sign in sign up
<<
Home , Auditor independence

Supervisory Insights

Devoted to Advancing the Practice of Bank Supervision

Vol. 3, Issue 2 Winter 2006

Inside

Incident Response Programs

Unfair or Deceptive Acts or Practices

Understanding BSA Violations

Commercial Real Estate Underwriting Practices

Auditor Independence Supervisory Insights Supervisory Insights is published by the Division of Supervision and Consumer Protection of the Federal Deposit Insurance Corporation to promote sound principles and best practices for bank supervision. Sheila C. Bair Chairman, FDIC Sandra L. Thompson Director, Division of Supervision and Consumer Protection Journal Executive Board George French, Deputy Director and Executive Editor Christopher J. Spoth, Senior Deputy Director John M. Lane, Deputy Director Robert W. Mooney, Acting Deputy Director William A. Stark, Deputy Director John F. Carter, Regional Director Doreen Eberley, Acting Regional Director Stan R. Ivie, Regional Director James D. LaPierre, Regional Director Sylvia H. Plunkett, Regional Director Mark S. Schmidt, Regional Director Journal Staff Bobbie Jean Norris Managing Editor Christy C. Jacobs Financial Writer Eloy A. Villafranca Financial Writer Supervisory Insights is available online by visiting the FDIC’s website at www.fdic.gov. To provide comments or suggestions for future articles, to request permission to reprint individual articles, or to request print copies, send an e-mail to [email protected].

The views expressed in Supervisory Insights are those of the authors and do not necessarily reflect official positions of the Federal Deposit Insurance Corporation. In particular, articles should not be construed as defini- tive regulatory or supervisory guidance. Some of the information used in the preparation of this publication was obtained from publicly available sources that are considered reliable. However, the use of this informa- tion does not constitute an endorsement of its accu- racy by the Federal Deposit Insurance Corporation. Issue at a Glance

Volume 3, Issue 2 Winter 2006

Letter from the Director...... 2 the types of BSA-related violations cited in examination reports, and clarifies the difference between a significant BSA Articles program breakdown and technical prob- lems in financial institutions. The article Incident Response Programs: Don’t Get Caught 4 also provides examples of best practices Without One for maintaining strong BSA and Anti- Money Laundering compliance programs. The media has been filled with stories of data compromises and security breaches at all types of organizations. A security incident can damage corporate reputations, cause financial Regular Features losses, and foster identity theft, and banks are increasingly becoming targets for attack because they hold valuable data From the Examiner’s Desk . . . that, when compromised, allow criminals to steal an individ- ual’s identity and drain financial accounts. To mitigate the Examiners Report on Commercial effects of security breaches, organizations are finding it Real Estate Underwriting Practices 27 necessary to develop formal incident response programs Banks are becoming increasingly reliant on (IRPs). This article highlights the importance of IRPs to a commercial real estate (CRE) lending, and, bank’s information security program and provides information in some markets, underwriting and admin- on required content and best practices banks may consider istration of such loans have deteriorated in when developing effective response programs. the effort to gain market share. This article provides an update on CRE lending nation- Chasing the Asterisk: A Field Guide to Caveats, wide by looking at examples of bank poli- cies and practices in CRE concentrations Exceptions, Material Misrepresentations, and Other and presenting best practices for identify- Unfair or Deceptive Acts or Practices 12 ing, monitoring, and controlling such risk. Although the vast majority of FDIC-supervised institutions adhere to a high level of professional conduct, the FDIC has News: seen an increase in violations of Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or Independence 33 deceptive practices in or affecting commerce. The Act When CPAs and their firms provide applies to all aspects of financial products and services, and certain services that require them to be this increase in violations may be the result of increased independent, such as of financial competition among financial institutions, along with a grow- statements and audits of ing dependence on fee income, expansion into the subprime over financial reporting, they are referred market, and the increase in the number of products with to as independent public , complex structures and pricing. This article outlines how independent , or external audi- examiners identify and address acts or practices that may tors. But what does “independence” violate the prohibition against unfair or deceptive acts or prac- mean when external auditors provide tices, and it provides information to help financial institutions these services? This article summarizes assess their products and services and develop a plan to existing professional standards for auditor avoid violations of Section 5 of the FTC Act. independence, including recent develop- ments on tax services and contingent fees as well as the use of limitation of Understanding BSA Violations 22 liability clauses in engagement letters. While most insured financial institutions have an adequate system of BSA controls, high-profile cases in which large civil money penalties have been assessed for noncompliance with Regulatory and the BSA highlight the importance of banks’ efforts to ensure Supervisory Roundup 43 compliance with the BSA and its implementing rules. Shortfalls This feature provides an overview of in BSA controls can result in violations of the BSA and the recently released regulations and super- implementing rules being cited in Reports of Examination. This visory guidance. article highlights recent USA PATRIOT Act changes, discusses

1 Supervisory Insights Winter 2006 Letter from the Director

t used to be that banks spent more result in substantial harm or inconven- money on protecting the they ience to any customer. In addition, the Iheld in their vaults than on anything guidelines require financial institutions else. The bars on the windows, security to ensure that service providers with guards in the lobby, and armored cars whom they contract implement a secu- were familiar signs of how important it rity program designed to meet the was to protect the cash. These days, we guidelines’ objectives. Other laws, such know that another critical for a as the Fair and Accurate Credit Trans- bank to protect is data. actions Act of 2003 and the USA PATRIOT Act, also require financial Banks hold valuable data that, when institutions to have in place strong compromised, allow criminals to steal policies and programs to safeguard an individual’s identity and drain finan- customer data. cial accounts. The potential for large financial gain has driven the demand by Another reason to protect customer identity thieves for data. There are even data is to avoid financial losses to the secondary markets where thieves can bank. The costs associated with a data purchase or trade data in mass quanti- compromise can be great. They range ties. There are people in the data theft from expensive insurance claims, to industry whose “job” it is to obtain and investigation and remediation costs, to aggregate as much data as they can. the cost of providing free monitoring Others operate the elaborate black services for those affected. As important, market operations where data can be however, banks need to safeguard data to bought and sold. And other participants protect against harm to their reputation are the actual end-users of the stolen and a loss of consumer confidence. If information. Whether by manufacturing bank customers feel their bank cannot duplicate credit or debit cards, applying be trusted to protect their confidential for credit in someone else’s name, or information, they will go somewhere using stolen online banking IDs and else. Although it has not yet happened to passwords to access someone’s cash by a financial institution, companies in originating transfers, the end-users are other industries have gone out of busi- the criminals who actually convert the ness because of serious data breaches. data into cash. Everyone has a responsibility in safe- There are many reasons for banks guarding data. Financial institutions and to safeguard data. There are, of course, their technology service providers have a the regulatory requirements. In 2001, legal duty to protect data, but consumers the Federal banking agencies imple- also have a responsibility to protect their mented section 501(b) of the Gramm- own information. The FDIC has spon- Leach-Bliley Act by promulgating sored a number of symposiums around Guidelines Establishing Standards the country to educate consumers about for Safeguarding Customer Informa- the need to protect personal and confi- tion. The objectives of the guidelines dential information from compromise. and of the written information-security We advise consumers to always protect program they require are to (1) ensure their Social Security number, credit card the security and confidentiality of and debit card numbers, personal identi- customer information, (2) protect fication numbers, passwords, and other against any anticipated threats or personal information. They should also hazards to the security or integrity protect their incoming and outgoing of such information, and (3) protect mail, properly discard any trash that against unauthorized access to or use contains personal or financial informa- of customer information that could tion, and keep a close watch on bank

2 Supervisory Insights Winter 2006 account statements and credit card bills requiring that security incidents involv- for any abnormalities. ing personally identifiable information be reported within one hour after discovery. The FDIC also has safeguards in place to protect our confidential data. As the The FDIC recognizes that even the best steward of the deposit insurance fund information security program may not and primary supervisor of more than prevent every incident. A critical feature 5,200 banks, the FDIC plays a vital role of information security programs must in maintaining confidence in the bank- be a plan for the bank to respond when ing industry. In August, the FDIC issued incidents of unauthorized access to updated procedures to examination staff sensitive customer information main- as a reminder of the importance of safe- tained by the institution or its service guarding examination information— providers occur. An incident response whether in paper, electronic, or other program provides a preplanned frame- form. The updated procedures cover all work for dealing with the aftermath of documentation acquired or created in a security breach or attack. In this issue connection with a bank examination, of Supervisory Insights, “Incident such as reports of examination, exami- Response Programs: Don’t Get Caught nation work papers, bank information, Without One” highlights the importance and, especially, any sensitive bank of incident response programs and customer information that may be gath- provides information on required content ered as part of a bank examination. The and best practices banks may consider updated procedures (1) specify mini- when developing effective response mum standards for safeguarding exami- programs. nation information, including technical, We encourage our readers to continue physical, and administrative safeguards; to provide comments on articles, to ask (2) provide guidance for the implemen- follow-up questions, and to suggest topics tation of an Information Security Inci- for future issues. All comments, ques- dent Response Program with required tions, and suggestions should be sent to procedures if an actual or suspected loss, [email protected]. theft, or unauthorized access of confi- dential or sensitive examination informa- Sandra L. Thompson tion is detected; and (3) incorporate recently issued guidance from the U. S. Director, Division of Office of and Supervision and Consumer Protection

3 Supervisory Insights Winter 2006 Incident Response Programs: Don’t Get Caught Without One

veryone is familiar with the old a time when organizations need to be adage “Time is money.” In the most prepared, many banks are finding EInformation Age, data may be just it challenging to assemble an IRP that as good. Reports of data compromises not only meets minimum requirements and security breaches at organizations (as prescribed by Federal bank regula- ranging from universities and retail tors), but also provides for an effective companies to financial institutions and methodology to manage security inci- government agencies provide evidence dents for the benefit of the bank and its of the ingenuity of Internet hackers, customers. In response to these chal- criminal organizations, and dishonest lenges, this article highlights the impor- insiders obtaining and profiting from tance of IRPs to a bank’s information sensitive customer information. Whether security program and provides informa- a network security breach compromising tion on required content and best prac- millions of credit card accounts or a lost tices banks may consider when computer tape containing names, developing effective response programs. addresses, and Social Security numbers of thousands of individuals, a security incident can damage corporate reputa- The Importance of an tions, cause financial losses, and enable Incident Response Program identity theft. A bank’s ability to respond to security Banks are increasingly becoming incidents in a planned and coordinated prime targets for attack because they fashion is important to the success of its hold valuable data that, when compro- information security program. While mised, may lead to identity theft and IRPs are important for many reasons, financial loss. This environment places three are highlighted in this article. significant demands on a bank’s infor- First, though incident prevention is mation security program to identify important, focusing solely on prevention and prevent vulnerabilities that could may not be enough to insulate a bank result in successful attacks on sensitive from the effects of a security breach. customer information held by the bank. Despite the industry’s efforts at identi- The rapid adoption of the Internet as a fying and correcting security vulnera- delivery channel for electronic commerce bilities, every bank is susceptible to coupled with prevalent and highly publi- weaknesses such as improperly config- cized vulnerabilities in popular hardware ured systems, software vulnerabilities, and software have presented serious and zero-day exploits.2 Compounding security challenges to the banking indus- the problem is the difficulty an organiza- try. In this high-risk environment, it is tion experiences in sustaining a “fully very likely that a bank will, at some secured” posture. Over the long term, a point, need to respond to security inci- large amount of resources (time, money, dents affecting its customers. personnel, and expertise) is needed to To mitigate the negative effects of secu- maintain security commensurate with all rity breaches, organizations are finding potential vulnerabilities. Inevitably, an it necessary to develop formal incident organization faces a point of diminishing response programs (IRPs).1 However, at returns whereby the extra resources

1 In its simplest form, an IRP is an organized approach to addressing and managing the aftermath of a security breach or attack. 2 A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.

4 Supervisory Insights Winter 2006 applied to incident prevention bring a devoted to incident response has made lesser amount of security value. Even the development of IRPs a legal necessity. the best information security program Finally, IRPs are in the best interests may not identify every vulnerability and of the bank. A well-developed IRP that prevent every incident, so banks are best is integrated into an overall information served by incorporating formal incident security program strengthens the institu- response planning to complement strong tion in a variety of ways. Perhaps most prevention measures. In the event important, IRPs help the bank contain management’s efforts do not prevent all the damage resulting from a security security incidents (for whatever reason), breach and lessen its downstream effect. IRPs are necessary to reduce the Timely and decisive action can also limit sustained damage to the bank. the harm to the bank’s reputation, Second, regulatory agencies have reduce negative publicity, and help the recognized the value of IRPs and have bank identify and remedy the underlying mandated that certain incident response causes of the security incident so that requirements be included in a bank’s mistakes are not destined to be repeated. information security program. In March 2001, the FDIC, the Office of the Comp- troller of the Currency (OCC), the Office Elements of an Incident of Thrift Supervision (OTS), and the Response Program Board of Governors of the Federal Although the specific content of an Reserve System (FRB) (collectively, the IRP will differ among financial institu- Federal bank regulatory agencies) jointly tions, each IRP should revolve around issued guidelines establishing standards the minimum procedural requirements for safeguarding customer information, prescribed by the Federal bank regula- as required by the Gramm-Leach-Bliley tory agencies. Beyond this fundamental 3 Act of 1999. These standards require content, however, strong financial institu- banks to adopt response programs as a tion management teams also incorporate security measure. In April 2005, the industry best practices to further refine Federal bank regulatory agencies issued and enhance their IRP. In general, the interpretive guidance regarding response overall comprehensiveness of an IRP 4 programs. This additional guidance should be commensurate with an institu- describes IRPs and prescribes standard tion’s administrative, technical, and orga- procedures that should be included in nizational complexity. IRPs. In addition to Federal regulation in this area, at least 32 states have passed laws requiring that individuals be notified Minimum Requirements of a breach in the security of computer- The minimum required procedures ized personal information.5 Therefore, addressed in the April 2005 interpretive the increased regulatory attention guidance can be categorized into two

3 Appendix B to Part 364 of the FDIC Rules and Regulations at www.fdic.gov/regulations/laws/rules/2000-8660 .html#2000appendixbtopart364 and FDIC FIL-22-2001, Guidelines Establishing Standards for Safeguarding Customer Information, issued March 14, 2001. Also refer to 12 CFR 30, App. B (OCC); 12 CFR 208, App. D-2 and 12 CFR 225, App. F (FRB); and 12 CFR 570, App. B (OTS). 4 FDIC FIL-27-2005, Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, issued April 1, 2005, www.fdic.gov/news/news/financial/2005/fil2705.html. Also refer to 12 CFR 30, App. B (OCC); 12 CFR 208, App. D-2 and 12 CFR 225, App. F (FRB); 12 CFR 364, App. B (FDIC); and 12 CFR 570, App. B (OTS). 5 “State Security Breach Notification Laws (as of June 2006),” September 15, 2006, www.thecyberangel.com/ StSecBrchNotifLaw.doc.

