FDIC’s Corporate Investment Program
May 2009
The subject final report is provided for your information and use. Please refer to the Executive Summary, included in the report, for the overall audit results. Our evaluation of your response is incorporated into the body of the report.

Your comments on a draft of this report were responsive to all five of the report’s recommendations, which are considered resolved. The recommendations will remain open for reporting purposes until we have determined that agreed-to corrective actions have been completed and are responsive.

If you have questions concerning the report, please contact me at (703) 562-6350, or Mark F. Mulholland, Deputy Assistant Inspector General for Audits, at (703) 562-6316. We appreciate the courtesies extended to the audit staff.

Attachment

cc: Connie A. Brindle, DOF
James H. Angel, Jr., OERM
Part I
KPMG LLP
2001 M Street, NW Washington, DC 20036 May 14, 2009 Honorable Jon T. Rymer Re: Transmittal of Results for the Audit of FDIC’s Corporate Investment Program (Report No. AUD-09-013) Dear Mr. Rymer: This letter is to acknowledge delivery of our final report representing the results of our performance audit of the FDIC’s Corporate Investment Program in accordance with Task Assignment Number 08-08 dated September 26, 2008. The objective of this performance audit was to assess the FDIC’s controls for ensuring that the Deposit Insurance Fund (DIF) and National Liquidation Fund (NLF) are managed consistent with the FDIC’s investment policies approved by the Board of Directors (the Board). As part of our work, we interviewed key officials with responsibility for managing and implementing the Corporate Investment Program, including the Deputy to the Chairman and Chief Financial Officer (CFO) and Division of Finance (DOF) officials. We also reviewed relevant FDIC policies, procedures, guidelines, plans, and reports pertaining to the Corporate Investment Program. We conducted our performance audit in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. In summary, we found that the FDIC had implemented a number of important controls designed to ensure that the DIF and NLF are managed consistent with the FDIC’s Board-approved investment policies. Of particular note, DOF had developed detailed procedures and guidelines to manage the day-to-day operations of the funds. Additionally, the FDIC had created an Investment Advisory Group to monitor the performance of the funds and advise the CFO on investment strategies pertaining to the funds. 
Further, the CFO and DOF officials reported regularly to the Board on the funds’ performance and were taking proactive measures to help ensure the viability of the funds in response to uncertainties in the banking industry. While these actions are positive, control improvements in some areas of the Corporate Investment Program are warranted. Specifically, the FDIC’s Corporate Investment Policy and DOF’s detailed procedures and guidelines did not reflect current investment management practices in some areas. In addition, although the FDIC had a strategy for responding to a liquidity contingency involving the DIF, the FDIC can enhance its response planning by developing a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy under the various contingency scenarios that could occur. Further, the FDIC can enhance its investment management
controls by implementing a system of dual control over the authorization and execution of securities transactions and conducting periodic independent validations of key computer-based financial models to ensure they function as intended. We identified one additional potential control enhancement pertaining to interest rate risk management that we are reporting to the Office of Inspector General (OIG) separately because we do not consider the matter to be significant in the context of our performance audit results. We issued a draft of this report on February 25, 2009. We subsequently met with representatives of DOF and the OIG and obtained informal feedback on the draft report. Based on the informal feedback we received, we made certain changes that we deemed appropriate. On May 8, 2009, the CFO and Director, DOF, provided a formal written response to our draft report. Our work did not include an assessment of the sufficiency of deposit insurance assessments or other funding sources to cover anticipated losses from insured depository institutions. KPMG cautions that projecting the results of our audit to future periods is subject to the risks that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate. The information included in this report was obtained from the FDIC on or before February 25, 2009. We have no obligation to update our report or to revise the information contained therein to reflect events and transactions occurring subsequent to February 25, 2009. KPMG policy requires that we obtain a management representation letter associated with the issuance of a performance audit report citing Generally Accepted Government Auditing Standards. We requested a management representation letter from the Director, DOF, on February 20, 2009 and received the signed representation letter on February 25, 2009. 
Please contact Mark Twerdok at (412) 232-1599 if you have any questions or comments regarding this report.

