DSC’s Examination Assessment of Interest Rate Risk
July 2008 Report No. AUD-08-011
Federal Deposit Insurance Corporation
The audit objectives were to
(1) determine whether the FDIC’s
examinations comply with applicable
policies and procedures for assessing
and addressing an institution’s
internal control, review, and audit
coverage of the interest rate risk
management process; and
(2) evaluate the corrective actions
pursued when significant weaknesses
are reported by examiners. Interest
rate risk, the exposure of an
institution’s earnings and capital to
adverse interest rate changes, is
fundamental to the business of
banking. The audit focused on
FDIC-supervised institutions with
indicators of elevated interest rate
risk.
Changes in interest rates can
adversely affect a financial
institution’s earnings and market
capital. The FDIC’s Division of
Supervision and Consumer Protection
(DSC) conducts periodic risk
management examinations to
ascertain, among other things, an
institution’s Sensitivity to Market
Risk, including interest rate risk.
DSC has issued guidance for
conducting these examinations.
Additionally, the Joint Agency Policy
Statement on Interest Rate Risk (IRR
SOP), issued by the FDIC and the
other federal banking agencies,
provides guidance to institutions on
prudent interest rate risk management
principles and assists bankers and
examiners in evaluating the adequacy
of an institution’s management of
interest rate risk. The IRR SOP states
that an institution’s interest rate risk
management process should be
subject to periodic independent
review to ensure the integrity,
accuracy, and reasonableness of the
institution’s overall risk management
process. Overall, the purpose of the
independent review is to ensure that
the interest rate risk measurement and
management processes are sound.
|
For the 38 sampled risk management examinations we reviewed, FDIC examiners generally
complied with applicable policies and procedures for assessing and addressing an institution’s
internal control, review, and audit coverage of the interest rate risk management process.
Generally, as depicted in the figure below, we found:
- Pre-Examination Planning memoranda listed the red flags identified by the FDIC’s Interest
Rate Risk Standard Analysis software application; and
- Reports of Examination and supporting working papers showed that examiners either
obtained for consideration a copy of the institution’s independent review report or identified a contravention of the IRR SOP.
Regarding the pursuit of corrective actions, we found that informal and formal corrective
actions generally addressed significant weaknesses reported by examiners in the area of interest
rate risk. We also noted that a provision related to interest rate risk was sometimes not included
in corrective actions, even though both the composite and Sensitivity to Market Risk component
ratings of the institutions by examiners were less than satisfactory. However, DSC showed that
provisions addressing other ratings components reasonably addressed the identified concerns.
We also identified situations where the examiner’s assessment of an institution’s independent
review and reporting to the institution’s board of directors could be improved. Specifically, we
found that examinations often did not:
- provide conclusions on the adequacy of the independent review functions, or
- assess the adequacy of the institution’s reporting on the independent reviews to its board.
Additionally, training records we reviewed for 42 interest rate risk and capital markets Subject
Matter Experts and Regional Specialists showed that some had obtained little or no training in
recent years in their areas of expertise. Targeted training could enhance the contribution of
these experts and specialists to the examination process.
Ensuring that appropriate institution and examination controls and resources are in place will
help the FDIC to assure that an institution’s interest rate risk management processes are
appropriate and functioning adequately.
[ D ]
Recommendations and Management Response |
We recommended that DSC emphasize to examiners the need to fully assess and conclude on
the adequacy of an institution’s independent review and on the adequacy of reporting on the
independent review to the bank’s board, as warranted by risk; advise examiners of the
importance of collectively considering all relevant examination guidance; and establish policies
and guidelines for the training of interest rate risk and capital markets Subject Matter Experts
and Regional Specialists. Management concurred with our recommendations and is taking
responsive action.
|
|
|
BACKGROUND |
Institution Guidance in the Statement of Policy on Interest Rate Risk |
FDIC Examination Guidance |
RESULTS OF AUDIT |
EXAMINER ASSESSMENT OF AN INSTITUTION’S INDEPENDENT REVIEW AND REPORTING TO THE BOARD OF DIRECTORS |
Joint Agency Statement of Policy on Interest Rate Risk |
Examination Guidance Related to the Independent Review |
Examiner Determination of the Adequacy of Independent Reviews |
Examiner Assessment of an Institution’s Reporting to Its Board of
Directors on the Independent Reviews |
Examiner Implementation of Guidance on Independent Reviews |
Reliance on Independent Reviews and Management Systems |
Recommendations on Examiner Assessment of an Institution’s
Independent Review and Reporting to the Board of Directors |
INTEREST RATE RISK TRAINING FOR SUBJECT MATTER EXPERTS AND REGIONAL SPECIALISTS |
Training Guidance |
Subject Matter Expert and Regional Specialist Training |
Establishment of Policy for Continuing Education |
Maintenance of Human Capital Resources |
Recommendation on Interest Rate Risk Training for Subject Matter
Experts and Regional Specialists |
CORPORATION COMMENTS AND OIG EVALUATION |
APPENDICES |
1. OBJECTIVE, SCOPE, AND METHODOLOGY |
2. CORPORATION COMMENTS |
3. MANAGEMENT RESPONSE TO RECOMMENDATIONS |
4. ACRONYMS USED IN THE REPORT |
TABLE |
Scope and Annual Reporting Expectations for an Institution’s
Independent Review |
FIGURE |
Examination Conclusions Not Provided on the Scope of the Independent
Reviews |
|
|
|
DATE: | July 7, 2008 |
|
MEMORANDUM TO: | Sandra L. Thompson, Director |
|
Division of Supervision and Consumer Protection |
|
FROM: | Russell A. Rau [Electronically produced version; original signed by Russell A. Rau] |
| Assistant Inspector General for Audits |
|
SUBJECT: | DSC’s Examination Assessment of Interest Rate Risk (Report No. AUD-08-011) |
|
This report presents the results of our audit of the Division of Supervision and Consumer
Protection’s (DSC) examination assessment of interest rate risk at FDIC-supervised
institutions. The audit objectives were to (1) determine whether the FDIC’s examinations
comply with applicable policies and procedures for assessing and addressing an
institution’s internal control, review, and audit coverage of the interest rate risk
management process; and (2) evaluate the corrective actions pursued when significant
weaknesses are reported by examiners.1 We focused the audit on those FDIC-supervised
institutions with indicators of elevated interest rate risk. We conducted this performance
audit in accordance with generally accepted government auditing standards. Appendix 1
of this report discusses our audit objectives, scope, and methodology in detail.
