Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: July 24, 2002

TO: Michael J. Zamorski, Director, Division of Supervision and Consumer Protection

FROM: Russell A. Rau [Electronic version; original signed by Stephen M. Beard for Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: The FDIC's Assessment of Corrective Action Work Performed by Third-Party Contractors (Audit Report Number 02-016)

This report presents the results of an Office of Inspector General audit of the Federal Deposit Insurance Corporation's (FDIC) assessment of corrective action work performed by third-party contractors for financial institutions supervised by the FDIC. The objective of the audit was to determine whether work performed by the third-party contractors for FDIC-supervised institutions met the requirements of corrective actions instituted by the FDIC's Division of Supervision (DOS). (Note: Third-party contractors are those hired by the bank in response to formal or informal actions required by the FDIC to address safety and soundness concerns in insured depository institutions. At December 31, 2000, the FDIC supervised 5,093 of the 8,315 commercial banks and 523 of the 1,590 savings banks. As the result of a reorganization that became effective June 30, 2002, this office was merged with the Division of Compliance and Consumer Affairs to become the Division of Supervision and Consumer Protection (DSC).)

Corrective actions are agreements (informal) or legally enforceable orders (formal) that the FDIC may institute against a financial institution or individual respondent to obtain correction of noted safety and soundness or compliance deficiencies. The FDIC may pursue formal corrective action under either Section 38 (prompt corrective action) or Section 8 of the FDI Act. The FDIC may also enter into a memorandum of understanding as a means of seeking informal corrective administrative action from institutions considered to be of supervisory concern, but which have not deteriorated to the point where they warrant formal administrative action. The audit concentrated on corrective actions where third-party contractors were used to address the requirements of individual provisions of the corrective actions. A detailed discussion of the objective, scope, and methodology of our audit is included in Appendix I.

In general, we found that the FDIC accepted work performed by third parties as meeting the requirements of the corrective actions instituted by the Corporation, and third-party work was completed within established timeframes. Also, DOS reviewed the corrective actions to ensure their completeness in addressing the underlying safety and soundness concerns. Accordingly, we are not making recommendations in this report.

BACKGROUND

The FDIC generally institutes corrective actions to address weaknesses and problems found in insured depository institutions during the examination process. (Note: An on-site examination allows the regulator to determine the condition of an institution and supplies the regulator with an understanding of the nature, relative seriousness, and ultimate cause of any problems identified, and thus provides a factual foundation on which to base corrective measures, recommendations, and instructions. The FDIC performs on-site examinations of state-chartered banks that are not members of the Federal Reserve System; national banks are supervised by the Office of the Comptroller of the Currency; state and federally chartered savings associations are supervised by the Office of Thrift Supervision; and banks with state charters that belong to the Federal Reserve System are supervised by the Board of Governors of the Federal Reserve System. ) When an institution with safety and soundness weaknesses is identified, the FDIC initiates a corrective action process requiring the institution to address its weaknesses. Under provisions of the Federal Deposit Insurance Act (FDI Act), the FDIC has been granted broad enforcement powers to correct practices, conditions, or violations of law that threaten a bank's safety and soundness. Depending on the extent and severity of the identified problems, the FDIC may initiate informal and/or formal corrective action. For institutions with significant weaknesses or those operating in a deteriorated financial condition, the FDIC may oversee the re-capitalization, merger, closure, or other resolution of the institution.

Corrective actions can prescribe that a third-party professional be engaged to provide assistance in the corrective process. For example, a corrective action may require that a bank make arrangements for an external audit of its financial statements to be performed by an independent public accountant. Another corrective action might prescribe that a specialist be retained to perform a loan portfolio analysis to assess the accuracy and methodology of the bank's internal loan grading system and its implementation and effectiveness in recognizing and identifying problem loans.

The FDIC generally uses informal actions to correct less severe problems that do not present an immediate threat to an institution's viability and when it is believed that corrective action will be taken without formal actions. Informal corrective actions are not legally enforceable. These include board resolutions issued by the bank’s board of directors and memorandums of understanding (MOUs) issued jointly by a bank’s board and a bank regulator. According to the FDIC’s Formal and Informal Action Tracking system (FIAT), 811 informal actions were issued in 1999 and 2000, including 340 memorandums of understanding.