Sincerely,
FDIC’s Corporate Investment Program
May 14, 2009
KPMG LLP
EXECUTIVE SUMMARY The FDIC Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit of the FDIC’s Corporate Investment Program. Both the OIG and FDIC management recognize that periodic, independent audits of the Corporate Investment Program are necessary and useful for sound corporate governance. The results of this audit support the OIG’s commitment to FDIC management to conduct an independent audit of the Corporate Investment Program every 3 years. The objective of this performance audit was to assess the FDIC’s controls for ensuring that the Deposit Insurance Fund (DIF) and National Liquidation Fund (NLF) are managed consistent with the FDIC’s investment policies approved by the Board of Directors (the Board). As part of our work, we interviewed key officials with responsibility for managing and implementing the Corporate Investment Program, including the Deputy to the Chairman and Chief Financial Officer (CFO) and Division of Finance (DOF) officials. We also reviewed relevant FDIC policies, procedures, guidelines, plans, and reports pertaining to the Corporate Investment Program. Our work did not include an assessment of the sufficiency of deposit insurance assessments or other funding sources to cover anticipated losses from insured depository institutions. We used the Government Accountability Office’s (GAO) November 1999 publication Standards for Internal Control in the Federal Government as the primary criteria for conducting the audit. We chose these standards because they define an overall framework for establishing and maintaining effective internal control in federal agencies. In addition, FDIC Circular 4010.3, FDIC Enterprise Risk Management Program, states that the GAO standards define the minimum acceptable level of quality for internal control and provide the basis against which internal controls should be evaluated at the FDIC. 
The GAO standards, which are intended to safeguard public resources and promote accountability, consist of the following five components:
We also used FDIC policies and procedures and various industry-recognized guidelines and practices as supplemental criteria in assessing the Corporate Investment Program. The Glossary in Appendix II contains definitions of the terms used in this report. In summary, we found that the FDIC had implemented a number of important controls designed to ensure that the DIF and NLF are managed consistent with the FDIC’s Board-approved investment policies. Of particular note, DOF had developed detailed procedures and guidelines to manage the day-to-day operations of the funds. Additionally, the FDIC had created an Investment Advisory Group (IAG) to monitor the performance of the funds and advise the
CFO on investment strategies pertaining to the funds. Further, the CFO and DOF officials reported regularly to the Board on the funds’ performance and were taking proactive measures to help ensure the viability of the funds in response to uncertainties in the banking industry. While these actions are positive, control improvements in some areas of the Corporate Investment Program are warranted. Specifically, the FDIC’s Corporate Investment Policy and DOF’s detailed procedures and guidelines did not reflect current statutory definitions or current investment management practices in some areas. In addition, although the FDIC had a strategy for responding to a liquidity contingency involving the DIF, the FDIC can enhance its response planning by developing a comprehensive written contingency funding plan that describes how the Corporation will implement its strategy under the various contingency scenarios that could occur. Further, the FDIC can enhance its investment management controls by implementing a system of dual control over the authorization and execution of securities transactions and conducting periodic independent validations of key computer-based financial models to ensure they function as intended. We identified one additional potential control enhancement pertaining to interest rate risk management that we are reporting to the OIG separately because we do not consider the matter to be significant in the context of our performance audit results. We issued a draft of this report on February 25, 2009. We subsequently met with DOF and OIG representatives and obtained informal feedback on the draft report. Based on the informal feedback we received, we made certain changes that we deemed appropriate. On May 8, 2009, the CFO and Director, DOF, provided a formal written response to our draft report. 
We conducted this performance audit from September 2008 through January 2009 in accordance with Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. This performance audit did not constitute an audit of financial statements in accordance with Government Auditing Standards. KPMG was not engaged to, and did not render an opinion on, the FDIC’s internal controls over financial reporting or over financial management systems (for purposes of the Office of Management and Budget’s Circular No. A-127, Financial Management Systems, July 23, 1993, as revised). KPMG cautions that projecting the results of our audit to future periods is subject to the risks that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.
BACKGROUND The FDIC has statutory responsibility for managing funds in the DIF and NLF. Brief descriptions of the DIF and NLF follow. The Deposit Insurance Fund The DIF was established on March 31, 2006, following the merger of the former Bank Insurance Fund (BIF) and Savings Association Insurance Fund (SAIF). The primary purpose of the DIF is to insure the deposits and protect the depositors of FDIC-insured financial institutions and to resolve failed financial institutions in a manner that results in the least possible cost to the Corporation. In order to remain viable, the DIF must have adequate sources of liquidity to fund the Corporation’s operating costs and the resolution of failed financial institutions. The DIF is funded principally by deposit insurance assessments charged to insured financial institutions and interest earned on investments in U.S. Treasury obligations. Additional funding sources, if needed, include the Federal Financing Bank, U.S. Department of the Treasury (Treasury), Federal Home Loan Banks, and insured depository institutions. Ultimately, the full faith and credit of the U.S. Government stands behind the FDIC’s obligations. Section 13(a) of the Federal Deposit Insurance (FDI) Act provides that funds held in the DIF that are not otherwise employed shall be invested in obligations of the United States or in obligations guaranteed as to principal and interest by the United States. Further, the Treasury Secretary requires the FDIC to invest its non-appropriated cash held in U.S. Treasury accounts in non-marketable U.S. Treasury securities. Such securities include: U.S. Treasury certificates; conventional Treasury bills, notes, and bonds; callable Treasury securities; Treasury Inflation Protected Securities (TIPS); and zero-coupon Treasury securities. The FDIC purchases and sells these securities through the Bureau of Public Debt’s (BPD) Government Account Series (GAS) program. 