BACKGROUND
Interest rate risk is fundamental to the business of banking. Changes in interest rates can
expose an institution to adverse shifts in net interest income, increase the cost of funds,
and impair the underlying value of its assets, thereby adversely affecting an institution’s
earnings and market capital. The FDIC is responsible for ensuring that the financial
institutions it supervises operate in a safe and sound manner. To accomplish this, the
FDIC conducts risk management examinations to ascertain, among other things, an
institution’s Sensitivity to Market Risk, including interest rate risk. This assessment is
summarized in an assigned risk rating for Sensitivity to Market Risk, which is the “S” part of the CAMELS rating system.2 Failure to appropriately assess an institution’s
interest rate risk can impact the overall effectiveness of the risk management examination
and expose the institution to the risk of loss.
Institution Guidance in the Statement of Policy on Interest Rate Risk
The FDIC provides supervisory guidance to institutions and examiners, in part, through
FDIC Statements of Policy. In 1996, the federal banking agencies3 issued The Joint
Agency Policy Statement on Interest Rate Risk (IRR SOP) to provide guidance to
institutions on interest rate risk management and to assist bankers and examiners in
evaluating the adequacy of an institution’s management of interest rate risk.4 Although a
Statement of Policy (SOP) does not constitute a legal requirement, an institution’s failure
to adhere to an SOP requirement may result in a citation for contravention in the
examiner’s Report of Examination (ROE).
The IRR SOP states that effective control of the interest rate risk management process
includes an independent review and, where appropriate, internal and external audit.
According to the IRR SOP, a bank should conduct periodic reviews of its risk
management process to ensure its integrity, accuracy, and reasonableness. According to
DSC’s Risk Management Manual of Examination Policies (DSC Examination Manual),
the independent review serves as a means to independently assess the adequacy of an
institution’s measurement system. The level and depth of independent review performed
by an institution should be commensurate with the institution’s activities.
The SOP also indicates that the findings of the review should be reported annually to the
institution’s board of directors.
FDIC Examination Guidance
The DSC Examination Manual and the FDIC’s Rate Sensitivity Examination
Documentation Module (Rate Sensitivity ED Module)5 address interest rate risk
management and an institution’s independent review.
|
|
RESULTS OF AUDIT
For the 38 risk management examinations we reviewed, FDIC examiners generally
complied with applicable policies and procedures for assessing and addressing an
institution’s internal control, independent review, and audit coverage of the interest rate risk management process. Specifically, we found that:
- Pre-Examination Planning (PEP) memoranda for 37 (97 percent) of the 38
examinations we reviewed listed the “red flags”6 identified by the FDIC’s Interest
Rate Risk Standard Analysis (IRRSA) software application,7 and
- ROEs and supporting working papers for 32 (84 percent) of the 38 examinations
reviewed showed that examiners had either obtained for consideration a copy of
the institution’s independent review report or identified a contravention of the
IRR SOP.
Additionally, informal and formal corrective actions generally addressed significant
weaknesses reported by examiners in the area of interest rate risk. We sampled 50
institutions that had a Sensitivity to Market Risk component rating and composite rating
of “3,” “4,” or “5,” which are considered less than satisfactory. For 44 (88 percent) of the
50 institutions, where both the composite and Sensitivity to Market Risk component
ratings were less than satisfactory, corrective actions contained either a specific or
general provision that addressed weaknesses and/or deficiencies related to Sensitivity to
Market Risk. For the remaining six institutions (12 percent), a provision related to
Sensitivity to Market Risk was not included in an informal or formal corrective action;
however, DSC provided us reasonable explanations for these instances. In each case,
DSC showed that there were provisions related to other CAMELS components that could
improve deficiencies within the area of Sensitivity to Market Risk. In addition, we noted
that the examiners had discussed their interest rate risk concerns and recommendations
with the institutions’ management and documented those matters in the ROEs.
We also found that the examiner assessment of an institution’s independent review and
reporting of review results to its board of directors could be improved. Specifically,
some examiners for our sampled examinations did not conclude on the adequacy of an
institution’s independent review functions or on the adequacy of the institution’s
reporting of the review results to its board of directors. Adequate independent reviews
help ensure the integrity, accuracy, and reasonableness of an institution’s interest rate risk
measurement system; an institution’s safety and soundness; and the FDIC’s ability to rely on the results of an institution’s interest rate risk measurement system (Examiner
Assessment of an Institution’s Independent Review and Reporting to the Board of
Directors).