The FDIC generally uses formal actions to address unsafe and unsound banking practices, to correct violations of law, and to remove individuals who present an immediate threat to an institution's safety and soundness. Formal actions also can be pursued in the event an informal action proves to be ineffective in securing necessary corrective action. Formal actions are notices and orders issued against insured depository institutions and individuals. Formal corrective actions issued under Section 8 of the FDI Act are legally enforceable. These include, for example, Section 8(b) orders to cease and desist (C&D) an unsafe or unsound practice or violation of law and Section 8(c) temporary C&D orders. According to FIAT, 225 formal actions were issued in 1999 and 2000, including 68 C&D orders. Formal actions also include prompt corrective action directives related to undercapitalized banks, as provided in Section 38 of the FDI Act and orders to correct safety and soundness deficiencies as provided under Section 39 of the Act.

RESULTS OF AUDIT

The FDIC accepted work performed by third-party contractors for FDIC-supervised institutions as generally meeting the requirements of the FDIC’s corrective actions. In addition, corrective actions were generally completed on time.

Our sample of 33 corrective actions, including 13 MOUs and 20 C&D orders, contained 48 provisions with work performed by third parties:

• Twenty-five required the preparation of management plans and reports. These usually required a bank’s board of directors to hire outside contractors to review and assess the abilities of bank management and employees, salaries, and other personnel matters, or to formulate bank policy.
• Five provisions required other types of plans – two strategic plans, a profit plan, an interest rate risk plan, and one funds management plan.
• Twelve of the provisions required external audits, such as full-scope financial, balance sheet, or other types.
• Six provisions required reviews of specific areas such as compliance with the Bank Secrecy Act, loans, collateral, assets, or contracts.

Work Performed by Third-Parties Met FDIC Requirements

In 45 of the 48 provisions reviewed, the FDIC accepted third-party products or services as meeting its requirements. For two of the remaining provisions, the FDIC accepted actions taken instead of those prescribed. The final provision reviewed was not addressed before the bank’s next examination, when its composite rating improved and the FDIC terminated the corrective action order to facilitate sale of the bank.

One of the in-lieu-of actions accepted by the FDIC in fulfillment of a corrective action provision was related to a management plan. In that instance, the bank’s board elected to implement all recommendations from its contractor rather than prepare a written report addressing the contractor's recommendations. The other in-lieu-of action accepted by the FDIC was related to an external audit. The FDIC required the bank to hire an outside auditor to perform a full-scope audit of the bank. Instead, the bank’s board contracted for an "agreed-upon procedures review," which is not as comprehensive. The FDIC accepted the review in fulfillment of the provision, and the bank’s composite rating improved at its next exam.

The provision that was not fulfilled was also related to a management plan. In that instance, the plan had not been completed before the bank’s next examination when its composite rating improved and the C&D order was terminated to facilitate the sale of the bank, thus eliminating any further response regarding the provision.

Provisions Were Completed on Time

The corrective action provisions reviewed were completed timely. Specifically, 41 of 48 provisions we reviewed specified a timeframe for completion. Corrective actions addressing 38 of those 41 provisions were completed timely. The three provisions that were not completed timely were all related to one management plan that was not completed. However, as explained previously, there was no adverse effect in that instance, as the bank’s rating improved and its C&D order was terminated.

DOS Reviewed the Corrective Actions

DOS regional office personnel reviewed the corrective actions included in our sample. In all cases except one, there was evidence of review by DOS personnel, such as correspondence from DOS, margin notes, underlining, and highlighting. However, in making our request for documents, we did not request that regions provide the entire file. We only requested copies of products produced by third-party contractors and any correspondence between the banks and the FDIC. Thus, we could not conclude on the evidence of review for one action.