Although the GAS program is not available to the general public, securities can be purchased and sold through the program at current market prices and without transaction costs to the Corporation. GAS program investments enjoy a high degree of transactional liquidity. In early August 2008, the FDIC re-classified all of the investment securities in the DIF designated as held to maturity (HTM) to available-for-sale (AFS).1 This change was based on the FDIC’s determination that it no longer had the positive intent and ability to hold securities classified as HTM until their maturity dates due to significant actual and potential outlays related to the resolution of failed institutions. A key result of this change is that the DIF will now be accounted for at fair value and, as a result, the reserve ratio will be more volatile to changes in interest rates. To illustrate this point, the value of securities classified as AFS typically decreases in a rising interest rate environment. In such an environment, a decline in the value of the DIF investment portfolio would result in a lower reserve ratio, which could impact the Board’s deposit insurance assessment decisions.2 As of September 30, 2008, the balance of the DIF was $34.59 billion, down from $52.41 billion at the end of 2007. This decrease was primarily due to outlays associated with the failure of insured financial institutions and an increase in the FDIC’s provision for insurance losses. The DIF reserve ratio as of September 30, 2008, was 0.76
percent, which is below the 1.15 percent minimum level mandated by the Federal Deposit Insurance Reform Act of 2005. On October 7, 2008, the Board approved a plan to restore the DIF reserve ratio to 1.15 percent within the next 5 years as required by statute. The Board subsequently extended the restoration plan horizon to 7 years based on “extraordinary circumstances.” The National Liquidation Fund The NLF consists of all funds held by the FDIC in its receivership and corporate liquidator capacities. Investments in the NLF may include Treasury securities, federally-sponsored agency securities, overnight and term interest-bearing deposits at a designated depository, repurchase agreements, and government institutional money market funds. Among other provisions and restrictions, the term of any investment in the NLF may not exceed 1 year. When not otherwise deployed, NLF funds are deposited at the Federal Home Loan Bank of New York (FHLB-NY), the NLF’s current designated depository. FHLB-NY also acts as custodian for the NLF’s other investment securities, principally, federally-sponsored agency discount notes. As the NLF’s designated depository, FHLB-NY provides a variety of banking services that facilitate the collection of receivership funds, payment of receivership expenses, and payment of receivership dividends. In addition, the FDIC uses FHLB-NY to pay depositors of failed financial institutions. The Division of Resolutions and Receiverships’ Dallas Field Office is responsible for managing the FDIC’s banking relationship with FHLB-NY. As of September 30, 2008, the market value of the NLF was $2.86 billion, up from $393 million at the end of 2007. This increase was primarily the result of increased resolution activity. DIF and NLF Investment Governance The DIF and NLF are governed by two principal policies approved by the Board: the Corporate Investment Policy and Liquidation Investment Policy (respectively). 
Among other things, these policies define investment objectives for the funds, key roles and responsibilities, and reporting requirements to the Board. Of particular note, the policies designate the CFO as having primary responsibility for managing the DIF and NLF. The policies require the CFO to report quarterly to the Board on the (1) status and recent investment experience of the funds, (2) current and prospective investment strategies of the funds, (3) principal reasons for significant changes in either the investment experience or strategies of the funds, and (4) actions taken that constitute exceptions to the policies. To assist the CFO in carrying out his responsibilities, the FDIC established the IAG consisting of the CFO; the Director, DOF; and three other members not directly involved in the DIF or NLF investment operations. Among other things, the IAG advises the CFO on fund investment strategies, reviews current and projected economic conditions, investment performance, and cash flow projections for the funds, and evaluates exceptions to the Corporate Investment Policy and Liquidation Investment Policy. The IAG convenes quarterly. The Director, DOF, is responsible for implementing the funds’ investment strategies and for managing the day-to-day financial transactions of the funds, subject to the general supervision of the CFO. Within DOF, the Treasury Management Section (TMS) handles the day-to-day purchase, sale, accounting, and reporting of investment funds. TMS consists of two units, the Funding and Investments Unit (FIU) and Treasury Operations Unit (TOU). FIU is responsible for monitoring current market conditions, making investment decisions consistent with approved investment strategies, purchasing and selling investment securities, and reporting to management on the performance and risks associated with the funds. 
TOU is responsible for reviewing the long-term investment purchases and sales made by FIU and for recording transactions in the FDIC’s accounting systems. TOU is also responsible for the overnight investment of DIF funds. Both FIU and TOU have established detailed procedures and guidelines to implement their collective investment management responsibilities. The Figure, which follows, illustrates the investment governance framework for the DIF and NLF.
Source: KPMG Analysis of Corporate Investment Program Documentation.