Further, the FDIC could enhance its training for Subject Matter Experts and Regional
Specialists. Some Subject Matter Experts and Regional Specialists had obtained little or
no recent training in their designated areas of expertise—interest rate risk and capital
markets. These individuals are an important resource for examiners seeking advice and
guidance on an institution’s Sensitivity to Market Risk during the examination process
(Interest Rate Risk Training for Subject Matter Experts and Regional Specialists).
|
|
EXAMINER ASSESSMENT OF AN INSTITUTION’S INDEPENDENT REVIEW AND REPORTING TO THE BOARD OF DIRECTORS
Examiner assessment of an institution’s independent review and reporting of the review
results to the board of directors could be improved. Specifically, we found that FDIC
examiners did not:
- provide conclusions on the adequacy of the independent review functions for
15 (39 percent) of the 38 examinations reviewed.
- assess the adequacy of the institution’s reporting on the independent reviews to its
board of directors for 26 (68 percent) of the 38 examinations reviewed.
An inadequate independent review could reduce both (1) an institution’s assurance that
its interest rate risk management processes and system are appropriate and functioning
adequately and (2) DSC’s ability to rely on the results of that system for examination
purposes.
Joint Agency Statement of Policy on Interest Rate Risk
Although not a legal requirement, the IRR SOP states that an institution should conduct
periodic independent reviews of its risk management process to ensure its integrity,
accuracy, and reasonableness. The policy statement identifies the scope and annual
reporting expectations for an independent review as shown in the following table:
Scope and Annual Reporting Expectations for an Institution’s Independent Review
Minimum Areas for Review and
Validation During the Independent Review
|
|
Minimum Areas for Review and
Validation During the Independent Review
|
The adequacy of, and personnel’s compliance
with, the institution’s internal control system.
|
|
The findings of the review.
|
The appropriateness of the institution’s risk
measurement system given the nature, scope,
and complexity of its activities.
|
|
A brief summary of the institution’s interest
rate risk measurement techniques and
management practices.
|
The accuracy and completeness of the data
inputs into the institution’s risk measurement system.
|
|
The identification of major critical
assumptions used in the risk measurement
process.
|
The reasonableness and validity of scenarios
used in the risk measurement system.
|
|
A discussion of the process used to derive
major critical assumptions.
|
The validity of the risk measurement calculations.
|
|
An assessment of the impact of major critical
assumptions on the institution’s measured
exposure.
|
Source: Office of Inspector General (OIG) analysis of the IRR SOP.
Examination Guidance Related to the Independent Review
The DSC Examination Manual emphasizes that, at a minimum, each institution should
have procedures in place to independently review its input process, assumptions, and
system output reports. To illustrate, among other things, the institution’s:
- system-input process review should evaluate the adequacy and appropriateness of
the level of knowledge and skill of the individuals responsible for the
measurement system;
- assumption review should address the process of developing assumptions for all
material asset, liability, and off-balance sheet exposures; and
- system output and reporting assessment should include coverage of the timeliness
and frequency of reporting to management and the board.
In addition, the DSC Examination Manual states that individuals responsible for
performing the independent review should not be involved in the interest rate risk
measurement process. Institutions may use internal staff, an outsourcing arrangement, or
a combination of the two, to independently appraise the measurement system.
The FDIC’s Rate Sensitivity ED Module incorporates an examiner assessment of an
institution’s independent review. In particular, one of the module’s core analysis
decision factors asks, “Are the audit or independent review functions adequate?” In
addition, the corresponding core analysis procedures include the following examiner
determinations:
- Determine that the scope of the audit or independent review is sufficient to
identify policy, reporting, internal control, and compliance deficiencies.
- Determine that the scope includes a review and validation of risk measurement
calculations and tests for reasonableness and accuracy of assumptions and data
inputs.
- Determine that results are reported to the board on a timely basis.
- If recent reviews disclosed any deficiencies, determine if management responses
are reasonable.
Although the IRR SOP and the DSC Examination Manual describe specific independent
review procedures, the Rate Sensitivity ED Module does not describe all of the minimum
scoping procedures for the independent review or all of elements to be included in the
institution’s reporting to the board of directors as prescribed by the IRR SOP and DSC
Examination Manual. Further, the Rate Sensitivity ED Module does not refer the
examiner to the IRR SOP. According to DSC management, examiners are expected to
consider all sources of guidance and would not rely solely on the Rate Sensitivity ED
Module when reviewing interest rate risk.
Examiner Determination of the Adequacy of Independent Reviews
To assess examiner coverage of the IRR SOP and compliance with applicable
examination procedures for interest rate risk, we sampled 38 examinations for
FDIC-supervised institutions with indicators of an elevated interest rate risk
profile. These
sampled institutions had from one to seven “red flags” identified by the FDIC’s
IRRSA
application.
For 23 of the 38 examinations for which examiners provided a conclusion on the
adequacy of the institution’s independent review, we saw evidence that the examiners
had concluded on the adequacy of the review either in the ROEs or in examination
working papers. We accepted examiners’ conclusions and observations on the adequacy
of the institution’s independent review in various forms, such as a check mark on a
procedural step, a declaration of adequacy or inadequacy, and/or a citation of a
contravention of the IRR SOP.