5 Supervisory Insights Winter 2006 Incident Response Programs continued from pg. 5

broad areas: “reaction” and “notifica- with the likelihood of and the potential tion.” In general, reaction procedures are damage from such threats. An institu- the initial actions taken once a compro- tion’s information security risk assess- mise has been identified. Notification ment can be useful in identifying some procedures are relatively straightforward of these potential threats. The contain- and involve communicating the details or ment procedures developed should focus events of the incident to interested on responding to and minimizing poten- parties; however, they may also involve tial damage from the threats identified. some reporting requirements. Figure 1 Not every incident can be anticipated, lists the minimum required procedures but institutions should at least develop of an IRP as discussed in the April 2005 containment procedures for reasonably interpretive guidance. foreseeable incidents.

Reaction Procedures Notification Procedures Assessing security incidents and iden- An institution should notify its primary tifying the unauthorized access to or Federal regulator as soon as it becomes misuse of customer information essen- aware of the unauthorized access to or tially involve organizing and developing misuse of sensitive customer information a documented risk assessment process or customer information systems. Notify- for determining the nature and scope of ing the regulatory agency will help it the security event. The goal is to effi- determine the potential for broader rami- ciently determine the scope and magni- fications of the incident, especially if the tude of the security incident and incident involves a service provider, as identify whether customer information well as assess the effectiveness of the has been compromised. institution’s IRP. Containing and controlling the security Institutions should develop procedures incident involves preventing any further for notifying law enforcement agencies access to or misuse of customer informa- and filing SARs in accordance with their tion or customer information systems. As primary Federal regulator’s require- there are a variety of potential threats to ments.6 Law enforcement agencies may customer information, organizations serve as an additional resource in should anticipate the ones that are more handling and documenting the incident. likely to occur and develop response and Institutions should also establish proce- containment procedures commensurate dures for filing SARs in a timely manner

Figure 1 Minimum Requirements Develop reaction procedures for Establish notification procedures for assessing security incidents that have the institution’s primary Federal regulator; occurred; appropriate law enforcement agencies (and identifying the customer information and filing Suspicious Activity Reports [SARs], if information systems that have been accessed necessary); and or misused; and affected customers. containing and controlling the security incident.

6 An institution’s obligation to file a SAR is specified in the regulations of its primary Federal regulator. Refer to 12 CFR 21.11 (OCC), 12 CFR 208.62 (FRB), 12 CFR 353 (FDIC), and 12 CFR 563.180 (OTS).

6 Supervisory Insights Winter 2006 because regulations impose relatively practices addressed below are not all quick filing deadlines. The SAR form7 inclusive, nor are they regulatory require- itself may serve as a resource in the ments. Rather, they are representative of reporting process, as it contains specific some of the more effective practices and instructions and thresholds for when to procedures some institutions have imple- file a report. The SAR form instructions mented. For organizational purposes, the also clarify what constitutes a “computer best practices have been categorized into intrusion” for filing purposes. Defining the various stages of incident response: procedures for notifying law enforce- preparation, detection, containment, ment agencies and filing SARs can recovery, and follow-up. streamline these notification and report- ing requirements. Preparation Institutions should also address Preparing for a potential security customer notification procedures in compromise of customer information their IRP. When an institution becomes is a proactive prac- aware of an incident involving unautho- tice. The overall effectiveness and effi- rized access to sensitive customer infor- ciency of an organization’s response is mation, the institution should conduct a related to how well it has organized and reasonable investigation to determine prepared for potential incidents. Two the likelihood that such information has of the more effective practices noted in been or will be misused. If the institu- many IRPs are addressed below. tion determines that sensitive customer information has been misused or that Establish an incident response team. misuse of such information is reasonably A key practice in preparing for a poten- possible, it should notify the affected tial incident is establishing a team that is customer(s) as soon as possible. Devel- specifically responsible for responding oping standardized procedures for noti- to security incidents. Organizing a team fying customers will assist in making that includes individuals from various timely and thorough notification. As a departments or functions of the bank resource in developing these proce- (such as operations, networking, lend- dures, institutions should reference the ing, human resources, accounting, April 2005 interpretive guidance, which marketing, and ) may better posi- specifically addresses when customer tion the bank to respond to a given inci- notification is necessary, the recom- dent. Once the team is established, mended content of the notification, and members can be assigned roles and the acceptable forms of notification. responsibilities to ensure incident handling and reporting is comprehen- Best Practices—Going sive and efficient. A common responsi- bility that banks have assigned to the Beyond the Minimum incident response team is developing a Each bank has the opportunity to go notification or call list, which includes beyond the minimum requirements and contact information for employees, incorporate industry best practices into vendors, service providers, law enforce- its IRP. As each bank tailors its IRP to ment, bank regulators, insurance match its administrative, technical, and companies, and other appropriate organizational complexity, it may find contacts. A comprehensive notification some of the following best practices rele- list can serve as a valuable resource vant to its operating environment. The when responding to an incident.

7 See www.fincen.gov/reg_bsaforms.html.

7 Supervisory Insights Winter 2006 Incident Response Programs continued from pg. 7

Define what constitutes an incident. the monitoring process and for the IRP in general. Identifying potential An initial step in the development of a indicators of unauthorized system response program is to define what access within these activity or security constitutes an incident. This step is reports can assist in the detection important as it sharpens the organiza- process. tion’s focus and delineates the types of events that would trigger the use of the Involve legal counsel. IRP. Moreover, identifying potential Because many states have enacted security incidents can also make the laws governing notification require- possible threats seem more tangible, ments for customer information secu- and thus better enable organizations to rity compromises, institutions have design specific incident-handling proce- found it prudent to involve the institu- dures for each identified threat. tion’s legal counsel when a compro- mise of customer information has been Detection detected. Legal guidance may also be The ability to detect that an incident is warranted in properly documenting occurring or has occurred is an impor- and handling the incident. tant component of the incident response process. This is considerably more Containment important with respect to technical During the containment phase, threats, since these can be more difficult the institution should generally imple- to identify without the proper technical ment its predefined procedures for solutions in place. If an institution is not responding to the specific incident positioned to quickly identify incidents, (note that containment procedures the overall effectiveness of the IRP may are a required minimum component). be affected.8 Following are two detection- Additional containment-related proce- related best practices included in some dures some banks have successfully institutions’ IRPs. incorporated into their IRPs are Identify indicators of unauthorized discussed below. system access. Establish notification escalation Most banks implement some form procedures. of technical solution, such as an intru- If senior management is not already sion detection system or a firewall, to part of the incident response team, assist in the identification of unautho- banks may want to consider developing rized system access. Activity reports procedures for notifying these individu- from these and other technical solu- als when the situation warrants. Provid- tions (such as network and application ing the appropriate executive staff security reports) serve as inputs for

8 Pursuant to section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), the FDIC, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Office of Thrift Supervision, the National Credit Union Administration, and the Federal Trade Commission, have jointly proposed (1) guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft, and (2) regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines. The notice of proposed rulemaking (NPR) also includes provisions requiring credit and debit card issuers to assess the validity of a request for a change of address under certain circumstances, and, pursuant to section 315 of the FACT Act, guidance regarding reasonable policies and procedures that a user of consumer reports must employ when such a user receives a notice of address discrepancy from a consumer reporting agency. The NPR was published on July 18, 2006, at 71 Fed. Reg. 40786, and the comment period ended on September 18, 2006. The agencies are reviewing the comments received in preparation for a final rule.

8 Supervisory Insights Winter 2006 and senior department managers with communications with both the media information about how containment and the institution’s customers. actions will affect business operations or systems and including these individu- Recovery als in the decision-making process can help minimize undesirable business Recovering from an incident essentially disruptions. Institutions that have expe- involves restoring systems to a known rienced incidents have generally found good state or returning processes and that the management escalation process procedures to a functional state. Some (and resultant communication flow) banks have incorporated the following was not only beneficial during the best practices related to the recovery containment phase, but also proved process in their IRPs. valuable during the later phases of the Determine whether configurations incident response process. or processes should be changed. Document details, conversations, If an institution is the subject of a and actions. security compromise, the goals in the Retaining documentation is an recovery process are to eliminate the important component of the incident cause of the incident and ensure that response process. Documentation can the possibility of a repeat event is mini- come in a variety of forms, including mized. A key component of this process technical reports generated, actions is determining whether system configu- taken, costs incurred, notifications rations or other processes should be provided, and conversations held. This changed. In the case of technical information may be useful to external compromises, such as a successful consultants and law enforcement for network intrusion, the IRP can prompt investigative and legal purposes, as management to update or modify well as to senior management for filing system configurations to help prevent potential insurance claims and for further incidents. Part of this process preparing an executive summary of may include implementing an effective, the events for the board of directors ongoing patch management program, or shareholders. In addition, documen- which can reduce exposure to identified tation can assist management in technical vulnerabilities. In terms of responding to questions from its non-technical compromises, the IRP primary Federal regulator. It may be can direct management to review opera- helpful during the incident response tional procedures or processes and process to centralize this documenta- implement changes designed to prevent tion for organizational purposes. a repeat incident. Organize a public relations Test affected systems or procedures program. prior to implementation. Whether a bank is a local, national, or Testing is an important function in the global firm, negative publicity about a incident response process. It helps security compromise is a distinct possi- ensure that reconfigured systems, bility. To address potential reputation updated procedures, or new technologies risks associated with a given incident, implemented in response to an incident some banks have organized public rela- are fully effective and performing as tions programs and designated specific expected. Testing can also identify points of contact to oversee the program. whether any adjustments are necessary A well-defined public relations program prior to implementing the updated can provide a specific avenue for open system, process, or procedure.

9 Supervisory Insights Winter 2006 Incident Response Programs continued from pg. 9 Follow-up – determine if updated training is necessary regarding any new During the follow-up process, an institu- procedures or updated policies that tion has the opportunity to regroup after have been implemented; and the incident and strengthen its control structure by learning from the incident. – determine if the bank needs addi- A number of institutions have included tional personnel or technical the following best practice in their IRPs. resources to be better prepared going forward. Conduct a “lessons-learned” meeting. The preceding best practices focused on the more common criteria that have Successful organizations can use the been noted in actual IRPs, but some incident and build from the experience. banks have developed other effective Organizations can use a lessons-learned incident response practices. Examples meeting to of these additional practices are listed in – discuss whether affected controls Figure 2. Organizations may want to or procedures need to be strength- review these practices and determine if ened beyond what was imple- any would add value to their IRPs given mented during the recovery phase; their operating environments. – discuss whether significant prob- lems were encountered during the incident response process and how What the Future Holds they can be addressed; In addition to meeting regulatory – determine if updated written poli- requirements and addressing applicable cies or procedures are needed for industry best practices, several character- the customer information security istics tend to differentiate banks. The risk assessment and information most successful banks will find a way to security program; integrate incident response planning into

Figure 2 Additional IRP Best Practices

Test the incident response plan (via walk- have established phone numbers and through or tabletop exercises) to assess e-mail distribution lists for reporting possi- thoroughness. ble incidents.

Implement notices on login screens for Inform users about the status of any compro- customer information systems to establish mised system they may be using. a basis for disciplinary or legal action. Establish a list of possible consultants, in Develop an incident grading system that case the bank does not have the expertise quantifies the severity of the incident, helps to handle or investigate the specific inci- determine if the incident response plan dent (especially regarding technical needs to be activated, and specifies the compromises). extent of notification escalation. Establish evidence-gathering and handling Provide periodic staff awareness training procedures aimed at preserving evidence on recognizing potential indicators of unau- of the incident and aiding in prosecution thorized activity and reporting the incident activities. through proper channels. Some institutions

10 Supervisory Insights Winter 2006 normal operations and business man-made disasters, sound IRPs will be processes. Assimilation efforts may necessary to combat new and existing include expanding security awareness data security threats facing the banking and training initiatives to reinforce inci- community. Given the high value placed dent response actions, revising business on the confidential customer information continuity plans to incorporate security held within the financial services indus- incident responses, and implementing try, coupled with the publicized success additional security monitoring systems of known compromises, one can reason- and procedures to provide timely inci- ably assume that criminals will continue dent notification. Ultimately, the to probe an organization’s defenses in adequacy of a bank’s IRP reflects on search of weak points. The need for the condition of the information secu- response programs is real and has been rity program along with management’s recognized as such by not only state and willingness and ability to manage infor- Federal regulatory agencies (through mation technology risks. In essence, passage of a variety of legal require- incident response planning is a manage- ments), but by the banking industry ment process, the comprehensiveness itself. The challenges each bank faces and success of which provide insight into are to develop a reasonable IRP provid- the quality and attentiveness of manage- ing protections for the bank and the ment. In this respect, the condition of a consumer and to incorporate the IRP bank’s IRP, and the results of examiner into a comprehensive, enterprise-wide review of the incident response planning information security program. The most process, fit well within the objectives of successful banks will exceed regulatory the information technology examination requirements to leverage the IRP for as described in the Information Technol- business advantages and, in turn, ogy–Risk Management Program.9 improved protection for the banking industry as a whole. An IRP is a critical component of a well-formed and effective information Eric R. Morris security program and has the potential to Information Technology provide tangible value and benefit to a Examiner, Chicago, IL bank. Similar to the importance of a business continuity planning program as John J. Sosnowski II it relates to the threat of natural and Examiner, Indianapolis, IN

9 The Information Technology–Risk Management Program (IT–RMP) is the approach for conducting information technology examinations at FDIC-supervised institutions, regardless of size and complexity. FIL 81-2005, Informa- tion Technology–Risk Management Program New Information Technology Examination Procedures, August 18, 2005, www.fdic.gov/news/news/financial/2005/fil8105.html.

11 Supervisory Insights Winter 2006 Chasing the Asterisk: A Field Guide to Caveats, Exceptions, Material Misrepresentations, and Other Unfair or Deceptive Acts or Practices

ection 5 of the Federal Trade Depending on the severity of their Commission (FTC) Act prohibits nature and scope, violations of the FTC S“unfair or deceptive practices in Act may adversely affect an institution’s or affecting commerce.”1 Although compliance rating, as well as result in enforced generally by the FTC against an enforcement action and restitution. nonbank entities, the authority for Evidence of such violations may also enforcing Section 5 as it relates to FDIC- cause a downgrade of an institution’s supervised institutions rests with the Community Reinvestment Act (CRA) FDIC, pursuant to Section 8 of the rating. Public knowledge that a financial Federal Deposit Insurance Act,2 which institution engaged in unfair or deceptive permits the FDIC and the other Federal acts or practices—from publication of a banking agencies to enforce “any law.” cease and desist order, a statement in The prohibition against unfair and the institution’s public CRA Performance deceptive acts or practices (UDAPs) Evaluation, or reports in the media—may applies to all products and services result in reputational harm to the institu- offered by a financial institution, directly tion, lawsuits, and financial damages. In or indirectly. The prohibition applies to light of these risks, failure to prevent or every stage and activity: from product address potential UDAPs may, in turn, development to the creation and rollout of expose the institution to questions regard- the marketing campaign; from servicing ing the adequacy of its management and and collections all the way through to the the safety and soundness of its operations. termination of the customer relationship. This article provides insights into how Although the vast majority of FDIC- examiners identify and address acts or supervised institutions adhere to a high practices that may violate the prohibi- level of professional conduct, the FDIC tion against UDAPs found in Section 5 has seen an increase in violations of of the FTC Act. Financial institutions Section 5 of the FTC Act. This may be can use this information to conduct the result of increased competition assessments of their products and serv- among financial institutions, along with ices and to develop a blueprint for a growing dependence on fee income avoiding Section 5 violations. and increased reliance on third parties. Expansion into the subprime market may FDIC Enforcement of be another factor, as well as the prolifera- Section 5 of the FTC Act tion of products with complex structures and pricing. Examiners have identified A number of agencies have authority various acts and practices that violate to combat UDAPs. While the FTC Section 5, including deceptive marketing has broad authority to enforce the and solicitations, misleading billing state- requirements of Section 5 of the ments, and failure to adequately disclose FTC Act, banks and certain other busi- material terms and conditions for both nesses are exempted from the FTC’s credit and deposit products. authority.3 In a Financial Institution Letter (FIL) dated May 30, 2002,4

1 15 U.S.C. § 45(a). 2 12 U.S.C. § 1818(b). 3 15 U.S.C. § 45. 4 FIL-57-2002, Guidance on Unfair or Deceptive Acts or Practices, May 30, 2002, www.fdic.gov/news/news/ financial/2002/fil0257.html.