In addition, DOF staff use various software automation tools and industry information to support their investment management activities, including those listed below.
CORPORATE INVESTMENT PROGRAM POLICIES, PROCEDURES, AND GUIDELINES The Corporate Investment Policy and Liquidation Investment Policy provide a comprehensive framework for the management and oversight of the DIF and NLF investment portfolios, respectively. In addition, DOF has established detailed procedures and guidelines to implement the Corporate Investment Policy and Liquidation Investment Policy and to manage the day-to-day activities of the funds. However, the Corporate Investment Policy and DOF’s detailed procedures and guidelines do not reflect current statutory definitions pertaining to the DIF or current investment management practices in some areas. Up-to-date policies, procedures, and guidelines are an important internal control for ensuring that processes are repeatable, consistent, and disciplined and for reducing operational risk associated with changes in staff. GAO’s Standards for Internal Controls in the Federal Government state that policies and procedures are an integral part of an organization’s operations and a key control for ensuring that management’s directives are carried out. In addition, Circular 4010.3, FDIC Enterprise Risk Management System, requires divisions and offices to maintain current policies and procedures. The table below identifies key Corporate Investment Program policies, procedures, and guidelines and their status. Key Corporate Investment Program Policies, Procedures, and Guidelines
X - Policy, procedure, or guideline does not reflect current statutory definitions and/or investment practices in one or more areas. Source: KPMG analysis of the FDIC’s Corporate Investment Program Policies, Procedures, and Guidelines. We noted the following areas of the FDIC’s Corporate Investment Program policies, procedures, and guidelines that needed to be updated:
DOF officials advised us that the Corporate Investment Policy and Liquidation Investment Policy are typically updated and approved by the Board on a 3-year cycle, or when the membership of the Board changes.6 Updates to DOF’s detailed procedures and guidelines occur on a periodic basis. However, the introduction of legislation pertaining to the DIF, together with the high visibility of the DIF to the public and the Congress, warrant more frequent reviews and updates of the Corporate Investment Program policies, procedures, and guidelines. In the financial services industry, investment policies are typically reviewed at least annually. Once the Corporate Investment Policy and DOF’s procedures and guidelines are updated, it would be prudent for DOF to conduct periodic independent internal assessments of the effectiveness of the program’s controls, including assessing whether the program’s policies, procedures, and guidelines are current, accurate, and complete. DOF officials told us that an internal assessment of the Corporate Investment Program was last conducted in December 2006. Such reviews would promote sound governance and further the internal control and monitoring principles defined in Circular 4010.3. Recommendations We recommend that the CFO:
We recommend that the Director, DOF:
CONTINGENCY RESPONSE PLANNING The FDIC has taken a number of proactive steps to prepare for a potential liquidity contingency involving the DIF in which the FDIC would need to borrow funds from outside sources to meet the fund’s liquidity needs. Such steps include executing a formal borrowing agreement with the Federal Financing Bank, recommending to the Congress that the Corporation’s statutory line of credit with the Treasury be increased to ensure the continued viability of the fund, and developing a strategy for borrowing funds from outside sources (components of which are defined in the Large Bank Resolution Strategy and Action Plan and various other briefing materials). Although not mandated by statute or regulation, the FDIC can further enhance its contingency response planning for the DIF by developing a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy for borrowing from outside sources under the various contingency scenarios that could occur. Such a plan would represent a proactive risk response planning control for reducing operational risk, including risk associated with the unavailability of key individuals during a contingency. A comprehensive contingency funding plan would also promote transparency and communication throughout the Corporation regarding potential funding contingencies associated with current and emerging business programs. The contingency funding plan should be reviewed and approved by the Board which, by statute, has responsibility for managing the Corporation, and thus has the ultimate responsibility for authorizing outside borrowing decisions on behalf of the Corporation. The DIF is funded principally by deposit insurance assessments charged to insured financial institutions and interest earned on investments in U.S. Treasury obligations. 
To ensure the DIF maintains adequate liquidity, the CFO and DOF officials regularly monitor projected sources and uses of funds and purchase or sell investment securities as needed. In addition, the Board may, under certain circumstances and consistent with its statutory authority, raise deposit insurance premiums and impose special assessments on insured financial institutions when additional funds are needed to replenish the DIF. However, circumstances can occur in which these funding sources would not be sufficient to meet the immediate liquidity needs of the DIF. To ensure the DIF remains liquid during such contingencies, the FDIC may use its statutory authority to borrow funds from the Federal Financing Bank, Treasury, Federal Home Loan Banks, and insured depository institutions (collectively referred to herein as outside sources). We spoke with the CFO and DOF officials regarding how the FDIC would obtain funds from outside sources in response to a liquidity contingency involving the DIF. These officials described a strategy wherein the FDIC would first borrow up to $100 billion (on an as-needed basis and subject to statutory limitations) from the Federal Financing Bank pursuant to a Note Purchase Agreement (NPA), dated December 15, 2006 (as amended), between the FDIC and the Federal Financing Bank. The NPA defines the terms and conditions in which the Federal Financing Bank will purchase notes from the FDIC and the FDIC will request and repay advances. The current NPA is set to expire on September 30, 2009. The Board has authorized the CFO, with the concurrence of the General Counsel, to execute, renew, maintain, and make future minor modifications to the NPA and to execute and deliver future advance promissory notes. The Board has also authorized the CFO, or designee, subject to the