The results of our analysis for 15 (39 percent) of the 38 examinations with no conclusions
on the adequacy of the institutions’ independent reviews are presented below.
[ D ]
Examiner Assessment of an Institution’s Reporting to Its Board of Directors on the
Independent Reviews
For 26 (68 percent) of the 38 examinations reviewed, we found that FDIC examiners did
not conclude on the adequacy of the institution’s reporting on the independent review to
its board. In accordance with the IRR SOP, the institution’s report to the board on the
review results should address all five elements described earlier in this report. For 12
examinations, we accepted examiners’ conclusions and observations on the adequacy of
the institution’s reporting on the independent review in various forms—either in the
ROEs or the examination working papers, such as a check mark on a procedural step, a
declaration of adequacy or inadequacy, an affirmative statement that the independent
review was reported to the institution’s board, and/or a citation of a contravention of the
IRR SOP.
Examiner Implementation of Guidance on Independent Reviews
We interviewed 13 DSC field examiners, from 3 field offices, who explained their
understanding of DSC’s examination policies and procedures and described their
assessment process for independent reviews and the institution’s reporting on the reviews
to its board of directors. In particular, field examiners stated that an institution’s
compliance with the IRR SOP should be evaluated at every examination. The examiners
also stated that in assessing an institution’s compliance with the IRR SOP, they would
always check for an independent review. Although the examiners stated that they
believed that an institution’s independent review should be reviewed at all examinations, the depth of review deemed necessary varied. Some examiners stated that it was
necessary to validate an institution’s compliance with all of the provisions of the IRR
SOP, while other examiners stated it was necessary to validate only that an independent
review had been conducted and that the institution had reported the independent review
to the institution’s board.
Although the IRR SOP is not a legal requirement, the IRR SOP provides that examiners
should consider certain risk factors in conducting their review, as follows:
When evaluating the applicability of specific guidelines provided in this
Statement … bank management and examiners should consider factors such as
the size of the bank, the nature and complexity of its activities, and the adequacy
of its capital and earnings in relation to the bank’s overall risk profile.
The extent of an independent review should be commensurate with the bank’s activities;
however, as risk increases, we believe that an examination should more thoroughly assess
an institution’s implementation of the IRR SOP. An adequate independent review should
provide the institution assurance that its interest rate risk management processes and
systems are commensurate with the institution’s activities and permit DSC reliance on the
review. Therefore, it is important for examiners to conclude on the adequacy of the
independent reviews and to assess whether the institution’s reporting to the board on the
independent review addressed all IRR SOP elements.
Reliance on Independent Reviews and Management Systems
Independent reviews serve as a significant element of an institution’s interest rate risk
management process because such reviews are an objective source of verification and
assessment. The absence of or a weak independent review could compromise the
integrity, accuracy, and reasonableness of an institution’s interest rate risk measurement
system and even the safety and soundness of the institution. Adequate independent
review and board oversight increases the FDIC’s ability to rely on the results of an
institution’s interest rate risk measurement system.
FDIC emphasis on the need for examiners to fully assess and conclude on the adequacy
of the scope of an institution’s independent review and on the extent of an institution’s
reporting to its board on review results could achieve improvement in controls and
interest rate risk measurement systems at FDIC-supervised institutions. This is
particularly the case in institutions with indicators of elevated interest rate risk, such as
those assessed in this audit. In turn, the independent reviews and board reporting could
provide the FDIC and examiners greater assurance and reliance on the results of
institutions’ interest rate risk management and systems during on-site examinations.
Recommendations on Examiner Assessment of an Institution’s Independent Review
and Reporting to the Board of Directors
We recommend that the Director, DSC:
- Emphasize to examiners the need to fully assess and conclude on the adequacy of an
institution’s independent review and on the adequacy of reporting on the independent
review to the institution’s board as warranted by risk.
- Advise examiners of the importance of collectively considering the IRR SOP, the
DSC Examination Manual, and the Rate Sensitivity ED Module in scoping
examination coverage of IRR independent reviews and the institution’s reporting on
the independent reviews to its board.
|
|
INTEREST RATE RISK TRAINING FOR SUBJECT MATTER EXPERTS AND REGIONAL SPECIALISTS
Our review of available training records8 and follow-up discussions with DSC indicated
that some Subject Matter Experts and Regional Specialists had obtained little or no
training in recent years in their designated areas of expertise—interest rate risk and
capital markets. These individuals are an important resource for examiners seeking
advice and guidance on an institution’s sensitivity to market risk during the examination
process.
Training Guidance
DSC has not established policies or guidelines on the training of interest rate risk and
capital markets Subject Matter Experts and Regional Specialists. However, the FDIC’s
Corporate Performance Objectives for 2007 and 2008 identified that the FDIC has a
“Resource Management” objective to ensure that the FDIC has the necessary skills in its
workforce, on an ongoing basis, to effectively address current and emerging safety and
soundness risk. These corporate performance objectives highlight senior management’s
goals in improving the knowledge and depth of employee skills and ensuring the transfer
and succession of knowledge.
Also of note, the Government Accountability Office (GAO) issued Standards for Internal
Control in the Federal Government, dated November 1999, which contains internal
control guidance for the federal government. In part, one of the internal control standards
states the following:
All personnel need to possess and maintain a level of competence that allows
them to accomplish their assigned duties … . Management needs to identify
appropriate knowledge and skills needed for various jobs and provide needed
training … .