12 Supervisory Insights Winter 2006 the FDIC confirmed the applicability To assist in determining whether a of Section 5 of the FTC Act to state particular act or practice is unfair or nonmember banks and their institu- deceptive, the FTC has issued policy tion-affiliated parties, as well as the statements on both unfairness and FDIC’s intention to cite violations of deception.9 In most cases, Section 5 this law and take appropriate action violations involve deception, although under Section 8 of the Federal Deposit there have been a few instances where Insurance Act5 (FDI Act) when it a particular act or practice, or the sum discovers unfair or deceptive acts of a variety of acts and practices, have or practices. been found to be unfair. On March 11, 2004, the FDIC with the Board of Governors of the Federal Unfairness Reserve System (FRB) jointly issued An act or practice may be found to be guidance on UDAP (Joint Guidance) unfair where it to state-chartered banks outlining the standards the FDIC and the FRB will (1) Causes or is likely to cause sub- consider when applying the prohibitions stantial injury to consumers, which against UDAPs found in the FTC Act and (2) Is not reasonably avoidable by providing advice on managing risks consumers themselves, and relating to UDAPs.6 (3) Is not outweighed by counter- In determining the appropriate vailing benefits to consumers or response to a Section 5 violation, the to competition. FDIC consults with other state and federal agencies depending on the issue Public policy may also be considered in and their jurisdiction over the parties the analysis of whether a particular act involved. Where necessary to address or practice is unfair. the UDAP and provide an appropriate remedy for consumers, the FDIC will Deception also pursue a joint action with other A three-part test is used to assess 7 government entities. whether a representation, omission, or practice is deceptive: Standards for Determining (1) The representation, omission, or What Is Unfair or Deceptive practice must mislead or be likely to mislead the consumer; As stated in the Joint Guidance,8 the standards for unfairness and deception (2) The consumer’s interpretation of are independent of each other. While the representation, omission, or a specific act or practice may be both practice must be reasonable under unfair and deceptive, an act or practice the circumstances. If a representa- is prohibited by the FTC Act if it is either tion or practice is targeted to a partic- unfair or deceptive. ular group—for example, the elderly

5 12 U.S.C. § 1818(a). 6 FIL-26-2004, Unfair or Deceptive Acts or Practices by State-Chartered Banks, March 11, 2004 (Joint Guidance), www.fdic.gov/news/news/financial/2004/fil2604.html. 7 Ibid., footnote 6, page 1. 8 Ibid., footnote 6, page 2. 9 See FTC Policy Statement on Unfairness (December 17, 1980), www.ftc.gov/bcp/policystmt/ad-unfair.htm, and FTC Policy Statement on Deception (October 14, 1983), www.ftc.gov/bcp/policystmt/ad-decept.htm.

13 Supervisory Insights Winter 2006 Chasing the Asterisk: A Field Guide continued from pg. 13

Unfairness Based upon Lack of Utility A bank advertised a credit card with no application or annual fees. However, consumers were charged a “refundable acceptance fee,” which completely exhausted the available credit line. According to the terms of the card, this acceptance fee would be “refunded” in incre- ments of $50 every three months, assuming the consumer paid the minimum amount due on a timely basis, making available an equal amount of credit. As opposed to an annual fee, a monthly maintenance charge of $10 was charged against the account, along with an interest rate of almost 20 percent against the outstanding balance. The FDIC found that the “refundable acceptance fee” was nothing more than a entry used by the bank to create a balance upon which it could assess interest and other charges. At a minimum, consumers were paying $120 a year plus interest in exchange for the use of a credit line made available to them in $50 increments. Account activity reports showed little or no purchases or charges, only the assessment of monthly fees, interest, and other charges. The card program was determined to be “unfair.” The fees associated with the program made any benefit negligible, and the program was structured so that only a very small percentage of account holders would receive any initial or subsequent credit. Moreover, with no out-of- pocket money at risk and the limited utility of the card, a high delinquency rate was foreseeable. Within six months from the initial offering of the product, nearly 50 percent of all accounts opened were delinquent.

or troubled borrowers—its reason- examiners may be unaware of any ableness must be evaluated from the potential unfair or deceptive concerns vantage point of that group; and, prior to their examination of a bank. (3) The misleading representation, omis- FDIC examiners may identify potential sion, or practice must be material. UDAPs during the course of an exami- nation, through a consumer complaint, A deceptive representation can be or through referrals from state or local expressed, implied, or involve a material agencies or consumer protection omission. The overall impression is key— organizations. Reports of unfair or written disclosures in the text or fine deceptive acts or practices in the print in a footnote may be insufficient to media—print, TV, and the Internet— correct a misleading headline.10 may trigger investigations. As can be seen from the examples in the text box above and on the facing The scope of an examination or inves- page, and as stated in the Joint Guid- tigation to determine whether an insti- ance, whether an act or practice is unfair tution is engaging in UDAPs involves a or deceptive depends upon a careful review of the institution’s products, serv- analysis of the facts and circumstances. ices, target markets, operations, and In analyzing a particular act or practice, compliance management systems and the FDIC is guided by the body of law programs. Examiners first develop a risk and official interpretations for defining profile for the institution using informa- UDAPs developed by the courts and the tion about the institution’s business FTC, as well as factually similar cases lines, organizational structure, opera- brought by other enforcement and regu- tions, and past supervisory performance. latory agencies, including other federal Then they investigate any identified high- bank regulatory agencies.11 risk areas, such as subprime lending and third-party relationships. Identifying UDAP Issues Identifying red flags and high-risk UDAPs are not always apparent or areas, and investigating them, is a key easily discovered. In most instances, part of any UDAP review or investigation.

10 FTC Policy Statement on Deception, p. 5, October 14, 1983, www.ftc.gov/bcp/policystmt/ad-decept.htm. 11 Joint Guidance at page 2; FIL-57-2002, Guidance on Unfair or Deceptive Acts or Practices, May 30, 2002, www.fdic.gov/news/news/financial/2002/fil0257.html.

14 Supervisory Insights Winter 2006 Deceptive Advertising and Billing On one bank’s home page was a large multicolored advertisement that prominently displayed a series of credit cards and a large blue ball. Alternately flashing across the ball, in bold white letters outlined in red, were the statements “NO COLLECTION CALLS*!” and “NO LATE FEES*!” Although each statement contained an asterisk, there were no explanatory notes on this page. A consumer who clicked on the blue ball or one of the credit cards would be linked to an application page containing the online application form. At the top of this page, the statements “NO collection calls*” and “NO late fees*” again appeared as static text, along with the statement, “NO Nonsense.” The phrases “NO COLLECTION CALLS*,” “NO LATE FEES*,” and “APPLY NOW!” appeared a second time on this page as flashing text in a red banner. The following text appeared in small print in the middle of the page, largely obscured by other promotional information: Late fees may apply and you may receive collection calls if payments are past due on your credit account and charges or fees incurred cause your credit account balance to exceed its credit line (over limit) or any portion of your credit line becomes unsecured . . . If the consumer clicked the site on or near “APPLY NOW!” the online application moved from the middle to the top of the screen, covering over this qualification. If, instead of clicking “APPLY NOW!” the consumer clicked the “Important Terms and Conditions” link appearing at the top of the application page, they would be taken to another web page containing the general terms and conditions, again with the flash- ing statements “NO COLLECTION CALLS*,” “NO LATE FEES*,” and “APPLY NOW” appearing at the top of the page. In this instance, as with the original statements on the bank’s home page, there were no qualifying disclosures. The FDIC found the statements to be deceptive. The qualifications, printed in small text and largely obscured, contradicted the prominently advertised terms. Additionally, while the banner headlines appeared multiple times on each of the three pages, the qualifying language appeared only once, could easily be skipped, and was completely covered if the consumer clicked the link for the online application. In a similar case, the bank sent out billing statements to its delinquent credit card account holders featuring a prominently placed message, located in a box in the center of the statement, advising the consumer that if they paid a specific sum, they could avoid additional fees and further collection efforts. Upon investigation, the examiners determined that the amount stated in the message box was the amount past due, not the larger minimum payment amount, and that payment of this amount would result in additional charges as well as continua- tion of the consumer’s delinquent status. Although the minimum amount due was stated elsewhere on the billing statement, the bank’s practice was deceptive because it used an alternative amount in the message box to direct the consumer’s attention away from the correct minimum payment amount necessary to restore their account to a current status. Moreover, despite the bank’s explicit claims to the contrary, payment of the amount the bank spec- ified in the message box would subject the consumer to what they were told they would avoid: additional fees and collection efforts. The bank was directed to immediately terminate this practice and reimburse those consumers who incurred late charges and other fees as a result of this practice.

review consumer complaints. At the Red Flags That Could Warrant FDIC, complaints received regarding a UDAP Review state nonmember banks are maintained in an automated database and are avail- Consumer Complaints able directly to examiners. In addition Consumer complaints are often a key to reviewing complaints received by source of information on possible the FDIC, on-site examinations always UDAPs.12 include a review of the complaints received by the institution and its pro- As part of the pre-examination cedures for addressing them.14 process,13 examiners are required to

12 For agencies that do not have authority to perform on-site examinations, such as the FTC or a state attorney general, consumer complaints often serve as the primary basis for their investigations. 13 FDIC Compliance Examination Handbook, “Compliance Examinations—Pre-examination Planning,” page II-3.1. 14 Ibid., “Compliance Examinations—Analysis,” page II-4.1.

15 Supervisory Insights Winter 2006 Chasing the Asterisk: A Field Guide continued from pg. 15

When reviewing complaints, examiners Investigations by Other Federal also look for trends: for example, how or State Agencies many of the same or similar type of complaints did the bank receive? While The FDIC gives serious attention to a large volume of complaints will fre- investigations initiated by other govern- quently indicate an area of concern, ment agencies such as state banking the number of complaints received is departments or attorneys general offices. not a determining factor in and of itself The regional offices are often notified of whether there is a potential unfair or directly by the investigating agency, deceptive issue. A small number of although notice may first come from complaints do not undermine the validity the target bank once it has learned it is of the complaints or the seriousness of under investigation.16 the allegations raised. If even a single Where a state or other agency asserts complaint raises apparent valid concerns that an FDIC-insured institution has relative to a potential UDAP, the exam- violated state consumer protection law, iner may determine that a Section 5 the FDIC office in the Region, in consul- review is warranted. Consequently, tation with the Washington office, examiners focus on the issues raised in reviews the allegations to determine if complaints, not just the number of they involve potential UDAPs. Although complaints. such assertions may be based on state Because many consumers may not law, they nonetheless may also involve be aware that the FDIC and the other potential violations of Section 5 of the bank regulatory agencies have con- FTC Act. sumer protection offices responsible for investigating consumer complaints,15 Criticism of Institution, Product, examiners may contact other entities or Service in the Media more generally known to consumers as places to file a complaint. These Newspaper articles, radio programs, and include the Better Business Bureau, the television consumer reports can provide FTC, and state agencies, such as a state information on potential UDAP issues. banking department or an attorney For example, during the course of one general’s office. bank examination, a local news station did a special report on a consumer’s When reviewing complaints, examiners pay particular attention not only to the complaint of deceptive practices at the immediate concerns of the consumer, bank’s mortgage subsidiary. This informa- but the broader implications. Allegations tion further corroborated issues examin- or claims that may indicate possible ers noted in consumer complaints. UDAPs include Internet searches for information on • Misleading or false statements, an institution or a particular product or service it offers (such as a credit • Missing disclosures or information, card or other loan product) can be • Undue or excessive fees, another source of information on possible UDAPs. There are many • Inability to reach customer service, or websites and blogs where consumers • Previously undisclosed charges. write about the problems they have

15 Congress amended the FTC Act in 1975 to require that each of the bank regulatory agencies establish a division of consumer affairs to address complaints. See 15 U.S.C. § 57a. 16 As part of the Compliance Information and Document Request (CIDR) sent to institutions prior to a compliance examination, financial institutions are asked whether they are subject to any investigation by a state or govern- ment entity or other legal action.

