
Supervisory Insights
Devoted to Advancing the Practice of Bank Supervision

Vol. 3, Issue 2    Winter 2006

Inside

Incident Response Programs
Unfair or Deceptive Acts or Practices
Understanding BSA Violations
Commercial Real Estate Underwriting Practices
Auditor Independence
Supervisory Insights

Supervisory Insights is published by the Division of Supervision and Consumer Protection of the Federal Deposit Insurance Corporation to promote sound principles and best practices for bank supervision.

Sheila C. Bair, Chairman, FDIC
Sandra L. Thompson, Director, Division of Supervision and Consumer Protection

Journal Executive Board
George French, Deputy Director and Executive Editor
Christopher J. Spoth, Senior Deputy Director
John M. Lane, Deputy Director
Robert W. Mooney, Acting Deputy Director
William A. Stark, Deputy Director
John F. Carter, Regional Director
Doreen Eberley, Acting Regional Director
Stan R. Ivie, Regional Director
James D. LaPierre, Regional Director
Sylvia H. Plunkett, Regional Director
Mark S. Schmidt, Regional Director

Journal Staff
Bobbie Jean Norris, Managing Editor
Christy C. Jacobs, Financial Writer
Eloy A. Villafranca, Financial Writer

Supervisory Insights is available online by visiting the FDIC’s website at www.fdic.gov. To provide comments or suggestions for future articles, to request permission to reprint individual articles, or to request print copies, send an e-mail to SupervisoryJournal@fdic.gov.




The views expressed in Supervisory Insights are those of the authors and do not necessarily reflect official positions of the Federal Deposit Insurance Corporation. In particular, articles should not be construed as definitive regulatory or supervisory guidance. Some of the information used in the preparation of this publication was obtained from publicly available sources that are considered reliable. However, the use of this information does not constitute an endorsement of its accuracy by the Federal Deposit Insurance Corporation.
Issue at a Glance
Volume 3, Issue 2    Winter 2006

Letter from the Director ......................................................... 2

Articles

Incident Response Programs: Don’t Get Caught Without One ......... 4
The media has been filled with stories of data compromises and security breaches at all types of organizations. A security incident can damage corporate reputations, cause financial losses, and foster identity theft, and banks are increasingly becoming targets for attack because they hold valuable data that, when compromised, allow criminals to steal an individual’s identity and drain financial accounts. To mitigate the effects of security breaches, organizations are finding it necessary to develop formal incident response programs (IRPs). This article highlights the importance of IRPs to a bank’s information security program and provides information on required content and best practices banks may consider when developing effective response programs.

Chasing the Asterisk: A Field Guide to Caveats, Exceptions, Material Misrepresentations, and Other Unfair or Deceptive Acts or Practices ......... 12
Although the vast majority of FDIC-supervised institutions adhere to a high level of professional conduct, the FDIC has seen an increase in violations of Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive practices in or affecting commerce. The Act applies to all aspects of financial products and services, and this increase in violations may be the result of increased competition among financial institutions, along with a growing dependence on fee income, expansion into the subprime market, and the increase in the number of products with complex structures and pricing. This article outlines how examiners identify and address acts or practices that may violate the prohibition against unfair or deceptive acts or practices, and it provides information to help financial institutions assess their products and services and develop a plan to avoid violations of Section 5 of the FTC Act.

Understanding BSA Violations ......... 22
While most insured financial institutions have an adequate system of BSA controls, high-profile cases in which large civil money penalties have been assessed for noncompliance with the BSA highlight the importance of banks’ efforts to ensure compliance with the BSA and its implementing rules. Shortfalls in BSA controls can result in violations of the BSA and the implementing rules being cited in Reports of Examination. This article highlights recent USA PATRIOT Act changes, discusses the types of BSA-related violations cited in examination reports, and clarifies the difference between a significant BSA program breakdown and technical problems in financial institutions. The article also provides examples of best practices for maintaining strong BSA and Anti-Money Laundering compliance programs.

Regular Features

From the Examiner’s Desk . . .
Examiners Report on Commercial Real Estate Underwriting Practices ......... 27
Banks are becoming increasingly reliant on commercial real estate (CRE) lending, and, in some markets, underwriting and administration of such loans have deteriorated in the effort to gain market share. This article provides an update on CRE lending nationwide by looking at examples of bank policies and practices in CRE concentrations and presenting best practices for identifying, monitoring, and controlling such risk.

Accounting News:
Auditor Independence ......... 33
When CPAs and their firms provide certain services that require them to be independent, such as audits of financial statements and audits of internal control over financial reporting, they are referred to as independent public accountants, independent auditors, or external auditors. But what does “independence” mean when external auditors provide these services? This article summarizes existing professional standards for auditor independence, including recent developments on tax services and contingent fees as well as the use of limitation of liability clauses in engagement letters.

Regulatory and Supervisory Roundup ......... 43
This feature provides an overview of recently released regulations and supervisory guidance.
Letter from the Director

It used to be that banks spent more money on protecting the cash they held in their vaults than on anything else. The bars on the windows, security guards in the lobby, and armored cars were familiar signs of how important it was to protect the cash. These days, we know that another critical asset for a bank to protect is data.

Banks hold valuable data that, when compromised, allow criminals to steal an individual’s identity and drain financial accounts. The potential for large financial gain has driven the demand by identity thieves for data. There are even secondary markets where thieves can purchase or trade data in mass quantities. There are people in the data theft industry whose “job” it is to obtain and aggregate as much data as they can. Others operate the elaborate black market operations where data can be bought and sold. And other participants are the actual end-users of the stolen information. Whether by manufacturing duplicate credit or debit cards, applying for credit in someone else’s name, or using stolen online banking IDs and passwords to access someone’s cash by originating transfers, the end-users are the criminals who actually convert the data into cash.

There are many reasons for banks to safeguard data. There are, of course, the regulatory requirements. In 2001, the Federal banking agencies implemented section 501(b) of the Gramm-Leach-Bliley Act by promulgating Guidelines Establishing Standards for Safeguarding Customer Information. The objectives of the guidelines and of the written information-security program they require are to (1) ensure the security and confidentiality of customer information, (2) protect against any anticipated threats or hazards to the security or integrity of such information, and (3) protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. In addition, the guidelines require financial institutions to ensure that service providers with whom they contract implement a security program designed to meet the guidelines’ objectives. Other laws, such as the Fair and Accurate Credit Transactions Act of 2003 and the USA PATRIOT Act, also require financial institutions to have in place strong policies and programs to safeguard customer data.

Another reason to protect customer data is to avoid financial losses to the bank. The costs associated with a data compromise can be great. They range from expensive insurance claims, to investigation and remediation costs, to the cost of providing free monitoring services for those affected. As important, however, banks need to safeguard data to protect against harm to their reputation and a loss of consumer confidence. If bank customers feel their bank cannot be trusted to protect their confidential information, they will go somewhere else. Although it has not yet happened to a financial institution, companies in other industries have gone out of business because of serious data breaches.

Everyone has a responsibility in safeguarding data. Financial institutions and their technology service providers have a legal duty to protect data, but consumers also have a responsibility to protect their own information. The FDIC has sponsored a number of symposiums around the country to educate consumers about the need to protect personal and confidential information from compromise. We advise consumers to always protect their Social Security number, credit card and debit card numbers, personal identification numbers, passwords, and other personal information. They should also protect their incoming and outgoing mail, properly discard any trash that contains personal or financial information, and keep a close watch on bank account statements and credit card bills for any abnormalities.

The FDIC also has safeguards in place to protect our confidential data. As the steward of the deposit insurance fund and primary supervisor of more than 5,200 banks, the FDIC plays a vital role in maintaining confidence in the banking industry. In August, the FDIC issued updated procedures to examination staff as a reminder of the importance of safeguarding examination information—whether in paper, electronic, or other form. The updated procedures cover all documentation acquired or created in connection with a bank examination, such as reports of examination, examination work papers, bank information, and, especially, any sensitive bank customer information that may be gathered as part of a bank examination. The updated procedures (1) specify minimum standards for safeguarding examination information, including technical, physical, and administrative safeguards; (2) provide guidance for the implementation of an Information Security Incident Response Program with required procedures if an actual or suspected loss, theft, or unauthorized access of confidential or sensitive examination information is detected; and (3) incorporate recently issued guidance from the U.S. Office of Management and Budget requiring that security incidents involving personally identifiable information be reported within one hour after discovery.

The FDIC recognizes that even the best information security program may not prevent every incident. A critical feature of information security programs must be a plan for the bank to respond when incidents of unauthorized access to sensitive customer information maintained by the institution or its service providers occur. An incident response program provides a preplanned framework for dealing with the aftermath of a security breach or attack. In this issue of Supervisory Insights, “Incident Response Programs: Don’t Get Caught Without One” highlights the importance of incident response programs and provides information on required content and best practices banks may consider when developing effective response programs.

We encourage our readers to continue to provide comments on articles, to ask follow-up questions, and to suggest topics for future issues. All comments, questions, and suggestions should be sent to SupervisoryJournal@fdic.gov.

Sandra L. Thompson
Director, Division of Supervision and Consumer Protection

Incident Response Programs: Don’t Get Caught Without One

Everyone is familiar with the old adage “Time is money.” In the Information Age, data may be just as good. Reports of data compromises and security breaches at organizations ranging from universities and retail companies to financial institutions and government agencies provide evidence of the ingenuity of Internet hackers, criminal organizations, and dishonest insiders obtaining and profiting from sensitive customer information. Whether a network security breach compromising millions of credit card accounts or a lost computer tape containing names, addresses, and Social Security numbers of thousands of individuals, a security incident can damage corporate reputations, cause financial losses, and enable identity theft.

Banks are increasingly becoming prime targets for attack because they hold valuable data that, when compromised, may lead to identity theft and financial loss. This environment places significant demands on a bank’s information security program to identify and prevent vulnerabilities that could result in successful attacks on sensitive customer information held by the bank. The rapid adoption of the Internet as a delivery channel for electronic commerce coupled with prevalent and highly publicized vulnerabilities in popular hardware and software have presented serious security challenges to the banking industry. In this high-risk environment, it is very likely that a bank will, at some point, need to respond to security incidents affecting its customers.

To mitigate the negative effects of security breaches, organizations are finding it necessary to develop formal incident response programs (IRPs).1 However, at a time when organizations need to be most prepared, many banks are finding it challenging to assemble an IRP that not only meets minimum requirements (as prescribed by Federal bank regulators), but also provides for an effective methodology to manage security incidents for the benefit of the bank and its customers. In response to these challenges, this article highlights the importance of IRPs to a bank’s information security program and provides information on required content and best practices banks may consider when developing effective response programs.

1 In its simplest form, an IRP is an organized approach to addressing and managing the aftermath of a security breach or attack.
2 A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.

The Importance of an Incident Response Program

A bank’s ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information security program. While IRPs are important for many reasons, three are highlighted in this article.

First, though incident prevention is important, focusing solely on prevention may not be enough to insulate a bank from the effects of a security breach. Despite the industry’s efforts at identifying and correcting security vulnerabilities, every bank is susceptible to weaknesses such as improperly configured systems, software vulnerabilities, and zero-day exploits.2 Compounding the problem is the difficulty an organization experiences in sustaining a “fully secured” posture. Over the long term, a large amount of resources (time, money, personnel, and expertise) is needed to maintain security commensurate with all potential vulnerabilities. Inevitably, an organization faces a point of diminishing returns whereby the extra resources applied to incident prevention bring a lesser amount of security value. Even the best information security program may not identify every vulnerability and prevent every incident, so banks are best served by incorporating formal incident response planning to complement strong prevention measures. In the event management’s efforts do not prevent all security incidents (for whatever reason), IRPs are necessary to reduce the sustained damage to the bank.

Second, regulatory agencies have recognized the value of IRPs and have mandated that certain incident response requirements be included in a bank’s information security program. In March 2001, the FDIC, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the Board of Governors of the Federal Reserve System (FRB) (collectively, the Federal bank regulatory agencies) jointly issued guidelines establishing standards for safeguarding customer information, as required by the Gramm-Leach-Bliley Act of 1999.3 These standards require banks to adopt response programs as a security measure. In April 2005, the Federal bank regulatory agencies issued interpretive guidance regarding response programs.4 This additional guidance describes IRPs and prescribes standard procedures that should be included in IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified of a breach in the security of computerized personal information.5 Therefore, the increased regulatory attention devoted to incident response has made the development of IRPs a legal necessity.

3 Appendix B to Part 364 of the FDIC Rules and Regulations at www.fdic.gov/regulations/laws/rules/2000-8660.html#2000appendixbtopart364 and FDIC FIL-22-2001, Guidelines Establishing Standards for Safeguarding Customer Information, issued March 14, 2001. Also refer to 12 CFR 30, App. B (OCC); 12 CFR 208, App. D-2 and 12 CFR 225, App. F (FRB); and 12 CFR 570, App. B (OTS).
4 FDIC FIL-27-2005, Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued April 1, 2005, www.fdic.gov/news/news/financial/2005/fil2705.html. Also refer to 12 CFR 30, App. B (OCC); 12 CFR 208, App. D-2 and 12 CFR 225, App. F (FRB); 12 CFR 364, App. B (FDIC); and 12 CFR 570, App. B (OTS).
5 “State Security Breach Notification Laws (as of June 2006),” September 15, 2006, www.thecyberangel.com/StSecBrchNotifLaw.doc.

Finally, IRPs are in the best interests of the bank. A well-developed IRP that is integrated into an overall information security program strengthens the institution in a variety of ways. Perhaps most important, IRPs help the bank contain the damage resulting from a security breach and lessen its downstream effect. Timely and decisive action can also limit the harm to the bank’s reputation, reduce negative publicity, and help the bank identify and remedy the underlying causes of the security incident so that mistakes are not destined to be repeated.

Elements of an Incident Response Program

Although the specific content of an IRP will differ among financial institutions, each IRP should revolve around the minimum procedural requirements prescribed by the Federal bank regulatory agencies. Beyond this fundamental content, however, strong financial institution management teams also incorporate industry best practices to further refine and enhance their IRP. In general, the overall comprehensiveness of an IRP should be commensurate with an institution’s administrative, technical, and organizational complexity.

Minimum Requirements

The minimum required procedures addressed in the April 2005 interpretive guidance can be categorized into two broad areas: “reaction” and “notification.” In general, reaction procedures are the initial actions taken once a compromise has been identified. Notification procedures are relatively straightforward and involve communicating the details or events of the incident to interested parties; however, they may also involve some reporting requirements. Figure 1 lists the minimum required procedures of an IRP as discussed in the April 2005 interpretive guidance.

Reaction Procedures

Assessing security incidents and identifying the unauthorized access to or misuse of customer information essentially involve organizing and developing a documented risk assessment process for determining the nature and scope of the security event. The goal is to efficiently determine the scope and magnitude of the security incident and identify whether customer information has been compromised.

Containing and controlling the security incident involves preventing any further access to or misuse of customer information or customer information systems. As there are a variety of potential threats to customer information, organizations should anticipate the ones that are more likely to occur and develop response and … with the likelihood of and the potential damage from such threats. An institution’s information security risk assessment can be useful in identifying some of these potential threats. The containment procedures developed should focus on responding to and minimizing potential damage from the threats identified. Not every incident can be anticipated, but institutions should at least develop containment procedures for reasonably foreseeable incidents.

Notification Procedures

An institution should notify its primary Federal regulator as soon as it becomes aware of the unauthorized access to or misuse of sensitive customer information or customer information systems. Notifying the regulatory agency will help it determine the potential for broader ramifications of the incident, especially if the incident involves a service provider, as well as assess the effectiveness of the institution’s IRP.

Institutions should develop procedures for notifying law enforcement agencies and filing SARs in accordance with their primary Federal regulator’s requirements.6 Law enforcement agencies may serve as an additional resource in handling and documenting the incident. Institutions should also establish proce-
                           containment procedures commensurate                            dures for filing SARs in a timely manner

                           Figure 1
                                                                    Minimum Requirements
                               Develop reaction procedures for                           Establish notification procedures for
                               s assessing security incidents that have                  s the institution’s primary Federal regulator;
                                 occurred;
                                                                                         s appropriate law enforcement agencies (and
                               s identifying the customer information and                   filing Suspicious Activity Reports [SARs], if
                                 information systems that have been accessed                necessary); and
                                 or misused; and                                         s affected customers.
                               s containing and controlling the security
                                 incident.


6 An institution’s obligation to file a SAR is specified in the regulations of its primary Federal regulator. Refer to 12 CFR 21.11 (OCC), 12 CFR 208.62 (FRB), 12 CFR 353 (FDIC), and 12 CFR 563.180 (OTS).


6
    Supervisory Insights                                                                                                             Winter 2006
because regulations impose relatively quick filing deadlines. The SAR form7 itself may serve as a resource in the reporting process, as it contains specific instructions and thresholds for when to file a report. The SAR form instructions also clarify what constitutes a “computer intrusion” for filing purposes. Defining procedures for notifying law enforcement agencies and filing SARs can streamline these notification and reporting requirements.

Institutions should also address customer notification procedures in their IRP. When an institution becomes aware of an incident involving unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that such information has been or will be misused. If the institution determines that sensitive customer information has been misused or that misuse of such information is reasonably possible, it should notify the affected customer(s) as soon as possible. Developing standardized procedures for notifying customers will assist in making timely and thorough notification. As a resource in developing these procedures, institutions should reference the April 2005 interpretive guidance, which specifically addresses when customer notification is necessary, the recommended content of the notification, and the acceptable forms of notification.

Best Practices—Going Beyond the Minimum

Each bank has the opportunity to go beyond the minimum requirements and incorporate industry best practices into its IRP. As each bank tailors its IRP to match its administrative, technical, and organizational complexity, it may find some of the following best practices relevant to its operating environment. The practices addressed below are not all inclusive, nor are they regulatory requirements. Rather, they are representative of some of the more effective practices and procedures some institutions have implemented. For organizational purposes, the best practices have been categorized into the various stages of incident response: preparation, detection, containment, recovery, and follow-up.

Preparation

Preparing for a potential security compromise of customer information is a proactive risk management practice. The overall effectiveness and efficiency of an organization’s response is related to how well it has organized and prepared for potential incidents. Two of the more effective practices noted in many IRPs are addressed below.

• Establish an incident response team.

A key practice in preparing for a potential incident is establishing a team that is specifically responsible for responding to security incidents. Organizing a team that includes individuals from various departments or functions of the bank (such as operations, networking, lending, human resources, accounting, marketing, and audit) may better position the bank to respond to a given incident. Once the team is established, members can be assigned roles and responsibilities to ensure incident handling and reporting is comprehensive and efficient. A common responsibility that banks have assigned to the incident response team is developing a notification or call list, which includes contact information for employees, vendors, service providers, law enforcement, bank regulators, insurance companies, and other appropriate contacts. A comprehensive notification list can serve as a valuable resource when responding to an incident.


7 See www.fincen.gov/reg_bsaforms.html.


Incident Response Programs
continued from pg. 7

• Define what constitutes an incident.

An initial step in the development of a response program is to define what constitutes an incident. This step is important as it sharpens the organization’s focus and delineates the types of events that would trigger the use of the IRP. Moreover, identifying potential security incidents can also make the possible threats seem more tangible, and thus better enable organizations to design specific incident-handling procedures for each identified threat.

Detection

The ability to detect that an incident is occurring or has occurred is an important component of the incident response process. This is considerably more important with respect to technical threats, since these can be more difficult to identify without the proper technical solutions in place. If an institution is not positioned to quickly identify incidents, the overall effectiveness of the IRP may be affected.8 Following are two detection-related best practices included in some institutions’ IRPs.

• Identify indicators of unauthorized system access.

Most banks implement some form of technical solution, such as an intrusion detection system or a firewall, to assist in the identification of unauthorized system access. Activity reports from these and other technical solutions (such as network and application security reports) serve as inputs for the monitoring process and for the IRP in general. Identifying potential indicators of unauthorized system access within these activity or security reports can assist in the detection process.

• Involve legal counsel.

Because many states have enacted laws governing notification requirements for customer information security compromises, institutions have found it prudent to involve the institution’s legal counsel when a compromise of customer information has been detected. Legal guidance may also be warranted in properly documenting and handling the incident.

Containment

During the containment phase, the institution should generally implement its predefined procedures for responding to the specific incident (note that containment procedures are a required minimum component). Additional containment-related procedures some banks have successfully incorporated into their IRPs are discussed below.

• Establish notification escalation procedures.

If senior management is not already part of the incident response team, banks may want to consider developing procedures for notifying these individuals when the situation warrants. Providing the appropriate executive staff

8 Pursuant to section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), the FDIC, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Office of Thrift Supervision, the National Credit Union Administration, and the Federal Trade Commission, have jointly proposed (1) guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft, and (2) regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines. The notice of proposed rulemaking (NPR) also includes provisions requiring credit and debit card issuers to assess the validity of a request for a change of address under certain circumstances, and, pursuant to section 315 of the FACT Act, guidance regarding reasonable policies and procedures that a user of consumer reports must employ when such a user receives a notice of address discrepancy from a consumer reporting agency. The NPR was published on July 18, 2006, at 71 Fed. Reg. 40786, and the comment period ended on September 18, 2006. The agencies are reviewing the comments received in preparation for a final rule.


and senior department managers with information about how containment actions will affect business operations or systems and including these individuals in the decision-making process can help minimize undesirable business disruptions. Institutions that have experienced incidents have generally found that the management escalation process (and resultant communication flow) was not only beneficial during the containment phase, but also proved valuable during the later phases of the incident response process.

• Document details, conversations, and actions.

Retaining documentation is an important component of the incident response process. Documentation can come in a variety of forms, including technical reports generated, actions taken, costs incurred, notifications provided, and conversations held. This information may be useful to external consultants and law enforcement for investigative and legal purposes, as well as to senior management for filing potential insurance claims and for preparing an executive summary of the events for the board of directors or shareholders. In addition, documentation can assist management in responding to questions from its primary Federal regulator. It may be helpful during the incident response process to centralize this documentation for organizational purposes.

• Organize a public relations program.

Whether a bank is a local, national, or global firm, negative publicity about a security compromise is a distinct possibility. To address potential reputation risks associated with a given incident, some banks have organized public relations programs and designated specific points of contact to oversee the program. A well-defined public relations program can provide a specific avenue for open communications with both the media and the institution’s customers.

Recovery

Recovering from an incident essentially involves restoring systems to a known good state or returning processes and procedures to a functional state. Some banks have incorporated the following best practices related to the recovery process in their IRPs.

• Determine whether configurations or processes should be changed.

If an institution is the subject of a security compromise, the goals in the recovery process are to eliminate the cause of the incident and ensure that the possibility of a repeat event is minimized. A key component of this process is determining whether system configurations or other processes should be changed. In the case of technical compromises, such as a successful network intrusion, the IRP can prompt management to update or modify system configurations to help prevent further incidents. Part of this process may include implementing an effective, ongoing patch management program, which can reduce exposure to identified technical vulnerabilities. In terms of non-technical compromises, the IRP can direct management to review operational procedures or processes and implement changes designed to prevent a repeat incident.

• Test affected systems or procedures prior to implementation.

Testing is an important function in the incident response process. It helps ensure that reconfigured systems, updated procedures, or new technologies implemented in response to an incident are fully effective and performing as expected. Testing can also identify whether any adjustments are necessary prior to implementing the updated system, process, or procedure.




Follow-up

During the follow-up process, an institution has the opportunity to regroup after the incident and strengthen its control structure by learning from the incident. A number of institutions have included the following best practice in their IRPs.

• Conduct a “lessons-learned” meeting.

Successful organizations can use the incident and build from the experience. Organizations can use a lessons-learned meeting to
– discuss whether affected controls or procedures need to be strengthened beyond what was implemented during the recovery phase;
– discuss whether significant problems were encountered during the incident response process and how they can be addressed;
– determine if updated written policies or procedures are needed for the customer information security risk assessment and information security program;
– determine if updated training is necessary regarding any new procedures or updated policies that have been implemented; and
– determine if the bank needs additional personnel or technical resources to be better prepared going forward.

The preceding best practices focused on the more common criteria that have been noted in actual IRPs, but some banks have developed other effective incident response practices. Examples of these additional practices are listed in Figure 2. Organizations may want to review these practices and determine if any would add value to their IRPs given their operating environments.

What the Future Holds

In addition to meeting regulatory requirements and addressing applicable industry best practices, several characteristics tend to differentiate banks. The most successful banks will find a way to integrate incident response planning into


Figure 2: Additional IRP Best Practices

• Test the incident response plan (via walk-through or tabletop exercises) to assess thoroughness.
• Implement notices on login screens for customer information systems to establish a basis for disciplinary or legal action.
• Develop an incident grading system that quantifies the severity of the incident, helps determine if the incident response plan needs to be activated, and specifies the extent of notification escalation.
• Provide periodic staff awareness training on recognizing potential indicators of unauthorized activity and reporting the incident through proper channels. Some institutions have established phone numbers and e-mail distribution lists for reporting possible incidents.
• Inform users about the status of any compromised system they may be using.
• Establish a list of possible consultants, in case the bank does not have the expertise to handle or investigate the specific incident (especially regarding technical compromises).
• Establish evidence-gathering and handling procedures aimed at preserving evidence of the incident and aiding in prosecution activities.




normal operations and business processes. Assimilation efforts may include expanding security awareness and training initiatives to reinforce incident response actions, revising business continuity plans to incorporate security incident responses, and implementing additional security monitoring systems and procedures to provide timely incident notification. Ultimately, the adequacy of a bank’s IRP reflects on the condition of the information security program along with management’s willingness and ability to manage information technology risks. In essence, incident response planning is a management process, the comprehensiveness and success of which provide insight into the quality and attentiveness of management. In this respect, the condition of a bank’s IRP, and the results of examiner review of the incident response planning process, fit well within the objectives of the information technology examination as described in the Information Technology–Risk Management Program.9

An IRP is a critical component of a well-formed and effective information security program and has the potential to provide tangible value and benefit to a bank. Similar to the importance of a business continuity planning program as it relates to the threat of natural and man-made disasters, sound IRPs will be necessary to combat new and existing data security threats facing the banking community. Given the high value placed on the confidential customer information held within the financial services industry, coupled with the publicized success of known compromises, one can reasonably assume that criminals will continue to probe an organization’s defenses in search of weak points. The need for response programs is real and has been recognized as such by not only state and Federal regulatory agencies (through passage of a variety of legal requirements), but by the banking industry itself. The challenges each bank faces are to develop a reasonable IRP providing protections for the bank and the consumer and to incorporate the IRP into a comprehensive, enterprise-wide information security program. The most successful banks will exceed regulatory requirements to leverage the IRP for business advantages and, in turn, improved protection for the banking industry as a whole.

Eric R. Morris
Information Technology Examiner, Chicago, IL

John J. Sosnowski II
Examiner, Indianapolis, IN




9 The Information Technology–Risk Management Program (IT–RMP) is the approach for conducting information technology examinations at FDIC-supervised institutions, regardless of size and complexity. FIL 81-2005, Information Technology–Risk Management Program New Information Technology Examination Procedures, August 18, 2005, www.fdic.gov/news/news/financial/2005/fil8105.html.




Chasing the Asterisk: A Field Guide to Caveats, Exceptions, Material Misrepresentations, and Other Unfair or Deceptive Acts or Practices

Section 5 of the Federal Trade Commission (FTC) Act prohibits “unfair or deceptive practices in or affecting commerce.”1 Although enforced generally by the FTC against nonbank entities, the authority for enforcing Section 5 as it relates to FDIC-supervised institutions rests with the FDIC, pursuant to Section 8 of the Federal Deposit Insurance Act,2 which permits the FDIC and the other Federal banking agencies to enforce “any law.”

The prohibition against unfair and deceptive acts or practices (UDAPs) applies to all products and services offered by a financial institution, directly or indirectly. The prohibition applies to every stage and activity: from product development to the creation and rollout of the marketing campaign; from servicing and collections all the way through to the termination of the customer relationship.

Although the vast majority of FDIC-supervised institutions adhere to a high level of professional conduct, the FDIC has seen an increase in violations of Section 5 of the FTC Act. This may be the result of increased competition among financial institutions, along with a growing dependence on fee income and increased reliance on third parties.

Depending on the severity of their nature and scope, violations of the FTC Act may adversely affect an institution’s compliance rating, as well as result in an enforcement action and restitution. Evidence of such violations may also cause a downgrade of an institution’s Community Reinvestment Act (CRA) rating. Public knowledge that a financial institution engaged in unfair or deceptive acts or practices—from publication of a cease and desist order, a statement in the institution’s public CRA Performance Evaluation, or reports in the media—may result in reputational harm to the institution, lawsuits, and financial damages. In light of these risks, failure to prevent or address potential UDAPs may, in turn, expose the institution to questions regarding the adequacy of its management and the safety and soundness of its operations.

This article provides insights into how examiners identify and address acts or practices that may violate the prohibition against UDAPs found in Section 5 of the FTC Act. Financial institutions can use this information to conduct assessments of their products and services and to develop a blueprint for avoiding Section 5 violations.
                            Expansion into the subprime market may                    FDIC Enforcement of
                            be another factor, as well as the prolifera-
                                                                                      Section 5 of the FTC Act
                            tion of products with complex structures
                            and pricing. Examiners have identified                     A number of agencies have authority
                            various acts and practices that violate                   to combat UDAPs. While the FTC
                            Section 5, including deceptive marketing                  has broad authority to enforce the
                            and solicitations, misleading billing state-              requirements of Section 5 of the
                            ments, and failure to adequately disclose                 FTC Act, banks and certain other busi-
                            material terms and conditions for both                    nesses are exempted from the FTC’s
                            credit and deposit products.                              authority.3 In a Financial Institution
                                                                                      Letter (FIL) dated May 30, 2002,4
                            1
                                15 U.S.C. § 45(a).
                            2
                                12 U.S.C. § 1818(b).
                            3
                                15 U.S.C. § 45.
                            4
                              FIL-57-2002, Guidance on Unfair or Deceptive Acts or Practices, May 30, 2002, www.fdic.gov/news/news/
                            financial/2002/fil0257.html.

12
     Supervisory Insights                                                                                                    Winter 2006
the FDIC confirmed the applicability                         To assist in determining whether a
of Section 5 of the FTC Act to state                       particular act or practice is unfair or
nonmember banks and their institu-                         deceptive, the FTC has issued policy
tion-affiliated parties, as well as the                    statements on both unfairness and
FDIC’s intention to cite violations of                     deception.9 In most cases, Section 5
this law and take appropriate action                       violations involve deception, although
under Section 8 of the Federal Deposit                     there have been a few instances where
Insurance Act5 (FDI Act) when it                           a particular act or practice, or the sum
discovers unfair or deceptive acts                         of a variety of acts and practices, have
or practices.                                              been found to be unfair.
  On March 11, 2004, the FDIC with
the Board of Governors of the Federal                      Unfairness
Reserve System (FRB) jointly issued                         An act or practice may be found to be
guidance on UDAP (Joint Guidance)                          unfair where it
to state-chartered banks outlining the
standards the FDIC and the FRB will                        (1) Causes or is likely to cause sub-
consider when applying the prohibitions                        stantial injury to consumers, which
against UDAPs found in the FTC Act and                     (2) Is not reasonably avoidable by
providing advice on managing risks                             consumers themselves, and
relating to UDAPs.6
                                                           (3) Is not outweighed by counter-
  In determining the appropriate                               vailing benefits to consumers or
response to a Section 5 violation, the                         to competition.
FDIC consults with other state and
federal agencies depending on the issue                      Public policy may also be considered in
and their jurisdiction over the parties                    the analysis of whether a particular act
involved. Where necessary to address                       or practice is unfair.
the UDAP and provide an appropriate
remedy for consumers, the FDIC will                        Deception
also pursue a joint action with other                       A three-part test is used to assess
government entities.7                                      whether a representation, omission, or
                                                           practice is deceptive:
Standards for Determining                                  (1) The representation, omission, or
What Is Unfair or Deceptive                                    practice must mislead or be likely
                                                               to mislead the consumer;
  As stated in the Joint Guidance,8 the
standards for unfairness and deception                     (2) The consumer’s interpretation of
are independent of each other. While                           the representation, omission, or
a specific act or practice may be both                         practice must be reasonable under
unfair and deceptive, an act or practice                       the circumstances. If a representa-
is prohibited by the FTC Act if it is either                   tion or practice is targeted to a partic-
unfair or deceptive.                                           ular group—for example, the elderly

5
    12 U.S.C. § 1818(a).
6
 FIL-26-2004, Unfair or Deceptive Acts or Practices by State-Chartered Banks, March 11, 2004 (Joint Guidance),
www.fdic.gov/news/news/financial/2004/fil2604.html.
7
    Ibid., footnote 6, page 1.
8
    Ibid., footnote 6, page 2.
9
 See FTC Policy Statement on Unfairness (December 17, 1980), www.ftc.gov/bcp/policystmt/ad-unfair.htm, and
FTC Policy Statement on Deception (October 14, 1983), www.ftc.gov/bcp/policystmt/ad-decept.htm.



                                                                                                                               13
Supervisory Insights                                                                                             Winter 2006
Chasing the Asterisk: A Field Guide
continued from pg. 13



                                                       Unfairness Based upon Lack of Utility
       A bank advertised a credit card with no application or annual fees. However, consumers were charged a “refundable acceptance fee,”
     which completely exhausted the available credit line. According to the terms of the card, this acceptance fee would be “refunded” in incre-
     ments of $50 every three months, assuming the consumer paid the minimum amount due on a timely basis, making available an equal amount
     of credit. As opposed to an annual fee, a monthly maintenance charge of $10 was charged against the account, along with an interest rate of
     almost 20 percent against the outstanding balance.

      The FDIC found that the “refundable acceptance fee” was nothing more than a bookkeeping entry used by the bank to create a balance
     upon which it could assess interest and other charges. At a minimum, consumers were paying $120 a year plus interest in exchange for the
     use of a credit line made available to them in $50 increments. Account activity reports showed little or no purchases or charges, only the
     assessment of monthly fees, interest, and other charges.

       The card program was determined to be “unfair.” The fees associated with the program made any benefit negligible, and the program was
     structured so that only a very small percentage of account holders would receive any initial or subsequent credit. Moreover, with no out-of-
     pocket money at risk and the limited utility of the card, a high delinquency rate was foreseeable. Within six months from the initial offering of
     the product, nearly 50 percent of all accounts opened were delinquent.


                                                        or troubled borrowers—its reason-                    examiners may be unaware of any
                                                        ableness must be evaluated from the                  potential unfair or deceptive concerns
                                                        vantage point of that group; and,                    prior to their examination of a bank.
                                                (3) The misleading representation, omis-                     FDIC examiners may identify potential
                                                    sion, or practice must be material.                      UDAPs during the course of an exami-
                                                                                                             nation, through a consumer complaint,
                                                 A deceptive representation can be                           or through referrals from state or local
                                                expressed, implied, or involve a material                    agencies or consumer protection
                                                omission. The overall impression is key—
                                                                                                             organizations. Reports of unfair or
                                                written disclosures in the text or fine
                                                                                                             deceptive acts or practices in the
                                                print in a footnote may be insufficient to
                                                                                                             media—print, TV, and the Internet—
                                                correct a misleading headline.10
                                                                                                             may trigger investigations.
                                                  As can be seen from the examples in
                                                the text box above and on the facing                           The scope of an examination or inves-
                                                page, and as stated in the Joint Guid-                       tigation to determine whether an insti-
                                                ance, whether an act or practice is unfair                   tution is engaging in UDAPs involves a
                                                or deceptive depends upon a careful                          review of the institution’s products, serv-
                                                analysis of the facts and circumstances.                     ices, target markets, operations, and
                                                In analyzing a particular act or practice,                   compliance management systems and
                                                the FDIC is guided by the body of law                        programs. Examiners first develop a risk
                                                and official interpretations for defining                    profile for the institution using informa-
                                                UDAPs developed by the courts and the                        tion about the institution’s business
                                                FTC, as well as factually similar cases                      lines, organizational structure, opera-
                                                brought by other enforcement and regu-                       tions, and past supervisory performance.
                                                latory agencies, including other federal                     Then they investigate any identified high-
                                                bank regulatory agencies.11                                  risk areas, such as subprime lending and
                                                                                                             third-party relationships.
                                                Identifying UDAP Issues                                       Identifying red flags and high-risk
                                                 UDAPs are not always apparent or                            areas, and investigating them, is a key
                                                easily discovered. In most instances,                        part of any UDAP review or investigation.

                                                10
                                                     FTC Policy Statement on Deception, p. 5, October 14, 1983, www.ftc.gov/bcp/policystmt/ad-decept.htm.
                                                11
                                                 Joint Guidance at page 2; FIL-57-2002, Guidance on Unfair or Deceptive Acts or Practices, May 30, 2002,
                                                www.fdic.gov/news/news/financial/2002/fil0257.html.

14
      Supervisory Insights                                                                                                                           Winter 2006
Text box: Deceptive Advertising and Billing

On one bank’s home page was a large multicolored advertisement that prominently displayed a series of credit cards and a large blue ball. Alternately flashing across the ball, in bold white letters outlined in red, were the statements “NO COLLECTION CALLS*!” and “NO LATE FEES*!” Although each statement contained an asterisk, there were no explanatory notes on this page.

A consumer who clicked on the blue ball or one of the credit cards would be linked to an application page containing the online application form. At the top of this page, the statements “NO collection calls*” and “NO late fees*” again appeared as static text, along with the statement, “NO Nonsense.” The phrases “NO COLLECTION CALLS*,” “NO LATE FEES*,” and “APPLY NOW!” appeared a second time on this page as flashing text in a red banner. The following text appeared in small print in the middle of the page, largely obscured by other promotional information:

    Late fees may apply and you may receive collection calls if payments are past due on your credit account and charges or fees incurred cause your credit account balance to exceed its credit line (over limit) or any portion of your credit line becomes unsecured . . .

If the consumer clicked on or near “APPLY NOW!” the online application moved from the middle to the top of the screen, covering over this qualification. If, instead of clicking “APPLY NOW!” the consumer clicked the “Important Terms and Conditions” link appearing at the top of the application page, they would be taken to another web page containing the general terms and conditions, again with the flashing statements “NO COLLECTION CALLS*,” “NO LATE FEES*,” and “APPLY NOW” appearing at the top of the page. In this instance, as with the original statements on the bank’s home page, there were no qualifying disclosures.

The FDIC found the statements to be deceptive. The qualifications, printed in small text and largely obscured, contradicted the prominently advertised terms. Additionally, while the banner headlines appeared multiple times on each of the three pages, the qualifying language appeared only once, could easily be skipped, and was completely covered if the consumer clicked the link for the online application.

In a similar case, the bank sent out billing statements to its delinquent credit card account holders featuring a prominently placed message, located in a box in the center of the statement, advising the consumer that if they paid a specific sum, they could avoid additional fees and further collection efforts. Upon investigation, the examiners determined that the amount stated in the message box was the amount past due, not the larger minimum payment amount, and that payment of this amount would result in additional charges as well as continuation of the consumer’s delinquent status.

Although the minimum amount due was stated elsewhere on the billing statement, the bank’s practice was deceptive because it used an alternative amount in the message box to direct the consumer’s attention away from the correct minimum payment amount necessary to restore their account to a current status. Moreover, despite the bank’s explicit claims to the contrary, payment of the amount the bank specified in the message box would subject the consumer to what they were told they would avoid: additional fees and collection efforts.

The bank was directed to immediately terminate this practice and reimburse those consumers who incurred late charges and other fees as a result of this practice.

Red Flags That Could Warrant a UDAP Review

Consumer Complaints

Consumer complaints are often a key source of information on possible UDAPs.[12]

As part of the pre-examination process,[13] examiners are required to review consumer complaints. At the FDIC, complaints received regarding state nonmember banks are maintained in an automated database and are available directly to examiners. In addition to reviewing complaints received by the FDIC, on-site examinations always include a review of the complaints received by the institution and its procedures for addressing them.[14]

[12] For agencies that do not have authority to perform on-site examinations, such as the FTC or a state attorney general, consumer complaints often serve as the primary basis for their investigations.
[13] FDIC Compliance Examination Handbook, “Compliance Examinations—Pre-examination Planning,” page II-3.1.
[14] Ibid., “Compliance Examinations—Analysis,” page II-4.1.
When reviewing complaints, examiners also look for trends: for example, how many of the same or similar type of complaints did the bank receive? While a large volume of complaints will frequently indicate an area of concern, the number of complaints received is not a determining factor in and of itself of whether there is a potential unfair or deceptive issue. A small number of complaints does not undermine the validity of the complaints or the seriousness of the allegations raised. If even a single complaint raises apparently valid concerns relative to a potential UDAP, the examiner may determine that a Section 5 review is warranted. Consequently, examiners focus on the issues raised in complaints, not just the number of complaints.

Because many consumers may not be aware that the FDIC and the other bank regulatory agencies have consumer protection offices responsible for investigating consumer complaints,[15] examiners may contact other entities more generally known to consumers as places to file a complaint. These include the Better Business Bureau, the FTC, and state agencies, such as a state banking department or an attorney general’s office.

When reviewing complaints, examiners pay particular attention not only to the immediate concerns of the consumer, but also to the broader implications. Allegations or claims that may indicate possible UDAPs include

• Misleading or false statements,
• Missing disclosures or information,
• Undue or excessive fees,
• Inability to reach customer service, or
• Previously undisclosed charges.

Investigations by Other Federal or State Agencies

The FDIC gives serious attention to investigations initiated by other government agencies such as state banking departments or the offices of state attorneys general. The regional offices are often notified directly by the investigating agency, although notice may first come from the target bank once it has learned it is under investigation.[16]

Where a state or other agency asserts that an FDIC-insured institution has violated state consumer protection law, the FDIC office in the Region, in consultation with the Washington office, reviews the allegations to determine if they involve potential UDAPs. Although such assertions may be based on state law, they nonetheless may also involve potential violations of Section 5 of the FTC Act.

Criticism of Institution, Product, or Service in the Media

Newspaper articles, radio programs, and television consumer reports can provide information on potential UDAP issues. For example, during the course of one bank examination, a local news station did a special report on a consumer’s complaint of deceptive practices at the bank’s mortgage subsidiary. This information further corroborated issues examiners noted in consumer complaints.

Internet searches for information on an institution or a particular product or service it offers (such as a credit card or other loan product) can be another source of information on possible UDAPs. There are many websites and blogs where consumers write about the problems they have had with particular entities or products. These websites may be used by examiners to supplement information in the complaints received by the FDIC and state authorities.

High-Risk Areas Requiring Scrutiny for UDAPs

Subprime Products

Subprime lending, by its nature, involves the extension of credit to borrowers who may be among the more economically vulnerable or less financially sophisticated. While the presence of subprime products does not automatically equate to unfairness or deception, the complexity of many of these products and their pricing structure may raise Section 5 concerns.

Subprime products are sometimes specifically marketed to consumers with lower levels of financial sophistication, creating greater risk for Section 5 problems. Products targeted to the elderly, recent immigrants, or a specific ethnic or racial group are also subject to scrutiny for Section 5 violations, as well as for violations of the Equal Credit Opportunity and Fair Housing Acts.

Third-Party Relationships

The prohibitions against UDAPs found in the FTC Act apply to state-chartered banks, their subsidiaries and institution-affiliated parties, and third-party contractors.[17] Third-party relationships, both affiliated and unaffiliated, are one of the most common features in the Section 5 violations found by FDIC examiners.

Text box: Analyzing Third-Party Relationships

In reviewing third-party arrangements, examiners consider

• The types of services or products provided by the third party and their potential for possible UDAP concerns;
• The due diligence conducted by the bank prior to entering into an agreement with the third party;
• The extent of the bank’s oversight and monitoring of the third party, particularly whether the bank’s oversight goes beyond “rubber-stamping” disclosures or solicitations produced by the third party; and
• Whether the bank reviews customer service and collection activity for compliance with Section 5.

Financial institutions also can consider these issues when assessing a potential or ongoing relationship with a third party.

Unaffiliated Third Parties

An unaffiliated third-party relationship could include a company that provides advertising services, issues credit cards through the bank, sells insurance, brokers loans, or purchases loans or receivables from the bank. Collection activity is another activity frequently conducted by unaffiliated third parties.

Examiners analyze all third-party relationships, affinity agreements, contracts, or partnerships in which the bank is involved or anticipates involvement. In particular, examiners focus on what functions the third party performs for the bank and the bank’s oversight and monitoring of the relationship.

If the bank is involved with a third party that offers products or services that raise concerns about UDAP, such as subprime loans, examiners closely review the agreement between the bank and the third party to fully understand its scope and to identify important terms and conditions, such as indemnification clauses and limitations on liability, that may have an impact on the redress for consumers. Moreover, if the agreement provides for the performance of significant activities by the third party—such as marketing, loan processing, or collections—examiners

the bank’s organizational culture. Previously independent entities and independent vendors frequently have difficulty assimilating and conforming to the supervisory compliance structure of regulated institutions.

If weaknesses are seen in the oversight and controls of a bank subsidiary or affiliate, and the types of products or serv-

[15] Congress amended the FTC Act in 1975 to require that each of the bank regulatory agencies establish a division of consumer affairs to address complaints. See 15 U.S.C. § 57a.
[16] As part of the Compliance Information and Document Request (CIDR) sent to institutions prior to a compliance examination, financial institutions are asked whether they are subject to any investigation by a state or government entity or other legal action.
[17] FIL-57-2002, Guidance on Unfair or Deceptive Acts or Practices, May 30, 2002, www.fdic.gov/news/news/financial/2002/fil0257.html.
                                                                                      ices the subsidiary or affiliate offers have
                            may need to conduct an on-site visita-
                                                                                      the potential for possible unfair or decep-
                            tion of the third party.
                                                                                      tive practices, examiners may review
                                                                                      related files, documents, disclosures, or
                            Affiliated Third Parties                                  information on-site at the offices of the
                              Examiners will want to be apprised of                   subsidiary or affiliate instead of at the
                            all subsidiaries and affiliates and the                   bank. As with any examination, examin-
                            types of products and services each                       ers on-site observe how the subsidiary or
                            offers. Other important factors in the                    affiliate operates, the business culture,
                            examiner’s analysis include                               and how well-versed employees dealing
                                                                                      directly with consumers are with applica-
                            • Level of control and oversight the                      ble laws and regulations.
                              banks exert over the subsidiary;

                            • Types of reporting mechanisms in                        Analyzing an Unfair or
                              place;                                                  Deceptive Case
                            • Origin of the relationship between                        Section 5 of the FTC Act does not
                              the bank and the affiliated third party                 impose any specific requirements on
                              (i.e., was the subsidiary or affiliate                  banks.18 The policies and procedures
                              “homegrown” or was it an independ-                      necessary to avoid engaging in unfair or
                              ent entity purchased by the bank?).                     deceptive activities will largely depend
                              Regarding the relationship between                      on an institution’s business strategy, its
                            the bank and the affiliated third party,                  target markets, its products and services,
                            it can sometimes take a long time to                      and its relationships with third parties.
                            implement bank policies and procedures                     The UDAP examination procedures
                            and integrate a purchased subsidiary into                 cover various topics to assist examiners


                                                     Importance of Strong Oversight and Control
                                   In some cases involving UDAP issues, the banks involved had affinity agreements with unaffili-
                                 ated third-party providers to issue credit cards via a rent-a-BIN arrangement. In this type of
                                 arrangement, the financial institution permits a third party to use its Bank Identification Number
                                 (which is required to issue credit cards) to issue credit cards on its behalf. Generally, in rent-a-
                                 BIN relationships, the institution sells its credit card receivables to the third party, although the
                                 bank remains the issuer. In both small and large institutions involved in these arrangements,
                                 examiners have at times found a lack of oversight and control, resulting in unchecked UDAPs in
                                 connection with the subprime credit card product issued under the bank’s name.



                            18
                                 FDIC Compliance Examination Handbook, “Abusive Practices—Federal Trade Commission Act,” page VII-1.5.


18
     Supervisory Insights                                                                                                   Winter 2006
in their review: product structure and terms, advertising and solicitation, repricing and change of terms, servicing and collections, and monitoring the conduct of third parties. A Section 5 analysis is not based upon a particular checklist, but is fact specific. The examination procedures provide, as guidelines, questions for examiners to consider when evaluating a particular act or practice, developed largely based upon past Section 5 violations. Whenever an examiner determines a product or practice is potentially unfair or deceptive, he or she will analyze it using the standards for unfairness and deception summarized in the examination procedures and discussed more fully in the Joint Guidance.

  In addition to setting forth the standards for evaluating a potential Section 5 situation, the Joint Guidance addresses a number of other topics examiners consider when evaluating a product or practice. The Joint Guidance further discusses the interplay between the FTC Act and other laws, and cautions that even though a bank may be in technical compliance with other laws, such as the Truth in Lending or Truth in Savings Acts, a product or practice may still violate Section 5. For example, a bank’s credit card advertisement may contain all the required Truth in Lending Act disclosures, but obscured or inadequately disclosed material limitations and restrictions could lead to a Section 5 violation.

  In analyzing a product or service that raises unfairness or deception concerns, examiners will often look beyond the compliance aspects and evaluate the product or practice from a safety and soundness perspective. For example, high default and delinquency rates identified through profitability reports, aging and delinquency reports, or re-aging and negative amortization practices may raise questions about whether a product fulfills its various marketing promises—claims often based upon building or improving a borrower’s credit. Account activity reports, with fees and interest broken out, may also raise questions. In several credit card products reviewed by FDIC examiners, the limited credit lines were largely exhausted by various account opening fees and other fees. As a result, there was no purchase or other normal credit activity because there was little or no available credit. Activity reports for deposit products, such as stored-value cards, are also often reviewed to assess consumer usage, access to account information, and the assessment of fees and other charges and their impact on the deposited balance.

  Enforcement actions brought by the FDIC, other banking agencies, and the FTC on similar issues, and guidance issued by the FDIC and these agencies provide an important framework for analyzing potential Section 5 violations. State investigations and actions may also be useful in evaluating an unfairness or deception claim. The FDIC’s examination procedures provide a reference section on cases and guidance on unfairness or deception issues relating to specific areas, such as mortgage and credit card lending, and servicing and collections.19

  Given the dynamic nature of the market and the constant emergence of new products and practices that may raise unfairness or deception issues, it is important to remain alert to any new case law or guidance on a given topic.

Corrective Action

  As with any violation of law or regulation, the response to a violation of the FTC Act will depend on a number of factors, including

• The nature of the violation;
• Whether it is a repeat violation or a variation of a previously cited violation;
• The harm, or potential harm, suffered by consumers;
• The number of parties affected; and
• The institution’s overall compliance posture and history, both in general and with respect to UDAPs.

  Significant violations not only may require discontinuance of the practice and reimbursement of consumers, but may also result in a downgrade of the bank’s compliance (and possibly CRA20) rating as well as an enforcement action.

Corrective Action in the Case of Overdraft Protection and Erroneous ATM Disclosures

  In several cases involving overdraft protection, examiners found that the bank provided only a single account balance at its ATMs reflecting the consumer’s actual balance plus the amount of overdraft protection. If consumers did not have adequate information at the time of their ATM transaction to determine the amount of funds they had available, they could inadvertently overdraw their accounts and incur overdraft protection fees as well as other charges.

  In some instances, the FDIC determined that this practice was deceptive based upon an omission of material information necessary for the consumer to consider in making an informed decision. The affected banks corrected the problem in different ways: some posted signs at ATMs that alerted customers that withdrawals might overdraw accounts and trigger fees; others took steps to ensure that ATMs showed actual account balances. The FDIC required banks to identify and reimburse all consumers who were charged overdraft protection and other fees as a result of the initial practice.

19 Ibid., page VII-1.7.
20 12 C.F.R. § 345.28(2).

UDAP—a Priority at the FDIC

  Unlike most consumer compliance laws and regulations, which tend to be prescriptive, Section 5 of the FTC Act is a broadly written law subject to interpretation. While Section 5 is specific in the criteria that must be met for an act or practice to be considered unfair or deceptive, determining whether any particular act or practice is unfair or deceptive requires a review of applicable law and judgment. In a dynamic market with constant new products and services emerging, it is critical that UDAP situations be evaluated with a national perspective. The FDIC recognizes the seriousness of violations involving UDAPs and the potential impact of such violations on consumers, the institution, and the community at large. Therefore, examiners are required to consult with both the regional and headquarters offices when they first identify a product or service that raises deception or unfairness concerns. Headquarters concurrence, which may include consultation with the FDIC’s Legal Division and the FTC, must be obtained before a violation of the FTC Act may be cited in an examination report.

  The FDIC has made identification of products and services with UDAP implications a key priority in its efforts to combat predatory lending practices. The significance and seriousness of these violations should not be underestimated: they are raised to the highest levels of the FDIC, and can adversely affect the institution’s overall compliance, CRA, and safety and soundness ratings. Depending on their severity, violations may result in a costly formal enforcement action and restitution for
consumers. These actions, in turn, may damage the institution’s reputation, expose it to litigation risk, and result in substantial financial loss. Financial institutions should use this information and prior guidance on unfairness and deception issued by the FDIC and other agencies to educate their staffs on how to avoid UDAPs and to strengthen their compliance management system overall.

Deirdre Foley
Senior Policy Analyst
Washington, DC

Kara L. Ritchie
Review Examiner, Boston, MA

  The authors acknowledge the assistance provided by the following FDIC staff in the preparation of this article: Todd L. Hendrickson, Field Office Supervisor (Compliance) and Denise R. Beiswanger, Senior Compliance Examiner, Sioux Falls Field Office; Greg Gore, Counsel, Richard Bogue, Counsel, and Hugo Zia, Counsel, Washington Office Legal Division; Mira Marshall, Senior Policy Analyst, Compliance Policy Section, Washington Office; and Patricia W. Farrell, Acting Field Office Supervisor (Compliance) and Robert M. Macrae, Field Office Supervisor (Compliance), Philadelphia Field Office.
Understanding BSA Violations1

  The Bank Secrecy Act (BSA) and its implementing rules are not new; the BSA has been part of the bank examination process for more than three decades.2 In recent years, a number of financial institutions have been assessed large civil money penalties for noncompliance with the BSA. While most insured financial institutions examined demonstrate an adequate system of BSA controls, these high profile cases highlight the importance of banks’ efforts to ensure compliance with the BSA and its implementing rules. Where an institution falls short of these requirements, such shortfalls can result in violations of the BSA and the implementing rules being cited in Reports of Examination (ROE).

  This article discusses the evolution of the BSA, including a brief overview of the USA PATRIOT Act (Patriot Act) changes. The article also discusses the types of BSA-related violations cited in examination reports, provides examples of best practices for maintaining a strong Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program, and clarifies the distinctions between a significant BSA program breakdown and technical problems in financial institutions.

Evolution of the BSA

  The first Anti-Money Laundering (AML) statute, enacted in the U.S. in 1970, was titled the Currency and Foreign Transactions Reporting Act and has become commonly known as the “Bank Secrecy Act” or “BSA.” The BSA established basic recordkeeping and reporting requirements for private individuals, banks and other financial institutions. The complexity of the BSA expanded in subsequent years with legislative changes requiring banks to establish procedures to ensure BSA compliance. Provisions were also added establishing criminal liability against persons or banks that knowingly assist in money laundering or structuring or that avoid BSA reporting requirements.

  The most sweeping changes in the BSA occurred shortly after the September 11, 2001, terrorist attacks with the passage of the Patriot Act in October 2001.3 The Patriot Act criminalized the financing of terrorism and augmented the BSA by strengthening customer identification procedures; prohibiting financial institutions from engaging in business with foreign shell banks; requiring financial institutions to have due diligence procedures, and, in some cases, enhanced due diligence procedures for foreign correspondent and private banking accounts; and improving information sharing between financial institutions and the U.S. government. The Patriot Act and its implementing regulations also

• Expanded the AML program requirements to all financial institutions;
• Increased the civil and criminal penalties for money laundering;
• Provided the Secretary of the Treasury with the authority to impose “special measures” on jurisdictions, institutions, or transactions that are of “primary money laundering concern”;
• Facilitated records access and required banks to respond to regulatory requests for information within 120 hours; and
• Required the Federal banking agencies to consider a bank’s AML record when reviewing bank mergers, acquisitions, and other applications for business combinations.

  To ensure consistency in the BSA/AML examination process and provide guidance to the examination staff, the Federal banking agencies, the Financial Crimes Enforcement Network (FinCEN), and the Office of Foreign Assets Control released the Federal Financial Institutions Examination Council’s Bank Secrecy Act/Anti-Money Laundering Examination Manual in June 2005. The manual was updated and re-released in July 2006.4

1 This article reflects the FDIC’s practices to date and is not intended to be a legal interpretation. Information is provided to assist banks in complying with the law but is subject to adjustment as examination practices are reviewed or refined.
2 By regulation, authority to examine for BSA compliance has been delegated to the regulator of each category of financial institution (i.e., the banking regulators for banks, the Securities and Exchange Commission for broker-dealers), and to the IRS for institutions that do not have a primary regulator. 31 CFR 103.56(b). The first rules delegating this authority were finalized in 1972. See 37 FR 6912, April 5, 1972.
3 Refer to the Supervisory Insights, From the Examiner’s Desk… Summer 2004 edition for a discussion of the USA PATRIOT Act and new regulations affecting the industry. See www.fdic.gov/regulations/examinations/supervisory/insights/sisum04/sisum04.pdf.
4 See FFIEC BSA/AML Examination Manual InfoBase, www.ffiec.gov/bsa_aml_infobase/default.htm.

Required Elements of a BSA/AML Program

  Federal law requires each financial institution to establish and maintain a BSA/AML compliance program. This program must provide for the following minimum requirements (also referred to as “pillars”) as outlined in Part 326.8 of FDIC Rules and Regulations:

1) A system of internal controls to ensure ongoing compliance.
2) Independent testing of BSA compliance.
3) A specifically designated person or persons responsible for managing BSA compliance (i.e., BSA compliance officer).
4) Training for appropriate personnel.

  In addition, the Patriot Act required banks to establish a customer identification program, which must include risk-based procedures that enable the institution to form a reasonable belief that it knows the true identity of its customers. Referred to as the “fifth pillar,” this requirement was implemented in October 2003.

  Examiners assess compliance in these areas during BSA/AML examinations. Relevant findings from transaction testing and recommendations to strengthen the bank’s BSA/AML compliance program, including its policies, procedures, and processes, are reflected within the ROE, and are an integral part of the FDIC’s risk management examination process. Examination findings may include violations of the BSA and the implementing rules. The next section takes a closer look at the different types of violations and discusses the significance of these types of violations in an overall BSA/AML program.

BSA-Related Violations

  For state-chartered, nonmember banks supervised by the FDIC, applicable BSA-related violations include infractions of FDIC Rules and Regulations (12 CFR 326.8 and 12 CFR 353), as well as the Department of Treasury Regulations (31 CFR 103). These regulations, in addition to other applicable legal requirements, are summarized as

    A body of statutes, regulations and administrative rulings, both Federal and State, is an element of the regulatory framework within which banks operate. Their underlying rationale is the protection of the general public (depositors, consumers, investors, creditors, etc.) by establishing boundaries and standards within which banking activities may be conducted.
Understanding BSA Violations
continued from pg. 23

The FDIC assigns a high priority to the detection and prompt correction of violations in its examination and supervisory programs.5

In general, there are three broad categories of violations that reflect noncompliance with BSA-related regulations:

(I) Lack of an effective overall compliance program,6 or specified components of a program (“pillar”);7

(II) Systemic and recurring noncompliance with the BSA and implementing regulations; and

(III) Isolated and technical noncompliance with the BSA.

Examiners document in the ROE instances of noncompliance with the BSA requirement to develop and provide for the continued administration of a BSA/AML compliance program reasonably designed to assure and monitor compliance with the BSA. However, BSA compliance deficiencies range from isolated instances of noncompliance within an effective overall BSA/AML compliance program to serious weaknesses exposing the institution to an unacceptable level of risk for potential money laundering or other illicit financial activity. The distinction between these violation types is outlined below.

(I) Program Violations. Violations of the FDIC’s BSA/AML program rule are cited when failure occurs in the overall BSA/AML program. BSA program violations must be supported by at least one pillar violation. Violations of individual pillars might, or might not, lead to the conclusion that the bank has suffered an overall BSA/AML program violation. A BSA/AML program failure exposes the institution to an unnecessarily high level of potential risk of money laundering or other illicit financial transactions. The first possible indication that a BSA program has failed is the absence of one or more of the required pillars. For example, a bank might have a lengthy period when there is no designated BSA compliance officer, or may have failed to provide necessary training.

A BSA/AML program failure can also be demonstrated by significant noncompliance, on a recurring or systemic basis, with the primary elements of the BSA related to recordkeeping and reporting of critical financial information,8 as outlined in the Department of Treasury Regulations 31 CFR 103. Generally, examination reports citing BSA/AML program failures would include violations that demonstrate noncompliance with one or more of the primary elements of the minimum financial recordkeeping or reporting requirements. These requirements include

• Reporting suspicious transactions by filing Suspicious Activity Reports (SARs) [31 CFR 103.18];9
• Implementing a program to obtain and verify customer identification [31 CFR 103.121];
• Establishing procedures for responding to information requests made by law enforcement through FinCEN, in accordance with the process provided for in Section 314(a) of the Patriot Act [31 CFR 103.100];
• Reporting large cash transactions through accurate and timely Currency Transaction Report (CTR) filings [31 CFR 103.22]; and/or
• Documenting purchases and sales of monetary instruments and incoming/outgoing wire transfers [31 CFR 103.29 and 31 CFR 103.33].

To effect corrective action when a BSA/AML program violation is cited, the FDIC will issue a cease and desist order as required under Section 8(s) of the Federal Deposit Insurance Act.

(II) Systemic and Recurring Violations. Regardless of whether a program failure that falls under Section 8(s) is found, an examiner could find systemic violations that relate to ineffective systems or controls to maintain necessary documentation or reporting of customers, accounts, or transactions, as required under various provisions of 31 CFR 103. Determining whether such violations are systemic may be influenced by the number of customers, accounts, or transactions affected; the importance of the unavailable or unrecorded information; the pervasive nature of noncompliance; the predominance of violations throughout the organization; and/or certain program elements that do not adequately provide for an effective system of reporting. Examples of violations that may result in systemic violations include

• Habitually late CTR filings across the organization;
• A significant number of CTRs or SARs with errors or omissions of critical data elements;
• Consistently failing to obtain critical customer identification information at account opening; and
• Systems and programs that do not allow for proper aggregation of multiple cash transactions for regulatory reporting purposes.

Systemic violations of the BSA represent significant noncompliance with financial recordkeeping and reporting requirements or reflect failures within one or more pillars of a BSA/AML program, if not the overall BSA/AML program.

(III) Isolated and Technical Violations. Isolated and technical violations are those limited instances of noncompliance with the financial recordkeeping or reporting requirements of the BSA that occur within an otherwise adequate system of policies, procedures, and processes. Despite the adequacy of the overall program, examiners may note minor violations regarding limited, isolated individual transactions and will focus ROE comments on critical missing or incorrectly reported information for those transactions. These types of violations do not generally result in significant concerns over management’s administration of the overall BSA/AML program. Further, when such violations are correctable and management is willing and able to implement appropriate corrective steps, a formal supervisory response may not be warranted.

The Best Defense Is a Good Offense

The steps a bank should take to ensure compliance with the BSA and its implementing rules are documented extensively and are consistent with guidelines that existed before the implementation of the Patriot Act: To avoid the most serious violations and the implications that can result when those violations are cited, banks must have a strong BSA/AML compliance program.

5 From the FDIC’s Risk Management Manual of Examination Policies; applies to violations that may be cited for all types of examinations (e.g., Safety and Soundness, BSA, Information Technology).
6 12 CFR 326.8(b)(1) requires that each bank develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with recordkeeping and reporting requirements.
7 12 CFR 326.8(b)(2) and (c)(1) through (c)(4) require that a program specifically include: implementing a customer identification program; establishing a system of internal controls; providing independent testing; designating a BSA Officer; and instituting a training program.
8 The BSA, Titles I and II of Public Law 91-508, as amended, codified at 12 U.S.C. 1829b, 12 U.S.C. 1951-1959, and 31 U.S.C. 5311-5332, authorizes the Secretary of the Treasury, inter alia, to require financial institutions to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, and regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, to protect against international terrorism, and to implement counter-money laundering programs and compliance procedures. Regulations implementing Title II of the Bank Secrecy Act appear at 31 CFR 103.
9 Part 353 of the FDIC Rules and Regulations parallels 31 CFR 103.18, related to suspicious activity reporting requirements.
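Two of the systemic-violation examples above concern CTR handling: systems that cannot aggregate multiple cash transactions for reporting, and habitually late filings. The following script is an added example, not part of the article: it aggregates a constructed set of teller records by customer and business day, flags the days that required a CTR, and checks a constructed filing log for missing or late reports. The $10,000 threshold and 15-day filing window are taken from 31 CFR 103.22 and 103.27 as the editor reads them (the article does not state the figures), and a customer id stands in for the bank's knowledge that transactions are by or on behalf of one person.

```python
"""CTR aggregation and filing-timeliness check (added example, not FDIC code)."""
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Figures from 31 CFR 103.22 / 103.27 as the editor reads them; not stated on the page.
CTR_THRESHOLD = Decimal("10000")   # report when aggregated cash in OR cash out exceeds this
FILING_WINDOW_DAYS = 15            # calendar days after the transaction date

# Constructed teller records: (customer_id, business_date, direction, amount).
# "in" = currency received from the customer, "out" = currency paid to the customer.
# The customer id stands in for the bank's knowledge that the transactions are
# by or on behalf of the same person, which is what the rule keys aggregation on.
TRANSACTIONS = [
    ("C-100", date(2006, 9, 5), "in", Decimal("6000")),
    ("C-100", date(2006, 9, 5), "in", Decimal("4500")),   # 10,500 in -> reportable
    ("C-100", date(2006, 9, 6), "in", Decimal("9900")),   # below threshold
    ("C-200", date(2006, 9, 5), "out", Decimal("7000")),
    ("C-200", date(2006, 9, 5), "in", Decimal("7000")),   # in and out are NOT netted
                                                          # or summed: neither side
                                                          # exceeds 10,000
    ("C-300", date(2006, 9, 7), "out", Decimal("10000")),
    ("C-300", date(2006, 9, 7), "out", Decimal("0.01")),  # 10,000.01 out -> reportable
]

# Constructed CTR filing log: (customer_id, business_date) -> date the CTR was filed.
FILINGS = {
    ("C-100", date(2006, 9, 5)): date(2006, 9, 29),   # filed 24 days later: late
    # C-300 on 2006-09-07 has no entry at all: missing
}


def aggregate(transactions):
    """Total cash in and cash out per (customer, business day)."""
    totals = defaultdict(lambda: {"in": Decimal(0), "out": Decimal(0)})
    for customer, day, direction, amount in transactions:
        totals[(customer, day)][direction] += amount
    return totals


def ctr_required(transactions):
    """Sorted (customer, day) keys whose aggregated cash in or cash out exceeds the threshold."""
    return sorted(
        key for key, t in aggregate(transactions).items()
        if t["in"] > CTR_THRESHOLD or t["out"] > CTR_THRESHOLD
    )


def filing_status(transactions, filings):
    """Map each required CTR to 'timely', 'late' or 'missing' using the filing log."""
    status = {}
    for key in ctr_required(transactions):
        filed_on = filings.get(key)
        if filed_on is None:
            status[key] = "missing"
        elif filed_on - key[1] > timedelta(days=FILING_WINDOW_DAYS):
            status[key] = "late"
        else:
            status[key] = "timely"
    return status


if __name__ == "__main__":
    for (customer, day), state in filing_status(TRANSACTIONS, FILINGS).items():
        print(f"{customer} {day}: CTR {state}")
```

Run as a script it lists C-100 on 2006-09-05 as late and C-300 on 2006-09-07 as missing, while C-200's 7,000 in and 7,000 out on the same day correctly produce no report.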

Financial institutions should ensure they have a well-developed and documented risk assessment that accurately captures the risk exposures of their products, services, customers, and geographic locations. Exposures identified through the risk assessment should be addressed in policies and procedures, making sure all identified risks are addressed. Monitoring programs should be in place to ensure account and transaction activity is consistent with expectations and to identify and report suspicious activity. A strong training program should ensure that appropriate personnel are familiar with regulatory requirements and bank policies. The compliance program should be subjected to a periodic independent test of BSA/AML controls to verify compliance with the financial institution’s BSA/AML program. The test plan and its results should be reviewed by management to ensure corrective action is taken and the scope of testing meets the bank’s requirements. Finally, the bank should have a qualified employee designated by the board of directors to oversee BSA functions and ensure that regulatory requirements and bank policies are being followed on a day-to-day basis.

While banks have long been required to have an appropriate BSA program, including policies, procedures, and processes in place to ensure BSA compliance, passage of the Patriot Act has resulted in a number of sweeping changes to the BSA. Understanding the main components of a strong BSA compliance program will help banks to appropriately implement these changes and future amendments.

For additional information on BSA/AML, refer to the Federal Financial Institutions Examination Council’s (FFIEC’s) BSA/AML InfoBase. (See http://www.ffiec.gov/bsa_aml_infobase/default.htm.) The InfoBase is intended to be a one-stop resource for BSA compliance. In addition to the FFIEC BSA/AML Examination Manual, the InfoBase includes, for example, a list of frequently asked questions, various forms needed for meeting BSA/AML compliance responsibilities, and links to the various BSA/AML laws and regulations.

Table
Best Practices for BSA/AML Compliance
1) Comprehensive Risk Assessment
2) Appropriate Policies and Procedures
3) Adequate Monitoring Programs
4) Strong Training Programs
5) Thorough Independent Testing
6) Qualified Employee Overseeing Day-to-Day Operations

Debra L. Novak
Chief, Anti-Money Laundering Section
Washington, D.C.

Charles W. Collier
Senior Program Analyst, Anti-Money Laundering Section
Washington, D.C.
                                                             From the Examiner’s Desk . . .
                                                         Examiners Report on Commercial
                                                         Real Estate Underwriting Practices
This regular feature focuses on devel-                        these issues in their assessments of
opments that affect the bank exami-                           banks’ risk management practices.
nation function. We welcome ideas
for future columns. Readers are
encouraged to e-mail suggestions to                           FDIC-Supervised Banks Are
SupervisoryJournal@fdic.gov.                                  Becoming Increasingly Reliant
         uch has been written about the
                                                              on CRE Lending

M        increase in commercial real
         estate (CRE) lending. The FDIC
has published numerous articles over the
                                                                The writers’ field examination experi-
                                                              ence, as well as information from other
                                                              examiners, indicates that many of the
last few years reporting increased levels                     institutions experiencing moderate to
of CRE and construction and develop-                          rapid growth in CRE lending see such
ment (C&D) loans as a percentage of                           loans as their particular market niche.
total capital.1 The Federal banking regu-                     Larger financial institutions and other
lators2 have each alerted their supervised                    market participants have gained pricing
financial institutions to the risks associ-                   advantages over community banks in
ated with this rapid growth and the                           other areas of lending, particularly tradi-
potential erosion of prudent underwrit-                       tional residential mortgages, home
ing practices in the effort to capture                        equity lines of credit, and other
market share. In 2004, an article in this                     consumer financing. In addition, the use
journal discussed a CRE lending review                        of predictive credit scoring models for
program conducted in the FDIC’s                               small and medium-sized business loans
Atlanta Region, where a relatively high                       continues to gain wider acceptance
number of banks reported significant                          among larger lenders and leasing compa-
levels of CRE exposure.3                                      nies. Community banks can, however,
                                                              compete for CRE loans because of their
  In this article, we take a closer look at
                                                              knowledge of local markets and borrow-
CRE underwriting and loan administra-
                                                              ers. This characteristic has enabled
tion practices, present recurring exami-
                                                              community banks to expand their share
nation findings, and discuss best
                                                              of the CRE market nationwide. Growth
practices for managing CRE portfolios
                                                              in CRE concentrations among FDIC-
in the current environment. This infor-
                                                              supervised banks is detailed in Table 1.
mal review suggests that examiners are
observing weaknesses in CRE under-
writing and loan administration fairly                        Examiners Report on CRE
frequently. A strong economy has thus                         Underwriting
far helped protect insured banks against
the risks associated with CRE. Neverthe-                        In an effort to identify changes in
less, the FDIC is concerned about trends                      underwriting practices for CRE concen-
in the underwriting and management of                         trations, we requested information on
CRE risks. Examiners are considering                          examination findings from each of the

1
    FDIC Outlook, Summer 2006; FDIC Quarterly Banking Profile, First Quarter 2006.
2
 Office of the Comptroller of the Currency; Board of Governors of the Federal Reserve System; Federal Deposit
Insurance Corporation; Office of Thrift Supervision.
3
  Assessing Commercial Real Estate Portfolio Risk, Supervisory Insights, Vol. 1, Issue 1, Summer 2004,
www.fdic.gov/regulations/examinations/supervisory/insights/sisum04/index.html.


                                                                                                                              27
Supervisory Insights                                                                                            Winter 2006
From the Examiner’s Desk . . .
continued from pg. 27

                                                  Table 1

                                                                    Percentage of FDIC-Supervised Institutions with
                                                                  CRE Loans/Total Capital Ratios > 300% by FDIC Region
                                                   Region               June-00     June-01      June-02      June-03      June-04      June-05      June-06
                                                   San Francisco         42.0        46.8         51.8         54.1         55.2         60.0         59.8
                                                   Atlanta               21.9        28.6         35.7         40.4         44.1         47.6         50.9
                                                   Chicago               12.6        15.3         20.1         20.8         24.8         28.2         30.4
                                                   New York              10.5        12.1         17.7         19.2         21.7         24.8         27.6
                                                   Dallas                11.5        13.3         15.9         17.7         20.4         22.8         24.8
                                                   Kansas City            7.4         8.1          8.8         10.2         12.2         14.7         17.1
                                                   Note: Data from June 2000 through June 2006 Reports of Condition.


                                                  six FDIC Regional Offices. Examiners
                                                  responded either with examples of indi-                    CRE Monitoring and
                                                  vidual institutions from recent examina-                   Management Information
                                                  tions or with a synopsis of recurrent                      Systems Can Mitigate Risk
                                                  findings.
                                                                                                               Examiners indicated that many institu-
                                                    The most common deficiencies noted                       tions have increased their exposure to
                                                  were of institutions failing to monitor                    CRE lending without a formal monitor-
                                                  their CRE portfolios properly and fail-                    ing system or adequate consideration of
                                                  ing to comply with the requirements of                     concentration risk. Some institutions did
                                                  Part 365 of the FDIC Rules and Regula-                     not know what percentage of their CRE
                                                  tions—Real Estate Lending Standards                        portfolio was concentrated in more risky
                                                  (see text box, Major Provisions of Part                    speculative C&D loans. Common defi-
                                                  365). Other areas of concern were the                      ciencies include
                                                  lack of effective oversight of construc-
                                                                                                             • Failure to consider or establish limits
                                                  tion projects, weak appraisal review
                                                                                                               of exposure by type (e.g., condo-
                                                  programs, inadequate knowledge of
                                                                                                               minium conversion, multifamily) or
                                                  lending markets, and poor loan struc-
                                                                                                               geographic market;
                                                  turing. While noting such deficiencies,
                                                  examiners also reported many best                          • Preparing reports of activity for senior
                                                  practices that mitigate the risk.                            management and the board of direc-
                                                                                                               tors that do not provide sufficient


                                     Major Provisions of Part 365—Real Estate Lending Standardsa
     • Written lending policies must establish
       – Diversification standards
         – Prudent underwriting standards that include clear and measurable loan-to-value limits
         – Loan administration procedures
         – Guidelines for monitoring loan policy compliance

     • Market conditions must be monitored.

     • Real estate lending policies should reflect consideration of the Interagency Guidelines for Real Estate Lending Policies (Appendix A to
       Part 365).
     a
      Part 365 of the FDIC Rules and Regulations prescribes real estate lending standards to be used in a state nonmember bank’s lending policies. See
     12 CFR 365.2.



28
         Supervisory Insights                                                                                                                        Winter 2006
    information to enable management to
    make informed decisions;                                         Supervisory Loan-to-Value
• Inadequate or nonexistent interest                                          Limits a
  rate stress testing; and                                         Institutions should establish their own
                                                                 internal loan-to-value limits for real estate
• Failure to prepare timely or consistent                        loans. These internal limits should not
  concentrations reports.                                        exceed the following supervisory limits:
  This lack of oversight often caused                                                        Loan-to-value
examiners to cite contraventions of FDIC                         Loan category               limit (percent)
Rules and Regulations, specifically                               Raw land                          65
Appendix A to Part 365—Interagency                                Land development                  75
Guidelines for Real Estate Lending Poli-                          Construction:
cies4 at safety and soundness examina-                            Commercial, multifamily,b
tions. Examiners provided examples of                                and other nonresidential       80
institutions failing to monitor the loan                          1- to 4-family residential        85
portfolio appropriately for loan-to-value                         Improved property                 85
exceptions (see text box, Supervisory
                                                                  Owner-occupied 1- to 4-family –
Loan-to-Value Limits). The following                                 and home equityc
were common deficiencies:
                                                                 a
                                                                  Appendix A to Part 365 of FDIC Rules and
• Failure to track exceptions;                                   Regulations, www.fdic.gov/regulations/laws/
                                                                 rules/2000-8700.html#2000appendixatopart365.
• Failure to track the aggregate amount                          b
                                                                   Multifamily construction includes condomini-
  of loans in excess of loan-to-value limits;                    ums and cooperatives.
                                                                 c
• Originating numerous loans in excess                             A loan-to-value limit has not been established
                                                                 for permanent mortgage or home equity loans
  of loan-to-value limits without docu-
                                                                 on owner-occupied 1- to 4-family residential
  mentation of credit factors that                               property. However, for any such loan with a
  support the underwriting decision;                             loan-to-value ratio that equals or exceeds 90
                                                                 percent at origination, an institution should
• Failure to consider commitment                                 require appropriate credit enhancement in the
  amounts when computing loan-to-                                form of either mortgage insurance or readily
  value limits;                                                  marketable collateral.

• Underwriting raw land loans in excess
  of prescribed loan-to-value limits                          tion of Appendix A of Part 365.5
  based on “As Complete” appraised                            Several examiners reported that banks
  values; and                                                 were granting extensions of credit of
                                                              up to 75 percent of value to acquire
• Failure to provide timely and suffi-                        raw land although the borrowers had
  ciently complete reports to the board                       no plans to develop this property in
  of directors as required by Part 365.                       the near term. Certain institutions in
  There were numerous reports of insti-                       high-growth areas had concentrations
tutions whose aggregate amount of all                         in excess of 150 percent of total capi-
loans in excess of the supervisory loan-                      tal for land development loans, but
to-value limits routinely exceeded 100                        for purposes of measuring risk, inter-
percent of total capital, in contraven-                       nal monitoring did not differentiate
4
  Appendix A identifies prudent practices an institution should include in its policies in the areas of loan portfolio
management, underwriting, and administration. In addition, the appendix provides supervisory loan-to-value
limits. See www.fdic.gov/regulations/laws/rules/2000-8700.html#2000appendixatopart365.
5
  Appendix A to Part 365 requires that the aggregate amount of loans in excess of the supervisory loan-to-value
limits should not exceed 100 percent of total capital. Within this aggregate limit, total loans for commercial, agri-
cultural, multifamily, or other non-1–4 family residential properties should not exceed 30 percent of total capital.
An institution that approaches or exceeds the aggregate limits is subject to increased supervisory scrutiny.


                                                                                                                                       29
Supervisory Insights                                                                                                     Winter 2006
From the Examiner’s Desk . . .
continued from pg. 29

actual land development loans from raw land loans or speculative investment land loans.

Mitigation Practices. Despite these weaknesses, examiners cited a number of best practices focusing on effective internal controls and management information systems that monitor the activity and control the associated risk. Establishing policy limits appropriate to the bank’s size, sophistication, and appetite for risk is fundamental to managing CRE concentration risk. The primary element of a useful monitoring process is the integration of quantitative and qualitative data that provide a summary of the overall activities in the CRE portfolio in order to measure risk across all dimensions of the portfolio. The size of the portfolio should not be the sole consideration. Factors such as geographic diversification, types of property held as collateral, and underwriting practices should be considered in the development of any risk management process.

Institutions with active and meaningful monitoring programs depended on a number of in-depth reports that were reviewed periodically either by committees of the board of directors or by the full board. In addition, some institutions included these reports as a regular agenda item at monthly board meetings. The most common quantitative reports included descriptions of CRE concentration by type and geographic diversification. Limits were established, and the reports provided a mechanism to review exposure and design risk mitigation strategies. Some of the qualitative reports included quarterly raw land, lot development, and construction loan reports with a detailed narrative summary of each project’s current status, percentage of completion, expected completion date, and any completion or absorption issues. Repayment sources were described, as were other risk mitigation items of interest.

Market Analysis Is Often Overlooked

Examiners report that management could improve its practices of monitoring market conditions in its lending areas. There were numerous reports of institutions that either did not prepare a market analysis or prepared one that was incomplete or flawed.

Mitigation Practices. Some boards of directors, directors’ committees, or loan committees mitigate this risk by maintaining contact with real estate brokers, developers, and builders and using the resulting information to establish maximum exposure limits.

Real estate markets and economic cycles are dynamic, and policy guidelines that were once adequate may, over time, become overly liberal. Management needs to monitor both local and regional economic trends, as well as any national trend that could impact the local economy, and adjust policy guidelines accordingly. Market analysis should include a review of concentrations by type of property compared to projects throughout the market, including completed, pipeline, and proposed developments.

Lenient Terms and Weak Loan Structuring Carry Risks

Examiners described a number of incidents in which institutions had relaxed underwriting standards for CRE loans. Conditions included

• Overreliance on collateral values instead of cash flow,

• Liberal use of interest reserves,

• Loans with one- to two-year balloon maturities secured by undeveloped land, and

• Unsecured loans and letters of credit granted for the purpose of investing in units of condominium projects (located primarily in the Southeastern United States).

Examiners also reported that many borrowers were not required or were unable to put equity into development projects, and material deposit relationships were either not required or unavailable.

Mitigation Practices. Repayment of any CRE loan is dependent upon the borrower’s ability to produce cash flow from the project through either rental income or the sale of the property. Collateral value, while possibly providing certain protection, does not provide cash flow. Sound lending guidelines should help reduce exposure to borrowers with insufficient cash flow to meet the repayment terms. Along with good credit selection, an institution should develop strong policy guidelines with respect to loan-to-values, allowable exceptions, and reporting requirements. Slow or no principal reduction can erode the institution’s collateral protection by allowing the loan-to-value to increase above prudent levels in depressed real estate markets. This is especially true of speculative construction lending, where slowing sales may prevent borrowers from carrying the debt for a period of time.

Oversight of the Appraisal Process May Be Weak

Examination findings indicated that oversight of the appraisal process was lacking in some institutions. Problems included

• Inadequate or missing internal reviews of appraisals,

• Violations of FDIC Rules and Regulations concerning appraisals (12 CFR 323—Appraisals⁶) for absent or inadequate appraisals,

• Funding loans prior to receipt of appraisals, and

• Including the proposed loan amounts on appraisal engagement letters.

In certain markets, banks had extended funds predicated on expected future gross sell-out values of condominium conversion and construction, as well as other development projects.

Mitigation Practices. Institutions that avoided these problems generally had strong internal appraisal review programs that provided an independent analysis of appraisals or internal evaluations prior to funding. In addition, these institutions reviewed the qualifications of their appraisers on an ongoing basis and removed those that did not consistently provide a product that conformed to the requirements outlined in 12 CFR 323—Appraisals. Loan policies and practices established guidelines for types of appraisals required on the basis of the type of project (speculative versus owner-occupied). These internal requirements were often more conservative than the standards established by 12 CFR 323.

Conclusions

Anecdotal information provided by the examiners suggests that many institutions would benefit from enhancements to their existing monitoring systems. The recently reported softening of real estate markets also implies that increased attention is warranted, given the risk exposure inherent in CRE lending. A robust program of measuring and monitoring CRE portfolios, with special attention to C&D exposure, is fundamental to effective risk mitigation.

While examiners have noted some degree of deterioration in underwriting practices, these practices have not adversely impacted the overall condition of most of the institutions. Capital levels are reported to be high, with over 99 percent of all insured institutions placing in the highest regulatory capital category at year-end 2005.⁷ The levels of adversely

⁶ See www.fdic.gov/regulations/laws/rules/2000-4300.html.

⁷ FDIC Quarterly Banking Profile, Division of Insurance and Research, December 2005.



classified assets and past-due loans are nominal, and earnings performance is strong, with net interest income providing most of the profit reported. A strong CRE market has also mitigated the potential ill effects of weakening lending standards over the past few years.

Where significant deficiencies were found, examiners made recommendations for corrective action. Many institutions initiated their own corrective action programs based upon those recommendations or upon the advice of internal and external auditors. In very few cases, informal and formal enforcement actions were necessary. On December 6, 2006, after careful consideration of comments received on proposed guidance on commercial real estate lending issued on January 13, 2006,⁸ the Federal banking agencies issued Final Guidance on Concentrations in Commercial Real Estate Lending.⁹ The guidance reminds institutions that strong risk management practices and appropriate levels of capital are important elements of a sound lending program and reinforces and enhances existing regulations and guidelines for safe and sound real estate lending. Many of the best practices identified in this article reflect long-standing supervisory expectations presented in Table 2.

Marianne Lester
Examiner, Shelby, AL

Lawrence J. Nicastro
Examiner, Atlanta, GA

Tracy E. Fitzgerald
Examination Specialist, Tulsa, OK

Brian D. Regan
Examiner (Retired), Sacramento, CA
Table 2

Sound Practices for Commercial Real Estate Portfolio Oversight

The board of directors should approve the scope of lending activities and the way real estate loans are made, serviced, and collected. Market conditions, concentrations, and lending activity should be monitored, and timely and adequate reports should be made to the board of directors.

Internal and external factors should be considered in the formulation of loan policies and of a strategic plan considering the size and financial condition of the institution, the expertise and size of the lending staff, and market conditions.

Prudent underwriting standards should be developed that consider relevant credit factors, including the capacity of the borrower, income from the underlying property to service the debt, the value of collateral, the creditworthiness of the borrower, the level of equity invested, and any secondary sources of repayment.

Lending policies should reflect the level of risk that is acceptable to the board of directors and provide clear and measurable limits that include the maximum loan amount and maturities by type of property, amortization schedules, pricing structure for different types of real estate loans, loan-to-value limits by type of property, pre-leasing and pre-sale requirements, requirements for takeout commitments, and minimum covenants for loan agreements.

Loan administration procedures should address the type and frequency of financial statements required, type and frequency of collateral evaluations, collateral administration, requirements for adequate construction inspections and loan disbursements, and collections and foreclosure.

Refer to Part 365 of the FDIC Rules and Regulations—Real Estate Lending Standards; Appendix A to Part 365—Interagency Guidelines for Real Estate Lending Policies.


⁸ FIL-4-2005, Commercial Real Estate Lending Proposed Interagency Guidance, January 13, 2006, www.fdic.gov/news/news/financial/2006/fil06004.html.

⁹ PR-114-2006, Joint Release/Federal Banking Agencies Issue Final Guidance on Concentrations in Commercial Real Estate Lending, December 6, 2006, www.fdic.gov/news/news/press/2006/pr06114.html.


Accounting News: Auditor Independence

This regular feature focuses on topics of critical importance to bank accounting. Comments on this column and suggestions for future columns can be e-mailed to SupervisoryJournal@fdic.gov.

The words “independent” and “independence” are often used in conjunction with the services certified public accountants (CPAs or external auditors) provide to their clients, including insured depository institutions (banks or financial institutions). When CPAs and their firms provide certain services that require them to be independent, such as audits of financial statements and audits of internal control over financial reporting, they are referred to as independent public accountants, independent auditors, or external auditors. But what does “independence” mean when external auditors provide these services? It is useful for examiners to have an understanding of the general principles and concepts embodied in “independence” because examiners are expected to review and evaluate institutions’ external auditing programs. This article summarizes existing professional standards for auditor independence, including recent developments regarding tax services and contingent fees as well as the use of limitation of liability clauses in engagement letters.

The American Institute of Certified Public Accountants’ (AICPA) Conceptual Framework for AICPA Independence Standards (Conceptual Framework) defines independence as

   a. Independence of mind. The state of mind that permits the performance of an attest service without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.

   b. Independence in appearance. The avoidance of circumstances that would cause a reasonable and informed third party, having knowledge of relevant information, including safeguards applied, to reasonably conclude that the integrity, objectivity, or professional skepticism of a firm or member of the attest engagement team has been compromised.¹

For financial institutions, the most common services performed by external auditors that require independence include audits of financial statements, audits of internal control over financial reporting, and attestations on management’s assessment of internal control over financial reporting. Therefore, the primary focus of this discussion will be on the independence standards related to financial statement audits and internal control audits/attestations.

Importance of Auditor Independence

Why is it important for the external auditor to be independent? A properly conducted audit provides an independent and objective view of the reliability of a financial institution’s financial statements. The external auditor’s objective in an audit is to form an opinion on the financial statements taken as a whole. When planning and performing the


¹ ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraph 6. The Conceptual Framework for AICPA Independence Standards was adopted by the AICPA’s Professional Ethics Executive Committee (PEEC) on January 30, 2006, and is available on the AICPA’s website. See www.aicpa.org/download/ethics/Ethics_Interpretation_101-1_and_Conceptual_Framework.pdf.



audit, the external auditor considers the financial institution’s internal control over financial reporting. Generally, the external auditor communicates any identified deficiencies in internal control to management, which enables management to take appropriate corrective action. In addition, certain financial institutions are required to file audited financial statements and internal control audit/attestation reports with one or more of the Federal banking agencies.² The Federal Financial Institutions Examination Council’s (FFIEC) Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations³ notes that “an institution’s internal and external audit programs are critical to its safety and soundness.” The FFIEC’s policy statement also says that an effective external auditing program “can improve the safety and soundness of an institution substantially and lessen the risk the institution poses to the insurance funds administered by the Federal Deposit Insurance Corporation.”

Many financial institutions are required to have their financial statements audited, and others voluntarily choose to undergo such audits. For example, banks and savings associations with $500 million or more in total assets are required to have annual independent audits.⁴ Certain savings associations (for example, those with a CAMELS rating of 3, 4, or 5) and savings and loan holding companies are also required by the Office of Thrift Supervision (OTS) regulations to have annual independent audits.⁵ The Agencies rely on the results of audits as part of their assessment of the safety and soundness of a financial institution.

Reliable financial reports, such as audited financial statements, are necessary for a financial institution to raise capital. They provide data on an institution’s financial position and results of operations for stockholders, depositors, and other funds providers, borrowers, and potential investors. Such information is critical to effective market discipline of an institution.

For audits to be effective, the external auditors must be independent in both fact and appearance, and must perform all necessary procedures to comply with auditing and attestation standards established by either the AICPA or, if applicable, the Public Company Accounting Oversight Board (PCAOB).

Independence Standard-Setters

Currently, the independence standard-setters include the AICPA, the U.S. Securities and Exchange Commission (SEC), and the PCAOB. Depending upon the audit client, an external auditor is subject to the independence standards issued by one or more of these standard-setters. For nonpublic financial institutions⁶ that are not required to have annual independent audits pursuant to either Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations, the external auditor must comply with the AICPA’s independence


² The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), collectively referred to as the Agencies.

³ Published in the Federal Register on September 28, 1999 (64 FR 52319).

⁴ See Section 36(d) of the Federal Deposit Insurance Act (12 U.S.C. 1831m) and Sections 363.1(a) and 363.2(a) of Part 363 of the FDIC’s regulations (12 CFR 363).

⁵ See OTS regulation at 12 CFR 562.4.

⁶ Nonpublic financial institutions are companies that are not, or whose parent companies are not, subject to the reporting requirements of the Securities Exchange Act of 1934.



standards; the financial institution’s external auditor is not required to comply with the independence standards of the SEC and the PCAOB.

In contrast, for financial institutions subject to the audit requirements either in Part 363 of the FDIC regulations (i.e., those with $500 million or more in total assets) or in Section 562.4 of the OTS regulations, the external auditor should be in compliance with the AICPA’s Code of Professional Conduct and also meet the independence requirements and interpretations of the SEC and its staff. The SEC’s independence requirements encompass the independence standards and rules adopted by the PCAOB and approved by the SEC.

For financial institutions and bank holding companies that are public companies,⁷ regardless of size, the external auditor should be in compliance with the SEC’s and the PCAOB’s independence standards as well as the AICPA’s independence standards.

The table below illustrates the applicability of the AICPA, SEC, and PCAOB independence standards.

Applicability of Auditor Independence Standards

Scenario 1. Nonpublic institutions not subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations
   AICPA Independence Standards: YES
   SEC Independence Standards: NO
   PCAOB Independence Standards: NO

Scenario 2. Public and nonpublic institutions subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations
   AICPA Independence Standards: YES
   SEC Independence Standards: YES
   PCAOB Independence Standards: YES

Scenario 3. Institutions and holding companies that are public companies (regardless of size)
   AICPA Independence Standards: YES
   SEC Independence Standards: YES
   PCAOB Independence Standards: YES

Independence Standards

The independence standards and interpretations of the AICPA, the SEC, and the PCAOB⁸ set forth rules and provide guidance regarding many facets of the external auditor’s relationship with and

7
 Public companies are companies, or subsidiaries of companies, that are subject to the reporting requirements
of the Securities Exchange Act of 1934.
8
 For the AICPA, refer to the AICPA’s Code of Professional Conduct, ET Section 101, Independence; ET Section
191, Ethics Rulings on Independence, Integrity, and Objectivity; and Interpretations under Rule 101 - Indepen-
dence. For the SEC, refer to Rule 2-01 of Regulation S-X (17 CFR Section 210.2-01); the Codification of Financial
Reporting Policies - Section 600 - Matters Relating to Independent Accountants; and the Office of the Chief
Accountant’s Frequently Asked Questions: Application of the Commission’s Rules on Auditor Independence. See
www.sec.gov/info/accountants/ocafaqaudind121304.htm. For the PCAOB, refer to the following PCAOB Rules and
Professional Standards: Rule 3500T—Interim Ethics Standards; Rule 3520—Auditor Independence; Rule 3521—
Contingent Fees; Rule 3522—Tax Transactions; Rule 3523—Tax Services for Persons in Financial Reporting Over-
sight Roles; Rule 3524—Audit Committee Pre-approval of Certain Tax Services; and Rule 3600T—Interim
Independence Standards. See www.pcaobus.org/Rules/Rules of_the_Board/Section_3.pdf.



                                                                                                                                  35
Supervisory Insights                                                                                                Winter 2006
Accounting News
continued from pg. 35

                            performance of services for an audit                          comply with applicable professional stan-
                            client, including                                             dards and the firm’s standards of qual-
                                                                                          ity.”10 The AICPA’s standards further set
                            (1) which members of the audit engage-
                                                                                          forth five broad elements of appropriate
                                ment team are subject to the inde-
                                                                                          quality control in a public accounting
                                pendence rules (referred to as
                                                                                          firm, which relate to maintaining inde-
                                “Covered Members or Persons”);
                                                                                          pendence, integrity, and objectivity;
                            (2) financial relationships of Covered                        managing personnel; establishing guide-
                                Members/Persons or their immedi-                          lines for accepting and continuing
                                ate families;                                             clients; performing engagements; and
                                                                                          monitoring the existing quality control
                            (3) financial interests in nonclients
                                                                                          policies and procedures.
                                having investor or investee relation-
                                ships with clients;                                         Audit firms that provide audit/attest
                                                                                          services to nonpublic clients are subject
                            (4) financial interests of audit firm part-
                                                                                          to peer reviews performed in accordance
                                ners and professional employees,
                                                                                          with applicable AICPA standards, and
                                their immediate families, and close
                                                                                          audit firms that provide audit/attest
                                relatives;
                                                                                          services to public clients are subject to
                            (5) employment relationships of the                           inspections performed by the PCAOB.11
                                audit firm’s partners, professional                       Peer reviews and inspections include an
                                employees, and their immediate                            examination and/or review of an audit
                                family and close relatives; and                           firm’s quality controls. However, for any
                                                                                          particular audit client, the most visible
                            (6) the performance of nonaudit serv-
                                                                                          and apparent independence concerns
                                ices to audit clients.
                                                                                          would be manifested in the services (audit
                              However, while the independence                             and nonaudit) provided to the client.
                            rules and interpretations provide guid-
                            ance and establish a framework for                            AICPA Independence Standards
                            auditors to follow, they do not—nor
                            were they meant or designed to—                                 The AICPA’s professional standards
                            consider all circumstances that raise                         require audit firms, including the firms’
                            independence concerns.                                        partners and professional employees, to
                                                                                          be independent in accordance with
                              The AICPA, the SEC, and the PCAOB                           AICPA Rule 101, Independence,12 of the
                            also require audit firms to have quality                      Code of Professional Conduct (Rule 101)
                            controls for their audit practices.9 The                      whenever an audit firm performs an
                            AICPA’s standards define quality control                      attest service for a client. Attest services
                            as “a process to provide the firm with                        include financial statement audits, finan-
                            reasonable assurance that its personnel                       cial statement reviews, and other attest


                            9
                              For the AICPA, refer to its Quality Control (QC) Standards, QC Section 20—System of Quality Control for a CPA
                            Firm’s Accounting and Auditing Practice; QC Section 30—Monitoring a CPA Firm’s Accounting and Auditing Prac-
                            tice; and QC Section 40—The Personnel Management Element of a Firm’s System of Quality Control—Competen-
                            cies Required by a Practitioner-in-Charge of an Attest Engagement. On July 28, 2006, the AICPA’s Auditing
                            Standards Board issued an Exposure Draft of a proposed Statement of Quality Control Standards that will
                            replace all the existing QC Standards. For the SEC, refer to Rule 2-01(d) of Regulation S-X. For the PCAOB, refer
                            to Rule 3400T—Interim Quality Control Standards—of its Rules and Professional Standards.
                            10
                                 Refer to QC Section 20.03 of the AICPA’s QC Standards.
                            11
                             The public portions of these peer review and inspection reports are available on the AICPA’s and the PCAOB’s
                            websites. See www.aicpa.org/centerprp/publicfile01.htm and
                            www.pcaobus.org/Inspections/Public_Reports/index.aspx, respectively.
                            12
                                 AICPA, Professional Standards, ET Section 101.01.


36
     Supervisory Insights                                                                                                       Winter 2006
services as defined in the AICPA’s State-                • Corporate finance consulting or
ments on Standards for Attestation                         advisory services,
Engagements. For all financial institution
                                                         • Appraisal, valuation, or actuarial
audits (whether the audit is voluntary or
                                                           services,
required; whether or not the financial
institution is subject to Part 363 of the                • Executive or employee search services,
FDIC regulations or Section 562.4 of the
                                                         • Business risk consulting, and
OTS regulations; and whether the finan-
cial institution is a public or a nonpublic              • Information systems design, installa-
company), the financial institution’s                      tion, or integration.
external auditor must comply with the                      Before an audit firm performs non-
AICPA’s Independence Standards.                          attest services for an audit client, the
  Independence is not required when an                   AICPA’s Rule 101 requires the audit
audit firm performs services that are not                firm to meet certain general require-
attest services, if those services—for                   ments. If certain nonattest services (for
example, tax preparation and consulting                  example, internal audit assistance) are
services—are the only services an audit                  to be performed, the audit firm must
firm provides to a particular client.                    also satisfy service-specific require-
However, Rule 101 requires an auditor to                 ments. In cases where the general or
comply with the independence regula-                     service-specific requirements for non-
tions of authoritative regulatory bodies                 attest services are not met, the audit
(such as the SEC and state boards of                     firm’s independence would be impaired
accountancy) when the auditor performs                   with respect to the attest services the
nonattest services for an attest client and              audit firm provides to that audit client.13
is required to be independent of the                       The general requirements for perform-
client under the regulations of the appli-               ing nonattest services for audit clients
cable regulatory body. The auditor’s fail-               under Rule 101 include
ure to comply with the nonattest services
                                                         s   The audit firm should not perform
provisions contained in the independ-
                                                             management functions or make
ence rules of the applicable regulatory
                                                             management decisions for the audit
body that are more restrictive than the
                                                             client.
provisions of Rule 101 would constitute
a violation of Rule 101.                                 s   The audit client must agree to perform
                                                             the following functions in connection
 The AICPA’s Rule 101 imposes limits
                                                             with the nonattest services:
on the nature and scope of nonattest
                                                             – Make all management decisions
services an audit firm may provide to an
                                                                and perform all management
audit (attest) client. Rule 101 specifically
                                                                functions;
addresses the following nonattest services:
                                                             – Designate an individual who
• Bookkeeping services,                                         possesses suitable knowledge
                                                                and/or experience to oversee the
• Payroll and other disbursement
                                                                services;
  services,
                                                             – Evaluate the adequacy and results
• Internal audit assistance,                                    of the services performed;
• Benefit plan administration,                               – Accept responsibility for the results
                                                                of the services; and
• Investment advisory or management
                                                             – Establish and maintain internal
  services,
                                                                controls, including monitoring
• Tax services,                                                 ongoing activities.

13
     AICPA, Professional Standards, ET Section 101.05.


                                                                                                                     37
Supervisory Insights                                                                                   Winter 2006
Accounting News
continued from pg. 37

                            s     Before performing nonattest services,                      and/or experience to be responsible
                                  the audit firm should establish and                        for the internal audit function;
                                  document the following in writing
                                                                                         s   Determines the scope, risk, and
                                  with the client:
                                                                                             frequency of internal audit activities,
                                  – Objectives of the engagement,
                                                                                             including those to be performed by
                                  – Services to be performed,                                the external auditor providing internal
                                  – Client’s acceptance of its                               audit assistance services;
                                     responsibilities,
                                                                                         s   Evaluates the findings and results aris-
                                  – Audit firms’ responsibilities, and
                                                                                             ing from the internal audit activities;
                                  – Any limitation of the engagement.                        and
                              Internal audit services, sometimes                         s   Evaluates the adequacy of the audit
                            referred to as “internal audit outsourc-                         procedures performed and the find-
                            ing,” are one of the more common                                 ings resulting from the performance
                            nonaudit services audit firms provide                            of those procedures by, among other
                            to financial institutions. In evaluating                         things, obtaining reports from the
                            whether independence would be                                    external auditor.
                            impaired with respect to an audit client
                                                                                           As previously indicated, it is impossible
                            that is not a public company and is not
                                                                                         to enumerate all circumstances in which
                            subject to Part 363 of the FDIC regula-
                                                                                         the appearance of independence might
                            tions or Section 562.4 of the OTS regu-
                                                                                         be questioned. In the absence of an
                            lations, the nature of the internal audit
                                                                                         independence interpretation or ruling
                            services to be provided to the client
                                                                                         under the AICPA’s rules that addresses a
                            needs to be considered.14 Assisting the
                                                                                         particular circumstance, a member
                            client in performing financial and opera-
                                                                                         (auditor) should consider whether that
                            tional internal audit activities would
                                                                                         circumstance would lead a reasonable
                            impair independence unless the external
                                                                                         person aware of all of the relevant facts
                            auditor takes appropriate steps to ensure
                                                                                         to conclude there is an unacceptable
                            that the client understands its responsi-
                                                                                         threat to the member’s and the firm’s
                            bilities for establishing and maintaining
                                                                                         independence. The AICPA’s Conceptual
                            the internal control system and directing
                                                                                         Framework provides a risk-based
                            the internal audit function, including the
                                                                                         approach for making that evaluation.
                            management thereof. Accordingly, any                         The risk-based approach involves three
                            outsourcing of the internal audit func-                      steps: (1) the auditor should identify
                            tion to the external auditor whereby the                     and evaluate threats to independence;
                            external auditor in effect manages the                       (2) the auditor should determine
                            internal audit activities of the client                      whether safeguards already eliminate or
                            would impair independence.                                   sufficiently mitigate identified threats
                             In addition to the general requirements                     and whether threats that have not yet
                            of Rule 101 for performing nonattest                         been mitigated can be eliminated or
                            services for an audit client, the external                   sufficiently mitigated by safeguards; and
                            auditor should ensure that client                            (3) if no safeguards are available to elim-
                            management                                                   inate an unacceptable threat or reduce
                                                                                         it to an acceptable level, the auditor
                            s     Designates an individual or individuals                should conclude that independence
                                  who possess suitable skill, knowledge,                 would be considered impaired.15

                            14
                              For audit clients that are public companies or that are subject to Part 363 of the FDIC regulations or Section
                            562.4 of the OTS regulations, internal audit outsourcing to the external auditor is generally impermissible under
                            the SEC’s independence rules.
                            15
                                 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraph 5.


38
     Supervisory Insights                                                                                                         Winter 2006
  Many different circumstances (or                          ing with the SEC’s independence rules,
combinations of circumstances) can                          the SEC’s Office of the Chief Accoun-
create threats to an auditor’s independ-                    tant has also issued and periodically
ence. It is impossible to identify every                    updates a document titled Application
situation that threatens independence.                      of the Commission’s Rules on Auditor
However, seven broad categories of                          Independence—Frequently Asked
threats should always be evaluated                          Questions.
when threats to independence are
                                                              Unlike the AICPA’s independence rules,
being identified and assessed. They are
                                                            the SEC’s independence rules provide
(1) self review (auditors reviewing the
                                                            that an accountant is not independent if,
results of their own nonattest work);
                                                            at any point during the audit and profes-
(2) advocacy (actions by the auditor to
                                                            sional engagement period,18 the account-
promote the client’s interests or posi-
                                                            ant provides any of the following
tion); (3) adverse interest (actions or
                                                            nonaudit services to an audit client:
interests between the auditor and the
client that are in opposition); (4) famil-                  • Bookkeeping or other services related
iarity (auditors having a close or long-                      to the accounting records or financial
standing relationship with an attest                          statements of the audit client;
client); (5) undue influence (attempts
                                                            • Financial information systems design
by the client’s management to coerce
                                                              and implementation;
or exercise excessive influence over the
auditor); (6) financial self-interest                       • Appraisal or valuation services, fair-
(potential benefit to the auditor from a                      ness opinions, or contribution-in-kind
financial interest in, or from some                           reports;
other financial relationship with the
                                                            • Actuarial services;
client); and (7) management participa-
tion (the auditor taking the role of                        • Internal audit outsourcing services;
client management or performing
                                                            • Management functions;
management functions on behalf of the
client).16                                                  • Human resources services;
                                                            • Broker-dealer, investment adviser, or
SEC Independence Standards                                    investment banking services;
  The SEC’s independence rules are                          • Legal services; or
set forth in Rule 2-01 of Regulation S-X
(Rule 2-01).17 Rule 2-01 was amended                        • Expert services unrelated to the audit.
in January 2003 by Release No. 33-                            The SEC’s rules state that bookkeep-
8183, Strengthening the Commission’s                        ing, financial information systems
Requirements Regarding Auditor Inde-                        design and implementation, appraisal or
pendence, to fulfill the mandate of                         valuation services, actuarial services,
Title II of the Sarbanes-Oxley Act of                       and internal audit outsourcing services
2002. To assist practitioners in comply-


16
     ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraphs 12 to 19.
17
     See 17 CFR 210.2-01.
18
  Under Rule 2-01(f)(5), the audit and professional engagement period includes both: (1) the period covered by
any financial statements being audited or reviewed (the “audit period”); and (2) the period of the engagement to
audit or review the audit client’s financial statements to prepare a report filed with the SEC (the “professional
engagement period”). The professional engagement period begins when the accountant either signs an initial
engagement letter (or other agreement to review or audit a client’s financial statements) or begins audit, review,
or attest procedures, whichever is earlier; and the professional engagement period ends when the audit client or
the accountant notifies the SEC that the client is no longer that accountant’s audit client.


                                                                                                                                   39
Supervisory Insights                                                                                                 Winter 2006
Accounting News
continued from pg. 39

                            are prohibited “unless it is reasonable                         PCAOB Independence Standards
                            to conclude that the results of these
                                                                                              Title I of the Sarbanes-Oxley Act of
                            services will not be subject to audit
                                                                                            2002 established the PCAOB and
                            procedures during an audit of the audit
                                                                                            charged it with the responsibility of
                            client’s financial statements.”19 This
                                                                                            overseeing the audits of public compa-
                            limited exception to the general prohibi-
                                                                                            nies that are subject to the U.S. Federal
                            tion regarding nonaudit services is quite
                                                                                            securities laws. Only accounting firms
                            narrow in the SEC’s view, establishing
                                                                                            that register with the PCAOB (registered
                            a rebuttable presumption that these
                                                                                            public accounting firms) may audit
                            services are subject to audit procedures.
                                                                                            public companies. The PCAOB’s duties
In other words, the SEC presumes that, when an accountant audits an audit client’s financial statements, the accountant will end up auditing the work he or she performed when rendering the aforementioned nonaudit services for the audit client.

Like the AICPA’s independence rules, the SEC’s independence rules do not purport to consider all circumstances that raise independence concerns. In this regard, the SEC considers whether a relationship or the provision of a service (a) creates a mutual or conflicting interest between the accountant and the audit client, (b) places the accountant in a position of auditing his or her own work, (c) results in the accountant acting as management or an employee of the audit client, or (d) places the accountant in a position of being an advocate for the audit client.

The SEC will not recognize an accountant as independent, with respect to an audit client, if the accountant is not, or a reasonable investor with knowledge of all relevant facts and circumstances would conclude that the accountant is not, capable of exercising objective and impartial judgment on all issues encompassed within the accountant’s engagement. In determining whether an accountant is independent, the SEC will consider all relevant circumstances, including relationships between the accountant and the audit client, and not just those relating to reports filed with the SEC.

include the establishment of auditing, quality control, ethics, independence, and other standards relating to public company audits.

The PCAOB adopted all of the independence standards described in the AICPA’s Code of Professional Conduct Rule 101, and the interpretations and rulings thereunder, as in existence on April 16, 2003, as the PCAOB’s Interim Independence Standards. These Interim Independence Standards also include Standards Nos. 1, 2, and 3 and Interpretations 99-1, 00-1, and 00-2 of the former Independence Standards Board. Generally, this means that the PCAOB applies the independence standards/principles discussed under the “AICPA Independence Standards” section of this article to registered public accounting firms.

The PCAOB’s Interim Independence Standards do not supersede the SEC’s auditor independence rules. Therefore, to the extent that a provision of the SEC’s rules is more or less restrictive than a provision of the PCAOB’s Interim Independence Standards, a registered public accounting firm must comply with the more restrictive rule.

The PCAOB’s interim standards will remain in effect until modified or superseded, either by PCAOB action approved by the SEC, or by SEC action pursuant to its independent authority under the Federal securities laws to establish independence standards for auditors of public companies.

19 See Rule 2-01(c)(4)(i) through (v) of SEC Regulation S-X (17 CFR 210-01).

40
     Supervisory Insights                                                                                                   Winter 2006
Recent Developments in Auditor Independence

Recent AICPA Developments

On September 8, 2006, the AICPA’s Professional Ethics Executive Committee (PEEC) re-exposed its Proposed Interpretation 101-16 under Rule 101: Indemnification, Limitation of Liability, and ADR Clauses in Engagement Letters. The comment period for the revised Exposure Draft (ED) ended on December 8, 2006. The AICPA’s initial ED on this subject was issued on September 15, 2005.

The revised ED is significantly different from the September 2005 ED. The revised ED has an underlying principle that would permit external auditors to include indemnification and limitation of liability provisions in audit engagement letters if such provisions are contingent upon the related services being performed in compliance with professional standards, in all material respects. However, the revised ED would also permit certain indemnification and limitation of liability provisions to be included in audit engagement letters and not be subject to the underlying principle. For example, under the revised ED, the audit client could waive the right to seek punitive damages and indemnify the auditor for third-party punitive damage awards, the time period for the client to file a claim for damages could be limited, and the client’s right to assign or transfer a claim could be limited.

On February 3, 2006, the Federal banking agencies, together with the National Credit Union Administration, issued an Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters.20 The Interagency Advisory applies to audit engagement letters executed on or after February 9, 2006, and provides that the inclusion of indemnification and limitation of liability provisions in external audit engagement letters will generally be considered an unsafe and unsound practice. Appendix A of the Interagency Advisory contains examples of unsafe and unsound limitation of liability provisions.

While the Interagency Advisory addresses indemnification and limitation of liability from a safety and soundness perspective, rather than from an auditor independence perspective, it is fairly consistent with the PEEC’s September 2005 ED. However, the PEEC’s September 2006 revised ED is generally inconsistent with its September 2005 ED and the Interagency Advisory.

Recent PCAOB Developments

On April 19, 2006, the SEC approved the PCAOB’s proposed ethics and independence rules concerning independence, tax services, and contingent fees. These rules have varying effective dates, most of which are in 2006.

Besides establishing general rules with respect to ethics and independence, these new PCAOB rules restrict certain types of tax services a registered public accounting firm may provide to an audit client and certain members of the client’s management, and prohibit contingent fee arrangements for any services a registered public accounting firm provides to an audit client, in order for the firm to maintain its independence with respect to that client. Nonpublic financial institutions subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations and their auditors should note that these new independence rules from the PCAOB apply to institutions’ external auditors.

Examiner Considerations

Auditor independence is the cornerstone for CPAs and audit firms that provide audit/attestation services to financial institutions. Sometimes concerns regarding an auditor’s independence with respect to a specific audit client are “black and white” and a decision as to whether the auditor’s independence is impaired can be reached rather easily. However, many times, the resolution of concerns regarding auditor independence requires a thorough and complete analysis of all of the relevant facts and circumstances before a conclusion can be made. In the end, ensuring auditor independence is a responsibility of both the auditor and the client financial institution.

Accordingly, as noted in the February 2006 Interagency Advisory and the 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, examiners should consider an institution’s policies and processes surrounding its external auditing program, including those for determining whether the auditor maintains appropriate independence in its relationship with the institution under applicable professional standards, when they evaluate the institution’s program. Examiners should also review external audit engagement letters to determine whether they include any limitation of liability provisions of the types that are deemed unsafe and unsound by the Interagency Advisory.

Harrison E. Greene, Jr.
CPA, CBA, Accounting and Securities Disclosure Section
Washington, DC

20 FIL-13-2006, External Audit Engagement Letters: Unsafe and Unsound Use of Limitation of Liability Provisions, February 9, 2006, www.fdic.gov/news/news/financial/2006/fil06013.html. Also see the February 3, 2006, Joint Press Release, www.fdic.gov/news/news/press/2006/pr06011.html and the Federal Register, Volume 71, Page 6847, www.fdic.gov/regulations/laws/federal/2006/06notice29.pdf.




Overview of Selected Regulations
and Supervisory Guidance
This section provides an overview of recently released regulations and supervisory guidance, arranged in
reverse chronological order. Press Release (PR) or Financial Institution Letter (FIL) designations are
included so the reader may obtain more information.

Subject: Comments Requested on Proposed Illustrations of Consumer Information for Nontraditional Mortgage Product Risks (PR-93-2006, October 18, 2006; FIL-90-2006, October 5, 2006; and Federal Register Vol. 71, No. 192, p. 58672, October 4, 2006)
Summary: The FDIC, the Board of Governors of the Federal Reserve System (Federal Reserve Board), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA) (collectively, the Federal financial regulatory agencies) sought comment on proposed Illustrations of Consumer Information for Nontraditional Mortgage Product Risks (the illustrations). The illustrations were intended to assist institutions in implementing the consumer protection portion of the Interagency Guidance on Nontraditional Mortgage Product Risks. Comments were due December 4, 2006.

Subject: Final Rule Issued to Provide One-Time Assessment Credits to Insured Institutions (PR-91-2006, October 10, 2006; FIL-93-2006, October 18, 2006; and Federal Register Vol. 71, No. 201, p. 61374, October 18, 2006)
Summary: The FDIC issued the final rule to implement the One-Time Assessment Credit, as required by the Federal Deposit Insurance Reform Act of 2005. Under this rule, eligible institutions will share in an aggregated one-time deposit insurance assessment credit of $4,707,580,238.19. The final rule took effect November 17, 2006.

Subject: Final Rule Issued on Assessment Dividends (FIL-92-2006, October 18, 2006; and Federal Register Vol. 71, No. 201, p. 61385, October 18, 2006)
Summary: The FDIC issued the final rule to implement assessment dividends, as required by the Federal Deposit Insurance Reform Act of 2005. The Act generally requires the FDIC to pay dividends from the Deposit Insurance Fund (DIF) to insured institutions when the DIF reserve ratio at the end of a calendar year exceeds 1.35 percent. The final rule takes effect January 1, 2007.

Subject: Interagency Guidance Issued on Nontraditional Mortgage Product Risks, and an Addendum to Credit Risk Management Guidance for Home Equity Lending Issued (PR-86-2006, September 29, 2006; FIL-89-2006, October 5, 2006; and Federal Register Vol. 71, No. 192, p. 58609, October 4, 2006)
Summary: The Federal financial regulatory agencies issued Interagency Guidance on Nontraditional Mortgage Product Risks and an Addendum to the Credit Risk Management Guidance for Home Equity Lending. These documents describe how financial institutions should both address the risks associated with underwriting nontraditional mortgage loan products and provide consumers with clear and balanced information before they make a product or payment choice.

Subject: Final Rule Issued Covering Changes to Deposit Insurance Coverages (FIL-83-2006, September 18, 2006; and Federal Register Vol. 71, No. 176, p. 53547, September 12, 2006)
Summary: The FDIC Board of Directors permanently adopted the final rule implementing provisions of the Federal Deposit Insurance Reform Act of 2005 pertaining to deposit insurance coverage. The final rule took effect October 12, 2006.

Subject: Comments Requested on a Proposed Rule on Risk-Based Capital Standards: Market Risk (PR-82-2006, September 5, 2006; FIL-87-2006, September 25, 2006; and Federal Register Vol. 71, No. 185, p. 55958, September 25, 2006)
Summary: The FDIC, Federal Reserve Board, OCC, and OTS (collectively, the Federal bank and thrift regulatory agencies) jointly issued a notice of proposed rulemaking (NPR) on possible modifications to the risk-based capital standards for market risk. The proposed rule would incorporate improvements to the current trading book regime as proposed by the Basel Committee on Bank Supervision and the International Organization of Securities Commissions in the joint document The Application of Basel II to Trading Activities and the Treatment of Double Default Effects, published in July 2005. The proposed rule would also apply to certain savings associations, which currently are not covered under the rule. The FDIC will accept comments on the NPR through January 23, 2007.






Subject: Comments Requested on a Proposed Rule on Risk-Based Capital Standards: Advanced Capital Adequacy Framework (PR-82-2006, September 5, 2006; FIL-86-2006, September 25, 2006; and Federal Register Vol. 71, No. 185, p. 55830, September 25, 2006)
Summary: The Federal bank and thrift regulatory agencies jointly issued and sought comment on an NPR concerning the domestic application of selected elements of the Basel II capital framework. The proposed rule would require some core banks, and permit other banks, to use an internal ratings-based approach to calculate regulatory credit risk capital requirements and an advanced measurement approach to calculate regulatory operational risk capital requirements. The FDIC will accept comments on the NPR through January 23, 2007.

Subject: Comments Requested on Wide-Ranging Issues Related to Industrial Loan Companies (PR-77-2006, August 17, 2006; FIL-79-2006, August 29, 2006; and Federal Register Vol. 71, No. 163, p. 49456, August 23, 2006)
Summary: The FDIC sought public comment on wide-ranging issues involving industrial loan company charters. Comments were due by October 10, 2006.

Subject: Frequently Asked Questions Published Regarding Authentication in an Internet Environment (FIL-77-2006, August 21, 2006)
Summary: The Federal Financial Institutions Examination Council (FFIEC) published frequently asked questions to assist financial institutions and their technology service providers in conforming to the FFIEC guidance entitled Authentication in an Internet Banking Environment, which was issued on October 12, 2005.

Subject: Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual Released (FIL-71-2006, August 2, 2006)
Summary: The FFIEC released a revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual on July 28, 2006. The manual can be accessed on the FFIEC BSA/AML InfoBase at http://www.ffiec.gov/bsa_aml_infobase/default.htm.

Subject: Revisions Issued to the FDIC Statement of Policy Regarding the National Historic Preservation Act (FIL-70-2006, August 1, 2006; and Federal Register Vol. 71, No. 143, p. 42399, July 26, 2006)
Summary: The FDIC revised its Statement of Policy (SOP) Regarding the National Historic Preservation Act of 1966. The purpose of the SOP is to inform affected parties of the FDIC’s practices in applying the requirements of the National Historic Preservation Act and its implementing regulations. The SOP is relevant to applications for deposit insurance for de novo institutions, applications for establishment of domestic branches, and applications for the relocation of domestic branches or main offices.

Subject: Comments Requested on Proposed Deposit Insurance Rules (PR-70-2006, July 11, 2006; FIL-65-2006, July 25, 2006; and Federal Register Vol. 71, No. 141, p. 41910, July 24, 2006)
Summary: The FDIC sought comment on three proposed rules. The first proposed rule would create a new system for risk-based assessments. The second proposed rule would set the designated reserve ratio at 1.25 percent. The third proposed rule would govern the penalties for failure to pay assessments. Comments on the first two proposed rules were due September 22, 2006; comments on the third proposed rule were due September 18, 2006.

Subject: Comments Requested on Proposed Guidelines for Identity Theft Procedures (PR-71-2006, July 18, 2006; FIL-64-2006, July 18, 2006; and Federal Register Vol. 71, No. 137, p. 40786, July 18, 2006)
Summary: The Federal financial regulatory agencies and the Federal Trade Commission requested public comment on the proposed regulation to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The proposed regulation would require financial institutions and creditors to adopt reasonable policies and procedures to indicate the possible existence of identity theft and to validate addresses under certain circumstances. Comments were due September 18, 2006.



Subject: Revisions Issued to the Uniform Standards of Professional Appraisal Practice (FIL-53-2006, June 23, 2006)
Summary: The Federal financial regulatory agencies issued a statement notifying regulated institutions of the Appraisal Standards Board’s issuance of the 2006 version of the Uniform Standards of Professional Appraisal Practice. These changes were effective July 1, 2006.

Subject: Guidance Issued on Managing Risks in Relationships with Foreign-Based Third-Party Service Providers (FIL-52-2006, June 21, 2006)
Summary: The FDIC issued guidance to address the risks inherent in outsourcing relationships between U.S. financial institutions and foreign-based third-party service providers. The guidance outlines steps institutions should take to manage reputational, operational/transactional, compliance, strategic, and country risks.

Subject: Standard Flood Hazard Determination Form Updated (FIL-51-2006, June 21, 2006)
Summary: The FDIC notified FDIC-supervised institutions that the Federal Emergency Management Agency had issued a revised Standard Flood Hazard Determination Form, which included a new Office of Management and Budget control number and a revised expiration date of October 31, 2008. The form’s format and content have not changed. Institutions were required to use the updated form beginning July 1, 2006.

Subject: Booklet Issued to Institutions on Lessons Learned from Hurricane Katrina (FIL-49-2006, June 15, 2006)
Summary: The FFIEC and the Conference of State Bank Supervisors jointly issued a booklet of the lessons that financial institutions learned in the aftermath of Hurricane Katrina. Institutions can use the booklet in preparing to respond to a catastrophic event. The booklet can be found at http://www.fdic.gov/regulations/resources/lessons/index.html.

Subject: Examination Procedures Issued for New Regulations on Medical Information (FIL-47-2006, May 25, 2006)
Summary: The FFIEC Task Force on Consumer Compliance issued examination procedures to assess compliance with the medical information regulations that became effective on April 1, 2006. The regulations implement the Protection of Medical Information provisions of the Fair Credit Reporting Act, as amended by the FACT Act. The new procedures were effective May 25, 2006.

Subject: Comments Requested on a Revised Statement Concerning Elevated Risk in Complex Structured Finance Activities (PR-44-2006, May 9, 2006; FIL-45-2006, May 16, 2006; and Federal Register Vol. 71, No. 94, p. 28326, May 16, 2006)
Summary: The Federal bank and thrift regulatory agencies and the Securities and Exchange Commission requested public comment on a revised proposed statement on the complex structured finance activities of financial institutions. The revised statement describes the types of internal controls and risk management procedures that should help financial institutions identify, manage, and address the heightened legal and reputational risks that may arise from certain complex structured finance transactions. Comments were due June 16, 2006.

Subject: Comments Requested on Access to Banking Services by Money Services Businesses (FIL-37-2006, May 2, 2006; and Federal Register Vol. 71, No. 47, p. 12308, March 10, 2006)
Summary: The FDIC notified FDIC-supervised institutions that the Department of the Treasury’s Financial Crimes Enforcement Network had issued a request for public comment on an Advance Notice of Proposed Rulemaking regarding the impact of Bank Secrecy Act regulations on the ability of money services businesses to open and maintain accounts and obtain other banking services at banks and other depository institutions. Comments were due July 9, 2006.