In implementing this standard, the GAO recommends, in part, that agencies consider
whether an appropriate training program exists to meet the needs of all employees,
emphasize the need for continuing training, and have a control mechanism in place to
help ensure that all employees receive appropriate training.
Subject Matter Expert and Regional Specialist Training
Based on our review of available training records, we found that 12 (29 percent) of 42
interest rate risk and capital markets Subject Matter Experts (who are also examiners) and
Regional Specialists from two regions appeared to have had little or no capital markets
training over the last 2 years,9 and in some cases, for up to 5 years. For these examiners,
we noted the following:
- four individuals had no direct capital markets training10 and no indirectly-related
training11 within the last 5 years.
- four individuals had no direct capital markets training within the last 5 years and
no indirectly-related training within the last 2 years.
- four individuals had no direct capital markets training and no indirectly-related
training within the last 2 years.
We discussed the lack of recent training with one of the Subject Matter Experts from our
sample. She reviewed and verified the accuracy of her training data available from the
Corporate University. Additionally, the Subject Matter Expert’s Field Supervisor
indicated that a similar situation exists with another designated Subject Matter Expert
from another field office. Although the Field Supervisor recognized the importance of
the Subject Matter Expert positions, he also expressed concern with the need to balance the level of training provided to Subject Matter Experts with the level of time these
examiners need to perform examinations.
We also asked DSC to provide information on any additional related training not
included in the Corporate University’s training data for the 12 Subject Matter Experts and
Regional Specialists. DSC indicated that two individuals were no longer designated as
interest rate risk or capital markets Subject Matter Experts or Regional Specialists. One
of the individuals had been designated as a capital markets expert until recently but was
not conducting work in that area. In addition, some of the remaining individuals had
attended capital markets-related sessions at regional training and other conferences but no
extended training in their designated areas of expertise.
Establishment of Policy for Continuing Education
The lack of recent training may be attributable to the lack of expectations and guidance
related to the training for Subject Matter Experts and Regional Specialists, who are
involved in providing technical support for examination teams. Additionally, DSC
indicated that examination scheduling often is a deciding factor as to whether a Subject
Matter Expert will be available for specialized training opportunities. We found that
DSC has no formal policies for the training of Subject Matter Experts or Regional
Specialists. DSC senior managers stated that the experience level and qualification of the
individuals who hold those positions varies widely. The managers expressed that
establishing more formalized standards and policies in this area would be beneficial and
generally supported the idea of providing more consistent training through a shared effort
with Corporate University.
Maintenance of Human Capital Resources
Field office Subject Matter Experts are an important resource in an examination of an
institution’s sensitivity to market risk because these individuals are the first point of
contact for other examiners who are seeking guidance during the examination process.
Regional Specialists are also an important resource as a secondary point of contact. In
this regard, establishing policies and guidelines for the training of interest rate risk and
capital markets Subject Matter Experts and Regional Specialists will help to ensure that
examiners have access to effective resources during the examination process. When
designated Subject Matter Experts and Regional Specialists do not attend pertinent
training to further their understanding and knowledge, they can lose proficiency in their
designated area of expertise and diminish the FDIC’s ability to successfully manage its
resources and to ensure the proper succession of knowledge and skills.
Recommendation on Interest Rate Risk Training for Subject Matter Experts and Regional
Specialists
We recommend that the Director, DSC:
(3) Establish policies and guidelines for the training of interest rate risk and capital
markets Subject Matter Experts and Regional Specialists.
|
|
CORPORATION COMMENTS AND OIG EVALUATION
On July 3, 2008, the Director, DSC, provided a written response to the draft of this
report. Management’s response is presented in its entirety in Appendix 2. Management
concurred with our findings and recommendations. A summary of management’s
response to the recommendations is in Appendix 3.
In response to recommendation 1, DSC stated that it will re-emphasize that
examination staff should assess and conclude on the adequacy of institutions’
independent reviews,
and the reporting of such reviews, as directed by examination guidance. For
recommendation 2, DSC stated that it will re-emphasize that examiners should
collectively consider outstanding guidance, policies, and examiner resources
in risks-coping examination coverage of an institution’s management of its
rate sensitivity.
Regarding recommendation 3, DSC will recommend the establishment of training
policies and guidelines for capital markets Subject Matter Experts and Regional
Specialists to the appropriate FDIC training oversight groups and will assist
with the development and implementation of the applicable policies and training
curriculum.
DSC’s planned actions are responsive to our recommendations. The recommendations
are resolved but will remain open until we determine that the agreed-to corrective actions
have been completed and are responsive.
APPENDIX 1
OBJECTIVE, SCOPE, AND METHODOLOGY
Objectives
The objectives of this audit were to (1) determine whether the FDIC’s examinations
comply with applicable policies and procedures for assessing and addressing an
institution’s internal control, review, and audit coverage of the interest rate risk
management process; and (2) evaluate the corrective actions pursued when significant
weaknesses are reported by examiners.
We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained
provided a reasonable basis for our findings and conclusions. We performed the audit
from August 2007 through April 2008.