16 Supervisory Insights Winter 2006 had with particular entities or prod- ucts. These websites may be used by Analyzing Third-Party examiners to supplement information Relationships in the complaints received by the FDIC In reviewing third-party arrangements, and state authorities. examiners consider • The types of services or products High-Risk Areas Requiring provided by the third party and their Scrutiny for UDAPs potential for possible UDAP concerns;

Subprime Products • The due diligence conducted by the bank prior to entering into an agreement with Subprime lending, by its nature, the third party; involves the extension of credit to • The extent of the bank’s oversight and borrowers who may be among the more monitoring of the third party; particularly economically vulnerable or less finan- whether the bank’s oversight goes beyond cially sophisticated. While the presence “rubber-stamping” disclosures or solicita- of subprime products does not automati- tions produced by the third party; and cally equate to unfairness or deception, the complexity of many of these prod- • Whether the bank reviews customer serv- ucts and their pricing structure may ice and collection activity for compliance raise Section 5 concerns. with Section 5. Subprime products are sometimes Financial institutions also can consider specifically marketed to consumers these issues when assessing a potential or with lower levels of financial sophis- ongoing relationship with a third party. tication, creating greater risk for Section 5 problems. Products targeted to the elderly, recent immigrants, or a provides advertising services, issues specific ethnic or racial group are also credit cards through the bank, sells subject to scrutiny for Section 5 viola- insurance, brokers loans, or purchases tions, as well as for violations of the loans or receivables from the bank. Equal Credit Opportunity and Fair Collection activity is another activity Housing Acts. frequently conducted by unaffiliated third parties. Third-Party Relationships Examiners analyze all third-party rela- The prohibitions against UDAPs found tionships, affinity agreements, contracts, in the FTC Act apply to state-chartered or partnerships in which the bank is banks, their subsidiaries and institution- involved or anticipates involvement. In affiliated parties, and third-party con- particular, examiners focus on what func- tractors.17 Third-party relationships, both tions the third party performs for the affiliated and unaffiliated, are one of the bank and the bank’s oversight and moni- most common features in the Section 5 toring of the relationship. violations found by FDIC examiners. If the bank is involved with a third party that offers products or services Unaffiliated Third Parties that raise concerns about UDAP, such An unaffiliated third-party relation- as subprime loans, examiners closely ship could include a company that review the agreement between the bank

17 FIL-57-2002, Guidance on Unfair or Deceptive Acts or Practices, May 30, 2002, www.fdic.gov/news/news/ financial/2002/fil0257.html

17 Supervisory Insights Winter 2006 Chasing the Asterisk: A Field Guide continued from pg. 17

and the third party to fully understand the bank’s organizational culture. Previ- its scope and to identify important ously independent entities and independ- terms and conditions, such as indem- ent vendors frequently have difficulty nification clauses and limitations on assimilating and conforming to the liability, that may have an impact on supervisory compliance structure of the redress for consumers. Moreover, regulated institutions. if the agreement provides for the perfor- If weaknesses are seen in the oversight mance of significant activities by the and controls of a bank subsidiary or affil- third party—such as marketing, loan iate, and the types of products or serv- processing, or collections—examiners ices the subsidiary or affiliate offers have may need to conduct an on-site visita- the potential for possible unfair or decep- tion of the third party. tive practices, examiners may review related files, documents, disclosures, or Affiliated Third Parties information on-site at the offices of the Examiners will want to be apprised of subsidiary or affiliate instead of at the all subsidiaries and affiliates and the bank. As with any examination, examin- types of products and services each ers on-site observe how the subsidiary or offers. Other important factors in the affiliate operates, the business culture, examiner’s analysis include and how well-versed employees dealing directly with consumers are with applica- • Level of control and oversight the ble laws and regulations. banks exert over the subsidiary; • Types of reporting mechanisms in Analyzing an Unfair or place; Deceptive Case • Origin of the relationship between Section 5 of the FTC Act does not the bank and the affiliated third party impose any specific requirements on (i.e., was the subsidiary or affiliate banks.18 The policies and procedures “homegrown” or was it an independ- necessary to avoid engaging in unfair or ent entity purchased by the bank?). deceptive activities will largely depend Regarding the relationship between on an institution’s business strategy, its the bank and the affiliated third party, target markets, its products and services, it can sometimes take a long time to and its relationships with third parties. implement bank policies and procedures The UDAP examination procedures and integrate a purchased subsidiary into cover various topics to assist examiners

Importance of Strong Oversight and Control In some cases involving UDAP issues, the banks involved had affinity agreements with unaffili- ated third-party providers to issue credit cards via a rent-a-BIN arrangement. In this type of arrangement, the financial institution permits a third party to use its Bank Identification Number (which is required to issue credit cards) to issue credit cards on its behalf. Generally, in rent-a- BIN relationships, the institution sells its credit card receivables to the third party, although the bank remains the issuer. In both small and large institutions involved in these arrangements, examiners have at times found a lack of oversight and control, resulting in unchecked UDAPs in connection with the subprime credit card product issued under the bank’s name.

18 FDIC Compliance Examination Handbook, “Abusive Practices—Federal Trade Commission Act,” page VII-1.5.

18 Supervisory Insights Winter 2006 in their review: product structure and raise questions about whether a product terms, advertising and solicitation, fulfills its various marketing promises— repricing and change of terms, servic- claims often based upon building or ing and collections, and monitoring improving a borrower’s credit. Account the conduct of third parties. A activity reports, with fees and interest Section 5 analysis is not based upon a broken out, may also raise questions. particular checklist, but is fact specific. In several credit card products reviewed The examination procedures provide, by FDIC examiners, the limited credit as guidelines, questions for examiners lines were largely exhausted by various to consider when evaluating a particular account opening fees and other fees. act or practice, developed largely based As a result, there was no purchase or upon past Section 5 violations. When- other normal credit activity because ever an examiner determines a product there was little or no available credit. or practice is potentially unfair or decep- Activity reports for deposit products, tive, he or she will analyze it using the such as stored-value cards, are also often standards for unfairness and deception reviewed to assess consumer usage, summarized in the examination proce- access to account information, and the dures and discussed more fully in the assessment of fees and other charges and Joint Guidance. their impact on the deposited balance. In addition to setting forth the stan- Enforcement actions brought by the dards for evaluating a potential FDIC, other banking agencies, and the Section 5 situation, the Joint Guidance FTC on similar issues, and guidance addresses a number of other topics issued by the FDIC and these agencies examiners consider when evaluating provide an important framework for a product or practice. The Joint Guid- analyzing potential Section 5 violations. ance further discusses the interplay State investigations and actions may also between the FTC Act and other laws, be useful in evaluating an unfairness or and cautions that even though a bank deception claim. The FDIC’s examination may be in technical compliance with procedures provide a reference section other laws, such as the Truth in Lend- on cases and guidance on unfairness or ing or Truth in Savings Acts, a product deception issues relating to specific areas, or practice may still violate Section 5. such as mortgage and credit card lending, For example, a bank’s credit card adver- and servicing and collections.19 tisement may contain all the required Given the dynamic nature of the Truth in Lending Act disclosures, but market and the constant emergence of obscured or inadequately disclosed new products and practices that may material limitations and restrictions raise unfairness or deception issues, it could lead to a Section 5 violation. is important to remain alert to any new In analyzing a product or service that case law or guidance on a given topic. raises unfairness or deception concerns, examiners will often look beyond the compliance aspects and evaluate the Corrective Action product or practice from a safety and As with any violation of law or regula- soundness perspective. For example, tion, the response to a violation of the high default and delinquency rates identi- FTC Act will depend on a number of fied through profitability reports, aging factors, including and delinquency reports, or re-aging and negative amortization practices may • The nature of the violation;

19 Ibid., page VII-1.7.

19 Supervisory Insights Winter 2006 Chasing the Asterisk: A Field Guide continued from pg. 19

• Whether it is a repeat violation or with constant new products and services a variation of a previously cited emerging, it is critical that UDAP situa- violation; tions be evaluated with a national perspective. The FDIC recognizes the • The harm, or potential harm, suffered seriousness of violations involving by consumers; UDAPs and the potential impact of such • The number of parties affected; and violations on consumers, the institution, and the community at large. Therefore, • The institution’s overall compliance examiners are required to consult with posture and history, both in general both the regional and headquarters and with respect to UDAPs. offices when they first identify a product Significant violations not only may or service that raises deception or require discontinuance of the practice unfairness concerns. Headquarters and reimbursement of consumers, but concurrence, which may include consul- may also result in a downgrade of the tation with the FDIC’s Legal Division bank’s compliance (and possibly CRA20) and the FTC, must be obtained before a rating as well as an enforcement action. violation of the FTC Act may be cited in an examination report. UDAP—a Priority at the FDIC The FDIC has made identification of products and services with UDAP impli- Unlike most consumer compliance cations a key priority in its efforts to laws and regulations, which tend to be combat predatory lending practices. The prescriptive, Section 5 of the FTC Act is significance and seriousness of these a broadly written law subject to inter- violations should not be underestimated: pretation. While Section 5 is specific in they are raised to the highest levels of the criteria that must be met for an act the FDIC, and can adversely affect the or practice to be considered unfair or institution’s overall compliance, CRA, deceptive, determining whether any and safety and soundness ratings. particular act or practice is unfair or Depending on their severity, violations deceptive requires a review of applicable may result in a costly formal enforce- law and judgment. In a dynamic market ment action and restitution for

Corrective Action in the Case of Overdraft Protection and Erroneous ATM Disclosures In several cases involving overdraft protection, examiners found that the bank provided only a single account balance at its ATMs reflecting the consumer’s actual balance plus the amount of overdraft protection. If consumers did not have adequate information at the time of their ATM transaction to determine the amount of funds they had available, they could inadvertently over- draw their accounts and incur overdraft protection fees as well as other charges. In some instances, the FDIC determined that this practice was deceptive based upon an omis- sion of material information necessary for the consumer to consider in making an informed decision. The affected banks corrected the problem in different ways: some posted signs at ATMs that alerted customers that withdrawals might overdraw accounts and trigger fees; others took steps to ensure that ATMs showed actual account balances. The FDIC required banks to identify and reimburse all consumers who were charged overdraft protection and other fees as a result of the initial practice.

20 12 C.F.R. § 345.28(2).

20 Supervisory Insights Winter 2006 consumers. These actions, in turn, may The authors acknowledge the assis- damage the institution’s reputation, tance provided by the following FDIC expose it to litigation risk, and result in staff in the preparation of this article: substantial financial loss. Financial insti- Todd L. Hendrickson, Field Office tutions should use this information and Supervisor (Compliance) and Denise prior guidance on unfairness and decep- R. Beiswanger, Senior Compliance tion issued by the FDIC and other agen- Examiner, Sioux Falls Field Office; cies to educate their staffs on how to Greg Gore, Counsel, Richard Bogue, avoid UDAPs and to strengthen their Counsel, and Hugo Zia, Counsel, compliance management system overall. Washington Office Legal Division; Mira Marshall, Senior Policy Analyst, Deirdre Foley Compliance Policy Section, Washing- Senior Policy Analyst ton Office; and Patricia W. Farrell, Washington, DC Acting Field Office Supervisor (Compliance) and Robert M. Macrae, Kara L. Ritchie Field Office Supervisor (Compli- Review Examiner, Boston, MA ance), Philadelphia Field Office.

21 Supervisory Insights Winter 2006 Understanding BSA Violations1

he Bank Secrecy Act (BSA) and its Secrecy Act” or “BSA.” The BSA estab- implementing rules are not new; lished basic recordkeeping and reporting Tthe BSA has been part of the bank requirements for private individuals, examination process for more than three banks and other financial institutions. decades.2 In recent years, a number of The complexity of the BSA expanded in financial institutions have been assessed subsequent years with legislative changes large civil money penalties for noncom- requiring banks to establish procedures pliance with the BSA. While most to ensure BSA compliance. Provisions insured financial institutions examined were also added establishing criminal demonstrate an adequate system of BSA liability against persons or banks that controls, these high profile cases high- knowingly assist in money laundering light the importance of banks’ efforts to or structuring or that avoid BSA report- ensure compliance with the BSA and its ing requirements. implementing rules. Nevertheless, where The most sweeping changes in the BSA an institution falls short of these require- occurred shortly after the September 11, ments, these shortfalls can result in viola- 2001, terrorist attacks with the passage tions of the BSA and the implementing of the Patriot Act in October 2001.3 The rules being cited in Reports of Examina- Patriot Act criminalized the financing of tion (ROE). terrorism and augmented the BSA by This article discusses the evolution of strengthening customer identification the BSA, including a brief overview of the procedures; prohibiting financial institu- USA PATRIOT Act (Patriot Act) changes. tions from engaging in business with The article also discusses the types of foreign shell banks; requiring financial BSA-related violations cited in examina- institutions to have due diligence proce- tion reports, provides examples of best dures, and, in some cases, enhanced due practices for maintaining a strong Bank diligence procedures for foreign corre- Secrecy Act/Anti-Money Laundering spondent and private banking accounts; (BSA/AML) compliance program, and and improving information sharing clarifies the distinctions between a signif- between financial institutions and the icant BSA program breakdown and tech- U.S. government. The Patriot Act and its nical problems in financial institutions. implementing regulations also • Expanded the AML program require- Evolution of the BSA ments to all financial institutions; The first Anti-Money Laundering • Increased the civil and criminal penal- (AML) statute, enacted in the U.S. in ties for money laundering; 1970, was titled Currency and Foreign • Provided the Secretary of the Trea- Transactions Reporting Act and has sury with the authority to impose become commonly known as the “Bank

1 This article reflects the FDIC’s practices to date and is not intended to be a legal interpretation. Information is provided to assist banks in complying with the law but is subject to adjustment as examination practices are reviewed or refined. 2 By regulation, authority to examine for BSA compliance has been delegated to the regulator of each category of financial institution (i.e., the banking regulators for banks, the Securities and Exchange Commission for broker- dealers), and to the IRS for institutions that do not have a primary regulator. 31 CFR 103.56(b). The first rules dele- gating this authority were finalized in 1972. See 37 FR 6912, April 5, 1972. 3 Refer to the Supervisory Insights, From the Examiner’s Desk… Summer 2004 edition for a discussion of the USA PATRIOT Act and new regulations affecting the industry. See www.fdic.gov/regulations/examinations/supervisory/ insights/sisum04/sisum04.pdf.

22 Supervisory Insights Winter 2006 “special measures” on jurisdictions, In addition, the Patriot Act required institutions, or transactions that are of banks to establish a customer identifica- “primary money laundering concern”; tion program, which must include risk- based procedures that enable the • Facilitated records access and institution to form a reasonable belief required banks to respond to regula- that it knows the true identity of its tory requests for information within customers. Referred to as the “fifth 120 hours; and pillar,” this requirement was imple- • Required the Federal banking agen- mented in October 2003. cies to consider a bank’s AML record Examiners assess compliance in these when reviewing bank mergers, acqui- areas during BSA/AML examinations. sitions, and other applications for Relevant findings from transaction test- business combinations. ing and recommendations to strengthen To ensure consistency in the BSA/AML the bank’s BSA/AML compliance examination process and provide guid- program, including its policies, proce- ance to the examination staff, the dures, and processes, are reflected Federal banking agencies, the Financial within the ROE, and are an integral part Crimes Enforcement Network (FinCEN), of the FDIC’s risk management examina- and the Office of Foreign Control tion process. Examination findings may released the Federal Financial Institu- include violations of the BSA and the tions Examination Council’s Bank implementing rules. The next section Secrecy Act/Anti-Money Laundering takes a closer look at the different types Examination Manual in June 2005. of violations and discusses the signifi- The manual was updated and re-released cance of these types of violations in an in July 2006.4 overall BSA/AML program.

Required Elements of BSA-Related Violations a BSA/AML Program For state-chartered, nonmember banks Federal law requires each financial supervised by the FDIC, applicable BSA- institution to establish and maintain a related violations include infractions of BSA/AML compliance program. This FDIC Rules and Regulations (12 CFR program must provide for the following 326.8 and 12 CFR 353), as well as, the minimum requirements (also referred to Department of Treasury Regulations as “pillars”) as outlined in Part 326.8 of (31 CFR 103). These regulations, in FDIC Rules and Regulations: addition to other applicable legal require- ments, are summarized as 1) A system of internal controls to ensure ongoing compliance. A body of statutes, regulations and administrative rulings, both Federal 2) Independent testing of BSA and State, is an element of the regu- compliance. latory framework within which banks 3) A specifically designated person or operate. Their underlying rationale is persons responsible for managing the protection of the general public BSA compliance (i.e., BSA compli- (depositors, consumers, investors, ance officer). creditors, etc.) by establishing bound- aries and standards within which 4) Training for appropriate personnel. banking activities may be conducted.