In a separate audit survey, we reviewed DOS’s efforts to monitor and ensure compliance with corrective actions, including those performed by third-party contractors. In a memorandum to the DOS Director, dated March 20, 2002, we reported that the DOS monitoring systems and procedures were working as intended and that case managers were following applicable DOS policies. A copy of this memorandum is provided as Appendix II of our report.

Our report does not include recommendations for corrective actions. However, we provided our draft report to the Director of DOS. On July 8, 2002, the DOS Director provided a written response to the draft report. Management’s response, concurring with our conclusions, is presented in Appendix III to this report.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to determine whether work performed by third-party contractors for FDIC-supervised institutions met the requirements of corrective actions instituted by the FDIC’s Division of Supervision (DOS). The audit concentrated on corrective actions where third-party contractors were used to fulfill the requirements of individual provisions of the corrective actions.

The audit included formal and informal corrective actions issued between January 1, 1999 and December 31, 2000 that were still outstanding on December 31, 2000.

To accomplish our objective, we:

• Reviewed applicable laws, regulations, and guidelines, including the FDI Act, the DOS Manual of Examination Policies, Case Manager Handbook, the DOS Memorandum System, FDIC Directive System, and Financial Institution Letters (FILs).
• Reviewed the Formal and Informal Actions Procedures (FIAP) Manual.
• Accessed and became familiar with FDIC management systems and systems of record used to monitor and track corrective actions, such as:
  • BITS – Banking Information Tracking System – an umbrella system containing a number of related banking systems that provide users access to a variety of FDIC banking information data bases,
  • FIAT – Formal and Informal Action Tracking System – a subsystem of BITS used to track the progress of formal and informal actions,
  • ViSION – FDIC’s Virtual Supervisory Information On the Net which will replace the BITS system, and
  • The FDIC’s external Web site, http://www.fdic.gov/, which contains information on all insured institutions, including outstanding formal corrective actions issued against them.
• Identified all 1,036 corrective actions issued by the FDIC in 1999 and 2000 using the FIAT system.
• Judgmentally selected a sample of formal and informal corrective actions from those issued in all eight FDIC regions during 1999 and 2000 that were still outstanding on December 31, 2000.
• Reviewed a sample of 33 corrective actions consisting of 13 memorandums of understanding and 20 cease and desist orders containing a total of 48 provisions with work that was performed by third parties.

For each of the 48 provisions, we reviewed FDIC files, including:

• Monthly or quarterly progress reports from banks and related documents,
• Examination reports issued prior and subsequent to issuance of corrective actions and related documents,
• Bank and FDIC correspondence and other management information data,
• Problem bank memorandums, and
• Summary analyses of examination reports.

We limited our assessment of DOS’s system of internal controls to gaining an understanding of the division’s corrective action procedures when a third-party contractor is suggested or required by the FDIC to assist an institution in fulfilling the requirements of an informal or formal corrective action intended to address weaknesses. We did not test internal controls because in a separate audit survey, Survey of the Division of Supervision’s Monitoring of Corrective Actions (Assignment Number 2001-205), we reviewed the efforts of the DOS to monitor and ensure compliance with corrective actions. Additionally, we did not review Government Performance and Results Act reporting, test for fraud or illegal acts, or test for compliance with laws and regulations because these items were not part of our audit objective. Finally, although we used available information from FDIC’s computerized systems, we did not test the accuracy of data generated by those systems because our focus was on the work performed by the third-party contractors and the use of data was limited to determining the sample of corrective actions that we reviewed. This audit was suspended from August 2001 through February 2002 during our work on issues related to the failure of Superior Bank, FSB, Hinsdale, Illinois. We conducted our audit from May 2001 through June 2002. The audit was conducted in accordance with generally accepted government auditing standards.