Scope and Methodology
To achieve our objectives we performed the following:
- Reviewed supervisory examination guidance for coverage of interest rate risk and
the issuance of formal and informal corrective actions. In particular, we
performed a review of the:
- FDIC Statement of Policy entitled, Joint Agency Policy Statement on Interest
Rate Risk;
- Risk Management Manual of Examination Policies;
- Formal and Informal Action Procedures Manual;
- Case Manager Procedures Manual;
- ED Modules entitled, Risk Scoping and Rate Sensitivity;
- Regional Directors Memoranda; and
- Financial Institution Letters.
- Reviewed safety and soundness examination reports and working paper
documentation on a non-statistical12 sample of 38 institutions related to the
examiner assessment of an institution’s internal control, independent review, and
audit coverage of the interest rate risk management process; and use of IRRSA
reports during the pre-examination planning process. We selected the sample
based on institutions that had elevated indicators of interest rate risk.
- Reviewed safety and soundness examination reports and corresponding corrective
actions on a non-statistical sample of 50 institutions for the corrective action
provisions pursued when significant weaknesses related to interest rate risk were
reported by examiners. The sample was selected based on institutions that had a Sensitivity to Market Risk component rating and a composite rating of “3,” “4,”
or “5.”
- Described and compared the examiners’ assessments of an institution’s internal
control, review, and audit coverage of the interest rate risk management process
against the examination procedures provided in the FDIC’s policies and
procedures noted above.
- Interviewed DSC officials in Washington, D.C., and regional and field offices;
and interviewed Division of Insurance and Research officials in Washington, D.C.
- Performed our audit work at the FDIC’s Headquarters offices in Washington,
D.C., and the Philadelphia and San Juan Field Offices.
Internal Control
We gained an understanding of the relevant control activities (related to the examination
coverage of the Sensitivity to Market Risk component) by reviewing applicable policies
and procedures as detailed under the Scope and Methodology section of this report. In
particular, we identified that DSC had established the following process controls related
to the examination review of the Sensitivity to Market Risk component:
- Employee training
- Assistant Examiner Schools
- On-the-job training
- Updates and refresher training
- Examination policies and procedures
- Pre-examination planning
- Examiner review and assessment
- Examiner-in-Charge/Operational Manager Review
- Field Supervisor/Case Manager Review
- Institution management response and appeal process
- DSC's field office and regional office internal reviews
In assessing these controls, we:
- Reviewed DSC’s training policies and directives.
- Reviewed employee training programs that cover interest rate risk for DSC
personnel in various stages of career development, such as assistant
examiners/financial institution specialists, commissioned examiners, Subject
Matter Experts, and Regional Specialists.
- Reviewed the recent level of completed training (based on available training
records) on interest rate risk by selecting a non-statistical sample of Subject
Matter Experts and Regional Specialists. The sample was selected based on all
Subject Matter Experts and Regional Specialists identified within the New York
and San Francisco regions as of the time of our audit.
- Reviewed DSC’s examination policies and procedures, as noted in the Scope and
Methodology section of this report.
- Reviewed DSC’s internal assessment of the safety and soundness examination
process – concerning the examination of Sensitivity to Market Risk – by
selecting a non-statistical sample of DSC regional and field office reviews. We
selected the sample of DSC regional office reviews from all reviews conducted
from 2004 to 2006. We selected the sample of DSC field office reviews from the
reviews completed in the New York and San Francisco regions from 2006 to
2007. For the samples selected, we reviewed the Internal Control and Review
Section’s Internal Review Reports, regional and field office review audit
programs, and the working papers completed on the field office reviews.
Overall, controls for examiner assessment of interest rate risk appeared to be adequate
except for those areas discussed in this report.
Reliance on Computer-processed Information
Our audit objective did not require that we separately assess the reliability
of computer-processed information. However, we conducted tests to determine
the reliability of
computer-processed information obtained from the IRRSA application. Based on
our review of information in IRRSA, we noted that the application failed to
correctly identify
an institution’s “red flags.” We notified DSC of our concerns, and the application’s
software program was corrected during the audit. The processing errors were caused
by a recent IRRSA application software update. This condition was not a long-standing
problem and did not affect our sample of examinations. For the other aspects
of our
audit, we did not rely on computer-processed information to support our significant
findings, conclusions, or recommendations. Our assessment centered on reviews
of PEP
Memoranda, ROEs, examination working papers, on-site reviews, and interviews.
Performance Measurement
The Government Performance and Results Act of 1993 directs federal agencies to
develop a strategic plan and annual performance goals and objectives to help improve
federal program effectiveness and service delivery. In fulfilling the FDIC’s supervisory
responsibilities, the FDIC pursues two strategic goals: (1) FDIC-supervised institutions
are safe and sound, and (2) consumers’ rights are protected and FDIC-supervised
institutions invest in their communities. Related to the safety and soundness strategic
goal, there is one strategic objective: FDIC-supervised institutions appropriately manage
risk. This strategic objective has various corresponding annual performance goals.
Specifically, there are two annual performance goals related to our audit, in that the FDIC
will:
- Conduct on-site risk management examinations to assess the overall financial
condition, management practices and policies, and compliance with applicable
laws and regulations of FDIC-supervised depository institutions.
- Take prompt and effective supervisory action to address problems identified
during the FDIC examination of FDIC-supervised institutions that receive a
composite rating of “4” or “5” (problem institution). Monitor FDIC-supervised
and insured depository institutions’ compliance with formal and informal
enforcement actions.
Additionally, the FDIC’s Corporate Performance Objectives for 2007 and 2008 identified
that the FDIC has a “Resource Management” objective to ensure that the FDIC has the
necessary skills in its workforce, on an ongoing basis, to effectively address current and
emerging safety and soundness risk.