4 See FFIEC BSA/AML Examination Manual InfoBase, www.ffiec.gov/bsa_aml_infobase/default.htm.

23 Supervisory Insights Winter 2006 Understanding BSA Violations continued from pg. 23

The FDIC assigns a high priority to all BSA/AML program. BSA program the detection and prompt correction violations must be supported by at of violations in its examination and least one pillar violation. Violations supervisory programs.5 of individual pillars might, or might not, lead to the conclusion that the In general, there are three broad cate- bank has suffered an overall BSA/AML gories of violations that reflect noncom- program violation. A BSA/AML pro- pliance with BSA-related regulations: gram failure exposes the institution to (I) Lack of an effective overall compli- an unnecessarily high level of potential ance program,6 or specified compo- risk to money laundering or other nents of a program (“pillar”);7 illicit financial transactions. The first possible indication that a BSA program (II) Systemic and recurring noncompli- has failed is by the absence of one or ance with the BSA and implement- more of the required pillars. For exam- ing regulations; and ple, a bank might have a lengthy (III) Isolated and technical noncompli- period when there is no designated ance with the BSA. BSA compliance officer, or may have failed to provide necessary training. Examiners document in the ROE instances of noncompliance with the A BSA/AML program failure can also BSA to develop and provide for the be demonstrated by significant noncom- continued administration of a BSA/AML pliance, on a recurring or systemic basis, compliance program reasonably with the primary elements of the BSA designed to assure and monitor com- related to recordkeeping and reporting pliance with the BSA. However, BSA of critical financial information,8 as compliance deficiencies range from outlined in the Department of Treasury isolated instances of noncompliance Regulations 31 CFR 103. Generally, within an effective overall BSA/AML examination reports citing BSA/AML compliance program to serious weak- program failures would include violations nesses exposing the institution to an that demonstrate noncompliance with unacceptable level of risk for potential one or more of the primary elements of money laundering or other illicit finan- the minimum financial recordkeeping or cial activity. The distinction between reporting requirements. These require- these violations types is outlined below. ments include (I) Program Violations. Violations of Reporting suspicious transactions by the FDIC’s BSA/AML program rule are filing Suspicious Activity Reports cited when failure occurs in the over- (SARs) [31 CFR 103.18];9

5 From the FDIC’s Risk Management Manual of Examination Policies and applies to violations that may be cited for all types of examinations (e.g., Safety and Soundness, BSA, Information Technology). 6 12 CFR 326.8(b)(1) requires that each bank develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with recordkeeping and reporting requirements. 7 12 CFR 326.8(b)(2) and (c)(1) through (c)(4) require that a program specifically include: implementing a customer identification program; establishing system of internal controls; providing independent testing; designating a BSA Officer; and instituting a training program. 8 The BSA, Titles I and II of Public Law 91-508, as amended, modified at 12 D.S.C. 1829b, 12 D.S.C. 1951-1959, and 31 D.S.C. 5311-5332, authorizes the Secretary of the Treasury, inter alia, to require financial institutions to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, and regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, to protect against international terrorism, and to implement counter-money laundering programs and compliance proce- dures. Regulations implementing Title II of the Bank Secrecy Act appear at 31 CFR 103. 9 Part 353 of the FDIC Rules and Regulations parallels 31 CFR 103.18, related to suspicious activity reporting requirements.

24 Supervisory Insights Winter 2006 Implementing a program to obtain • Consistently failing to obtain critical and verify customer identification customer identification information at [31 CFR 103.121]; account opening; and Establishing procedures for respond- • Systems and programs that do not ing to information requests made by allow for proper aggregation of multi- law enforcement through the FinCEN, ple cash transactions for regulatory in accordance with the process reporting purposes. provided for in Section 314(a) of the Patriot Act [31 CFR 103.100]; Systemic violations of the BSA repre- sent significant noncompliance with Reporting large cash transactions financial recordkeeping and reporting through accurate and timely Currency requirements or reflect failures within Transaction Report filings (CTRs) one or more pillars of a BSA/AML [31 CFR 103.22]; and/or program, if not the overall BSA/AML Documenting purchases and sales of program. monetary instruments and incom- ing/outgoing wire transfers [31 CFR (III) Isolated and Technical Isolated and technical 103.29 and 31 CFR 103.33]. Violations. violations are those limited instances of To affect corrective action when a noncompliance with the financial record- BSA/AML program violation is cited, the keeping or reporting requirements of FDIC will issue a cease and desist order the BSA that occur within an otherwise as required under Section 8(s) of the adequate system of policies, procedures, Federal Deposit Insurance Act. and processes. Despite the adequacy of the overall program, examiners may (II) Systemic and Recurring note minor violations regarding limited, Violations. Regardless of whether a program failure which falls under isolated individual transactions and will Section 8(s) is found, an examiner focus ROE comments on critical missing could find systemic violations which or incorrectly reported information for relate to ineffective systems or controls those transactions. These types of viola- to maintain necessary documentation tions do not generally result in signifi- or reporting of customers, accounts, or cant concerns over management’s transactions, as required under various administration of the overall BSA/AML provisions of 31 CFR 103. Determining program. Further, when such violations whether such violations are systemic are correctable and management is will- may be influenced by the number of ing and able to implement appropriate customers, accounts, or transactions corrective steps, a formal supervisory affected; the importance of the unavail- response may not be warranted. able or unrecorded information; the pervasive nature of noncompliance; the The Best Defense Is a predominance of violations throughout Good Offense the organization; and/or certain program elements that do not adequately provide The steps a bank should take to ensure for an effective system of reporting. compliance with the BSA and its imple- Examples of violations that may result menting rules are documented exten- in systemic violations include sively and are consistent with guidelines that existed before the implementation • Habitually late CTR filings across the of the Patriot Act: To avoid the most organization; serious violations and the implica- • A significant number of CTRs or SARs tions that can result when those viola- with errors or omissions of critical tions are cited, banks must have a data elements; strong BSA/AML compliance program.

25 Supervisory Insights Winter 2006 Understanding BSA Violations continued from pg. 25

Financial institutions should ensure they the board of directors to oversee BSA have a well-developed and documented functions and ensure that regulatory risk assessment that accurately captures requirements and bank policies are the risk exposures of their products, being followed on a day-to-day basis. services, customers, and geographic While banks have long been required locations. Exposures identified through to have an appropriate BSA program, the risk assessment should be addressed including policies, procedures, and in policies and procedures making sure processes in place to ensure BSA all identified risks are addressed. Moni- compliance, passage of the Patriot Act toring programs should be in place to has resulted in a number of sweeping ensure account and transaction activity changes to the BSA. Understanding is consistent with expectations and to the main components of a strong BSA identify and report suspicious activity. compliance program will help banks to A strong training program should ensure appropriately implement these changes that appropriate personnel are familiar and future amendments. with regulatory requirements and bank policies. The compliance program should For additional information on be subjected to a periodic independent BSA/AML, refer to the Federal Financial test of BSA/AML controls to verify Institutions Examination Council’s compliance with the financial institution’s (FFIEC’s) BSA/AML InfoBase. (See BSA/AML program. The test plan and its http://www.ffiec.gov/bsa_aml_infobase/ results should be reviewed by manage- default.htm.) The InfoBase is intended to ment to ensure corrective action is taken be a one-stop resource for BSA compli- and the scope of testing meets the bank’s ance. In addition to the FFIEC BSA/AML requirements. Finally, the bank should Examination Manual, the InfoBase have a qualified employee designated by includes, for example, a list of frequently asked questions, various forms needed for meeting BSA/AML compliance Table responsibilities, and links to the various Best Practices for BSA/AML BSA/AML laws and regulations. Compliance Debra L. Novak 1) Comprehensive Risk Assessment Chief, Anti-Money Laundering 2) Appropriate Policies and Procedures Section 3) Adequate Monitoring Programs Washington, D.C. 4) Strong Training Programs 5) Thorough Independent Testing Charles W. Collier 6) Qualified Employee Overseeing Day-to-Day Senior Program Analyst, Operations Anti-Money Laundering Section Washington, D.C.

26 Supervisory Insights Winter 2006 From the Examiner’s Desk . . . Examiners Report on Commercial Real Estate Underwriting Practices

This regular feature focuses on devel- these issues in their assessments of opments that affect the bank exami- banks’ risk management practices. nation function. We welcome ideas for future columns. Readers are encouraged to e-mail suggestions to FDIC-Supervised Banks Are [email protected]. Becoming Increasingly Reliant on CRE Lending uch has been written about the increase in commercial real The writers’ field examination experi- Mestate (CRE) lending. The FDIC ence, as well as information from other has published numerous articles over the examiners, indicates that many of the last few years reporting increased levels institutions experiencing moderate to of CRE and construction and develop- rapid growth in CRE lending see such ment (C&D) loans as a percentage of loans as their particular market niche. total capital.1 The Federal banking regu- Larger financial institutions and other lators2 have each alerted their supervised market participants have gained pricing financial institutions to the risks associ- advantages over community banks in ated with this rapid growth and the other areas of lending, particularly tradi- potential erosion of prudent underwrit- tional residential mortgages, home ing practices in the effort to capture lines of credit, and other market share. In 2004, an article in this consumer financing. In addition, the use journal discussed a CRE lending review of predictive credit scoring models for program conducted in the FDIC’s small and medium-sized business loans Atlanta Region, where a relatively high continues to gain wider acceptance number of banks reported significant among larger lenders and leasing compa- levels of CRE exposure.3 nies. Community banks can, however, compete for CRE loans because of their In this article, we take a closer look at knowledge of local markets and borrow- CRE underwriting and loan administra- ers. This characteristic has enabled tion practices, present recurring exami- community banks to expand their share nation findings, and discuss best of the CRE market nationwide. Growth practices for managing CRE portfolios in CRE concentrations among FDIC- in the current environment. This infor- supervised banks is detailed in Table 1. mal review suggests that examiners are observing weaknesses in CRE under- writing and loan administration fairly Examiners Report on CRE frequently. A strong economy has thus Underwriting far helped protect insured banks against the risks associated with CRE. Neverthe- In an effort to identify changes in less, the FDIC is concerned about trends underwriting practices for CRE concen- in the underwriting and management of trations, we requested information on CRE risks. Examiners are considering examination findings from each of the

1 FDIC Outlook, Summer 2006; FDIC Quarterly Banking Profile, First Quarter 2006. 2 Office of the Comptroller of the Currency; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision. 3 Assessing Commercial Real Estate Portfolio Risk, Supervisory Insights, Vol. 1, Issue 1, Summer 2004, www.fdic.gov/regulations/examinations/supervisory/insights/sisum04/index.html.

27 Supervisory Insights Winter 2006 From the Examiner’s Desk . . . continued from pg. 27 Table 1 Percentage of FDIC-Supervised Institutions with CRE Loans/Total Capital Ratios > 300% by FDIC Region Region June-00 June-01 June-02 June-03 June-04 June-05 June-06 San Francisco 42.0 46.8 51.8 54.1 55.2 60.0 59.8 Atlanta 21.9 28.6 35.7 40.4 44.1 47.6 50.9 Chicago 12.6 15.3 20.1 20.8 24.8 28.2 30.4 New York 10.5 12.1 17.7 19.2 21.7 24.8 27.6 Dallas 11.5 13.3 15.9 17.7 20.4 22.8 24.8 Kansas City 7.4 8.1 8.8 10.2 12.2 14.7 17.1 Note: Data from June 2000 through June 2006 Reports of Condition.

six FDIC Regional Offices. Examiners responded either with examples of indi- CRE Monitoring and vidual institutions from recent examina- Management Information tions or with a synopsis of recurrent Systems Can Mitigate Risk findings. Examiners indicated that many institu- The most common deficiencies noted tions have increased their exposure to were of institutions failing to monitor CRE lending without a formal monitor- their CRE portfolios properly and fail- ing system or adequate consideration of ing to comply with the requirements of concentration risk. Some institutions did Part 365 of the FDIC Rules and Regula- not know what percentage of their CRE tions—Real Estate Lending Standards portfolio was concentrated in more risky (see text box, Major Provisions of Part speculative C&D loans. Common defi- 365). Other areas of concern were the ciencies include lack of effective oversight of construc- • Failure to consider or establish limits tion projects, weak appraisal review of exposure by type (e.g., condo- programs, inadequate knowledge of minium conversion, multifamily) or lending markets, and poor loan struc- geographic market; turing. While noting such deficiencies, examiners also reported many best • Preparing reports of activity for senior practices that mitigate the risk. management and the board of direc- tors that do not provide sufficient

Major Provisions of Part 365—Real Estate Lending Standardsa • Written lending policies must establish – Diversification standards – Prudent underwriting standards that include clear and measurable loan-to-value limits – Loan administration procedures – Guidelines for monitoring loan policy compliance

• Market conditions must be monitored. • Real estate lending policies should reflect consideration of the Interagency Guidelines for Real Estate Lending Policies (Appendix A to Part 365). a Part 365 of the FDIC Rules and Regulations prescribes real estate lending standards to be used in a state nonmember bank’s lending policies. See 12 CFR 365.2.

28 Supervisory Insights Winter 2006 information to enable management to make informed decisions; Supervisory Loan-to-Value a • Inadequate or nonexistent interest Limits rate stress testing; and Institutions should establish their own internal loan-to-value limits for real estate • Failure to prepare timely or consistent loans. These internal limits should not concentrations reports. exceed the following supervisory limits: This lack of oversight often caused Loan-to-value examiners to cite contraventions of FDIC Loan category limit (percent) Rules and Regulations, specifically Raw land 65 Appendix A to Part 365—Interagency Land development 75 Guidelines for Real Estate Lending Poli- Construction: 4 cies at safety and soundness examina- Commercial, multifamily,b tions. Examiners provided examples of and other nonresidential 80 institutions failing to monitor the loan 1- to 4-family residential 85 portfolio appropriately for loan-to-value Improved property 85 exceptions (see text box, Supervisory Owner-occupied 1- to 4-family – Loan-to-Value Limits). The following and home equityc were common deficiencies: a Appendix A to Part 365 of FDIC Rules and • Failure to track exceptions; Regulations, www.fdic.gov/regulations/laws/ rules/2000-8700.html#2000appendixatopart365. • Failure to track the aggregate amount b Multifamily construction includes condomini- of loans in excess of loan-to-value limits; ums and cooperatives. • Originating numerous loans in excess c A loan-to-value limit has not been established of loan-to-value limits without docu- for permanent mortgage or home equity loans on owner-occupied 1- to 4-family residential mentation of credit factors that property. However, for any such loan with a support the underwriting decision; loan-to-value ratio that equals or exceeds 90 percent at origination, an institution should • Failure to consider commitment require appropriate credit enhancement in the amounts when computing loan-to- form of either mortgage insurance or readily value limits; marketable collateral. • Underwriting raw land loans in excess of prescribed loan-to-value limits tion of Appendix A of Part 365.5 based on “As Complete” appraised Several examiners reported that banks values; and were granting extensions of credit of up to 75 percent of value to acquire • Failure to provide timely and suffi- raw land although the borrowers had ciently complete reports to the board no plans to develop this property in of directors as required by Part 365. the near term. Certain institutions in There were numerous reports of insti- high-growth areas had concentrations tutions whose aggregate amount of all in excess of 150 percent of total capi- loans in excess of the supervisory loan- tal for land development loans, but to-value limits routinely exceeded 100 for purposes of measuring risk, inter- percent of total capital, in contraven- nal monitoring did not differentiate

4 Appendix A identifies prudent practices an institution should include in its policies in the areas of loan portfolio management, underwriting, and administration. In addition, the appendix provides supervisory loan-to-value limits. See www.fdic.gov/regulations/laws/rules/2000-8700.html#2000appendixatopart365. 5 Appendix A to Part 365 requires that the aggregate amount of loans in excess of the supervisory loan-to-value limits should not exceed 100 percent of total capital. Within this aggregate limit, total loans for commercial, agri- cultural, multifamily, or other non-1–4 family residential properties should not exceed 30 percent of total capital. An institution that approaches or exceeds the aggregate limits is subject to increased supervisory scrutiny.