conditions of the NPA, to request and repay advances up to, but not exceeding, $100 billion.7 Should the FDIC require funding in excess of the NPA, the FDIC would then borrow from the Treasury. DOF officials informed us that although the FDIC has statutory authority to borrow from the Federal Home Loan Banks and insured depository institutions, it is unlikely such borrowing sources would be used.8 To its credit, the FDIC has developed the Large Bank Resolution Strategy and Action Plan, which defines, among other things, activities for obtaining cash and other funding assistance to operate a receivership and fund a bridge bank. While the Large Bank Resolution Strategy and Action Plan addresses key aspects of a contingency funding plan, it was developed prior to the current financial crisis and its focus is on one principal contingency—a large institution failure. The FDIC can strengthen its contingency response planning for the DIF by developing a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy for borrowing from outside sources under multiple contingencies. FDIC Financial Institution Letter (FIL) 84-2008, Liquidity Risk Management, dated August 26, 2008, recommends that FDIC-supervised institutions develop formal contingency funding plans that address the various contingency scenarios that can occur and the factors that might influence funding options. While we recognize that the FDIC’s liquidity risk profile differs from the institutions it supervises, FIL 84-2008 identifies elements of a contingency funding plan that, if tailored to the unique business needs of the FDIC, would benefit the Corporation’s liquidity response planning efforts. The following points summarize key elements of a contingency funding plan as defined in FIL 84-2008 and how these elements could apply to the FDIC.
Many of the above concepts are also referenced in the Basel Committee on Banking Supervision’s September 2008 publication Principles for Sound Liquidity Risk Management and Supervision. For example, the Basel publication states that financial institutions should maintain formal contingency funding plans that contain clearly defined strategies for addressing liquidity shortfalls in emergency situations. The publication also states that contingency funding plans should outline policies for managing a range of contingencies, establish clear lines of responsibility, define clear invocation and escalation procedures, and be regularly updated to ensure that the plans remain operationally robust. The FDIC has not needed to draw on outside funding sources since 1991.10 However, the deteriorating economic and industry conditions of the past year underscore the importance of proactive contingency response planning to cover unexpected developments in the financial services industry. A liquidity contingency involving the DIF would likely attract significant public and congressional attention. Accordingly, it would be prudent for the FDIC to develop a comprehensive, written contingency funding plan that describes how the Corporation will implement its strategy for borrowing from outside sources under the various contingency scenarios that could occur. Such a plan would represent an important control for mitigating the risk associated with the unavailability of key individuals during an actual liquidity contingency and for promoting transparency and communication throughout the Corporation. In addition, a contingency funding plan could aid in assessing the impact of new corporate programs, such as the TLGP and loss sharing agreements. 
The CFO and DOF officials should provide the contingency funding plan to the FDIC’s Board which, by statute, has responsibility for managing the Corporation, and thus has the ultimate responsibility for authorizing outside borrowing decisions on behalf of the Corporation. Recommendation We recommend that the Director, DOF:
AUTHORIZATIONS TO PURCHASE AND SELL INVESTMENT SECURITIES DOF implemented a number of important controls over the purchase and sale of investment securities in the DIF and NLF. Such controls include preparing trade tickets to document the rationale and details pertaining to securities transactions, documenting trade confirmations, and performing regular reconciliations to help ensure securities transactions were properly recorded. However, DOF’s investment procedures do not define a dual control over the authorization and execution of securities transactions wherein the authorization is documented in advance of the transaction by an individual other than the person responsible for executing the transaction. Management authorizations to purchase and sell investment securities are based on consensus discussions. While our work did not identify any instances of inappropriate securities transactions, establishing a dual control over the authorization and execution of securities transactions would promote appropriate separation of duties in the FDIC’s investment activities and mitigate the risk of intentional or unintentional errors. The purchase and sale of DIF and NLF investment securities is principally handled by FIU. Although the number of investment transactions that FIU processes per month varies, the size of the transactions during the period October 1, 2007 through September 30, 2008 ranged from approximately $5 million to $1.4 billion. DOF employs similar processes for executing securities transactions for the DIF and NLF. To illustrate these processes, the following summarizes how an investment security is purchased or sold in the DIF. As a matter of practice, FIU’s team leader or a senior financial analyst (collectively referred to herein as the FIU) selects specific securities for purchase or sale after taking into consideration various factors, including, but not limited to:
After considering these factors, FIU, in consultation with the TMS manager, tentatively identifies specific securities and dollar amounts for purchase or sale and prepares a preliminary trade ticket. FIU forwards the preliminary trade ticket to TOU, which enters the information into PORTIA®. After obtaining current pricing information on the securities under consideration, FIU, in consultation with the TMS manager, decides which securities will be purchased or sold. FIU then executes the securities purchase or sale using BPD’s FedInvest Web site and prepares a final trade ticket to document the transaction. FIU forwards the final trade ticket and a transaction confirmation generated by FedInvest to TOU to ensure the transaction is properly recorded in PORTIA®. TOU also enters the transaction information into the FDIC’s New Financial Environment (the FDIC’s principal financial system) and performs daily and monthly reconciliations to help ensure that the FDIC’s accounting records are current, accurate, and complete and consistent with BPD’s records.

