative Impact Study ......................................................... 27
The Federal banking agencies have focused on the implementation of the Basel II Capital Accord since 1998. Before the United States implements significant changes to capital policy, the proposed rules must be evaluated. This article reviews the Basel II framework and highlights the results of the most recent quantitative impact study.

Regulatory and Supervisory Roundup ......................................................... 33
This feature provides an overview of recently released regulations and supervisory guidance.

1 Supervisory Insights Winter 2005

Letter from the Director

Ask any banker his view on the Basel II rulemaking and you are likely to hear conflicting responses. Given the major changes that will occur in how we measure risk-based capital adequacy at the largest, most sophisticated insured financial institutions, we should anticipate that other banks will scrutinize all aspects of the regulators’ implementation plans. Many comments, including some criticism, have already been delivered by banks that will not be required to adopt Basel II. Why would these bankers take issue with the Basel II text? The most often cited reason is the potential for competitive inequity.

The results of the most recent capital impact study (the fourth Quantitative Impact Study – QIS-4) show Basel II would most likely lead to an unacceptably large decline in capital for the largest banks unless modifications are made (see the Capital and Accounting News feature on page 27 for greater detail on the QIS-4 results). Competing head to head with large banks, holding in some cases a fraction of the capital non-Basel II banks hold on the same loan portfolio, would be a daunting challenge for the nation’s community banks.

At this point, the bank regulatory agencies have two alternatives. The first is to modify the Basel II framework to prevent substantial declines in capital — something the agencies are committed to doing should the QIS-4 results become a reality when Basel II is implemented. The second alternative is to modify the existing capital framework for non-Basel II banks to reduce, among other things, competitive inequities. This Letter focuses on the modification of the existing capital framework for non-Basel II banks.

To better understand the competitive issues Basel II may pose to non-Basel II banks, the agencies began a formal rulemaking dialogue with the banking industry. We did this with the publication of an Advance Notice of Proposed Rulemaking (ANPR) outlining potential changes to the existing risk-based capital regulations. The ANPR was unanimously approved by the FDIC Board of Directors on October 6, 2005, and published in the Federal Register on October 20, 2005.1 The agencies are accepting public comment through January 18, 2006, and welcome a discussion with the industry, policymakers and the public.

The FDIC believes changes to the existing risk-based capital framework are necessary in order to address concerns about competitive equity, as well as many of the concerns about the risk-based capital framework generally. The proposals in the ANPR, commonly referred to as Basel 1A, are designed to be the first step toward modernizing the risk-based capital framework to ensure it remains a reliable measure of the risk, as well as minimize potentially material differences in capital requirements likely to emerge once Basel II is implemented by the largest banks.

One key proposal set forth in the ANPR addresses modifications to the existing capital requirements on residential mortgages. It is generally accepted by the bank regulatory community that Basel II banks will recognize substantial capital reductions on their residential mortgage portfolio. For non-Basel II banks, the ANPR suggests basing the risk weights for mortgages on loan-to-value ratios, a simple and straightforward measure of risk. For prudently underwritten mortgages with a loan-to-value ratio of 80 percent, the ANPR considers reducing the risk weight from 50 percent to 35 percent. Mortgages with even lower loan-to-value ratios could have risk weights as low as 20 percent. The residential mortgage proposal shows willingness by the regulators to address concerns raised by community banks. In fact, this proposal is based largely on suggestions made by several of our FDIC-supervised banks.

1 This proposal is available at www.fdic.gov/news/news/press/2005/pr10505.html. Also see Federal Register: October 20, 2005 (Volume 70, Number 202), Page 61068-61078.

The ANPR includes other specific proposals, such as increasing the number of risk-weight categories from five to nine, expanding the use of external credit rates, and widening the range of collateral and guarantors that may qualify an exposure for a lower risk weight. Such proposals are intended to encourage community banks to consider using risk mitigating techniques that lower their overall credit risk profile. In other areas, the ANPR is more open-ended, discussing concepts for promoting greater risk sensitivity in other business lines where risk measurement factors are not well defined or universally applied, such as with unrated commercial loans and certain retail loans.

In addition, the ANPR proposes modifications to the existing risk-based capital rules where quantitative factors used to measure the risk associated with a given product or exposure can be readily articulated. Examples of these changes include modifying the credit conversion factors for various commitments, including those with an original maturity of less than one year; increasing the risk weight of certain loans 90 days or more past due or in non-accrual status; and increasing the risk sensitivity of commercial real estate, retail, multifamily, small business, and commercial exposures.

While developing a more risk sensitive framework is important from a competitive equity perspective, the agencies want to ensure the burden generated by our proposals is commensurate with the benefit. In this respect, we believe most, if not all, of the proposals discussed in the ANPR could be applied using readily available information. However, we have asked for comment on whether the trade-off of a more risk-sensitive capital framework is justified by the amount of any additional burden that may be generated by its implementation. To prevent undue burden, we are looking for ways to make the application of any new capital rules more flexible. In addition, we are asking for comments on whether some community banks should be allowed to maintain “status quo” and opt out of any new framework altogether. Community banks operating with capital ratios well in excess of their minimums may suggest that we pursue this “status quo” option.

The FDIC is encouraging careful consideration of the implications of the proposals included in the ANPR. In addition to comments on the specific proposals set forth in the ANPR, we would welcome any alternatives or suggestions that will promote the development of more comprehensive proposals. Examiners should keep informed as the Basel 1A and Basel II approaches develop. Supervisory Insights is one source of information, and this issue’s Capital and Accounting News column discusses the results of the most recent Basel II quantitative impact study (QIS-4).

Christopher J. Spoth

Acting Director, Division of Supervision and Consumer Protection

Model Governance

Financial modeling is increasingly important to the banking industry, with almost every institution now using models for some purpose. Although the use of models as a management tool is a significant advance for the industry, the models themselves represent a new source of risk — the potential for model output to incorrectly inform management decisions.

Although modeling necessarily involves the opportunity for error, strong governance procedures can help minimize model risk by

■ Providing reasonable assurance the model is operating as intended;

■ Contributing to ongoing model improvement to maintain effectiveness; and

■ Promoting better management understanding of the limitations and potential weaknesses of a model.

This article briefly discusses the use of models in banking and describes a conceptual framework for model governance. In addition, the article suggests possible areas of examiner review when evaluating the adequacy of an institution’s model oversight, controls and validation practices.

Use of Models in the Banking Industry

Fundamentally, financial models describe business activity, predicting future or otherwise unknown aspects of that activity. Models can serve many purposes for insured financial institutions, such as informing decision making, measuring risk, and estimating asset values. Some examples:

■ Credit scoring models inform decision making, providing predictive information on the potential for default or delinquency used in the loan approval process and risk pricing

■ Interest rate risk models measure risk, monitoring earnings exposure to a range of potential changes in rates and market conditions

■ Derivatives pricing models estimate asset value, providing a methodology for determining the value of new or complex products for which market observations are not readily available

In addition, models play a direct role in determining regulatory capital requirements at many of the nation’s largest and most complex banking organizations. Some of these institutions already use value-at-risk models to determine regulatory capital held for market risk exposure.1 At institutions adopting the Basel II capital standards when finalized, financial models will have a much expanded role in establishing regulatory capital held for all risk types.

Not all models involve complex mathematical techniques or require detailed computer programming code. This does not, however, diminish their potential importance to the organization. For example, many banks use spreadsheets that capture historical performance, current portfolio composition, and external factors to calculate an appropriate range for the allowance for loan and lease losses. Although at first glance this may not appear to be a “model,” the output from such spreadsheets directly contributes to preparation of the institution’s reported financial statements, and some controls are necessary, given the seriousness of any potential errors.

Model Governance

Institutions design and implement procedures to help ensure models achieve their intended purpose. The necessary rigor of procedures is specific to each model. An institution’s use of and reliance on a model determines its importance and, in turn, establishes the level of controls and validation needed for that model. For some simple spreadsheet models, controls and validation may consist of a brief operational procedures document; password protection on the electronic file; and periodic review by internal audit for accuracy of the data feeds, formulas, and output reporting. While procedures will vary, certain core model governance principles typically will apply at all institutions (see Figure 1):

1 Institutions with $1 billion or more in trading assets are subject to the 1996 Market Risk Amendment to risk-based capital regulations.

■ The board establishes policies providing oversight throughout the organization commensurate with overall reliance on models.

■ Business line management2 provides adequate controls over each model’s use, based on the criticality and complexity of the model.

■ Bank staff or external parties with appropriate independence and expertise periodically validate that the model is working as intended.

■ Internal audit tests model control practices and model validation procedures to ensure compliance with established policies and procedures.

Supervisory Review of Models

With the industry’s growing reliance on financial modeling, regulators are devoting additional attention to model governance.3 Examiners do not typically review controls and validation for all models, but instead select specific models in connection with the supervisory review of business activities where model use is vital or increasing.

The evaluation of model use and governance often becomes critical to the regulatory assessment of risk in the reviewed activities. For example, many banks have completely integrated the use of credit scoring models into their retail and small business lending. Model results play a significant role in underwriting, contributing to the decisions to make loans and price loans for credit risk. Model results also typically are used to assign credit risk grades to loans, providing vital information used in risk management and the determination of the allowance for loan and lease losses. Therefore, examiner assessment of credit risk and credit risk management at banks that use integrated credit scoring models requires a thorough evaluation of the use and reliability of the scoring models.

Figure 1: Model Risk Governance Framework. Oversight (Board and Senior Management): Policies; Roles and Responsibilities; Model Inventories. Controls (Line of Business Management): Model Documentation; Data Integrity; Change Control; Security Controls. Validation (Model Validation Resources): Developmental Evidence; Process Verification; Outcome Analysis. Internal Audit: tests control practices and validation procedures.

2 Providing for appropriate controls may be the responsibility of senior management at smaller organizations.

3 OCC Bulletin 2000-16, “Risk Modeling,” (May 30, 2000) is the primary source for formal regulatory guidance on model governance, available at www.occ.treas.gov/occ_current.htm.

Although the supervisory review of model use and governance may sometimes require quantitative or information technology specialists for some complex models, examiners can perform most model reviews. Even when specialists are used, model review does not occur in isolation; the specialist’s evaluation of mathematical theories or program coding is integrated into the examiner’s assessment of model use. Regulatory review typically focuses on the core components of the bank’s governance practices by evaluating model oversight, examining model controls, and reviewing model validation (see Figure 2). Such reviews also would consider findings of the bank’s internal audit staff relative to these areas.

Model Oversight

When evaluating board and senior management oversight, examiners typically

■ Review model governance policies to determine (1) if the policies are adequate for the bank’s level of model use and control, and (2) if validation procedures used for individual models comply with established policies; and

■ Review the bank’s model inventory for accuracy and completeness.

Model policies: A single board-approved policy governing models may suffice for many banks, although those with greater reliance on financial modeling may supplement the board-approved policy with more detailed policies for each line of business. Such policies typically

■ Define a model, identifying what components of management information systems are considered subject to model governance procedures;

■ Establish standards for controls and validation, either enterprise-wide minimum standards or, alternatively, varying levels of expected controls and validation based on model criticality and complexity;

■ Normally require verification of control procedures and independent validation of model effectiveness before a model is implemented;4 and

■ Generally define the roles of management, business line staff, internal audit, information technology staff, and other personnel relative to model development and acquisition, use, controls, and validation responsibilities.

Figure 2: Suggested Framework for the Supervisory Review of Models. Regulatory Evaluation of Model Oversight: Policies; Inventories. Regulatory Examination of Model Controls: Model Documentation; Data Integrity; Security and Change Control. Regulatory Review of Model Validation: Developmental Evidence; Process Verification; Outcome Analysis.

Model inventories: Banks of any size or complexity benefit from maintaining an inventory of all models used. The inventory should catalogue each model and describe the model’s purpose, identify the business line responsible for the model, indicate the criticality and complexity of the model and the status of the model’s validation, and summarize major concerns identified by validation procedures or internal audit review. Periodic management attestation to the accuracy and completeness of the model inventory is a strong practice to help ensure that the inventory is appropriately maintained.

Model Control Practices

When examining controls around individual models, regulators

■ Review model documentation for (1) discussion of model theory, with particular attention to model limitations and potential weaknesses, and (2) operating procedures;

■ Review data reconciliation procedures and business line analysis of model results; and

■ Evaluate security and change control procedures.

By conducting their own review of model documentation and controls, examiners gain a stronger understanding of the model’s process flow. This understanding enables examiners to test the findings of the bank’s validation and internal audit review against their own observations.

Model documentation: Documentation provides a thorough understanding of how the model works (model theory) and allows a new user to assume responsibility for the model’s use (operational procedures). Each model should have appropriate documentation to accomplish these two objectives, with the level of documentation determined by the model’s use and complexity. Generally, elements of documentation include:

■ A description of model purpose and design.

■ Model theory, including the logic behind the model and sensitivity to key drivers and assumptions.

■ Data needs.

■ Detailed operating procedures.

■ Security and change control procedures.

■ Validation plans and findings of validations performed.

4 Banks may sometimes face compelling business reasons to use models prior to completion of these tasks. For example, trading of certain complex derivative products often relies on rapidly evolving valuation models. Management may, in some instances, decide the potential return from such activities justifies the additional risk accepted through the use of a model that has not been validated. In such cases, management should

• Specifically approve the temporary use of an unvalidated model for the product.

• Formalize plans for a thorough validation of the model, including a specific time frame for completion.

• Establish limits on risk exposures, such as limiting the volume of trades that are permitted before validation is completed.

Data integrity: Maintaining data integrity is vital to model performance. Much of the information used in a model is electronically extracted or manually input from source systems; either approach provides opportunity for error. Business line management is responsible for the regular reconciliation of source system information with model data to ensure accuracy and completeness.5

Data inputs need to be sufficient to provide the level of data consistency and granularity necessary for the model to function as designed. Data lacking sufficient granularity, such as product- or portfolio-level information, may be inadequate for models that use drivers and assumptions associated with transaction-level data. For example, the robustness of an interest rate risk model designed to use individual security-level prepayment estimates could be compromised by the use of an average prepayment speed for aggregate mortgage-backed securities held in the investment portfolio.

Security and change control: Key financial models should be subject to the same controls as those used for other vital bank software. Security controls help protect software from unauthorized use or alteration and from technological disruptions. Change control helps maintain model functionality and reliability as ongoing enhancements occur.

Some level of security control is generally appropriate for all financial models. Security controls limit access to the program to authorized users and appropriate information technology personnel. Control can be maintained by limiting physical or electronic access to the computer or server where the program resides and by password protection. The institution should have backup procedures to recover important modeling programs in the event of technological disruption.

Change control may be necessary only for complex models. Such procedures are used to ensure all changes are justified, properly approved, documented, and verified6 for accuracy. Events covered by such procedures include the addition of new data inputs, changes in the method of data extraction from source systems, modifications to formulas or assumptions, and changes in the use of the model output. Typically, proposed changes are submitted for approval by business line management before any alterations to the model are initiated. To maintain up-to-date documentation, staff may log all changes made to the model, including the date of the change, a description of the change, initiating personnel, approving personnel, and verification.

When model importance and complexity are high, management may choose to run parallel models — prechange and postchange. Doing so will assist in determining the model’s sensitivity to the changes. Changes significantly affecting model output, as measured by such sensitivity analysis, may trigger the need for accelerated validation.
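The change-control elements described above (approval by business line management before any alteration, a log of date, description, initiating, approving and verifying personnel, and a parallel prechange/postchange run whose sensitivity can trigger accelerated validation) can be expressed as a small program. The following is an added example, not code from the article or the FDIC; the separation-of-duties rule (the initiator may neither approve nor verify), the 10 percent sensitivity threshold, the toy allowance model, and all names and figures are assumptions made for illustration.

```python
"""Added example, not code from the FDIC article: a minimal change-control log
for a financial model. It follows the elements the article lists (approval by
business line management before any alteration, a log of date, description,
initiating, approving and verifying personnel, and a parallel pre-change /
post-change run to measure sensitivity). Names, thresholds and sample data are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

Portfolio = Dict[str, float]          # risk grade -> outstanding balance
Model = Callable[[Portfolio], float]  # a model maps a portfolio to one output


@dataclass
class ChangeRecord:
    change_id: str
    description: str
    initiated_by: str
    requested_on: date
    approved_by: Optional[str] = None
    verified_by: Optional[str] = None
    sensitivity: Optional[float] = None  # largest relative output shift in the parallel run


class ChangeControlError(Exception):
    """Raised when a step is attempted out of order or by the wrong person."""


def parallel_run_sensitivity(old_model: Model, new_model: Model,
                             inputs: List[Portfolio]) -> float:
    """Run both versions on the same inputs; return the largest relative change
    in output. A zero pre-change output counts as a full (1.0) shift if the
    post-change output differs, so a change cannot hide behind a zero."""
    worst = 0.0
    for portfolio in inputs:
        before, after = old_model(portfolio), new_model(portfolio)
        if before == 0:
            shift = 0.0 if after == 0 else 1.0
        else:
            shift = abs(after - before) / abs(before)
        worst = max(worst, shift)
    return worst


class ModelChangeLog:
    """Hypothetical policy: the initiator may neither approve nor verify the
    change (verification by another party, as footnote 6 suggests), and a
    sensitivity above the threshold triggers accelerated validation."""

    def __init__(self, sensitivity_threshold: float = 0.10):
        self.threshold = sensitivity_threshold
        self.records: Dict[str, ChangeRecord] = {}

    def propose(self, change_id: str, description: str, initiated_by: str,
                requested_on: date) -> ChangeRecord:
        rec = ChangeRecord(change_id, description, initiated_by, requested_on)
        self.records[change_id] = rec
        return rec

    def approve(self, change_id: str, approver: str) -> ChangeRecord:
        rec = self.records[change_id]
        if approver == rec.initiated_by:
            raise ChangeControlError("initiator may not approve own change")
        rec.approved_by = approver
        return rec

    def apply_and_verify(self, change_id: str, verifier: str, old_model: Model,
                         new_model: Model, inputs: List[Portfolio]) -> ChangeRecord:
        rec = self.records[change_id]
        if rec.approved_by is None:
            raise ChangeControlError("change must be approved before the model is altered")
        if verifier == rec.initiated_by:
            raise ChangeControlError("verification must be performed by another party")
        rec.sensitivity = parallel_run_sensitivity(old_model, new_model, inputs)
        rec.verified_by = verifier
        return rec

    def needs_accelerated_validation(self, change_id: str) -> bool:
        rec = self.records[change_id]
        return rec.sensitivity is not None and rec.sensitivity > self.threshold


# Constructed toy model: allowance estimate = sum of balance * loss rate by grade.
def allowance_model(loss_rates: Dict[str, float]) -> Model:
    return lambda portfolio: sum(bal * loss_rates.get(grade, 0.0)
                                 for grade, bal in portfolio.items())


OLD_RATES = {"pass": 0.01, "watch": 0.05, "substandard": 0.20}
NEW_RATES = {"pass": 0.01, "watch": 0.05, "substandard": 0.30}  # the proposed change
SAMPLE_PORTFOLIOS = [                        # constructed inputs for the parallel run
    {"pass": 1000.0, "watch": 200.0, "substandard": 50.0},
    {"pass": 5000.0},
]


def run_demo() -> ChangeRecord:
    log = ModelChangeLog()
    log.propose("CR-1", "raise substandard loss rate to 30%", "analyst_a", date(2005, 11, 1))
    log.approve("CR-1", "bl_manager")
    return log.apply_and_verify("CR-1", "analyst_b", allowance_model(OLD_RATES),
                                allowance_model(NEW_RATES), SAMPLE_PORTFOLIOS)


if __name__ == "__main__":
    print(run_demo())
```

On the sample portfolios the parallel run reports a worst-case output shift of one sixth (the first portfolio's allowance moves from 30 to 35), which exceeds the assumed 10 percent threshold and so would be flagged for accelerated validation; the second portfolio, holding no substandard loans, shows no change, which is why sensitivity is measured across several inputs rather than one.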


5 For example, the regular verification of data integrity for a value-at-risk model likely would include the following:

• Reconciliation of trading account exposures in source information systems with model inputs to ensure that all trading positions are being captured and accurately incorporated into the model.

• Reconciliation of model outputs with model inputs to ensure all data inputs are being appropriately used, with particular attention to handling missing, incomplete, or erroneous data fields that serve as risk drivers in the computation of value-at-risk for each trading position.

6 Optimally, all changes to models should be verified by another party to ensure the changes were made accurately and within the guidelines of the approval. This does not constitute validation, but merely verification that approved changes were made correctly.
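The two reconciliations footnote 5 describes (source system exposures against model inputs, and model inputs against model outputs, with attention to missing or erroneous risk-driver fields) are shown below as an added example that is not code from the article or the FDIC. The position records, the two risk-driver field names, the notional tolerance and the way the hypothetical model reports which positions it used are all constructed for illustration.

```python
"""Added example, not code from the FDIC article: the data-integrity
reconciliation that footnote 5 describes for a value-at-risk model, run on
constructed sample records. It (1) compares trading positions in the source
system with the model's input file (positions missing, unexpected, or with a
changed notional), (2) checks that each risk-driver field is present and sane,
and (3) confirms that every input the model received actually reached its
output. Field names, tolerances and data are assumptions for illustration."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RISK_DRIVERS = ("volatility", "dv01")   # hypothetical fields the VaR calculation depends on


@dataclass
class Position:
    trade_id: str
    notional: float
    drivers: Dict[str, Optional[float]] = field(default_factory=dict)


@dataclass
class ReconciliationReport:
    missing_in_model: List[str] = field(default_factory=list)     # in source, not in inputs
    not_in_source: List[str] = field(default_factory=list)        # in inputs, not in source
    notional_mismatch: List[Tuple[str, float, float]] = field(default_factory=list)
    bad_drivers: List[Tuple[str, str]] = field(default_factory=list)
    dropped_by_model: List[str] = field(default_factory=list)     # input never reached output

    def clean(self) -> bool:
        return not (self.missing_in_model or self.not_in_source or self.notional_mismatch
                    or self.bad_drivers or self.dropped_by_model)


def driver_is_valid(value) -> bool:
    """A missing, non-numeric, NaN, infinite or negative risk driver is erroneous."""
    return (isinstance(value, (int, float)) and not isinstance(value, bool)
            and math.isfinite(value) and value >= 0)


def reconcile(source: List[Position], model_inputs: List[Position],
              model_output_ids: List[str], notional_tolerance: float = 0.01) -> ReconciliationReport:
    src = {p.trade_id: p for p in source}
    inp = {p.trade_id: p for p in model_inputs}
    out = set(model_output_ids)
    rep = ReconciliationReport()
    # Source system vs model inputs: every position captured, none invented, amounts agree.
    rep.missing_in_model = sorted(src.keys() - inp.keys())
    rep.not_in_source = sorted(inp.keys() - src.keys())
    for tid in sorted(src.keys() & inp.keys()):
        if abs(src[tid].notional - inp[tid].notional) > notional_tolerance:
            rep.notional_mismatch.append((tid, src[tid].notional, inp[tid].notional))
    # Risk drivers: a missing or erroneous field would silently distort VaR.
    for tid, p in sorted(inp.items()):
        for name in RISK_DRIVERS:
            if not driver_is_valid(p.drivers.get(name)):
                rep.bad_drivers.append((tid, name))
    # Model inputs vs model outputs: nothing dropped on the way through.
    rep.dropped_by_model = sorted(inp.keys() - out)
    return rep


# Constructed sample data (not real positions).
SOURCE = [
    Position("T1", 1_000_000.0, {"volatility": 0.20, "dv01": 850.0}),
    Position("T2", 500_000.0, {"volatility": 0.15, "dv01": 410.0}),
    Position("T3", 250_000.0, {"volatility": 0.30, "dv01": 95.0}),
    Position("T5", 75_000.0, {"volatility": 0.10, "dv01": 20.0}),
]
MODEL_INPUTS = [
    Position("T1", 1_000_000.0, {"volatility": 0.20, "dv01": 850.0}),
    Position("T2", 50_000.0, {"volatility": 0.15, "dv01": 410.0}),   # notional mis-keyed
    Position("T3", 250_000.0, {"volatility": None, "dv01": 95.0}),   # missing risk driver
    Position("T4", 10_000.0, {"volatility": 0.25, "dv01": 12.0}),    # stale, no longer in source
]
MODEL_OUTPUT_IDS = ["T1", "T2", "T4"]   # T3 silently skipped by the model


def run_demo() -> ReconciliationReport:
    return reconcile(SOURCE, MODEL_INPUTS, MODEL_OUTPUT_IDS)


if __name__ == "__main__":
    print(run_demo())
```

Each finding maps to one of the footnote's concerns: T5 is a position the model never captured, T4 is an input with no counterpart in the source system, T2 was incorporated with the wrong amount, T3 carries a missing risk driver and was then dropped without any error, which is exactly the kind of silent omission the second reconciliation is meant to catch.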


Model Validation

Validation should not be thought of as a purely mathematical exercise performed by quantitative specialists. It encompasses any activity that assesses how effectively a model is operating. Validation procedures focus not only on confirming the appropriateness of model theory and accuracy of program code, but also test the integrity of model inputs, outputs, and reporting.

Validation is typically completed before a model is put into use and also on an ongoing basis to ensure the model continues to perform as intended. The frequency of planned validation will depend on the use of the model and its importance to the organization. The need for updated validation could be triggered earlier than planned by substantive changes to the model, to the data, or to the theory supporting model logic.

Examiners do not validate bank models; validation is the responsibility of the bank. However, examiners do test the effectiveness of the bank’s validation function by selectively reviewing various aspects of validation work performed on individual models.7 When reviewing validation, examiners

■ Evaluate the scope of validation work performed;

■ Review the report summarizing validation findings and any additional work papers needed to understand findings;

■ Evaluate management’s response to the report summarizing the findings, including remediation plans and time frames; and

■ Assess the qualifications of staff or vendors performing the validation.

This process is analogous to regulatory review of bank lending. When looking at loan files, examiners do not usually rely exclusively on the review work performed by loan officers and loan review staff, but also look at original financial statements and other documents to verify the loan was properly underwritten and risk graded. Similarly, examiners review developmental evidence, verify processes, and analyze model output not to validate the model, but to assess the adequacy of the bank’s ongoing validation (see Figure 3).

Components of Validation:

■ Developmental evidence: The reviewof developmental evidence focuses onthe reasonableness of the conceptualapproach and quantification tech-niques of the model itself. This reviewtypically considers the following:• Documentation and support for the

appropriateness of the logic andspecific risk quantification tech-niques used in the model.

• Testing of model sensitivity to keyassumptions and data inputs used.

• Support for the reasonableness andvalidity of model results.

• Support for the robustness ofscenarios used for stress testing,when stress testing is performed.

■ Process verification: Process verifica-tion considers data inputs, the work-ings of the model itself, and modeloutput reporting. It includes an evalu-ation of controls, the reconciliation ofsource data systems with modelinputs, accuracy of program coding,and the usefulness and accuracy ofmodel outputs and reporting. Suchverification also may include bench-marking of model processes againstindustry practices for similar models.

■ Outcome analysis: Outcome analysis focuses on model output and reporting to assess the predictiveness of the model. It may include both qualitative and quantitative techniques:

• Qualitative reasonableness checks consider whether the model is generally producing expected results.

• Back-testing is a direct comparison of predicted results to observed actual results.

• Benchmarking of model output compares predicted results generated by the model being validated with predicted results from other models or sources.

7 This review may require the use of quantitative specialists, depending on the complexity of the model.

Expertise and independence of model staff: The criticality and complexity of a model determine the level of expertise and independence necessary for validation staff, as well as the scope and frequency of validations. The more vital or complex the model, the greater the need for frequent and detailed validations performed by independent, expert staff.

The complexity of some models may require validation staff to have specialized quantitative skills and knowledge. The extent of computer programming in the model design may require specialized technological knowledge and skills as well.

Optimally, validation work is performed by parties completely independent from the model’s design and use. They may be an independent model validation group within the bank, internal audit, staff with model expertise from other areas of the bank, or an external vendor. However, for some models with limited importance, achieving complete independence while maintaining adequate expertise may not always be practical or necessary. In such cases, however, management and internal audit should pay particular attention to the appropriateness of scope and procedures.

Validation work can incorporate combinations of model expertise and skill levels. For example, management may rely on the bank’s own internal audit staff to verify the integrity of data inputs, adequacy of model controls, and appropriateness of model output reporting, while using an outside vendor with model expertise to validate a model’s theory and code.

Third-party validation: Vendors are sometimes used to meet the need for a high level of independence and expertise. They can bring a broad perspective from their work at other financial institutions, providing a useful source for theory and process benchmarking. When using external sources to validate models, appropriate bank personnel should determine that vendor review procedures meet policy standards and are appropriate to the specific model.

Figure 3: Ongoing Validation

[Figure: data flows from various source systems, as extracted data, into the model (theory, drivers and assumptions, calculations), which produces model output reports to end users and model output data used in validation. Three validation activities are shown: Process verification (mapping of source systems to model inputs performed to ensure accuracy and completeness); Developmental evidence (model structure and assumptions are optimized); Outcome analysis (back-testing/benchmarking results used to improve model).]

Banks sometimes use third parties for validation when they purchase vendor models. The validation of the model theory, mathematics, assumptions, and code for purchased models can be complicated, as vendors sometimes are unwilling to share key model formulas and assumptions or program code with clients. In such cases, vendors typically supply clients with validation reports performed by independent parties. Such work can be relied on if management has adequate information to determine the scope is adequate and findings are appropriately conveyed to and acted on by the model vendor. Management may also increase its comfort with vendor-supplied models through a greater emphasis on regular outcome analysis. However, management cannot rely exclusively on a vendor’s widespread industry acceptance as evidence of reliability.

Supervisory Evaluation of Model Use and Governance

Bank management is responsible for establishing an effective model governance program to recognize, understand, and limit the risks involved in the use of these important management tools. The examiner’s role is to evaluate model use and governance practices relative to the institution’s complexity and the overall importance of models to its business activities. Examiners incorporate their findings into their assignment of supervisory ratings to the bank.

For example, regulatory guidelines for rating the sensitivity to market risk component under the Uniform Financial Institutions Rating System include an assessment of management’s ability to identify, measure, monitor, and control exposure to changes in interest rates or market conditions.8 Any significant examiner concerns with the effectiveness of a model used to measure and monitor this risk, such as the failure to validate the model or a lack of understanding of model output, would have some negative effect on the rating. Conversely, if the model improves interest rate risk management, this would be positively reflected in the rating.

Other component ratings also can be influenced by model use, such as the evaluation of credit scoring models’ effects on loan underwriting procedures and credit risk management in assigning an asset quality rating. The management component rating also may be influenced if governance procedures over critical models are weak.

The use of financial modeling in the banking industry will continue to expand. By necessity, supervisory attention to the adequacy of governance practices designed to assess and limit associated model risk also will increase.

Robert L. Burns, CFA, CPA

Senior Examiner

Potential bank governance practices and supervisory activities described in this article are consistent with existing regulatory guidance, but represent the thoughts of the author and should not be considered regulatory policy or formal examination guidance.


8 Relative to the evaluation of a bank’s sensitivity to market risk, the FDIC Manual of Examination Policies states, “While taking into consideration the institution’s size and the nature and complexity of its activities, the assessment should focus on the risk management process, especially management’s ability to measure, monitor, and control market risk,” available at www.fdic.gov/regulations/safety/manual/section7-1.html#rating.

Online Delivery of Banking Services: Making Consumers Feel Secure

Much media attention recently has been focused on identity theft. Some of this publicity may suggest the Internet has evolved from a trusted tool for conducting research and legitimate business transactions to a medium whereby consumers’ sensitive personal information can be stolen and used for criminal purposes. Social Security and credit card numbers, as well as bank account access data (such as passwords), are examples of some of the most sought-after information, providing perpetrators of identity theft access to bank balances and credit lines.

Many insured financial institutions rely heavily on the Internet to reach their customers, offering a wide variety of online banking services. In some cases, this practice has allowed banks and thrifts to consider scaling back brick-and-mortar facilities and staff required to conduct face-to-face banking transactions. However, security and privacy issues loom large in the minds of Internet users (see Chart 1). If financial institutions are to retain existing customers and attract new ones, they must create an online banking experience in which customers feel secure and have confidence their assets and personal information will not be compromised.

Highlighting another area of concern to customers of financial institutions, the results of a survey conducted by the Gartner Group in June 20051 show “the number of phishing attack e-mail recipients grew 28 percent this year….These and other breaches are exacting a steep toll on consumer confidence and will inhibit three-year e-commerce growth rates by 1 percent to 3 percent.”2 Issues concerning online users are highlighted in Chart 2, which emphasizes the level of concern about fraud and identity theft.

1 Avivah Litan, “Increased Phishing and On-Line Attacks Cause Dip in Consumer Confidence,” Gartner (June 22, 2005).

2 The common phishing scenario is sending a fake e-mail (e-mail spoofing) purporting to come from a legitimate source and requesting information (such as a bank account number and password) or directing the victim to a fake Internet site where this information can be captured.


Chart 1: Concerns Are Affecting Online Financial Behavior

To what extent do you agree with the following statement: “Concern about phishing has caused me to…”

Not apply online for a financial product: 26 percent

Stop using online banking or bill pay: 14 percent

Not enroll in online banking or bill pay: 19 percent

No longer open emails that say they are from my financial provider: 20 percent

Base: US online consumers who answered “agree” or “strongly agree.” Source: Forrester’s Consumer Technographics® August 2004 North American Finance Online Study.


Concerns such as those identified in the Gartner Group survey and the high level of interest in preventing identity theft and safeguarding consumers’ personal financial information prompted the FDIC to conduct its own study. The results of the study were released in mid-December 2004 in a publication entitled Putting an End to Account-Hijacking Identity Theft.3

The study has fostered debate among bankers, consumers, and regulators about how the risks posed by Internet-based financial services can be minimized. Following the publication of the study, the FDIC conducted several identity theft symposia featuring representatives from the banking industry, regulatory agencies, and consumer groups.4 Participants considered the implications of conducting business on the Internet and initiatives for enhancing Internet security. Discussion focused on the areas of consumer privacy and protections, maintaining trust in the financial services industry, and the potential burden on smaller insured institutions that rely on external Internet service providers.

The overarching sentiment expressed during the symposia is that the problem of identity theft is not going away anytime soon. Although consumer protections are becoming more effective, hackers are becoming more sophisticated as well. In addition, while consumers want tightened security, they often are not willing to pay for it either through increased fees or any loss of convenience.

Many symposia participants recognized the banking industry must do a better job of self-regulating, for example, strengthening standards requiring companies to notify consumers whose data may have been lost or stolen. Participants acknowledged banks must do everything possible to prevent high-profile security breaches, such as those at ChoicePoint, LexisNexis, and Bank of America. Should more of these incidents occur in the near term, the public may call for greater Federal government intervention, such as regulating where and how Social Security numbers are available on the Internet. Consumers also could be given the right to have their confidential information removed from computer systems of companies that have processed transactions for them or from systems maintained by data-brokering firms.

Chart 2: Online Users Are Concerned Personal Information Will Be Compromised

Unauthorized access to credit report, other data: 50 percent

Computer viruses, other online attacks: 40 percent

Spyware: 35 percent

Phishing: 27 percent

Source: Gartner Group, June 22, 2005, survey.

3 Federal Deposit Insurance Corporation, Putting an End to Account-Hijacking Identity Theft (December 14, 2004) available at www.fdic.gov/news/news/financial/2004/fil13204.html. A supplement to the study was released in June 2005 and is available at www.fdic.gov/news/news/financial/2005/fil5905.html. For purposes of this article, the results of the study and the supplement will be discussed as the results of the “study.”

4 The symposia were conducted in 2005 in Washington, D.C., (February 11), Atlanta (May 13), Los Angeles (June 17), and Chicago (September 22).

Another area of significant interest that emerged during the symposia relates to mitigating the level of risk inherent in conducting online transactions. Key questions posed during the symposia fall into four categories:

■ Risk reduction and risk mitigation — What tools, policies, and procedures have proven most effective and can be considered best practices?

■ Risk transference — Can insurance policies be designed to help protect consumers engaging in online financial transactions?

■ Risk acceptance — Even though the goal of bankers and regulators is to minimize the level of risk inherent in online financial transactions, some level of risk always exists. How much risk are consumers willing to accept?

■ Risk avoidance — How can the banking industry and regulators ensure consumers’ confidential information is shared only with those who need it?

The following sections summarize the results of the FDIC study and key components of recently issued interagency guidance focusing on authentication5 in an Internet environment.

What Level of Authentication Is Appropriate?

The FDIC study finds that traditional passwords consumers use to access their bank accounts via the Internet are too easily compromised and no longer represent an effective means to authenticate users. Once an Internet thief steals a password through phishing e-mails or other techniques, the consumer’s accounts and personal information are at risk.

The study suggests a risk-based approach to identifying specific weaknesses in an insured institution’s Internet banking system. For example, if online customers can view only non-sensitive information and are unable to transfer funds, the risk of harm to the customer is lower and, consequently, a less robust authentication method would be appropriate. On the other hand, if customers can transfer funds to other parties, this higher-risk transaction requires strong authentication procedures.

Authentication is based on the use of one or more of the following:

■ Something you know, such as a password

■ Something you have, such as an ATM card (a token)

■ Something you are, such as a fingerprint (biometrics)

The vast majority of Internet-based financial services rely on single-factor authentication, usually a password, for customers to access their accounts. If an institution relies only on single-factor authentication, transactions are relatively easily compromised and lack adequate protection for sensitive consumer information and funds. When a customer is tricked into disclosing a password, the thief could use the information to access the customer’s accounts and potentially transfer funds.

5 The process of identifying an individual traditionally based on a username and password. In security systems, authentication is distinct from authorization, the process of giving individuals access to system objects based on their identity. Authentication merely ensures the individual is who he or she claims to be, but says nothing about the individual’s access rights.

A password combined with another form of authentication (i.e., two-factor authentication), such as an ATM card, provides much more reliable authentication. Multifactor authentication requires the user to supply at least one additional identification factor, such as a token-generated one-time password, USB token, smart card, or fingerprint.6 Without the additional factor(s), a thief would not possess all credentials required to gain access to a customer’s account. Therefore, multifactor authentication provides a more secure defense against identity theft.

The study describes one-time-password tokens, USB tokens, device authentication, geo-location, biometrics, and several other authentication technologies. The study also sheds light on how institutions may decide what technologies are right for them. Certain technologies present unique challenges. For example, the use of biometrics may not be appropriate for large, geographically dispersed customer bases. Biometrics (e.g., fingerprints, iris structure, and facial features) are better suited to a captive audience, such as employees of a business housed in a single building. Insured financial institutions considering an authentication strategy should assess portability, ease of customer use, cost, effectiveness, ease of implementation, and the maturity of the technology.

In addition to discussing the shortcomings of traditional password authentication, the study concludes that financial institutions should

■ Consider scanning software to identify and defend against phishing attacks;

■ Strengthen education programs that advise customers about creating safe Internet experiences and recognizing attacks; and

■ Continue to emphasize information sharing among the financial services industry, government, and technology service providers.

Regulators Work Together to Issue Guidance

Building on the results of the study and issues highlighted during the identity theft symposia, the Federal Financial Institutions Examination Council7 (FFIEC) agencies issued guidance on October 12, 2005, entitled Authentication in an Internet Banking Environment.8 This guidance adopts the findings of the FDIC study relating to what constitutes effective customer authentication and recommends banks and thrifts offering Internet-based products and services use reliable and


6 Tokens are small portable devices attached to a key ring carried by bank customers. One-time-password (OTP) tokens contain a small screen displaying several numbers. The token generates a random number every minute or so, which the customer enters into the online banking application. The financial institution receives the entered number and compares it with its records. A correctly entered number authenticates the customer and allows access. USB (universal serial bus) tokens, which can be plugged into the USB port of a bank customer’s computer, contain unique identifying information that authenticates the customer.

7 The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the Federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the FDIC, the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.

8 See FIL-103-2005: Financial Institution Letter “Authentication in an Internet Banking Environment” (October 12, 2005) available at www.fdic.gov/news/news/financial/2005/fil10305.html.


effective methods to authenticate customers’ identities. The authentication techniques explored should be appropriate to the risks associated with the products and services. As discussed previously, single-factor password-based authentication is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. In these instances, insured institutions should use multifactor authentication, layered security,9 or other appropriate controls.10 Examiners may criticize institutions that have not properly mitigated risks identified in the assessment.

As insured financial institutions begin to assess their risks as outlined in the interagency authentication guidance, they should consider each type of transaction consumers can initiate online. The types of transactions may include the following:

■ Access to the bank’s website for new product offerings or CD rates

■ Access to an individual deposit account

■ Access to a deposit account and an automatic bill-paying option

■ Ability to transfer money from one account to a related account

■ Ability to transfer money to a third party

The above transactions are ranked by level of risk (beginning with the lowest level) they represent to the institution and the customer. The first transaction allows access only to general bank information; customer information or bank accounts cannot be accessed. This transaction is considered relatively low risk and would not require strong access controls.

However, the last transaction, which allows an online customer to wire or transfer money to another party, should require more than a password to initiate. In this case the bank should require the customer to supply authentication credentials such as a one-time password token. This layered approach to authentication matches low-risk transactions with less robust solutions and higher-risk transactions with stronger solutions. Risks falling in the middle would be addressed according to the potential for compromise of sensitive data or assets.
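The layered policy described above, worked through as an added example (not code from the FDIC article or the FFIEC guidance): the five transaction types and their low-to-high ranking are the article’s; the number of factors required per tier, the HMAC-based one-time-password scheme used to stand in for the OTP tokens footnote 6 describes (60-second step), and every function and constant name are assumptions of this example.

```python
"""Risk-based (layered) authentication policy for online banking transactions.

Added example, not from the article. Transaction types and their ranking follow
the article; factor counts per tier, the HMAC-based OTP scheme (modelled on a
token that shows a new code every minute) and all names are assumptions here.
"""
import hashlib
import hmac
import struct
from enum import IntEnum
from typing import Optional, Tuple


class Risk(IntEnum):
    LOW = 1       # public information only
    MODERATE = 2  # customer data visible, or funds moved between own accounts
    HIGH = 3      # funds can leave the institution to a third party


# Transaction types from the article, ranked from lowest to highest risk.
# Which middle transactions count as MODERATE is an assumption of this example.
TRANSACTION_RISK = {
    "view_product_offerings": Risk.LOW,
    "view_deposit_account": Risk.MODERATE,
    "bill_pay": Risk.MODERATE,
    "transfer_to_related_account": Risk.MODERATE,
    "transfer_to_third_party": Risk.HIGH,
}

OTP_STEP_SECONDS = 60  # token shows a new code "every minute or so"
OTP_DIGITS = 6


def generate_otp(secret: bytes, unix_time: int) -> str:
    """Time-based one-time password: HMAC-SHA1 over the time-step counter."""
    counter = struct.pack(">Q", unix_time // OTP_STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def verify_otp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift.

    A code older than the window is stale, so a captured code cannot be replayed later.
    """
    for drift in range(-window, window + 1):
        expected = generate_otp(secret, unix_time + drift * OTP_STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def authorize(transaction: str, password_ok: bool, otp: Optional[str],
              token_secret: bytes, unix_time: int) -> Tuple[bool, str]:
    """Decide whether the presented credentials suffice for the transaction's risk tier."""
    risk = TRANSACTION_RISK[transaction]
    if risk == Risk.LOW:
        return True, "public information; no credential required"
    if not password_ok:
        return False, "something you know (password) required"
    if risk == Risk.MODERATE:
        return True, "single factor accepted for moderate-risk transaction"
    # HIGH: a second factor (something you have) is mandatory
    if otp is None:
        return False, "second factor (one-time-password token) required"
    if not verify_otp(token_secret, otp, unix_time):
        return False, "one-time password rejected"
    return True, "two factors accepted for high-risk transaction"


def phished_password_scenario(token_secret: bytes, unix_time: int) -> dict:
    """What a phished password alone buys under this policy: account view, but no payment out."""
    return {
        "view_account": authorize("view_deposit_account", True, None, token_secret, unix_time)[0],
        "pay_third_party": authorize("transfer_to_third_party", True, None, token_secret, unix_time)[0],
    }


if __name__ == "__main__":
    secret = b"constructed-demo-token-seed"  # constructed; real token seeds are random per device
    now = 1_130_000_000                       # constructed fixed timestamp
    print(phished_password_scenario(secret, now))
    code = generate_otp(secret, now)
    print(authorize("transfer_to_third_party", True, code, secret, now))        # accepted
    print(authorize("transfer_to_third_party", True, code, secret, now + 600))  # stale code
```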

Insured financial institutions must comply with the interagency authentication guidance by December 31, 2006. To do so, they should begin performing risk assessments as soon as possible and, based on the results of these assessments, implement stronger authentication strategies by year-end 2006.

The FDIC and the other bank regulatory agencies are aware of the time and effort required to comply with the new authentication guidance. However, compliance with this guidance will help ensure that customers continue using an Internet delivery channel in which many banks and thrifts have invested a significant amount of capital.

Robert D. Lee

Senior Technology Specialist


9 Layered security refers to the layers of risk, from low to high, as well as the layers of authentication implemented, from weak to strong. Layers of authentication processes are matched with corresponding layers of risk.

10 See “Industry Initiatives” box at the end of this article for examples of industry initiatives targeted at deterring Internet theft and fraud, including the implementation of multifactor authentication procedures.


11 Daniel Wolfe, “Online Banks Are Taking to Authentication Tokens,” American Banker (June 6, 2005).

Industry Initiatives

During the past couple of years, a number of banks and technology service providers have implemented multifactor authentication products for Internet-based financial services. For example, E-bank, a large thrift, piloted a one-time password token program for its commercial customers during 2004 and has now made the tokens available to all its Internet banking customers. Bank of America recently implemented new software-based authentication technologies that provide its 13 million Internet banking customers with another authentication factor.11

Multifactor authentication represents an effective strategy for protecting customers’ funds and sensitive information, in addition to promoting confidence in Internet-based financial services.

Consumer education also is an effective deterrent to Internet theft and fraud. Many financial institutions disseminate brochures offering tips about avoiding scams and suggesting steps customers should take if they believe they have become victims. Consumers also are urged to use regularly updated antivirus software, firewalls, anti-spyware, and other tools to avoid having their personal information compromised.

Enforcement Actions Against Individuals: Case Studies

An article in the Summer 2005 issue of Supervisory Insights presented an overview of the enforcement action process as it relates to individuals and provided the statutory basis for administrative enforcement actions.1 The article focused on fraud-related cases and noted that these cases generally fall into one of two categories: embezzlement or loan fraud. Although personal financial gain often was the motivating factor, a common aspect of a number of loan fraud cases was the desire to hide delinquencies or declining credit quality. The second in this series of articles builds on this information and presents two case studies that illustrate how embezzlement or loan fraud can occur, the effect it can have on an insured depository institution, and the importance of effective controls and oversight in helping prevent internal malfeasance.

Embezzlement Facilitated by Inadequate Internal Controls

A retail institution in a small city held less than $500 million in assets. The bank was consistently profitable. During a two-year period, a senior executive officer (“the officer”) exerted significant influence over the loan function as well as the bank’s operations. He had an authoritarian management style and was responsible for administration of more than half of the loan portfolio. The bank’s board of directors had granted authority to the officer for a very high lending limit. Furthermore, the board usually reviewed and approved loans only after the fact, and delinquent-loan reports provided to the board were manually prepared by bank staff and subject to the officer’s manipulation. The effects of the bank’s inadequate internal controls and ineffective internal audit program were exacerbated by the officer’s intimidation of employees and the bank’s level of staffing, which did not keep pace with significant asset growth. Moreover, although senior management officials began to notice irregularities in the officer’s activities, they failed to notify the board of directors, regulators, or law enforcement authorities in a timely manner, allowing the misconduct to continue.

The officer engaged in unsafe and unsound practices and breached his fiduciary duty to the bank. He committed a series of improper transactions involving customer loan or deposit accounts to fund his personal assets, improve his cash flow, and conceal his improper activities. The examples below describe a few of the instances of his misconduct.

■ The officer extended a new loan to an existing bank customer to refinance a legitimate debt the customer owed to the bank. The settlement statement provided at closing was inconsistent with the amounts actually disbursed; that is, the statement reflected a loan payment that exceeded the actual amount paid. The officer used this difference and others to issue a cashier’s check deposited in his account. The officer later used the proceeds to pay a personal debt and expenses, fund investments, and provide a loan payment for another borrower. All this was done without the first borrower’s knowledge.

1 Scott S. Patterson and Zachary S. Nienus, “Enforcement Actions Against Individuals in Fraud-Related Cases: An Overview,” Supervisory Insights, Volume 2, No. 1 (Summer 2005).


■ The officer established an unauthorized loan in the name of an existing bank customer and apparently forged the customer’s signature. The officer used the loan proceeds to make a payment on a personal debt, pay personal expenses, make deposits in his personal accounts, and obtain cash.

■ The officer made unauthorized advances on customers’ legitimate, existing lines of credit. He advanced the unauthorized funds to make a deposit into one of his accounts and pay other personal expenses.

■ The officer misappropriated funds from customer deposit accounts by transferring funds from a customer’s account or depositing customer checks into his own account. The officer later reversed the misappropriations by transferring other, illegitimately obtained funds into the customers’ accounts.

Through his misconduct, the officer acquired personal benefit of more than $1,000,000. However, the officer’s misconduct combined with his efforts to conceal his activities resulted in losses of nearly $5,000,000 to the insured institution. Moreover, his departure left a significant void in management. Subsequently, the bank merged with another institution and no longer exists as an independent entity. The officer pled guilty to violations of Federal law, including embezzlement and misapplication of bank funds. The FDIC issued an Order of Prohibition against the officer to help ensure he does not participate in the affairs of another insured institution.

Loan Fraud Went Undetected Due to Lax Audit Function

Another consistently profitable retail institution in a small urban area held less than $500 million in assets. For nearly three years, a management official (“the officer”) was alleged to have engaged in unsafe and unsound practices and to have breached his fiduciary duty to the bank by committing a series of improper transactions involving customer loan accounts. He initiated these transactions to cover delinquencies and credit problems.

The alleged misconduct involved hundreds of instances where loan accounts received illegitimate payments from improperly obtained funds. The bank’s ineffective internal controls were a key contributing factor to these irregular activities. The officer was a trusted, long-time employee of the bank with reasonable lending authority; the seriousness of the situation was compounded by lax bookkeeping and scrutiny by one customer whose accounts he targeted. The officer initiated the advances and posted payments with only his signature and was authorized to correct “accounting errors.” The bank’s audit function failed to detect the alleged misappropriations in a timely manner.

Although the officer targeted one legitimate borrower for most of the wrongful advances, he used more than a dozen accounts as sources of funds. His scheme worked as follows. The officer made an advance from a current, performing loan (typically for less than $1,000) and applied the proceeds as payments to delinquent credits. The officer made improper advances of more than $150,000. The officer targeted one borrower who he knew had an active line of credit and did not scrutinize his transactions closely. When the targeted borrower questioned an advance, the officer blamed it on an “accounting error.” He would then draw from another borrower’s line of credit to cover the questioned advance. The delinquent borrowers who had payments applied to their loans apparently had no knowledge of the officer’s activities.

Although this officer did not personally benefit from his wrongdoing, other than possibly maintaining his position at the bank, the insured institution incurred credit losses and costs for investigating the misconduct. The problem credits paid off through the misappropriated funds required extensive collection efforts because the bank had previously released any collateral when the loan was fraudulently extinguished. In addition, by making improper payments on the delinquent loans, the officer prevented the bank from recognizing the borrowers' problem status and taking remedial action. These illegitimate payments also resulted in inaccurate financial statements and erroneous regulatory reports. The FDIC issued an Order of Prohibition against the officer, preventing him from moving to another institution.
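The round trip described above (draw on a performing line of credit, post the proceeds the same day as a payment on another borrower's delinquent loan, reverse the draw as an "accounting error" when questioned, and refund that reversal from a third borrower's line, all on one signature) leaves a recognizable footprint in the loan system's transaction journal. What follows is an added example, written for this edition and not taken from the article, the FDIC, or any bank's audit program, of the exception report an internal audit function could run over such a journal. The journal layout (the `Txn` fields), the user and borrower identifiers, the amounts, and the two- and three-day matching windows are all constructed assumptions, not facts from the case.

```python
"""Exception report for the loan-journal pattern in the case study.

Added example, not part of the article. The journal layout, field names and
entries below are constructed for illustration; a real core system exports
something richer, but the three tests are the same:

  1. an advance drawn on a CURRENT account by user U, followed within a short
     window by a same-amount PAYMENT by U on a DIFFERENT borrower's
     DELINQUENT account (the round trip that kept problem loans current);
  2. a reversal memo'd as an "accounting error" that is refunded, again by U,
     from a new advance on yet another borrower's line;
  3. advances posted with no second signature, the control gap that made
     1 and 2 possible.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    posted: date
    user: str        # employee who posted the entry
    approver: str    # second signature; "" when posted on one signature
    borrower: str    # customer the account belongs to
    account: str
    kind: str        # ADVANCE, PAYMENT or REVERSAL
    amount: float
    status: str      # loan status at posting: CURRENT or DELINQUENT
    memo: str


# Constructed sample journal (hypothetical users, borrowers and amounts).
LEDGER = [
    Txn("T1", date(2005, 3, 1), "jdoe", "", "B-100", "L-100-LOC", "ADVANCE", 850.00, "CURRENT", "draw"),
    Txn("T2", date(2005, 3, 1), "jdoe", "", "B-207", "L-207", "PAYMENT", 850.00, "DELINQUENT", "payment"),
    Txn("T3", date(2005, 3, 4), "jdoe", "", "B-100", "L-100-LOC", "REVERSAL", 850.00, "CURRENT", "accounting error"),
    Txn("T4", date(2005, 3, 4), "jdoe", "", "B-311", "L-311-LOC", "ADVANCE", 850.00, "CURRENT", "draw"),
    Txn("T5", date(2005, 3, 10), "asmith", "mlee", "B-412", "L-412", "ADVANCE", 5000.00, "CURRENT", "draw"),
    Txn("T6", date(2005, 3, 11), "asmith", "", "B-412", "L-412", "PAYMENT", 250.00, "CURRENT", "regular payment"),
]


def _by_user(ledger):
    """Group journal entries by the employee who posted them."""
    groups = defaultdict(list)
    for t in ledger:
        groups[t.user].append(t)
    return groups


def _within(later, earlier, days):
    """True if `later` was posted on or after `earlier`, within `days` days."""
    return earlier.posted <= later.posted <= earlier.posted + timedelta(days=days)


def find_round_trips(ledger, window_days=2, tolerance=0.01):
    """Advances on CURRENT accounts matched to a same-amount PAYMENT by the
    same user on another borrower's DELINQUENT account within the window.
    Exact-amount matching keeps the example short; proceeds split across
    several delinquent loans would need a subset-sum match instead."""
    hits = []
    for txns in _by_user(ledger).values():
        advances = [t for t in txns if t.kind == "ADVANCE" and t.status == "CURRENT"]
        payments = [t for t in txns if t.kind == "PAYMENT" and t.status == "DELINQUENT"]
        for adv in advances:
            matched = [p for p in payments
                       if p.borrower != adv.borrower
                       and _within(p, adv, window_days)
                       and abs(p.amount - adv.amount) <= tolerance]
            if matched:
                hits.append((adv, matched))
    return hits


def find_error_reversals_refunded_by_new_advance(ledger, window_days=3, tolerance=0.01):
    """A questioned advance reversed as an 'accounting error' and covered by
    a same-amount advance on a different borrower, posted by the same user."""
    hits = []
    for txns in _by_user(ledger).values():
        reversals = [t for t in txns if t.kind == "REVERSAL" and "error" in t.memo.lower()]
        advances = [t for t in txns if t.kind == "ADVANCE"]
        for rev in reversals:
            for adv in advances:
                if (adv.borrower != rev.borrower
                        and _within(adv, rev, window_days)
                        and abs(adv.amount - rev.amount) <= tolerance):
                    hits.append((rev, adv))
    return hits


def find_single_signature_advances(ledger):
    """Advances posted with no approver: the dual-control gap itself."""
    return [t for t in ledger if t.kind == "ADVANCE" and not t.approver]


if __name__ == "__main__":
    for adv, pays in find_round_trips(LEDGER):
        print("round trip:", adv.txn_id, "->", [p.txn_id for p in pays])
    for rev, adv in find_error_reversals_refunded_by_new_advance(LEDGER):
        print("error reversal refunded by new advance:", rev.txn_id, "<-", adv.txn_id)
    print("single-signature advances:", [t.txn_id for t in find_single_signature_advances(LEDGER)])
```

Run stand-alone, the script reports one round trip (T1 funding T2), one error reversal refunded by a new advance (T3 covered by T4), and the two advances posted without a second signature. On a real journal the exact-amount match would miss proceeds split across several delinquent loans, so the matching step is the part to extend first; the single-signature report needs no tuning and corresponds directly to the control the case study says was absent.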

The Bottom Line

These case studies illustrate what the FDIC may face as it carries out its supervisory obligations. Although the two officers' motivations differed, the effect was the same — both financial institutions suffered monetary losses and investigation costs. Long-time bank employees in a position of trust exploited internal control weaknesses to conduct improper activities. This situation was exacerbated when one employee was able to intimidate other employees into cooperating. Proper controls and oversight must be in place to help prevent internal malfeasance, and timely response by management is needed to limit the impact. An effective audit program (components of which appear in the shaded text box below) can help identify and deter wrongdoing.

Scott S. Patterson

Review Examiner


Internal Audit

The internal audit function is a critical element in assessing the effectiveness of an institution's internal control system. The internal audit consists of procedures to prevent or identify significant inaccurate, incomplete, or unauthorized transactions; deficiencies in safeguarding assets; unreliable financial reporting; and deviations from laws, regulations, and institution policies. When properly designed and implemented, internal audits provide directors and senior management with timely information about weaknesses in the internal control system, facilitating prompt remedial action. Each institution should have an internal audit function appropriate to its size and the nature and scope of its activities. The FDIC has adopted minimum standards for an internal audit program.2

In addition, the Interagency Policy Statement on the Internal Audit Function and Its Outsourcing3 discusses, among other things, key characteristics of the internal audit function. Although the board of directors and senior management cannot delegate responsibility for an effective internal control system and audit function, they may delegate the design, implementation, and monitoring of specific internal controls to lower-level management and the testing and assessment of internal controls to others. An institution's internal audit function should address the following.

Structure — The internal audit function should be positioned within an institution's organizational structure to allow staff to perform their duties impartially. The audit committee4 should oversee the internal audit function, evaluate performance, and assign responsibility for this function to a member of management (the internal audit manager). The internal audit manager should understand the internal audit function, but have no responsibility for operating the internal control system. For example, the internal audit manager should not approve or implement an institution's operating policies. Ideally, the internal audit manager should report directly to the audit committee about audit issues and administrative matters (e.g., compensation or budgeting).

Management, Staffing, and Audit Quality — The internal audit function should be supervised and staffed by employees with sufficient expertise and resources to identify the risks in an institution's operations and to assess the adequacy and effectiveness of internal controls. The internal audit manager should oversee audit staff and establish appropriate internal audit policies and procedures. The internal audit manager is responsible for the following:

■ A control risk assessment documenting the internal auditor's understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure.

■ An internal audit plan responsive to results of the control risk assessment. This plan typically specifies key internal control summaries within each business activity, timing and frequency of internal audit work, and the resource budget.

■ An internal audit program that describes audit objectives and specifies procedures performed during each internal audit review.

■ An audit report presenting the purpose, scope, and results of the audit. Work papers should be maintained to document the work performed and support audit findings.

Scope — The frequency and extent of internal audit review and testing should be consistent with the nature, complexity, and risk of an institution's on- and off-balance-sheet activities. The audit committee and management should conduct a cost-benefit analysis to determine the appropriate extent of the audit function. A small institution without an internal auditor can maintain an objective internal audit function by implementing a comprehensive set of independent reviews of significant internal controls by person(s) not responsible for managing or operating those controls. At least annually, the audit committee should review and approve the internal audit's control risk assessment and the scope of the audit plan (including any reliance on an outsourcing vendor). The audit committee also should periodically review the internal audit staff's adherence to the audit plan and consider requests for expansion of audit work when significant issues arise or when substantive changes occur in an institution's environment, structure, activities, risk exposures, or systems.

Communication — Internal auditors should immediately report internal control deficiencies to the appropriate level of management, and should report significant matters directly to the board of directors or the audit committee and senior management. The audit committee should give the internal audit manager the opportunity to discuss his or her findings without management being present, and the audit committee should establish procedures allowing employees to submit concerns about questionable accounting, internal accounting control, or auditing matters confidentially and anonymously.

Contingency Planning — Insured institutions should develop and implement a contingency plan to address any significant discontinuity in audit coverage, particularly for high-risk areas.

2 12 CFR Part 364, Appendix A, FDIC Rules and Regulations, Interagency Guidelines Establishing Standards for Safety and Soundness.
3 FIL-21-2003: Financial Institution Letter, "Interagency Policy Statement on the Internal Audit Function and its Outsourcing" (March 17, 2003).
4 Depository institutions subject to Section 36 of the Federal Deposit Insurance Act and Part 363 of the FDIC's regulations must maintain independent audit committees composed of directors who are not members of management. The FDIC encourages the board of directors of each depository institution not required to do so by Section 36 to establish an audit committee consisting entirely of outside directors.


From the Examiner's Desk…
The FDIC's Relationship Manager Program: A Win/Win Situation

This regular feature focuses on developments that affect the bank examination function. We welcome ideas for future columns, and readers can e-mail suggestions to [email protected].

Consider this scenario: Every FDIC-supervised institution has a local point of contact, a Relationship Manager who is familiar with the institution's financial condition, operations, management team, and local economic environment. Bank management meets with its Relationship Manager, who is also available by phone or e-mail to get answers to questions about regulatory issues or examination scheduling. This scenario is happening right now. The agency implemented the Relationship Manager Program on October 1, 2005, to further strengthen relationships between the FDIC and bank management and continue to improve the effectiveness of the supervisory process.1

FDIC Pilot: Building a Successful Program

The FDIC's Division of Supervision and Consumer Protection piloted the Relationship Manager Program with 390 banks in eight states across the country beginning in April 2004. Coordination with State banking authorities is always critical; consequently, the FDIC sought and received cooperation from each State banking department involved in the pilot (see inset box "Coordination with State Banking Departments"). The pilot addressed three key principles of the Program: (1) a Relationship Manager is the local point of contact for each FDIC-supervised institution; (2) supervisors have the flexibility to conduct examination activities over the examination cycle;2 and (3) a Risk Management Consolidated Report of Examination will cover Risk Management, applicable specialty areas, and, if the findings are significant, Compliance and the Community Reinvestment Act (CRA). As expected with any pilot program, some adjustments were necessary (as explained below). Feedback was positive, and the pilot was continued until the Program was implemented nationwide in October 2005.

Relationship Managers: Key to the Success of the Program

Commissioned examiners3 are assigned as the Relationship Manager for four to six banks, and their role is paramount in the Program. (See inset box "Perspectives from an FDIC Examiner" for the views of one examiner who is now a Relationship Manager.) The Relationship Manager has three primary responsibilities. First, the Relationship Manager is the institution's local point of contact — a direct resource for bank management's questions about regulatory issues or new bank products. During the pilot, bankers reported that their Relationship Manager generally understood their bank's operations and could provide valuable supervisory insights.

1 See FIL-98-2005: Financial Institution Letter "Relationship Manager Program Enhancements to the Supervision Program" (October 6, 2005). This FIL states that (1) all FDIC-supervised institutions will have an assigned local point of contact; (2) the Relationship Manager Program will enable examiners to conduct interim examination activities; (3) financial institutions will receive a Report of Examination that incorporates all Risk Management and specialty examination findings during an examination cycle; (4) separate Compliance/Community Reinvestment Act frequency requirements and reports will continue to be issued, but examination activities will be closely coordinated with other supervisory activities; and (5) separate examination cycles for specialty examinations are now integrated into the Risk Management examination cycle.
2 12 USC 1820(d) requires FDIC-insured institutions to be examined every 12 or 18 months, depending on size and financial condition. This 12- or 18-month period is referred to as the institution's "examination cycle."
3 FDIC examiners must complete a training program consisting of on-the-job training, classroom sessions, and a technical evaluation. The commissioning process generally takes three years, and Compliance and Risk Management examiners can begin serving as Relationship Managers approximately one year after being commissioned.

Second, the Relationship Manager develops a supervisory plan at the beginning of the examination cycle which includes a risk assessment of the institution and a supervisory agenda and timeline. This plan incorporates Risk Management, Compliance, and CRA, as well as specialty areas such as Information Technology, Trust, Registered Transfer Agent, Municipal Securities Dealer, and Government Securities Dealer. The plan establishes the overall supervisory approach for the institution and documents examination and off-site monitoring activities scheduled during that cycle. Most banks are examined on a rotating basis by the FDIC and the chartering State authority. During the State authority's examination cycle, the Relationship Manager will prepare an abbreviated supervisory plan listing the State's proposed examination date and any off-site monitoring events scheduled during the period. In cases where the State authority does not examine for Bank Secrecy Act (BSA) compliance, the supervisory plan will address plans for the FDIC to conduct a separate BSA/Anti-Money Laundering examination.

Finally, Relationship Managers participate in examinations of their assigned institutions. Generally, the Relationship Manager will be the examiner-in-charge for his examination discipline (such as Risk Management or Compliance/CRA) or will serve in a prominent role and work closely with the examination staff. However, if the Relationship Manager is not available, another commissioned examiner could serve as the examiner-in-charge, with the Relationship Manager participating in the examination to the extent possible. During the pilot, examiners and bankers recognized the benefit of the Relationship Manager serving as the examiner-in-charge or, at the very least, in an important role during the examination. Mark Yates, Field Supervisor for the FDIC's Columbus, Ohio, Field Office, stated that having the Relationship Manager participate in the examination "provided for the Relationship Manager's continued awareness of the institution and resulted in a more effective and better focused examination." However, having a different examiner serve as the examiner-in-charge may foster objectivity if the Relationship Manager has dealt with the bank for some time. Examiner independence is crucial, and field supervisors will rotate examiner-in-charge assignments periodically to ensure fair and objective treatment for all institutions.

Coordination with State Banking Departments: A Key Aspect of the Relationship Manager Program

The FDIC is the primary Federal regulator for State-chartered nonmember banks, and supervision of these banks is a partnership effort between the FDIC and the respective State banking departments. For the most part, examinations are conducted on a rotating basis by the FDIC and the State. Agreements between the FDIC and each State banking department specifying examination responsibilities are in place, and financial institutions will continue to be supervised according to these agreements.

Communication and coordination with State authorities was critical in the development of the Relationship Manager Program. To facilitate secure communication with the State banking departments, the FDIC worked with State banking supervisors to develop technological solutions that foster the sharing of confidential information. The importance of this secure network to an initiative that relies on coordination between the FDIC and the State banking authorities cannot be overstated. To facilitate communication with State authorities, copies of supervisory plans will be provided, and State examiners will continue to have access to FDIC work papers. Relationship Managers will contact State officials according to the protocol established by the FDIC Regional Office and that State.

Flexibility and Communication Improve the Supervisory Process

The Relationship Manager Program does not change examination procedures. Rather, it promotes flexibility in, and emphasizes coordination of, examination activities and strengthens lines of communication between bankers and the FDIC. During the pilot, examination staff experimented with conducting examination activities throughout the examination cycle instead of relying on a single point-in-time examination at the end of the cycle.

Under this approach, the examiner does not have to wait until the next examination begins to assess management's response to significant examination concerns and issues, resulting in more timely communication about areas of regulatory concern. Performing certain examination activities throughout the cycle also helps the FDIC use personnel and respond to bankers' needs efficiently. For example, field supervisors periodically receive banker requests to reschedule an examination owing to a computer conversion or other planned events that significantly impact operations. This flexible examination approach facilitates these requests by allowing interim examination activities to be conducted rather than having to reschedule an entire examination.

Conducting interim examination activities was found to be especially beneficial in large, complex institutions. For example, a partial loan review was conducted at an institution that purchases large pools of problem loans. The examiners conducted their review 60 to 90 days after the pools were purchased, allowing for the seasoning of the loans and therefore a more effective review of the quality of the portfolio. Although this flexibility remains in the Program, this approach will not be the norm. During the pilot, we determined that for the vast majority of institutions, particularly small, less complex institutions, a point-in-time examination remains the most efficient approach.

The Relationship Manager's knowledge of a specific bank's operations also should improve the overall effectiveness and efficiency of the FDIC's supervision program. For example, if a bank reports significant quarterly growth in deposits, the Relationship Manager may have information about a new product that the bank was developing, and, as a result, only limited supervisory follow-up may be necessary. This follow-up may present an opportunity for the Relationship Manager to call on bank management to review the product's success or discuss potential regulatory considerations that may be prompted by the deposit growth.

Risk Management Consolidated Report of Examination: A Comprehensive, Consistent Message

The use of one consolidated Report of Examination for Risk Management, specialty examination areas, and Compliance/CRA was tested during the pilot. Based on the success of the pilot, separate reports for specialty areas — such as Information Technology, Trust, Government Securities Dealers, and Municipal Securities Dealers — generally no longer will be completed; examination findings for specialty areas now will be detailed in the Risk Management Consolidated Report of Examination (Consolidated Report). However, incorporating Risk Management and Compliance/CRA findings into one consolidated Report of Examination proved more difficult. Compliance/CRA and Risk Management examinations may need to be conducted at different times during the cycle, and consolidating Compliance/CRA and Risk Management into one Report of Examination would delay the transmission of important examination findings to bank management. Therefore, separate Compliance/CRA reports will still be prepared, but material findings contained in the Compliance/CRA Report of Examination will be summarized in the Consolidated Report. Consolidating examination findings for Risk Management and specialty areas, including material Compliance/CRA findings, will provide a bank's board a comprehensive overview of the risks and regulatory issues facing the institution. The Consolidated Report also will include the assigned ratings for Risk Management, Compliance, CRA, and any applicable specialty areas.

Perspectives from an FDIC Examiner

As a commissioned Risk Management examiner, I have been involved in the Relationship Manager Program since April 2004. I was initially assigned a portfolio of six banks. One of my first duties as a Relationship Manager was to contact each bank, inform management that I was now the local point of contact, and describe the Program and its benefits. Initial reaction from bankers was favorable, and the Program continues to be well received. When asked if "having a Relationship Manager as the designated local point of contact improves the relationship between the institution and the FDIC," 69 percent of responding bankers strongly agreed and 28 percent somewhat agreed.

Bankers particularly like the opportunity to address their concerns to someone familiar with their unique situation, and, in fact, many bankers frequently call and e-mail me. Some questions are outside my area of expertise; however, I identify a subject matter expert and ensure the bank's questions are answered. When bankers feel comfortable asking questions, the potential for problems to occur down the road is minimized.

The development of supervisory plans requires strong communication with examiners working in other disciplines. As a result, information sharing between myself and Compliance examiners has increased significantly. For example, a Compliance examiner recently finished an examination at one of the banks in my portfolio. He informed me that the Compliance examination revealed significant violations of Part 339 — Flood Insurance, which resulted in proposed civil money penalties. The information helped me assess the institution's overall risk profile before I conducted the Risk Management examination.

The FDIC and the West Virginia Division of Banking (WVDOB) have always worked well together. We share work papers, discuss institution-specific concerns, and coordinate examination activities; the Relationship Manager Program strengthened this partnership. The WVDOB previously developed a similar program designating a State examiner as a "CPC" (central point of contact) for each State-supervised insured financial institution. Regular contact with the State examiner helps me gather information about the environment in which a particular bank operates as well as its overall risk profile.

The Relationship Manager Program has enhanced my understanding of the insured institutions in my portfolio and has strengthened my communication with bank management and State banking authorities. Bankers express their appreciation for the FDIC's willingness to listen and respond to their concerns, and the Program has fostered in me a sense of "ownership" of banks in my portfolio. This is indeed a "win/win" situation for the FDIC, insured institutions, and State regulators.

Dan Langdon

Examiner, Scott Depot, West Virginia, Field Office

Coordination of all aspects of a bank's supervision and the use of a supervisory plan and Consolidated Report should improve coordination and consistency of message among examination disciplines. For example, Risk Management examiners will be more aware of an institution's Compliance risks and how they may affect its overall risk profile. In turn, Compliance examiners become more familiar with the institution's operations and related risks in specialty areas, such as Information Technology and Trust.

An Evolving Relationship between Banks and Supervisors

The FDIC's Relationship Manager Program is a natural next step in the evolution of the relationship between banks and regulatory agencies. Although their perspectives may at times differ, bankers and regulators generally have a common objective: safe, profitable institutions that provide fair and reliable service to consumers. Bank management now will benefit from having a local point of contact at the FDIC familiar with the institution's operations and overall risk profile. The Consolidated Report will provide the board with a comprehensive view of the bank's condition and outstanding supervisory issues. The flexibility fostered by the Program will improve the quality, continuity, and timeliness of the supervisory process and promote the efficient use of FDIC resources. Finally, everyone will benefit from enhanced communication between bankers and the FDIC.

Louis J. Bervid III

Senior Examination Specialist

The author acknowledges the assistance provided by the following individuals in the preparation of this article:

Members of the FDIC's Relationship Manager Development Group

Julie D. Howland
Special Assistant to the Deputy Director of Special Projects, Division of Supervision and Consumer Protection

Daniel J. Langdon
Examiner, Scott Depot, West Virginia, Field Office


Capital and Accounting News . . .
Basel II and the Potential Effect on Insured Institutions in the United States: Results of the Fourth Quantitative Impact Study (QIS-4)

This regular feature focuses on critical bank capital and accounting issues. Comments on this column and suggestions for future columns may be e-mailed to [email protected].

The Basel II Capital Accord represents a major shift in international capital policy. As Europe moves rapidly ahead with its legislative process to adopt Basel II, attention has focused on U.S. implementation. Some commentators have criticized the U.S. Basel II implementation process for being both slower in pace and more conservative in its approach to required capital than the approach taken across the Atlantic. This article reviews some of the highlights of the U.S. banking agencies' recent capital impact study to provide some context to the agencies' recently announced implementation plans.

On September 30, 2005, the U.S. agencies announced a revised timeline for moving ahead with the implementation of Basel II in the United States.1 The revised plan includes more time to implement the framework and floors on banks' risk-based capital requirements during a three-year transitional period. The revised plan was driven in substantial part by the results of the agencies' recent Quantitative Impact Study (QIS-4). Specifically, at present the Basel II framework appears likely to recommend capital levels that may not be sufficient to address the risks banks face. It also appears likely there will be substantial challenges in implementing the framework consistently across banks. The agencies have indicated that to address such issues, future changes to the framework are likely.

Evolution of Capital Standards

The 1988 Basel I Accord was the first attempt at capital regulation that produced risk-based capital requirements. It represented a significant change from earlier standards. Throughout the 1990s, a shift occurred in banking regulation that further enhanced the risk sensitivity of capital requirements. In 1996, as market risk management techniques evolved, a models-based, risk-sensitive approach was established for banks and bank holding companies conducting significant trading activity. The Market Risk Rule was based on value-at-risk measures used by the most sophisticated market practitioners; it created a separate market risk capital charge equal to the banks' internal calculations. Similarly, credit and operational risk advancements have been incorporated into the proposed Basel II framework to better assess capital charges related to underlying risk and align regulatory capital with internal capital allocation methodologies.

During the development of the proposed Basel II framework, the Basel Committee on Banking Supervision (Basel Committee) published three consultative papers for the purpose of incorporating enhancements to the framework. Domestically, the U.S. banking regulatory agencies released an Advance Notice of Proposed Rulemaking (ANPR) in August 2003.2 Shortly thereafter, the participating countries agreed to the Madrid Proposal, which introduced a fundamental shift in capital policy toward an unexpected-loss (UL)-based framework (a concept of capital to be held for unexpected losses only, with expected losses covered by reserves).3 In June 2004, the Basel Committee published the International Convergence of Capital Measurement and Capital Standards: A Revised Framework, also known as the Mid-Year Text, which will serve as the basis for national implementation of the Basel II framework. Currently, the U.S. banking regulatory agencies are drafting the Notice of Proposed Rulemaking (NPR), as well as guidance for the various portfolios, to apply the Mid-Year Text domestically.

1 Joint Press Release, Board of Governors of the Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, Banking Agencies Announce Revised Plan for Implementation of Basel II Framework (September 30, 2005), available at www.fdic.gov/news/news/Press/2005/pr9805.html.
2 This document is available at www.fdic.gov/regulations/laws/publiccomments/ANPR.html.

Principles of Basel II

The new capital framework establishes a "three-pillar" approach to bank capital regulation:

■ Pillar 1 sets the standards for computing regulatory capital requirements, consisting of credit, market, and operational risk.4

■ Pillar 2 is a supervisory review process that examines factors not considered under Pillar 1, such as board oversight, internal controls, and assessment of risk to ensure capital adequacy.

■ Pillar 3 encourages market discipline through a public disclosure process.

In addition, Basel II differs from the current framework in various ways. Operational risk was implicit in the capital requirement under Basel I; however, separate operational risk and credit risk capital charges exist under Basel II. Changes also have been made in the measurement of credit risk. Instead of a flat, 100 percent risk weight for corporate exposures regardless of actual risk, Basel II enhances risk sensitivity by focusing on differences among individual credits recognized through banks' internal ratings.5 A similar approach is applied to retail portfolios, in which capital is assigned to segments based on various loan characteristics.

Various risks are not captured under the Pillar 1 requirements. The proposed framework quantifies only credit, operational, and market risk, strengthening the need to retain the leverage ratio alongside the Pillar 1 requirements, as the computed capital requirements for these risks will be lower than if all risks were captured. Interest rate risk, liquidity risk, and concentration risk, among others, are not included in minimum regulatory capital. These risk categories must be considered in the "assessment of risk" under Pillar 2. The quantitative impact studies have focused solely on Pillar 1 requirements.

Quantitative Impact Studies

Significant differences exist between Basel I and Basel II. Therefore, regulators must determine and evaluate the potential effects before new capital policy is enacted. As a result, quantitative studies have been designed to measure the change in capital likely to occur once the proposed framework is implemented. Various studies have been completed during the past five years, both domestically and internationally. The third Quantitative Impact Study (QIS-3), undertaken internationally in 2002, showed a decline of roughly 6 percent in minimum required capital (MRC) among U.S. participants.

Capital and Accounting News . . . continued from pg. 27

3 Basel Committee on Banking Supervision, Madrid Proposal, October 10, 2003, available at www.bis.org.
4 Various approaches for credit and operational risk are allowed under the framework, but only the advanced approaches will be implemented in the United States at the largest, most complex institutions.
5 Economic Capital and the Assessment of Capital Adequacy, Supervisory Insights, Winter 2004 (description of internal ratings and the Basel II Pillar 1 computation), available at www.fdic.gov/regulations/examinations/supervisory/Insights/siwin04/siwin04.pdf.

The most recent quantitative impact study, QIS-4, began in fourth quarter 2004 and consisted of instructions, a workbook for data collection, and a quality questionnaire to assist in understanding the methodologies behind the results. Twenty-six institutions, including banks and consolidated bank holding companies, submitted materials during first quarter 2005. This group of institutions represented more than 57 percent of banking assets and roughly 44 percent of insured deposits. The aggregate QIS-4 results for these institutions are shown in Table 1 and described below.

QIS-4 Shows Significant Decline in Capital Levels

In aggregate, the sample reported an average decline of 15.5 percent in minimum capital requirements compared with the current framework (see Figure 1). The median decline in regulatory capital was even more dramatic at 26.3 percent, as a few of the larger participants weighted the average higher. The greatest contributors to this decline were the corporate, bank and sovereign, residential mortgage, and home equity portfolios. Only credit card and equity portfolios showed increases in minimum capital requirements under the new framework.

Table 1: Preliminary Change in Minimum Capital Requirements: Basel I to Basel II

                                             Average Percent Change   Median Percent Change
Portfolio                                    in Portfolio MRC         in Portfolio MRC
Wholesale Credit                                    (24.6%)                 (24.5%)
  Corporate, Bank, Sovereign                        (21.9%)                 (29.7%)
  Small Business                                    (26.6%)                 (27.1%)
  High Volatility Commercial Real Estate            (33.4%)                 (23.2%)
  Income Producing Real Estate                      (41.4%)                 (52.5%)
Retail Credit                                       (25.6%)                 (49.8%)
  Home Equity (HELOC)                               (74.3%)                 (78.6%)
  Residential Mortgage                              (61.4%)                 (72.7%)
  Credit Card (QRE)                                  66.0%                   62.8%
  Other Consumer                                     (6.5%)                 (35.2%)
  Retail Business Exposures                          (5.8%)                 (29.2%)
Equity                                                6.6%                  (24.4%)
Other Assets                                        (11.7%)                  (3.2%)
Securitization                                      (17.9%)                 (39.7%)
Operational Risk                                    (new under Basel II; see note)
Trading Book                                          0.0%                    0.0%
Portfolio Total                                     (12.5%)                 (23.8%)
Change in Effective MRC                             (15.5%)                 (26.3%)

Notes: Figures in parentheses are declines. MRC = minimum required capital. Effective MRC is the amount of Tier 1 capital and Tier 2 elements other than reserves needed to meet the minimum capital requirement. Operational risk, a new measure reported under Basel II, represented roughly 10.5 percent of the Basel II capital charge. Because the Market Risk Rule amended domestic capital rules in 1996, capital requirements for the trading book remained unchanged at the time QIS-4 was conducted. Since that period, a number of trading book modifications have been made to the Basel II framework following work by the Basel/International Organization of Securities Commissions (IOSCO) group. However, the effects of these changes are unknown pending further domestic analysis and the results of the next impact study.

Supervisory Insights Winter 2005

Recent FDIC analysis of QIS-4 indicates the leverage ratio would become the binding constraint for most QIS-4 participants, as their Basel II minimum capital requirements generally fell substantially below current Prompt Corrective Action thresholds. The FDIC views the QIS-4 levels of capital reported by many participating institutions as inadequate, as noted in recent congressional testimony.6

QIS-4 Also Shows Significant Dispersion

The overall QIS-4 results reveal not only a decline in aggregate capital requirements, but also a wide dispersion of capital requirements among the participants and the various portfolios. Although some variation in results can be expected as a result of differences in risk profiles across institutions, the extent of variance shown in QIS-4 is cause for concern. Changes in effective MRC ranged from a 47 percent decline to a 55 percent increase across institutions. Within portfolios, wholesale requirements ranged from a decline of 80 percent to an increase of 56 percent. All institutions in the study would experience a drop in capital held for residential mortgages under Basel II, with declines ranging from 18 percent to 99 percent (see Appendix).

6 Donald Powell, Chairman, Federal Deposit Insurance Corporation, Testimony Before the Senate Banking Committee (testimony focused on U.S. implementation of Basel II Framework), November 10, 2005, available at www.fdic.gov/news/news/speeches/chairman/spnov1005.html.

Figure 1: Basel II Sharply Lowers Insured Bank Capital Requirements; Conflicts with Prompt Corrective Action Standards

[Figure: three columns of dots, one dot per QIS-4 banking organization, showing Tier 1 capital as a percentage of average assets (0.0% to 5.0%) for (1) the Tier 1 capital needed to be well capitalized, (2) the current risk-based requirement, and (3) the QIS-4 requirement, plotted against the Prompt Corrective Action bands: well capitalized, adequately capitalized, undercapitalized, significantly undercapitalized, and critically undercapitalized.]

Source: FDIC estimates based on QIS-4 data. Twenty-six dots appear in each column, one for each QIS-4 banking organization. Each dot represents the insured bank totals within the organization. The insured bank share of QIS-4 risk-weighted assets (RWA) is estimated as total insured bank RWA divided by total Y-9 RWA, using current capital rules, at the report date. For a bank to be considered well capitalized, its Tier 1 capital requirement is 6 percent of estimated insured bank RWA, plus the insured bank share of any reserve shortfall, if such a shortfall was reported.

Within benchmarking studies of corporate credits and mortgage loans on QIS-4 data, the agencies found that loans with the same or similar characteristics were assigned very different risk parameters, and consequently were receiving materially different capital requirements under QIS-4. Publication of guidance, the rulemaking process, and further development of bank systems to conform to regulatory standards will address some of the dispersion; however, variability is inherent in the proposed capital framework and may need to be addressed.

Extended Analysis

Due to concern with the magnitude of the decline and the dispersion of the initial results, the U.S. banking agencies issued a press release on April 29, 2005, suggesting further analysis be performed before publication of the NPR.7 To clarify these issues, additional work has focused on determining whether the results reflect differences in risk, reveal limitations of QIS-4, identify variations in the stages of bank implementation efforts (particularly related to data availability), or suggest the need for adjustments to the Basel II framework.

Additional analysis focused on benchmarking select portfolios, a qualitative questionnaire review, and sensitivity analysis for the top six or seven mandatory institutions participating in the study, as these institutions are believed to be further along in the implementation process. The results of the analysis suggest that the level of decline is explained in part by the economic cycle, resulting from the inherent risk sensitivity of the new Basel II accord and the strong economic conditions in the United States at the time of the study. With regard to the dispersion, the assessment of risk parameters resulting from differences in banks’ data and methodologies, as well as portfolio mix, contributed to the variation. It is possible that limitations in QIS-4 instructions, which were based on draft guidance and the Mid-Year Text, contributed to the results as well.

Next Steps

The additional QIS-4 analysis has been completed and will be communicated to the industry and the Basel Committee, although further analysis may be needed to address issues raised during QIS-4. QIS-5 will be completed internationally during fourth quarter 2005,8 and the effects of the proposed framework on capital levels across all countries will be analyzed in 2006 to determine if changes to the framework are warranted. In addition, the Basel Committee has tasked a Dynamic Operations Project team, consisting of a small group of international bank regulators, to examine the effects of cyclicality on Basel II capital requirements. Results are due back to the Basel Committee in 2006.

As the U.S. rulemaking process was delayed until the QIS-4 analysis was completed, the U.S. agencies are currently discussing options for the timing of the NPR and domestic implementation. The regulators are committed to working through issues to continue with Basel II implementation in the United States.

Andrea Plante
Senior Quantitative Risk Analyst

7 Joint Press Release, Board of Governors of the Federal Reserve, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision, Banking Agencies To Perform Additional Analysis Before Issuing Notice of Proposed Rulemaking Related To Basel (April 29, 2005), available at www.fdic.gov/news/news/press/2005/pr3705.html.
8 The United States will not participate in QIS-5. Most countries other than the United States, Germany and Japan did not participate in QIS-4, but rather waited until 2005 to complete an impact study. The U.S. QIS-4 results will be rolled into the international analysis.

Appendix

Figure A-1: Range of Minimum Required Capital Changes for Wholesale Portfolios

[Figure: range of change in MRC, on a scale of -100% to 100%, for Total Wholesale; Corporate, Bank, Sovereign; Small Business; High Volatility CRE; and Income Producing RE. Extreme values were excluded.]

Figure A-2: Range of Minimum Required Capital Changes for Retail Portfolios

[Figure: range of change in MRC, on a scale of -100% to 150%, for Total Retail, Home Equity, Residential Mortgage, Other Retail, Small Retail Exposures, and Credit Cards. Extreme values were excluded.]

Overview of Selected Regulations and Supervisory Guidance

This section provides an overview of recently released regulations and supervisory guidance, arranged in reverse chronological order. Press Release (PR) or Financial Institution Letter (FIL) designations are included so the reader may obtain more information.

Subject: Assistance to Financial Institutions and Customers Affected by Hurricanes
Summary: Various initiatives have been implemented to reduce regulatory burden on financial institutions in areas recently affected by hurricanes. These include providing flexibility in the administration of regulatory requirements for brokered deposit waivers, main office and branch relocations and closings, and appraisals. Other ongoing efforts to assist financial institutions and their customers include establishing regulatory agency hotlines, issuing guidance to assist with the recovery process, and disseminating critical information on the regulators’ websites. The Federal Financial Institutions Examination Council (FFIEC) announced the formation of an interagency Supervisory Policy Working Group on September 19, 2005, to enhance the agencies’ coordination and communication on, and supervisory responses to, issues facing the banking industry in the aftermath of the recent hurricanes. The FFIEC’s website (www.ffiec.gov/katrina) provides links to all member agencies’ websites where additional information is available.

Subject: Comments Requested on Suggested Domestic Risk-Based Capital Modifications (PR-105-2005 and Federal Register, Vol. 70, No. 202, page 61068, October 20, 2005)
Summary: The four Federal banking agencies (the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation [FDIC], the Office of the Comptroller of the Currency [OCC], and the Office of Thrift Supervision [OTS]) published an interagency Advance Notice of Proposed Rulemaking regarding potential revisions to the existing risk-based capital framework. These changes would apply to banks, bank holding companies, and savings associations. Comments must be received by January 18, 2006.

Subject: Authentication in an Internet Banking Environment (FIL-103-2005, October 12, 2005)
Summary: The Federal financial institution regulatory agencies (the Board of Governors of the Federal Reserve System, the FDIC, the OCC, the OTS, and the National Credit Union Administration) issued guidance for banks offering Internet-based financial services. This guidance describes enhanced methods regulators expect banks to use when authenticating the identity of customers using online products and services. Financial institutions are expected to comply by year-end 2006.

Subject: Relationship Manager Program (FIL-98-2005, October 6, 2005)
Summary: The FDIC has implemented the Relationship Manager Program (RMP) for all FDIC-supervised financial institutions. The RMP is designed to strengthen lines of communication between bankers and the FDIC, as well as improve the coordination, continuity, and effectiveness of FDIC supervision.

Subject: Revised Plan for Implementation of Basel II Framework (PR-98-2005, September 30, 2005)
Summary: The four Federal banking agencies announced revised plans for the U.S. implementation of Basel II. The agencies plan to introduce in a notice of proposed rulemaking additional prudential safeguards to address concerns raised by the Fourth Quantitative Impact Study.

Subject: Implementation of the Central Data Repository (FIL-93-2005, September 15, 2005)
Summary: The FDIC, OCC, and Board of Governors of the Federal Reserve System will implement the Central Data Repository (CDR) to process the Reports of Condition and Income (Call Reports) beginning with third quarter 2005. The CDR will require banks to validate their Call Report data before they will be accepted. The new CDR system will be the only method available for banks to submit Call Reports. Banks were advised via FIL-55-2005, June 29, 2005, and PR-59-2005, June 30, 2005, of the need to enroll in the CDR to file their Call Report data via the new system.


Regulatory and Supervisory Roundupcontinued from pg. 33

Subject: Residential Tract Development Lending Frequently Asked Questions (FIL-90-2005, September 8, 2005)
Summary: The Federal financial institution regulatory agencies issued guidance on residential tract development lending to assist institutions in complying with the agencies’ appraisal and real estate lending requirements.

Subject: List of Distressed and Underserved Nonmetropolitan Middle-Income Geographies (PR-82-2005, August 30, 2005)
Summary: The Board of Governors of the Federal Reserve System, the FDIC, and the OCC announced the availability of the list of distressed and underserved nonmetropolitan middle-income geographies in which bank revitalization or stabilization activities will receive Community Reinvestment Act (CRA) consideration as “community development,” pursuant to the revised CRA rules issued by the agencies on August 2, 2005. The list is available at www.ffiec.gov/cra.

Subject: New Information Technology Examination Procedures (FIL-81-2005, August 18, 2005)
Summary: The FDIC has updated its risk-focused information technology (IT) examination procedures for FDIC-supervised financial institutions. The IT-Risk Management Program examination procedures apply to all FDIC-supervised banks, regardless of size, technical complexity, or prior examination rating.

Subject: Guidance on Implementing a Fraud Hotline (FIL-80-2005, August 16, 2005)
Summary: The FDIC is providing guidance to financial institutions on implementing a fraud hotline to minimize potential and actual fraud risks as part of a bank’s governance and enterprise risk management program.

Subject: Recommendations Sought for Reducing Regulatory Burden (Federal Register, Vol. 70, No. 154, Page 46779, August 11, 2005, and FIL-82-2005, August 19, 2005)
Summary: The Federal financial institution regulatory agencies asked for recommendations on how to reduce regulatory burden in rules related to Banking Operations; Directors, Officers, and Employees; and Rules of Procedure. Comments were due by November 9, 2005.

Subject: Proposed New Rule on Insurability of Funds Underlying Stored Value Cards (Federal Register, Vol. 70, No. 151, Page 45571, August 8, 2005, and FIL-83-2005, August 22, 2005)
Summary: The FDIC proposed a new rule on the insurability of funds subject to transfer or withdrawal through the use of stored value cards and other nontraditional access devices, such as computers. This proposed rule replaces the proposed rule issued in April 2004. Comments were due by November 7, 2005.

Subject: Bank Secrecy Act Anti-Money Laundering Examination InfoBase (FIL-76-2005, August 9, 2005)
Summary: The FFIEC introduced its Bank Secrecy Act/Anti-Money Laundering Examination (BSA/AML) InfoBase, an automated tool for examiners and the industry. This automated tool features the FFIEC’s BSA/AML Examination Manual, examination procedures and appendixes, frequently asked questions, and links to resources that may be helpful in understanding BSA/AML requirements and examination expectations. The InfoBase is available at www.ffiec.gov/bsa_aml_infobase.

Subject: Proposed Rules on Post-Employment Restrictions for Senior Examiners (PR-74-2005, August 4, 2005, and Federal Register, Vol. 70, No. 150, Page 45323, August 5, 2005)
Summary: The Federal banking agencies issued proposed rules to implement a special post-employment restriction for one year on certain senior examiners employed by an agency or Federal Reserve Bank. Comments were due by October 4, 2005.

Subject: Supervisory Guidance on the Eligibility of Asset-Backed Commercial Paper Liquidity Facilities and the Resulting Risk (FIL-74-2005, August 4, 2005)
Summary: The Federal financial institution regulatory agencies issued supervisory guidance clarifying the application of the asset quality test for liquidity facilities that provide support to an asset-backed commercial paper (ABCP) program. This guidance supplements the “Final Rule on Capital Requirements for Asset-Backed Commercial Paper Programs” issued July 28, 2004 (see FIL-87-2004).

Subject: Final Community Reinvestment Act Rules (Federal Register, Vol. 70, No. 147, Page 44256, August 2, 2005, and FIL-79-2005, August 9, 2005)
Summary: The FDIC, OCC, and the Board of Governors of the Federal Reserve System issued final CRA rules intended to reduce regulatory burden on community banks while making CRA evaluations more effective in encouraging banks to meet community development needs. The final rules raise the small-bank asset threshold to less than $1 billion without regard to holding company affiliation. The new rules also reduce data collection and reporting burden for “intermediate small banks” (banks with assets of at least $250 million but less than $1 billion). The final rules took effect September 1, 2005.

Subject: Proposed Amendment to Part 363 - Annual Independent Audits and Reporting Requirements (Federal Register, Vol. 70, No. 147, Page 44293, and FIL-72-2005, August 2, 2005)
Summary: The FDIC is proposing to raise the asset threshold from $500 million to $1 billion for requirements relating to internal control assessments and reports by management and external auditors, and the requirement that members of the audit committee, who must be outside directors, be independent of management. Comments were due by September 16, 2005.

Subject: Guidance on Risks of Voice Over Internet Protocol (VoIP) (FIL-69-2005, July 27, 2005)
Summary: The FDIC issued guidance to financial institutions on the security risks associated with voice over Internet protocol (VoIP). VoIP refers to the delivery of traditional telephone voice communications over the Internet.

Subject: Guidance on Mitigating Risks From Spyware (FIL-66-2005, July 22, 2005)
Summary: The FDIC issued guidance recommending an effective spyware prevention and detection program based on an institution’s risk profile. Spyware is software that collects information without the prior knowledge or informed consent of the data’s owner. This guidance discusses the risks associated with spyware from both a bank and consumer perspective and provides recommendations to mitigate these risks.

Subject: Guidance on How Financial Institutions Can Protect Against “Pharming” Attacks (FIL-64-2005, July 18, 2005)
Summary: The FDIC issued guidance describing the practice of “pharming,” how it occurs, and potential preventive approaches. Financial institutions offering Internet banking should assess potential threats posed by pharming attacks and protect Internet domain names, which, if compromised, can heighten risks to the institutions.

Subject: Identity Theft Study Supplement on “Account-Hijacking” Identity Theft (FIL-59-2005, July 5, 2005)
Summary: The FDIC issued a supplement to its December 14, 2004, study on account-hijacking identity theft (see FIL-132-2004). The supplement reviews and responds to public comments on the original study, surveys recent trends in identity theft and account hijacking, and discusses authentication technologies.

Subject: Bank Secrecy Act/Anti-Money Laundering Examination Manual (FIL-56-2005, June 30, 2005)
Summary: The FFIEC has issued the BSA/AML Examination Manual. The Manual, which BSA/AML examiners began using during third quarter 2005, is available at www.ffiec.gov/press/pr063005.htm.


Subject: Fair Credit Reporting Act Medical Information Interim Final Rules (Federal Register, Vol. 70, No. 111, Page 33996, June 10, 2005, and FIL-51-2005, June 16, 2005)
Summary: The Federal financial institution regulatory agencies issued interim final rules under the Fair Credit Reporting Act that create exceptions to the statutory prohibition against obtaining or using medical information in connection with credit eligibility determinations. The interim final rules also address the sharing of medical information among affiliates. The interim final rules will take effect on March 7, 2006.

Subject: Guidance on Developing an Effective Pre-employment Background Screening Process (FIL-46-2005, June 1, 2005)
Summary: The FDIC issued guidance on pre-employment background screening. An effective screening process can be a risk management tool that provides management with a degree of certainty that the information provided by an applicant is accurate and that the applicant does not have a criminal background.

Subject: Credit Risk Management Guidance for Home Equity Lending (FIL-45-2005, May 24, 2005)
Summary: The Federal financial institution regulatory agencies issued guidance promoting sound risk management practices for home equity lines of credit and loans. In some cases, the agencies have found that credit risk management practices for home equity lending have not kept pace with the product’s rapid growth and eased underwriting standards.

Subject: Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters (FIL-41-2005, and Federal Register, Vol. 70, No. 89, Page 24576, May 10, 2005)
Summary: The Federal financial institution regulatory agencies are seeking public comment on a proposed advisory that alerts financial institutions’ boards of directors, audit committees, management, and external auditors to the safety and soundness implications of provisions that limit the external auditor’s liability in a financial statement audit. Comments were due by June 9, 2005.

Subject: International Banking Final Rule (FIL-40-2005, May 6, 2005, and Federal Register, Vol. 70, No. 65, Page 17550, April 6, 2005)
Summary: The FDIC has adopted various amendments and revisions to its international banking rules, effective July 1, 2005. The final rule amends Parts 303, 325, and 327 relating to international banking and revises Part 347, Subparts A and B.

Subject: Accounting and Reporting for Commitments to Originate and Sell Mortgage Loans (FIL-39-2005, May 3, 2005)
Summary: The Federal financial institution regulatory agencies issued guidance on the application of Statement of Financial Accounting Standards No. 133, Accounting for Derivative Instruments and Hedging Activities, as amended, to mortgage loan commitments. The guidance also addresses related regulatory reporting requirements and valuation considerations.


Subscription Form

To obtain a subscription to Supervisory Insights, please print or type the following information:

Institution Name: ____________________
Contact Person: ____________________
Telephone: ____________________
Street Address: ____________________
City, State, Zip Code: ____________________

Please fax or mail this order form to: FDIC Public Information Center, 801 17th Street, N.W., Room 100, Washington, D.C. 20434. Fax Number (202) 416-2076.

Subscription requests also may be placed by calling 1-877-ASK-FDIC or 1-877-275-3342.