29 Supervisory Insights Winter 2006 From the Examiner’s Desk . . . continued from pg. 29

actual land development loans from raw land loans or speculative invest- Market Analysis Is Often ment land loans. Overlooked Mitigation Practices. Despite these Examiners report that management weaknesses, examiners cited a number could improve its practices of monitor- of best practices focusing on effective ing market conditions in its lending internal controls and management areas. There were numerous reports of information systems that monitor the institutions that either did not prepare activity and control the associated risk. a market analysis or prepared one that Establishing policy limits appropriate was incomplete or flawed. to the bank’s size, sophistication, and Mitigation Practices. Some boards of appetite for risk is fundamental to directors, directors’ committees, or loan managing CRE concentration risk. committees mitigate this risk by main- The primary element of a useful moni- taining contact with real estate brokers, toring process is the integration of developers, and builders and using the quantitative and qualitative data that resulting information to establish maxi- provide a summary of the overall activ- mum exposure limits. ities in the CRE portfolio in order to measure risk across all dimensions of Real estate markets and economic the portfolio. The size of the portfolio cycles are dynamic, and policy guidelines should not be the sole consideration. that were once adequate may, over time, become overly liberal. Management Factors such as geographic diversifica- needs to monitor both local and regional tion, types of property held as collat- economic trends, as well as any national eral, and underwriting practices should trend that could impact the local econ- be considered in the development of omy, and adjust policy guidelines accord- any risk management process. ingly. Market analysis should include a Institutions with active and meaning- review of concentrations by type of ful monitoring programs depended property compared to projects through- on a number of in-depth reports that out the market, including completed, were reviewed periodically either by pipeline, and proposed developments. committees of the board of directors or by the full board. In addition, some institutions included these reports as Lenient Terms and Weak Loan a regular agenda item at monthly Structuring Carry Risks board meetings. The most common Examiners described a number of inci- quantitative reports included descrip- dents in which institutions had relaxed tions of CRE concentration by type underwriting standards for CRE loans. and geographic diversification. Limits Conditions included were established, and the reports provided a mechanism to review expo- • Overreliance on collateral values sure and design risk mitigation strate- instead of cash flow, gies. Some of the qualitative reports • Liberal use of interest reserves, included quarterly raw land, lot devel- opment, and construction loan reports • Loans with one- to two-year balloon with a detailed narrative summary of maturities secured by undeveloped each project’s current status, percent- land, and age of completion, expected comple- • Unsecured loans and letters of credit tion date, and any completion or granted for the purpose of investing absorption issues. Repayment sources in units of condominium projects were described, as were other risk (located primarily in the Southeast- mitigation items of interest. ern United States).

30 Supervisory Insights Winter 2006 Examiners also reported that many In certain markets, banks had borrowers were not required or were extended funds predicated on expected unable to put equity into development future gross sell-out values of condo- projects, and material deposit relation- minium conversion and construction, ships were either not required or as well as other development projects. unavailable. Mitigation Practices. Institutions Mitigation Practices. Repayment of that avoided these problems generally any CRE loan is dependent upon the had strong internal appraisal review borrower’s ability to produce cash flow programs that provided an independent from the project through either rental analysis of appraisals or internal eval- income or the sale of the property. uations prior to funding. In addition, Collateral value, while possibly providing these institutions reviewed the qualifi- certain protection, does not provide cash cations of their appraisers on an ongo- flow. Sound lending guidelines should ing basis and removed those that did help reduce exposure to borrowers with not consistently provide a product that insufficient cash flow to meet the repay- conformed to the requirements outlined ment terms. Along with good credit in 12 CFR 323—Appraisals. Loan poli- selection, an institution should develop cies and practices established guide- strong policy guidelines with respect to lines for types of appraisals required on loan-to-values, allowable exceptions, and the basis of the type of project (specula- reporting requirements. Slow or no prin- tive versus owner-occupied). These cipal reduction can erode the institu- internal requirements were often more tion’s collateral protection by allowing conservative than the standards estab- the loan-to-value to increase above lished by 12 CFR 323. prudent levels in depressed real estate markets. This is especially true of specu- lative construction lending, where slow- Conclusions ing sales may prevent borrowers from carrying the debt for a period of time. Anecdotal information provided by the examiners suggests that many insti- tutions would benefit from enhancements Oversight of the Appraisal to their existing monitoring systems. The Process May Be Weak recently reported softening of real estate markets also implies that increased Examination findings indicated that attention is warranted, given the risk oversight of the appraisal process was exposure inherent in CRE lending. A lacking in some institutions. Problems robust program of measuring and moni- included toring CRE portfolios, with special atten- • Inadequate or missing internal tion to C&D exposure, is fundamental to reviews of appraisals, effective risk mitigation. • Violations of FDIC Rules and Regula- While examiners have noted some tions concerning appraisals (12 CFR degree of deterioration in underwriting 323—Appraisals6) for absent or inade- practices, these practices have not quate appraisals, adversely impacted the overall condition of most of the institutions. Capital levels • Funding loans prior to receipt of are reported to be high, with over 99 per- appraisals, and cent of all insured institutions placing in • Including the proposed loan amounts the highest regulatory capital category at on appraisal engagement letters. year-end 2005.7 The levels of adversely

6 See www.fdic.gov/regulations/laws/rules/2000-4300.html. 7 FDIC Quarterly Banking Profile, Division of Insurance and Research, December 2005.

31 Supervisory Insights Winter 2006 From the Examiner’s Desk . . . continued from pg. 31

classified assets and past-due loans are institutions that strong risk management nominal, and earnings performance is practices and appropriate levels of capi- strong, with net interest income provid- tal are important elements of a sound ing most of the profit reported. A strong lending progrm and reinforces and CRE market has also mitigated the poten- enhances existing regulations and guide- tial ill effects of weakening lending stan- lines for safe and sound sound real estate dards over the past few years. lending. Many of the best practices iden- tified in this article reflect long-standing Where significant deficiencies were supervisory expectations presented in found, examiners made recommenda- Table 2. tions for corrective action. Many institu- tions initiated their own corrective action Marianne Lester programs based upon those recommen- Examiner, Shelby, AL dations or upon the advice of internal and external auditors. In very few cases, Lawrence J. Nicastro informal and formal enforcement actions Examiner, Atlanta, GA were necessary. On December 6, 2006, after careful consideration of comments Tracy E. Fitzgerald received on proposed guidance on Examination Specialist, commercial real estate lending issued on Tulsa, OK January 13, 2006,8 the Federal banking agencies issued Final Guidance on Brian D. Regan Concentrations in Commercial Real Examiner (Retired), Estate Lending.9 The guidance reminds Sacramento, CA Table 2

Sound Practices for Commercial Real Estate Portfolio Oversight

The board of directors should approve the scope of Lending policies should reflect the level of risk that is lending activities and the way real estate loans are acceptable to the board of directors and provide clear made, serviced, and collected. Market conditions, and measurable limits that include the maximum loan concentrations, and lending activity should be moni- amount and maturities by type of property, amortization tored, and timely and adequate reports should be made schedules, pricing structure for different types of real to the board of directors. estate loans, loan-to-value limits by type of property, pre-leasing and pre-sale requirements, requirements Internal and external factors should be considered in for takeout commitments, and minimum covenants for the formulation of loan policies and of a strategic plan loan agreements. considering the size and financial condition of the insti- tution, the expertise and size of the lending staff, and Loan administration procedures should address the market conditions. type and frequency of financial statements required, type and frequency of collateral evaluations, collateral Prudent underwriting standards should be developed administration, requirements for adequate construction that consider relevant credit factors, including the inspections and loan disbursements, and collections capacity of the borrower, income from the underlying and foreclosure. property to service the debt, the value of collateral, the creditworthiness of the borrower, the level of equity Refer to Part 365 of the FDIC Rules and Regulations—Real Estate invested, and any secondary sources of repayment. Lending Standards; Appendix A to Part 365—Interagency Guide- lines for Real Estate Lending Policies.

8 FIL-4-2005, Commercial Real Estate Lending Proposed Interagency Guidance, January 13, 2006, www.fdic.gov/news/news/financial/2006/fil06004.html. 9 PR-114-2006, Joint Release/Federal Banking Agencies Issue Final Guidance on Concentrations in Commercial Real Estate Lending, December 6, 2006, www.fdic.gov/news/news/press/2006/pr06114.html.

32 Supervisory Insights Winter 2006 Accounting News: Auditor Independence

This regular feature focuses on topics of influences that compromise critical importance to bank accounting. professional judgment, thereby Comments on this column and sugges- allowing an individual to act tions for future columns can be e-mailed with integrity and exercise to [email protected]. objectivity and professional skepticism. he words “independent” and “independence” are often used b. Independence in appearance. Tin conjunction with the services The avoidance of circumstances certified public accountants (CPAs or that would cause a reasonable external auditors) provide to their and informed third party, clients, including insured depository having knowledge of relevant institutions (banks or financial institu- information, including safe- tions). When CPAs and their firms guards applied, to reasonably provide certain services that require conclude that the integrity, them to be independent, such as audits objectivity, or professional skep- of financial statements and audits of ticism of a firm or member of internal control over financial reporting, the attest engagement team has they are referred to as independent been compromised.1 public accountants, independent audi- For financial institutions, the most tors, or external auditors. But what does common services performed by external “independence” mean when external auditors that require independence auditors provide these services? It is include audits of financial statements, useful for examiners to have an under- audits of internal control over financial standing of the general principles and reporting, and attestations on manage- concepts embodied in “independence” ment’s assessment of internal control because examiners are expected to over financial reporting. Therefore, the review and evaluate institutions’ exter- primary focus of this discussion will be nal auditing programs. This article on the independence standards related summarizes existing professional stan- to audits and internal dards for auditor independence, includ- control audits/attestations. ing recent developments regarding tax services and contingent fees as well as the use of limitation of liability clauses Importance of Auditor in engagement letters. Independence The American Institute of Certified Why is it important for the external Public Accountants’ (AICPA) Concep- auditor to be independent? A properly tual Framework for AICPA Indepen- conducted audit provides an independ- dence Standards (Conceptual ent and objective view of the reliability Framework) defines independence as of a financial institution’s financial state- a. Independence of mind. The ments. The ’s objective state of mind that permits the in an audit is to form an opinion on the performance of an attest serv- financial statements taken as a whole. ice without being affected by When planning and performing the

1 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraph 6. The Conceptual Framework for AICPA Independence Standards was adopted by the AICPA’s Professional Ethics Executive Committee (PEEC) on January 30, 2006, and is available on the AICPA’s website. See www.aicpa.org/download/ ethics/Ethics_Interpretation_101-1_and_Conceptual_Framework.pdf.

33 Supervisory Insights Winter 2006 Accounting News continued from pg. 33

audit, the external auditor considers the cies rely on the results of audits as part financial institution’s internal control of their assessment of the safety and over financial reporting. Generally, the soundness of a financial institution. external auditor communicates any iden- Reliable financial reports, such as tified deficiencies in internal control to audited financial statements, are neces- management, which enables manage- sary for a financial institution to raise ment to take appropriate corrective capital. They provide data on an institu- action. In addition, certain financial insti- tion’s financial position and results of tutions are required to file audited finan- operations for stockholders, depositors, cial statements and internal control and other funds providers, borrowers, audit/attestation reports with one or and potential investors. Such information more of the Federal banking agencies.2 is critical to effective market discipline of The Federal Financial Institutions Exami- an institution. nation Council’s (FFIEC) Interagency Policy Statement on External Auditing For audits to be effective, the external Programs of Banks and Savings Associa- auditors must be independent in both tions3 notes that “an institution’s internal fact and appearance, and must perform and external audit programs are critical all necessary procedures to comply with to its safety and soundness.” The auditing and attestation standards estab- FFIEC’s policy statement also says that lished by either the AICPA or, if applica- an effective external auditing program ble, the Public Company Accounting “can improve the safety and soundness Oversight Board (PCAOB). of an institution substantially and lessen the risk the institution poses to the insur- ance funds administered by the Federal Independence Deposit Insurance Corporation.” Standard-Setters Many financial institutions are Currently, the independence standard- required to have their financial state- setters include the AICPA, the U.S. ments audited, and others voluntarily Securities and Exchange Commission choose to undergo such audits. For (SEC), and the PCAOB. Depending example, banks and savings associa- upon the audit client, an external audi- tions with $500 million or more in total tor is subject to the independence stan- assets are required to have annual inde- dards issued by one or more of these pendent audits.4 Certain savings asso- standard-setters. For nonpublic finan- ciations (for example, those with a cial institutions6 that are not required CAMELS rating of 3, 4, or 5) and to have annual independent audits savings and loan holding companies are pursuant to either Part 363 of the FDIC also required by the Office of Thrift regulations or Section 562.4 of the OTS Supervision (OTS) regulations to have regulations, the external auditor must annual independent audits.5 The Agen- comply with the AICPA’s independence

2 The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), collectively referred to as the Agencies. 3 Published in the Federal Register on September 28, 1999 (64 FR 52319). 4 See Section 36(d) of the Federal Deposit Insurance Act (12 U.S.C. 1831m) and Sections 363.1(a) and 363.2(a) of Part 363 of the FDIC’s regulations (12 CFR 363). 5 See OTS regulation at 12 CFR 562.4. 6 Nonpublic financial institutions are companies that are not, or whose parent companies are not, subject to the reporting requirements of the Securities Exchange Act of 1934.

34 Supervisory Insights Winter 2006 standards; the financial institution’s For financial institutions and bank hold- external auditor is not required to ing companies that are public compa- comply with the independence stan- nies,7 regardless of size, the external dards of the SEC and the PCAOB. auditor should be in compliance with the SEC’s and the PCAOB’s independence In contrast, for financial institutions standards as well as the AICPA’s inde- subject to the audit requirements either pendence standards. in Part 363 of the FDIC regulations (i.e., those with $500 million or more in total The table below illustrates the applica- assets) or in Section 562.4 of the OTS bility of the AICPA, SEC, and PCAOB regulations, the external auditor should independence standards. be in compliance with the AICPA’s Code of Professional Conduct and also meet the independence requirements and Independence Standards interpretations of the SEC and its staff. The independence standards and inter- The SEC’s independence requirements pretations of the AICPA, the SEC, and encompass the independence standards the PCAOB8 set forth rules and provide and rules adopted by the PCAOB and guidance regarding many facets of the approved by the SEC. external auditor’s relationship with and

Applicability of AICPA SEC PCAOB Auditor Independence Independence Independence Independence Standards Standards Standards Standards Scenario 1 Nonpublic institutions YES NO NO not subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations Scenario 2 Public and nonpublic YES YES YES institutions subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations Scenario 3 Institutions and holding YES YES YES companies that are public companies (regardless of size)

7 Public companies are companies, or subsidiaries of companies, that are subject to the reporting requirements of the Securities Exchange Act of 1934. 8 For the AICPA, refer to the AICPA’s Code of Professional Conduct, ET Section 101, Independence; ET Section 191, Ethics Rulings on Independence, Integrity, and Objectivity; and Interpretations under Rule 101 - Indepen- dence. For the SEC, refer to Rule 2-01 of Regulation S-X (17 CFR Section 210.2-01); the Codification of Financial Reporting Policies - Section 600 - Matters Relating to Independent Accountants; and the Office of the Chief ’s Frequently Asked Questions: Application of the Commission’s Rules on Auditor Independence. See www.sec.gov/info/accountants/ocafaqaudind121304.htm. For the PCAOB, refer to the following PCAOB Rules and Professional Standards: Rule 3500T—Interim Ethics Standards; Rule 3520—Auditor Independence; Rule 3521— Contingent Fees; Rule 3522—Tax Transactions; Rule 3523—Tax Services for Persons in Financial Reporting Over- sight Roles; Rule 3524—Audit Committee Pre-approval of Certain Tax Services; and Rule 3600T—Interim Independence Standards. See www.pcaobus.org/Rules/Rules of_the_Board/Section_3.pdf.