Compliance with Laws and Regulations
In conducting the audit, we considered the following laws and regulations:
- Federal Deposit Insurance Corporation Improvement Act (FDICIA). This
Act (Public Law 102-242) added section 39 to the Federal Deposit Insurance Act
(FDI Act) (12 United States Code § 1811 et seq.), which requires bank regulators
to prescribe standards relating to interest rate exposure. FDICIA also contains a
provision (section 305(b)) which, as amended in 1994 by Public Law 103-325,
required bank regulators to revise, within 18 months, their risk-based capital
standards to ensure that those standards take adequate account of interest rate and
other risks.
- FDIC Rules and Regulations, Part 325 – Capital Maintenance and
Appendix A to Part 325—Statement of Policy on Risk-Based Capital. In order
to comply with section 305(b) of FDICIA, Appendix A to Part 325 was revised in
1995, and the Joint Agency Policy Statement on Interest Rate Risk was issued in
1996 to address how interest rate risk will be considered with respect to the
adequacy of an institution’s capital. Interest rate risk is also addressed in
Appendix C to Part 325—Risk-Based Capital for State Non-Member Banks:
Market Risk, published subsequent to the joint agency policy statement.
- FDIC Rules and Regulations, Part 364 – Standards for Safety and Soundness.
This regulation and Appendix A to Part 364—Interagency Guidelines
Establishing Standards for Safety and Soundness implement section 39 of the
FDI Act. Appendix A to Part 364 states that an institution should:
- Manage interest rate risk in a manner that is appropriate to the size of the
institution and the complexity of its assets and liabilities.
- Provide for periodic reporting to management and the board of directors
regarding interest rate risk with adequate information for management and the
board to assess the level of risk.
- FDIC Statements of Policy. Although FDIC SOPs are detailed within the
FDIC’s Rules and Regulations, the SOPs are not technically considered laws or
regulations. Regardless, the joint agency policy statement, Joint Agency Policy
Statement on Interest Rate Risk, was published on June 26, 1996 to provide
guidance to banks regarding prudent interest rate risk management principles and
to assist bankers and examiners in evaluating the adequacy of a bank’s
management of interest rate risk.
In addressing our audit objectives, we did not specifically test for compliance with
section 39 nor with FDIC Rules and Regulations parts 325 and 364 or their appendices,
and no specific violations were reported within the ROEs sampled, and none came to our
attention. However, we did specifically test for compliance with certain sections of the
Joint Agency Policy Statement on Interest Rate Risk. The results of our review are
discussed throughout this report.
We assessed the risk of fraud and abuse related to the audit objective in the course of
evaluating audit evidence.
|
|
APPENDIX 2
CORPORATION COMMENTS
|
DATE: | July 3, 2008 |
|
TO: | Russell A. Rau |
| Assistant Inspector General for Audits |
|
FROM: | Sandra L. Thompson [Electronically produced version; original signed by Sandra L. Thompson] |
| Director |
|
SUBJECT: | Response to Draft Report Entitled: Examination Assessment of Interest Rate Risk
(Assignment No. 2007-031) |
|
This memorandum represents the Federal Deposit Insurance Corporation, Division of Supervision and Consumer Protection's (DSC) response to the draft report entitled Examination Assessment of Interest Rate Risk (Assignment No. 2007-031) (Draft Report), prepared by the FDIC's Office of Inspector General (OIG). We are pleased that the OIG found that FDIC examiners generally complied with applicable policies and procedures for assessing and addressing an institution's internal control, review, and audit coverage of the interest rate risk (IRR) management process, and that informal and formal corrective actions generally addressed significant weaknesses reported by examiners in the area of IRR.
DSC's responses to the report recommendations are discussed below.
OIG Recommendations:
- Emphasize to examiners the need to fully assess and conclude on the adequacy of an institution's independent review and on the adequacy of reporting on the independent review to the institution's board as warranted by risk.
DSC concurs. We will re-emphasize that examination staff should assess and conclude on the adequacy of institutions' independent reviews, and the reporting of such reviews, as directed by examination guidance. We will include a discussion of this topic during an upcoming FFIEC Capital Markets Specialists Conference, to be held August 12-15, 2008. The conference includes an "FDIC-only" break-out session which is attended by capital markets subject matter experts and the regional capital markets specialists. Participants will be directed to relay this information to field and regional staff.
- Advise examiners of the importance of collectively considering the IRR SOP, the DSC Examination Manual, and the Rate Sensitivity ED Module in scoping examination coverage of IRR independent reviews and the institution's reporting on the independent reviews to its board.
DSC concurs. We will re-emphasize that examiners should collectively consider outstanding guidance, policies and examiner resources in risk-scoping examination coverage of an institution's management of its rate sensitivity. We will include a discussion of this topic during an upcoming FFIEC Capital Markets Specialists Conference, to be held August 12-15, 2008. The conference includes an "FDIC-only" break-out session which is attended by capital markets subject matter experts and the regional capital markets specialists. Participants will be directed to relay this information to field and regional staff.
- Establish policies and guidelines for the training of interest rate risk and capital markets Subject Matter Experts and Regional Specialists.