Establishing a system of dual control wherein the authorization to execute a security transaction is documented in advance by an individual other than a person responsible for executing the transaction is a recognized control practice in the financial services industry. Such a control helps ensure appropriate separation of duties in operations and mitigates the risk of errors. Trading policies for financial services firms typically identify specific individuals or positions with the delegated authority to authorize and execute securities transactions. Such delegations are generally based on the relative size and complexity of the transaction. For example, significant dollar-value transactions typically require a higher-level management authorization than smaller dollar transactions. Such control practices are also consistent with GAO’s Standards for Internal Control in the Federal Government.

Recommendation

We recommend that the Director, DOF:
VALIDATION OF COMPUTER-BASED FINANCIAL MODELS

DOF relies extensively on PORTIA® and certain Microsoft Excel®-based spreadsheets to monitor and report on the performance of investment securities in the DIF and to support the Corporation’s strategic and tactical investment management decisions. Although DOF has taken steps to help ensure the integrity of these computer-based financial models, periodic independent validations had not been performed on them to ensure they function as intended. Periodic independent validation of computer-based financial models is a recognized practice in the financial services industry for ensuring the reliability of the information that the models produce.

PORTIA® is the principal computer-based financial model DOF uses to manage overnight funds and investment securities. PORTIA® uses built-in financial algorithms and securities pricing information from a third-party service provider to calculate the maturity, yield, value, and modified duration of investment securities. DOF uses PORTIA® to generate reports on the performance of investment securities in the DIF and to support key strategic and day-to-day investment management decisions.

DOF also uses Excel®-based spreadsheets, some of which may be considered key, to support its investment management activities and to brief senior FDIC management. For example, DOF uses an Excel®-based spreadsheet to generate the Projected Monthly Cash Flow for the DIF. The spreadsheet uses mathematical formulas to determine whether anticipated cash receipts and disbursements will result in a cash flow surplus or deficit for the DIF. Such information is used to manage the DIF’s daily cash positions and support overnight and long-term investment management decisions.

DOF has taken steps to help ensure the integrity of PORTIA® and the Excel®-based spreadsheets it uses to monitor and report on the performance of investment securities. For example, DOF maintains these models on an access-restricted network shared drive that is regularly backed up. Additionally, DOF reviews data contained in the models to help ensure the accuracy of the data processed. While such steps are positive, DOF has not established a procedure to have periodic independent validations performed of PORTIA® and its key Excel®-based spreadsheets to help ensure the models function as intended.
The Office of the Comptroller of the Currency (OCC) has published guidance for the national banks it supervises on the importance of conducting periodic independent validations of computer-based financial models (Bulletin 2000-16 regarding model validation). According to the bulletin, periodic independent validation of computer-based financial models is a leading practice for mitigating the risk of relying on erroneous information. The bulletin identifies three generic procedures that apply to any model validation: (1) an independent review of the model’s logical and conceptual soundness, (2) a comparison of the model against other models, and (3) a comparison of the model’s predictions against subsequent real-world events. Depending on the circumstances, any or all three of these generic procedures apply when validating a model’s input (i.e., assumptions and data), processing (i.e., mathematical computations and formulas), and reporting components.