35 Supervisory Insights Winter 2006 Accounting News continued from pg. 35

performance of services for an audit comply with applicable professional stan- client, including dards and the firm’s standards of qual- ity.”10 The AICPA’s standards further set (1) which members of the audit engage- forth five broad elements of appropriate ment team are subject to the inde- quality control in a public accounting pendence rules (referred to as firm, which relate to maintaining inde- “Covered Members or Persons”); pendence, integrity, and objectivity; (2) financial relationships of Covered managing personnel; establishing guide- Members/Persons or their immedi- lines for accepting and continuing ate families; clients; performing engagements; and monitoring the existing quality control (3) financial interests in nonclients policies and procedures. having investor or investee relation- ships with clients; Audit firms that provide audit/attest services to nonpublic clients are subject (4) financial interests of audit firm part- to peer reviews performed in accordance ners and professional employees, with applicable AICPA standards, and their immediate families, and close audit firms that provide audit/attest relatives; services to public clients are subject to (5) employment relationships of the inspections performed by the PCAOB.11 audit firm’s partners, professional Peer reviews and inspections include an employees, and their immediate examination and/or review of an audit family and close relatives; and firm’s quality controls. However, for any particular audit client, the most visible (6) the performance of nonaudit serv- and apparent independence concerns ices to audit clients. would be manifested in the services (audit However, while the independence and nonaudit) provided to the client. rules and interpretations provide guid- ance and establish a framework for AICPA Independence Standards auditors to follow, they do not—nor were they meant or designed to— The AICPA’s professional standards consider all circumstances that raise require audit firms, including the firms’ independence concerns. partners and professional employees, to be independent in accordance with The AICPA, the SEC, and the PCAOB AICPA Rule 101, Independence,12 of the also require audit firms to have quality Code of Professional Conduct (Rule 101) controls for their audit practices.9 The whenever an audit firm performs an AICPA’s standards define quality control attest service for a client. Attest services as “a process to provide the firm with include financial statement audits, finan- reasonable assurance that its personnel cial statement reviews, and other attest

9 For the AICPA, refer to its Quality Control (QC) Standards, QC Section 20—System of Quality Control for a CPA Firm’s Accounting and Auditing Practice; QC Section 30—Monitoring a CPA Firm’s Accounting and Auditing Prac- tice; and QC Section 40—The Personnel Management Element of a Firm’s System of Quality Control—Competen- cies Required by a Practitioner-in-Charge of an Attest Engagement. On July 28, 2006, the AICPA’s Auditing Standards Board issued an Exposure Draft of a proposed Statement of Quality Control Standards that will replace all the existing QC Standards. For the SEC, refer to Rule 2-01(d) of Regulation S-X. For the PCAOB, refer to Rule 3400T—Interim Quality Control Standards—of its Rules and Professional Standards. 10 Refer to QC Section 20.03 of the AICPA’s QC Standards. 11 The public portions of these peer review and inspection reports are available on the AICPA’s and the PCAOB’s websites. See www.aicpa.org/centerprp/publicfile01.htm and www.pcaobus.org/Inspections/Public_Reports/index.aspx, respectively. 12 AICPA, Professional Standards, ET Section 101.01.

36 Supervisory Insights Winter 2006 services as defined in the AICPA’s State- • Corporate finance consulting or ments on Standards for Attestation advisory services, Engagements. For all financial institution • Appraisal, valuation, or actuarial audits (whether the audit is voluntary or services, required; whether or not the financial institution is subject to Part 363 of the • Executive or employee search services, FDIC regulations or Section 562.4 of the • Business risk consulting, and OTS regulations; and whether the finan- cial institution is a public or a nonpublic • Information systems design, installa- company), the financial institution’s tion, or integration. external auditor must comply with the Before an audit firm performs non- AICPA’s Independence Standards. attest services for an audit client, the Independence is not required when an AICPA’s Rule 101 requires the audit audit firm performs services that are not firm to meet certain general require- attest services, if those services—for ments. If certain nonattest services (for example, tax preparation and consulting example, assistance) are services—are the only services an audit to be performed, the audit firm must firm provides to a particular client. also satisfy service-specific require- However, Rule 101 requires an auditor to ments. In cases where the general or comply with the independence regula- service-specific requirements for non- tions of authoritative regulatory bodies attest services are not met, the audit (such as the SEC and state boards of firm’s independence would be impaired accountancy) when the auditor performs with respect to the attest services the 13 nonattest services for an attest client and audit firm provides to that audit client. is required to be independent of the The general requirements for perform- client under the regulations of the appli- ing nonattest services for audit clients cable regulatory body. The auditor’s fail- under Rule 101 include ure to comply with the nonattest services provisions contained in the independ- The audit firm should not perform management functions or make ence rules of the applicable regulatory management decisions for the audit body that are more restrictive than the client. provisions of Rule 101 would constitute a violation of Rule 101. The audit client must agree to perform the following functions in connection The AICPA’s Rule 101 imposes limits with the nonattest services: on the nature and scope of nonattest – Make all management decisions services an audit firm may provide to an and perform all management audit (attest) client. Rule 101 specifically functions; addresses the following nonattest services: – Designate an individual who • Bookkeeping services, possesses suitable knowledge and/or experience to oversee the • Payroll and other disbursement services; services, – Evaluate the adequacy and results • Internal audit assistance, of the services performed; • Benefit plan administration, – Accept responsibility for the results of the services; and • Investment advisory or management – Establish and maintain internal services, controls, including monitoring • Tax services, ongoing activities.

13 AICPA, Professional Standards, ET Section 101.05.

37 Supervisory Insights Winter 2006 Accounting News continued from pg. 37

Before performing nonattest services, and/or experience to be responsible the audit firm should establish and for the internal audit function; document the following in writing Determines the scope, risk, and with the client: frequency of internal audit activities, – Objectives of the engagement, including those to be performed by – Services to be performed, the external auditor providing internal – Client’s acceptance of its audit assistance services; responsibilities, Evaluates the findings and results aris- – Audit firms’ responsibilities, and ing from the internal audit activities; – Any limitation of the engagement. and Internal audit services, sometimes Evaluates the adequacy of the audit referred to as “internal audit outsourc- procedures performed and the find- ing,” are one of the more common ings resulting from the performance nonaudit services audit firms provide of those procedures by, among other to financial institutions. In evaluating things, obtaining reports from the whether independence would be external auditor. impaired with respect to an audit client As previously indicated, it is impossible that is not a public company and is not to enumerate all circumstances in which subject to Part 363 of the FDIC regula- the appearance of independence might tions or Section 562.4 of the OTS regu- be questioned. In the absence of an lations, the nature of the internal audit independence interpretation or ruling services to be provided to the client under the AICPA’s rules that addresses a needs to be considered.14 Assisting the particular circumstance, a member client in performing financial and opera- (auditor) should consider whether that tional internal audit activities would circumstance would lead a reasonable impair independence unless the external person aware of all of the relevant facts auditor takes appropriate steps to ensure to conclude there is an unacceptable that the client understands its responsi- threat to the member’s and the firm’s bilities for establishing and maintaining independence. The AICPA’s Conceptual the internal control system and directing Framework provides a risk-based the internal audit function, including the approach for making that evaluation. management thereof. Accordingly, any The risk-based approach involves three outsourcing of the internal audit func- steps: (1) the auditor should identify tion to the external auditor whereby the and evaluate threats to independence; external auditor in effect manages the (2) the auditor should determine internal audit activities of the client whether safeguards already eliminate or would impair independence. sufficiently mitigate identified threats In addition to the general requirements and whether threats that have not yet of Rule 101 for performing nonattest been mitigated can be eliminated or services for an audit client, the external sufficiently mitigated by safeguards; and auditor should ensure that client (3) if no safeguards are available to elim- management inate an unacceptable threat or reduce it to an acceptable level, the auditor Designates an individual or individuals should conclude that independence who possess suitable skill, knowledge, would be considered impaired.15

14 For audit clients that are public companies or that are subject to Part 363 of the FDIC regulations or Section 562.4 of the OTS regulations, internal audit outsourcing to the external auditor is generally impermissible under the SEC’s independence rules. 15 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraph 5.

38 Supervisory Insights Winter 2006 Many different circumstances (or ing with the SEC’s independence rules, combinations of circumstances) can the SEC’s Office of the Chief Accoun- create threats to an auditor’s independ- tant has also issued and periodically ence. It is impossible to identify every updates a document titled Application situation that threatens independence. of the Commission’s Rules on Auditor However, seven broad categories of Independence—Frequently Asked threats should always be evaluated Questions. when threats to independence are Unlike the AICPA’s independence rules, being identified and assessed. They are the SEC’s independence rules provide (1) self review (auditors reviewing the that an accountant is not independent if, results of their own nonattest work); at any point during the audit and profes- (2) advocacy (actions by the auditor to sional engagement period,18 the account- promote the client’s interests or posi- ant provides any of the following tion); (3) adverse interest (actions or nonaudit services to an audit client: interests between the auditor and the client that are in opposition); (4) famil- • Bookkeeping or other services related iarity (auditors having a close or long- to the accounting records or financial standing relationship with an attest statements of the audit client; client); (5) undue influence (attempts • Financial information systems design by the client’s management to coerce and implementation; or exercise excessive influence over the auditor); (6) financial self-interest • Appraisal or valuation services, fair- (potential benefit to the auditor from a ness opinions, or contribution-in-kind financial interest in, or from some reports; other financial relationship with the • Actuarial services; client); and (7) management participa- tion (the auditor taking the role of • Internal audit outsourcing services; client management or performing • Management functions; management functions on behalf of the client).16 • Human resources services; • Broker-dealer, investment adviser, or SEC Independence Standards investment banking services; The SEC’s independence rules are • Legal services; or set forth in Rule 2-01 of Regulation S-X (Rule 2-01).17 Rule 2-01 was amended • Expert services unrelated to the audit. in January 2003 by Release No. 33- The SEC’s rules state that bookkeep- 8183, Strengthening the Commission’s ing, financial information systems Requirements Regarding Auditor Inde- design and implementation, appraisal or pendence, to fulfill the mandate of valuation services, actuarial services, Title II of the Sarbanes-Oxley Act of and internal audit outsourcing services 2002. To assist practitioners in comply-

16 ET Section 100.01, Conceptual Framework for AICPA Independence Standards, paragraphs 12 to 19. 17 See 17 CFR 210.2-01. 18 Under Rule 2-01(f)(5), the audit and professional engagement period includes both: (1) the period covered by any financial statements being audited or reviewed (the “audit period”); and (2) the period of the engagement to audit or review the audit client’s financial statements to prepare a report filed with the SEC (the “professional engagement period”). The professional engagement period begins when the accountant either signs an initial engagement letter (or other agreement to review or audit a client’s financial statements) or begins audit, review, or attest procedures, whichever is earlier; and the professional engagement period ends when the audit client or the accountant notifies the SEC that the client is no longer that accountant’s audit client.

39 Supervisory Insights Winter 2006 Accounting News continued from pg. 39 are prohibited “unless it is reasonable PCAOB Independence Standards to conclude that the results of these Title I of the Sarbanes-Oxley Act of services will not be subject to audit 2002 established the PCAOB and procedures during an audit of the audit charged it with the responsibility of client’s financial statements.”19 This overseeing the audits of public compa- limited exception to the general prohibi- nies that are subject to the U.S. Federal tion regarding nonaudit services is quite securities laws. Only accounting firms narrow in the SEC’s view, establishing that register with the PCAOB (registered a rebuttable presumption that these public accounting firms) may audit services are subject to audit procedures. public companies. The PCAOB’s duties In other words, the SEC presumes that, include the establishment of auditing, when an accountant audits an audit quality control, ethics, independence, client’s financial statements, the accoun- and other standards relating to public tant will end up auditing the work he or company audits. she performed when rendering the aforementioned nonaudit services for The PCAOB adopted all of the inde- the audit client. pendence standards described in the AICPA’s Code of Professional Conduct Like the AICPA’s independence rules, Rule 101, and the interpretations and the SEC’s independence rules do not rulings thereunder, as in existence on purport to consider all circumstances April 16, 2003, as the PCAOB’s Interim that raise independence concerns. In Independence Standards. These Interim this regard, the SEC considers whether a Independence Standards also include relationship or the provision of a service Standards Nos. 1, 2, and 3 and Interpre- (a) creates a mutual or conflicting inter- tations 99-1, 00-1, and 00-2 of the former est between the accountant and the audit Independence Standards Board. Gener- client (b) places the accountant in a ally, this means that the PCAOB applies position of auditing his or her own work the independence standards/principles (c) results in the accountant acting as discussed under the “AICPA Indepen- management or an employee of the audit dence Standards” section of this article client or (d) places the accountant in a to registered public accounting firms. position of being an advocate for the audit client. The PCAOB’s Interim Independence Standards do not supersede the SEC’s The SEC will not recognize an account- auditor independence rules. Therefore, ant as independent, with respect to an to the extent that a provision of the audit client, if the accountant is not, or a SEC’s rules is more or less restrictive reasonable investor with knowledge of all than a provision of the PCAOB’s Interim relevant facts and circumstances would Independence Standards, a registered conclude that the accountant is not, public accounting firm must comply with capable of exercising objective and impar- the more restrictive rule. tial judgment on all issues encompassed within the accountant’s engagement. In The PCAOB’s interim standards will determining whether an accountant is remain in effect until modified or super- independent, the SEC will consider all seded, either by PCAOB action approved relevant circumstances, including rela- by the SEC, or by SEC action pursuant tionships between the accountant and the to its independent authority under the audit client, and not just those relating to Federal securities laws to establish inde- reports filed with the SEC. pendence standards for auditors of public companies.