DSC concurs and offers the following action that addresses the intent of your recommendation. We will recommend the establishment of training policies and guidelines for capital markets subject matter experts and regional specialists to the Course Oversight Group and the Training Oversight Committee by August 31, 2008, after which we will assist with development and implementation of policies and training curriculum.
|
| |
APPENDIX 3
MANAGEMENT RESPONSE TO RECOMMENDATIONS
This table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report issuance.
Rec. No. |
Corrective Action: Taken or Planned |
Expected Completion Date |
Monetary Benefits |
Resolved:a Yes or No |
Open or Closedb |
1 |
DSC will re-emphasize that
examination staff should
assess and conclude on the
adequacy of institutions’
independent reviews, and the
reporting of such reviews, as
directed by examination
guidance.
|
08/15/2008 |
$0 |
Yes |
Open |
2 |
DSC will re-emphasize that
examiners should
collectively consider
outstanding guidance,
policies, and examiner
resources in risk-scoping
examination coverage of an
institution’s management of
its rate sensitivity.
|
08/15/2008 |
$0 |
Yes |
Open |
3 |
DSC will recommend the
establishment of training
policies and guidelines for
capital markets Subject
Matter Experts and Regional
Specialists to the appropriate
FDIC training oversight
groups and will assist with
the development and
implementation of the
applicable policies and
training curriculum.
|
08/31/2008 |
$0 |
Yes |
Open |
a Resolved – |
(1) Management concurs with the recommendation, and the planned corrective action is
consistent with the recommendation. |
|
(2) Management does not concur with the recommendation, but planned alternative action is
acceptable to the OIG.
|
|
(3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0)
amount. Monetary benefits are considered resolved as long as management provides an
amount.
|
b Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.
|
|
APPENDIX 4
ACRONYMS USED IN THE REPORT
CAMELS | Capital Adequacy, Asset Quality, Management, Earnings,
Liquidity, and Sensitivity to Market Risk |
DSC | Division of Supervision and Consumer Protection |
ED | Examination Documentation |
FDI Act | Federal Deposit Insurance Act |
FDICIA | Federal Deposit Insurance Corporation Improvement Act |
FFIEC | Federal Financial Institutions Examination Council |
GAO | Government Accountability Office |
IRR | Interest Rate Risk |
IRR SOP | Joint Agency Policy Statement on Interest Rate Risk |
IRRSA | Interest Rate Risk Standard Analysis |
OIG | Office of Inspector General |
PEP | Pre-Examination Planning |
ROE | Report of Examination |
SOP | Statement of Policy |
UFIRS | Uniform Financial Institutions Rating System |
|
Footnotes
1 The FDIC generally initiates informal or formal corrective action against institutions with a composite
safety and soundness rating (see footnote 2) of “3,” “4,” or “5,” unless specific circumstances warrant
otherwise.
2 Under the Uniform Financial Institutions Rating System (UFIRS), during a regulatory examination,
federal regulators assign each financial institution a composite rating based on an evaluation of six essential
components of an institution's financial condition and operations: Capital Adequacy, Asset Quality,
Management, Earnings, Liquidity, and Sensitivity to Market Risk (CAMELS). A composite rating of 1
through 5 is given, with 1 having the least regulatory concern and 5 having the greatest concern.
3 The FDIC, Board of Governors of the Federal Reserve System, and Office of the Comptroller of the
Currency.
4 Refer to the Compliance with Laws and Regulations section in Appendix 1 for further information about
the IRR SOP.
5 According to the DSC Examination Manual, an ED Module is an examination tool that focuses on risk
management practices and guides examiners to establish the appropriate examination scope. Each module
contains a series of decision factors and examination procedures for examiners to consider when evaluating
an institution’s risk. The examiner’s use of the ED Modules and the need to provide a documented
response to individual decision factors and examination procedures is discretionary.
6 A red flag is not an indication of a supervisory concern but rather is intended only to focus examiner
attention and to identify potential issues that can be addressed either in the working papers or, if material,
in the examination comments.
7IRRSA is not an interest rate risk model and does not attempt to estimate a bank’s specific interest rate
risk option. Rather, IRRSA is a tool that assists examiner identification of areas that may warrant
additional review in the assessment of an institution’s interest rate risk. IRRSA’s red flag system identifies
institutions that exceed certain thresholds compared to established risk benchmarks.
8 The FDIC’s Corporate University provided us 5-year training histories for our sample of DSC Subject
Matter Experts and Regional Specialists. However, not all training is captured in the Corporate
University’s training server, especially training that is conducted at regional training conferences or at the
regional/field offices.
9 In the absence of specific training guidance, we performed our audit assessment based on an assumption
that continuing education should be obtained at least once every 2 years. Good business practices suggest
that in order to help employees maintain and improve their competence for their assigned positions, a
minimum level of continuing education should be sought and maintained.
10
We considered training as “direct training” that was provided by the Federal Financial Institutions
Examination Council and that was described as the Capital Markets Conference or the Capital Markets
Specialists Conference.
11
We considered “indirect training” as training that included any of the following:
derivatives, asset-backed securities, interest rate risk, market risk measurement,
asset securitization, modeling, supervisory
updates, and asset management. Based on discussions with DSC senior management,
we also considered training obtained by examiners who attended the Asset Liability
Management Models Lab that was
conducted by the Chicago Federal Reserve and the Interagency Symposium on Financial
Risk Modeling
that was sponsored by the FDIC’s Corporate University.
12
The results of a non-statistical sample cannot be projected to the intended population by standard
statistical methods.
|