The OCC Bulletin also describes a common misconception that validations are not necessary for vendor models because the models have already “met the market test.” The bulletin states that validations of vendor models often identify material processing errors, illustrating that validation principles should be applied regardless of whether a model is purchased from a vendor or developed in house.

A key concept contained in the OCC bulletin is that the depth and frequency of model validation procedures should be consistent with the level of risk being managed and the complexity of the model being validated. With respect to the Excel®-based spreadsheets used by DOF, such models have relatively simple code that can be inexpensively checked to ensure that mathematical computations and code are correct. Although PORTIA® contains more complex mathematical algorithms, the integrity of the model’s computations, such as its modified duration computations, could be checked against an independent source, such as the Bloomberg Professional system, to help ensure computations are reliable. Because of its organizational independence, DOF’s Administration and Internal Controls Section could conduct validations of PORTIA® and DOF’s key Excel®-based spreadsheets as part of the internal assessments recommended earlier in this report.

Recommendation

We recommend that the Director, DOF:
Appendix I
OBJECTIVE, SCOPE, AND METHODOLOGY
Objective

The objective of this performance audit was to assess the FDIC’s controls for ensuring that the DIF and NLF are managed consistent with the FDIC’s investment policies approved by the Board. We conducted this performance audit from September 2008 through January 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Scope and Methodology

To accomplish our objective, we:

Our work did not include an assessment of the sufficiency of deposit insurance assessments or other funding sources to cover anticipated losses from insured depository institutions.
Internal Control

We assessed the Corporation’s internal controls and practices pertaining to investment activities in the DIF and NLF for consistency with relevant portions of the criteria listed below. These criteria, or portions thereof, may not be legally binding on the FDIC. However, we considered them during the audit because they define prudent business practices.

Reliance on Computer-processed Information

Our audit objective did not require that we separately assess the reliability of computer-processed data to support our findings, conclusions, and recommendations. Additionally, in performing this performance audit, we did not consider it necessary to evaluate the effectiveness of information system controls in order to obtain sufficient, appropriate evidence.

Performance Measurement

The FDIC’s 2008 Annual Performance Plan did not contain performance goals directly related to our audit objective. However, DOF had developed a Balanced Scorecard containing performance measurement information for both the DIF and NLF. Among other things, the Balanced Scorecard measured the total return of the DIF investment portfolio against the Merrill Lynch 1-10 Year U.S. Treasury Index and the total return of the NLF investment portfolio against the average yield of the generic 3-month U.S. Treasury bill. We considered information contained in DOF’s Balanced Scorecard in planning and conducting our audit work.
Compliance with Laws and Regulations

We determined that the following statutory provisions were relevant to our audit objective. The FDI Act:

We found no instances of noncompliance with these statutory provisions. In addition, we assessed the risk of fraud and abuse related to the audit objective in the course of evaluating audit evidence.

Prior Coverage

We considered the FDIC OIG’s July 2005 report, entitled The FDIC’s Investment Policies (Report No. 05-025), in planning and conducting our work. The objective of this prior audit was to determine whether the FDIC’s investment strategy and portfolio management procedures provide the highest possible investment returns for the FDIC, taking into consideration the applicable legal and regulatory framework established for investments by the BIF, SAIF, and Federal Savings and Loan Insurance Corporation Resolution Fund. The report contained five recommendations, all of which were resolved and closed prior to the start of our work.
Appendix II
GLOSSARY OF TERMS
Available-for-Sale (AFS)
Bureau of Public Debt (BPD)
Committee on Uniform Security Identification Procedures (CUSIP®)
Designated Reserve Ratio (DRR)
Duration
Financial Accounting Standard (FAS) 115
Federal Financing Bank (FFB)
Government Account Series (GAS) Program
Held-to-Maturity (HTM)
Interest Rate Risk
Liquidity
Liquidity Risk
Liquidity Risk Management
Maximum Obligation Limitation
Reserve Ratio
Appendix III
ACRONYMS USED IN THE REPORT
CORPORATION COMMENTS AND OIG EVALUATION

On May 8, 2009, the CFO and Director, DOF, provided a written response to a draft of this report. Management’s response is presented in its entirety beginning on the next page. Management generally concurred with KPMG’s findings and recommendations.