19 See Rule 2-01(c)(4)(i) through (v) of SEC Regulation S-X (17 CFR 210-01).

40 Supervisory Insights Winter 2006 Letters.20 The Interagency Advisory Recent Developments in applies to audit engagement letters Auditor Independence executed on or after February 9, 2006, and provides that the inclusion of indem- Recent AICPA Developments nification and limitation of liability provi- sions in external audit engagement On September 8, 2006, the AICPA’s letters will generally be considered an Professional Ethics Executive Committee unsafe and unsound practice. Appen- (PEEC) re-exposed its Proposed Interpre- dix A of the Interagency Advisory con- tation 101-16 under Rule 101: Indemnifi- tains examples of unsafe and unsound cation, Limitation of Liability, and ADR limitation of liability provisions. Clauses in Engagement Letters. The comment period for the revised Exposure While the Interagency Advisory Draft (ED) ended on December 8, 2006. addresses indemnification and limitation The AICPA’s initial ED on this subject was of liability from a safety and soundness issued on September 15, 2005. perspective, rather than from an auditor independence perspective, it is fairly The revised ED is significantly differ- consistent with the PEEC’s September ent from the September 2005 ED. The 2005 ED. However, the PEEC’s Septem- revised ED has an underlying principle ber 2006 revised ED is generally incon- that would permit external auditors to sistent with its September 2005 ED and include indemnification and limitation the Interagency Advisory. of liability provisions in audit engage- ment letters if such provisions are contingent upon the related services Recent PCAOB Developments being performed in compliance with On April 19, 2006, the SEC approved professional standards, in all material the PCAOB’s proposed ethics and inde- respects. However, the revised ED would pendence rules concerning independ- also permit certain indemnification and ence, tax services, and contingent fees. limitation of liability provisions to be These rules have varying effective dates, included in audit engagement letters most of which are in 2006. and not be subject to the underlying principle. For example, under the Besides establishing general rules revised ED, the audit client could waive with respect to ethics and independ- the right to seek punitive damages and ence, these new PCAOB rules restrict indemnify the auditor for third-party certain types of tax services a regis- punitive damage awards, the time tered public accounting firm may period for the client to file a claim for provide to an audit client and certain damages could be limited, and the members of the client’s management, client’s right to assign or transfer a and prohibit contingent fee arrange- claim could be limited. ments for any services a registered public accounting firm provides to an On February 3, 2006, the Federal bank- audit client, in order for the firm to ing agencies, together with the National maintain its independence with respect Credit Union Administration, issued an to that client. Nonpublic financial insti- Interagency Advisory on the Unsafe and tutions subject to Part 363 of the FDIC Unsound Use of Limitation of Liability regulations or Section 562.4 of the Provisions in External Audit Engagement OTS regulations and their auditors

20 FIL-13-2006, External Audit Engagement Letters: Unsafe and Unsound Use of Limitation of Liability Provisions, February 9, 2006, www.fdic.gov/news/news/financial/2006/fil06013.html. Also see the February 3, 2006, Joint Press Release, www.fdic.gov/news/news/press/2006/pr06011.html and the Federal Register, Volume 71, Page 6847, www.fdic.gov/regulations/laws/federal/2006/06notice29.pdf.

41 Supervisory Insights Winter 2006 Accounting News continued from pg. 41

should note that these new independ- Accordingly, as noted in the February ence rules from the PCAOB apply to 2006 Interagency Advisory and the institutions’ external auditors. 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, examiners Examiner Considerations should consider an institution’s policies Auditor independence is the corner- and processes surrounding its external stone for CPAs and audit firms that auditing program, including those for provide audit/attestation services to determining whether the auditor main- financial institutions. Sometimes tains appropriate independence in its concerns regarding an auditor’s inde- relationship with the institution under pendence with respect to a specific audit applicable professional standards, when client are “black and white” and a deci- they evaluate the institution’s program. sion as to whether the auditor’s inde- Examiners should also review external pendence is impaired can be reached audit engagement letters to determine rather easily. However, many times, the whether they include any limitation of resolution of concerns regarding auditor liability provisions of the types that are independence requires a thorough and deemed unsafe and unsound by the complete analysis of all of the relevant Interagency Advisory. facts and circumstances before a conclu- sion can be made. In the end, ensuring Harrison E. Greene, Jr. auditor independence is a responsibility CPA, CBA, Accounting and of both the auditor and the client finan- Securities Disclosure Section cial institution. Washington, DC

42 Supervisory Insights Winter 2006 Overview of Selected Regulations and Supervisory Guidance This section provides an overview of recently released regulations and supervisory guidance, arranged in reverse chronological order. Press Release (PR) or Financial Institution Letter (FIL) designations are included so the reader may obtain more information.

Subject Summary Comments Requested on Proposed The FDIC, the Board of Governors of the Federal Reserve System (Federal Reserve Board), Illustrations of Consumer Information the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), for Nontraditional Mortgage Product and the National Credit Union Administration (NCUA) (collectively, the Federal financial Risks (PR-93-2006, October 18, 2006; regulatory agencies) sought comment on proposed Illustrations of Consumer Information FIL-90-2006, October 5, 2006; and for Nontraditional Mortgage Product Risks (the illustrations). The illustrations were intended Federal Register Vol. 71, No. 192, to assist institutions in implementing the consumer protection portion of the Interagency p. 58672, October 4, 2006) Guidance on Nontraditional Mortgage Product Risks. Comments were due December 4, 2006.

Final Rule Issued to Provide One-Time The FDIC issued the final rule to implement the One-Time Assessment Credit, as required by Assessment Credits to Insured the Federal Deposit Insurance Reform Act of 2005. Under this rule, eligible institutions will Institutions (PR-91-2006, October 10, share in an aggregated one-time deposit insurance assessment credit of $4,707,580,238.19. 2006; FIL-93-2006, October 18, 2006; and The final rule took effect November 17, 2006. Federal Register Vol. 71, No. 201, p. 61374, October 18, 2006)

Final Rule Issued on Assessment The FDIC issued the final rule to implement assessment dividends, as required by the Dividends (FIL-92-2006, October 18, Federal Deposit Insurance Reform Act of 2005. The Act generally requires the FDIC to 2006; and Federal Register Vol. 71, No. pay dividends from the Deposit Insurance Fund (DIF) to insured institutions when the DIF 201, p. 61385, October 18, 2006) reserve ratio at the end of a calendar year exceeds 1.35 percent. The final rule takes effect January 1, 2007.

Interagency Guidance Issued on Non- The Federal financial regulatory agencies issued Interagency Guidance on Nontraditional traditional Mortgage Product Risks, Mortgage Product Risks and an Addendum to the Credit Risk Management Guidance for and an Addendum to Credit Risk Home Equity Lending. These documents describe how financial institutions should both Management Guidance for Home Equity address the risks associated with underwriting nontraditional mortgage loan products and Lending Issued (PR-86-2006, September provide consumers with clear and balanced information before they make a product or 29, 2006; FIL-89-2006, October 5, 2006; payment choice. and Federal Register Vol. 71, No. 192, p. 58609, October 4, 2006)

Final Rule Issued Covering Changes The FDIC Board of Directors permanently adopted the final rule implementing provisions to Deposit Insurance Coverages of the Federal Deposit Insurance Reform Act of 2005 pertaining to deposit insurance (FIL-83-2006, September 18, 2006; and coverage. The final rule took effect October 12, 2006. Federal Register Vol. 71, No. 176, p. 53547, September 12, 2006)

Comments Requested on a Proposed The FDIC, Federal Reserve Board, OCC, and OTS (collectively, the Federal bank and thrift Rule on Risk-Based Capital Standards: regulatory agencies) jointly issued a notice of proposed rulemaking (NPR) on possible Market Risk (PR-82-2006, September 5, modifications to the risk-based capital standards for market risk. The proposed rule would 2006; FIL-87-2006, September 25, 2006; incorporate improvements to the current trading book regime as proposed by the Basel and Federal Register Vol. 71, No. 185, Committee on Bank Supervision and the International Organization of Securities Commis- p. 55958, September 25, 2006) sions in the joint document The Application of Basel II to Trading Activities and the Treat- ment of Double Default Effects, published in July 2005. The proposed rule would also apply to certain savings associations, which currently are not covered under the rule. The FDIC will accept comments on the NPR through January 23, 2007.

43 Supervisory Insights Winter 2006 Regulatory and Supervisory Roundup continued from pg. 43

Comments Requested on a Proposed The Federal bank and thrift regulatory agencies jointly issued and sought comment on Rule on Risk-Based Capital Standards: an NPR concerning the domestic application of selected elements of the Basel II capital Advanced Capital Adequacy framework. The proposed rule would require some core banks, and permit other banks, to Framework (PR-82-2006, September 5, use an internal ratings-based approach to calculate regulatory credit risk capital require- 2006; FIL-86-2006, September 25, 2006; ments and an advanced measurement approach to calculate regulatory operational risk and Federal Register Vol. 71, No. 185, capital requirements. The FDIC will accept comments on the NPR through January 23, 2007. p. 55830, September 25, 2006)

Comments Requested on Wide- The FDIC sought public comment on wide-ranging issues involving industrial loan Ranging Issues Related to Industrial company charters. Comments were due by October 10, 2006. Loan Companies (PR-77-2006, August 17, 2006; FIL-79-2006, August 29, 2006; and Federal Register Vol. 71, No. 163, p. 49456, August 23, 2006)

Frequently Asked Questions Published The Federal Financial Institutions Examination Council (FFIEC) published frequently asked Regarding Authentication in an questions to assist financial institutions and their technology service providers in conform- Internet Environment (FIL-77-2006, ing to the FFIEC guidance entitled Authentication in an Internet Banking Environment, August 21, 2006) which was issued on October 12, 2005.

Revised Bank Secrecy Act/Anti-Money The FFIEC released a revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Laundering Examination Manual Examination Manual on July 28, 2006. The manual can be accessed on the FFIEC BSA/AML Released (FIL-71-2006, August 2, 2006) InfoBase at http://www.ffiec.gov/bsa_aml_infobase/default.htm.

Revisions Issued to the FDIC The FDIC revised its Statement of Policy (SOP) Regarding the National Historic Preserva- Statement of Policy Regarding the tion Act of 1966. The purpose of the SOP is to inform affected parties of the FDIC’s prac- National Historic Preservation Act tices in applying the requirements of the National Historic Preservation Act and its imple- (FIL-70-2006, August 1, 2006; and menting regulations. The SOP is relevant to applications for deposit insurance for de novo Federal Register Vol. 71, No. 143, institutions, applications for establishment of domestic branches, and applications for the p. 42399, July 26, 2006) relocation of domestic branches or main offices.

Comments Requested on Proposed The FDIC sought comment on three proposed rules. The first proposed rule would create Deposit Insurance Rules (PR-70-2006, a new system for risk-based assessments. The second proposed rule would set the desig- July 11, 2006; FIL-65-2006, July 25, nated reserve ratio at 1.25 percent. The third proposed rule would govern the penalties for 2006; and Federal Register Vol. 71, No. failure to pay assessments. Comments on the first two proposed rules were due September 141, p. 41910, July 24, 2006) 22, 2006; comments on the third proposed rule were due September 18, 2006.

Comments Requested on Proposed The Federal financial regulatory agencies and the Federal Trade Commission requested Guidelines for Identity Theft public comment on the proposed regulation to implement sections 114 and 315 of the Fair Procedures (PR-71-2006, July 18, 2006; and Accurate Credit Transactions Act of 2003 (FACT Act). The proposed regulation would FIL-64-2006, July 18, 2006; and Federal require financial institutions and creditors to adopt reasonable policies and procedures to Register Vol. 71, No. 137, p. 40786, indicate the possible existence of identity theft and to validate addresses under certain July 18, 2006) circumstances. Comments were due September 18, 2006.

44 Supervisory Insights Winter 2006 Revisions Issued to the Uniform The Federal financial regulatory agencies issued a statement notifying regulated institutions Standards of Professional Appraisal of the Appraisal Standards Board’s issuance of the 2006 version of the Uniform Standards of Practice (FIL-53-2006, June 23, 2006) Professional Appraisal Practice. These changes were effective July 1, 2006.

Guidance Issued on Managing Risks The FDIC issued guidance to address the risks inherent in outsourcing relationships in Relationships with Foreign-Based between U.S. financial institutions and foreign-based third-party service providers. The Third-Party Service Providers guidance outlines steps institutions should take to manage reputational, operational/ (FIL-52-2006, June 21, 2006) transactional, compliance, strategic, and country risks.

Standard Flood Hazard Determination The FDIC notified FDIC-supervised institutions that the Federal Emergency Management Form Updated (FIL-51-2006, June 21, Agency had issued a revised Standard Flood Hazard Determination Form, which included 2006) a new Office of Management and Budget control number and a revised expiration date of October 31, 2008. The form’s format and content have not changed. Institutions were required to use the updated form beginning July 1, 2006.

Booklet Issued to Institutions on The FFIEC and the Conference of State Bank Supervisors jointly issued a booklet of the Lessons Learned from Hurricane lessons that financial institutions learned in the aftermath of Hurricane Katrina. Institutions Katrina (FIL-49-2006, June 15, 2006) can use the booklet in preparing to respond to a catastrophic event. The booklet can be found at http://www.fdic.gov/regulations/resources/lessons/index.html.

Examination Procedures Issued for The FFIEC Task Force on Consumer Compliance issued examination procedures to assess New Regulations on Medical compliance with the medical information regulations that became effective on April 1, Information (FIL-47-2006, May 25, 2006) 2006. The regulations implement the Protection of Medical Information provisions of the Fair Credit Reporting Act, as amended by the FACT Act. The new procedures were effec- tive May 25, 2006.

Comments Requested on a Revised The Federal bank and thrift regulatory agencies and the Securities and Exchange Commis- Statement Concerning Elevated Risk in sion requested public comment on a revised proposed statement on the complex struc- Complex Structured Finance Activities tured finance activities of financial institutions. The revised statement describes the types (PR-44-2006, May 9, 2006; FIL-45-2006, of internal controls and risk management procedures that should help financial institutions May 16, 2006; and Federal Register identify, manage, and address the heightened legal and reputational risks that may arise Vol. 71, No. 94, p. 28326, May 16, 2006) from certain complex structured finance transactions. Comments were due June 16, 2006.

Comments Requested on Access to The FDIC notified FDIC-supervised institutions that the Department of the Treasury’s Banking Services by Money Services Financial Crimes Enforcement Network had issued a request for public comment on an Businesses (FIL-37-2006, May 2, 2006; Advance Notice of Proposed Rulemaking regarding the impact of Bank Secrecy Act and Federal Register Vol. 71, No. 47, regulations on the ability of money services businesses to open and maintain accounts p. 12308, March 10, 2006) and obtain other banking services at banks and other depository institutions. Comments were due July 9, 2006.

45 Supervisory Insights Winter 2006 Subscription Form

To obtain a subscription to Supervisory Insights, please print or type the following information:

Institution Name ______

Contact Person ______

Telephone ______

Street Address ______

City, State, Zip Code ______

Please fax or mail this order form to: FDIC Public Information Center 3501 North Fairfax Drive, Room E-1022 Arlington, VA 22226 Fax Number (703) 562-2296

Subscription requests also may be placed by calling 1-877-ASK-FDIC or 1-877-275-3342.

PRESORTED STANDARD Federal Deposit Insurance Corporation MAIL Washington, DC 20429-9990 Postage & OFFICIAL BUSINESS Fees Paid PENALTY FOR PRIVATE USE, $300 FDIC Permit No. G-36