OIG MARCH 2002 MEMORANDUM REGARDING THE DIVISION OF SUPERVISION’S MONITORING OF CORRECTIVE ACTIONS

Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: March 20, 2002

MEMORANDUM TO: Michael J. Zamorski, Director, Division of Supervision

FROM: Russell A. Rau [Electronically produced version; original signed by Russell Rau], Assistant Inspector General for Audits

SUBJECT: Survey of the Division of Supervision‘s Monitoring of Corrective Actions (Assignment Number 2001-205)

The Office of Inspector General is terminating a survey of the Division of Supervision’s (DOS) monitoring of corrective actions by FDIC-supervised financial institutions (assignment number 2001-205). Our survey reviewed (1) DOS’s efforts to monitor and ensure compliance with corrective actions and (2) the corrective action process.

Based on the information gathered during the survey, we concluded that no further audit work is warranted at this time. In our 1994 audit of this area (Note: Audit of the Division of Supervision’s Corrective Action Monitoring Process, October 17, 1994.), we found inconsistencies in tracking corrective actions, untimely reporting by banks on the status of their corrective actions, and inconsistent on-site follow-up examinations. These concerns have been addressed by a number of DOS actions. Following the 1994 audit, DOS developed the Formal and Informal Actions Procedures (FIAP) manual to provide consistency among the various regions for handling corrective actions. The FIAP manual contains the policies and procedures to be followed in initiating, monitoring and terminating corrective actions.

DOS also uses the Formal and Informal Actions Tracking (FIAT) system to track corrective actions. The automated FIAT system allows for more effective monitoring of provisions and target completion dates for various corrective actions.

We found that the DOS systems and procedures are working as intended and that case managers are following DOS policies. We reached this conclusion based on the following audit work:

• We selected a total of 16 corrective action files from the 110 active files in the Dallas and Memphis Regional Offices for detailed review of examination reports, correspondence files, bank progress reports, problem bank memoranda, and legal files. We found that required quarterly bank reports were on file and there was evidence that case managers had reviewed the reports. In addition, the administrative and examination files were well organized and provided a clear record of monitoring actions.
  
  
• The FIAT system tracks due dates for quarterly reports required of the respective institutions, the dates of the case manager’s review and the case managers response to the institution. We found that exception reports are generated by the FIAT system and distributed to case managers if required reporting dates are not met.
  
  
• We reviewed 15 quarterly reports that institutions were required to submit to DOS under the terms of the corrective actions. All required reports had been submitted to DOS and the reports addressed each provision of the respective corrective action.
  
  
• We reviewed 15 Reports of Examination that were issued after a corrective action was initiated and found that each report described the conditions that prompted the corrective action and addressed the status of the institution’s efforts to implement each provision.

Thank you for the cooperation and assistance provided us during the survey. We would especially like to acknowledge the efforts of Ronald M. Williams, Senior Examination Specialist with the Dallas Regional Office, in assisting us in this survey. If you have any questions, please contact me at (202) 416-2543 or Vernon Davis, Director, at (202) 416-2508.

cc: Simona L. Frank
John M. Lane
Mark S. Schmidt
Rae-Ann Miller
John V. Carter
Cottrell L. Webster
Phyllis J. Zumbrun
Doug F. Jones, Legal Division
Vijay C. Deshpande, OICM

CORPORATION COMMENTS

Federal Deposit Insurance Corporation
550 17th St. NW Washington DC, 20429
Division of Supervision

July 8, 2002

TO: Stephen M. Beard, Deputy Assistant Inspector General for Audits

FROM: Michael J. Zamorski [Electronically produced version; original signed by John M. Lane for Michael J. Zamorski], Director, Division of Supervision

SUBJECT: Draft Report on the Audit of the FDIC’s Assessment of Corrective Action Work Performed by Third-Party Contractors

Thank you for the opportunity to review and comment on the subject draft report. The objective of the audit was to determine whether work performed by third-party contractors for FDIC-supervised institutions met the requirements of corrective actions instituted by the Division of Supervision (Division).

Although the report does not include any findings or recommendations, I concur with its general conclusions that where required by formal and informal enforcement actions, third-party contractors perform their work in an acceptable manner, meeting the requirements of the provision of the action. The Division’s staff appropriately monitors enforcement actions to ensure that work performed by third-party contractors is in accord with stated timeframes and reviews necessary documentation to ensure that the work is performed to our satisfaction.