In response to recommendation 1, the CFO plans to update the Corporate Investment Policy (where appropriate) and present it to the Board for review and approval by October 31, 2009. When updating the policy, the CFO will discuss with the Board its preference with respect to the appropriate interval between investment policy updates and incorporate the Board’s preferences for making such updates into the policy. In addition, the CFO plans to update DOF’s detailed investment procedures and guidelines (where appropriate) by December 31, 2009. The CFO will periodically bring these updated procedures and guidelines, as appropriate, to the IAG for review and approval.

In response to recommendation 2, the Director, DOF, plans to conduct independent internal reviews of the Corporate Investment Program every 18 months, or more frequently if conditions warrant. DOF will conduct the first of these reviews in the second half of 2009.

In response to recommendation 3, the CFO and Director, DOF, will strengthen the FDIC’s contingency funding plans by incorporating appropriate language regarding FDIC’s contingency funding authorities and strategies into the Corporate Investment Policy and present it to the Board for approval in the fourth quarter of 2009.

In response to recommendation 4, the Director, DOF, will amend existing procedures for purchasing and selling Treasury securities to require an original approval signature of an authorized DOF staff member on the trade ticket. In addition, the individual who approves the purchase and sale of a security will not be the same individual who subsequently executes the transaction. DOF plans to implement this new control for all securities transactions occurring after June 30, 2009.

In response to recommendation 5, DOF will verify key computations within PORTIA® (such as its modified duration computations) whenever the software is upgraded. Such verifications will be performed as part of the periodic internal reviews described in DOF’s response to recommendation 2. In addition, DOF will ensure that formulas contained in key Excel®-based spreadsheets that DOF has developed for regular analysis and reporting on investments are periodically verified as a part of the division’s periodic internal reviews.

A summary of management’s response to the recommendations is on page II-6. DOF’s planned actions are responsive to KPMG’s recommendations. The recommendations are resolved, but will remain open until we determine that the agreed-to corrective actions have been completed and are responsive.
CORPORATION COMMENTS
May 8, 2009
We would like to thank you, your staff, and the staff of KPMG for the hard work and diligence in conducting this audit of FDIC’s Investment Program. We are pleased that you agree FDIC management has implemented a number of important controls designed to ensure that both the Deposit Insurance Fund (DIF) and the National Liquidation Fund (NLF) are managed consistent with FDIC Board-approved policies. Further, we appreciate your highlighting in your findings that FDIC management regularly reports to the Board on the funds’ performance and that it is taking proactive steps to ensure the funds’ viability in the difficult financial environment in which we now find ourselves.

Your report made five recommendations to management to strengthen controls surrounding the investment program. We address each one separately below:

Recommendation #1: That the CFO update the Corporate Investment Policy and DOF’s detailed investment procedures and guidelines and, where appropriate, obtain FDIC Board of Directors (Board) review and approval. As part of this effort, define the frequency with which the Corporate Investment Program policies will be reviewed for possible updates.

Management Response: We concur with the recommendation as noted below. The Corporate Investment Policy was last presented to the Board for its review and approval in October 2006. As discussed in the audit report, the CFO and DOF periodically update the FDIC’s two investment program policy statements—the Corporate Investment Policy and the Liquidation Investment Policy— and present them
MANAGEMENT RESPONSE TO RECOMMENDATIONS
Rec. No. | Corrective Action: Taken or Planned | Expected Completion Date | Monetary Benefits | Resolved:a Yes or No | Open or Closedb |
---|---|---|---|---|---|
1 | The CFO will update the Corporate Investment Policy, as appropriate, and present it to the Board for approval in late 2009. In addition, DOF will periodically update procedures and guidelines for investing the Corporate and liquidation investment portfolios to reflect current practices and terminology and present them, as appropriate, to the IAG for review and approval. | December 31, 2009 | $0 | Yes | Open |
2 | DOF plans to conduct internal reviews every 18 months, or more frequently if conditions warrant, and will conduct the first of these reviews in the second half of 2009. | December 31, 2009 | $0 | Yes | Open |
3 | DOF will incorporate appropriate language regarding the FDIC’s contingency funding authorities and strategies into the Corporate Investment Policy. | October 31, 2009 | $0 | Yes | Open |
4 | DOF will amend existing procedures for securities transactions by requiring an original approval signature of an authorized DOF staff member on trade tickets and subsequent transaction execution by a different DOF staff member. | June 30, 2009 | $0 | Yes | Open |
5 | DOF will ensure that verifications are performed, as appropriate, of PORTIA® and key Excel®-based spreadsheets as part of DOF’s periodic internal reviews described under Recommendation 2. | December 31, 2009 | $0 | Yes | Open |
a Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.
(2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.