
Bank Supervision: Regulators Improved Supervision of Management Activities but Additional Steps Needed

Published by the Government Accountability Office on 2019-05-14.


United States Government Accountability Office
Report to Agency Officials

May 2019

BANK SUPERVISION
Regulators Improved Supervision of Management Activities but Additional Steps
Needed

GAO-19-352
Highlights of GAO-19-352, a report to agency officials.

Why GAO Did This Study

Weaknesses identified after the 2007–2009 financial crisis included management
weaknesses at large depository institutions and the need for federal regulators
(FDIC, Federal Reserve, and OCC) to address the deficiencies in a timely manner.
Concerns remain that positive economic results of recent years could mask
underlying risk-management deficiencies.

This report examined (1) how consistent regulators’ revised policies and
procedures are with leading risk-management practices, (2) how they applied
examination policies and procedures, and (3) trends in supervisory concern data
since 2012 and how regulators tracked such data. GAO compared regulators’
policies and procedures for oversight against leading practices; compared
documents from selected bank examinations for 2014–2016 against regulator’s
risk-management examination procedures; reviewed aggregate supervisory concern
data for 2012–2016; and interviewed regulators and industry representatives.

What GAO Recommends

GAO recommends that FDIC and the Federal Reserve improve information in written
communication of supervisory concerns; FDIC improve recording of supervisory
concern data; and the Federal Reserve update guidelines for escalating
supervisory concerns. FDIC disagreed with the first recommendation, stating its
policies address the issue, but GAO found clarification is needed. FDIC agreed
with the second recommendation. The Federal Reserve neither agreed nor
disagreed with the recommendations.

View GAO-19-352. For more information, contact Michael Clements at
(202) 512-8678 or clementsm@gao.gov

What GAO Found

Since 2009, federal banking regulators have revised policies and procedures for
use by examiners in supervising depository institutions’ management activities
(such as those related to corporate governance and internal controls) and for
identifying and communicating supervisory concerns. For example, regulators
differentiated levels of severity for supervisory concerns and specified when to
communicate them to boards of directors at the depository institutions. GAO
found that the updated policies and procedures generally were consistent with
leading risk-management practices, including federal internal control standards.

Examination documents that GAO reviewed showed that examiners generally
applied the regulators’ updated policies and procedures to assess management
oversight at large depository institutions. In particular, for the institutions GAO
reviewed, the regulators communicated deficiencies before an institution’s
financial condition was affected, and followed up on supervisory concerns to
determine progress in correcting weaknesses. However, practices for
communicating supervisory concerns to institutions varied among regulators and
some communications do not provide complete information that could help
boards of directors monitor whether deficiencies are fully addressed by
management. Written communications of supervisory concerns from the Federal
Deposit Insurance Corporation (FDIC) and the Board of Governors of the
Federal Reserve System (Federal Reserve) that GAO reviewed often lacked
complete information about the cause of the concern and, for the Federal
Reserve, also lacked information on the potential consequences of the concern,
which in one instance led to an incomplete response by an institution.
Communicating more complete information to boards of directors of institutions,
such as the reason for a deficient activity or practice and its potential effect on
the safety and soundness of operations, could help ensure more timely
corrective actions.

While supervisory concern data indicated continuing management weaknesses,
regulators vary in how they track and use the data. Data on supervisory
concerns, and regulators’ internal reports based on the data, indicated that
regulators frequently cited concerns about the ability of depository institution
management to control and mitigate risk. However, FDIC examiners only record
summary information about certain supervisory concerns and not detailed
characteristics of concerns that would allow for more complete information. With
more detailed information, FDIC management could better monitor whether
emerging risks are resolved in a timely manner. In addition, the regulators vary in
the nature and extent of data they collect on the escalation of supervisory
concerns to enforcement actions. FDIC and the Office of the Comptroller of the
Currency (OCC) have relatively detailed policies and procedures for escalation of
supervisory concerns to enforcement actions, but the Federal Reserve does not.
According to Federal Reserve staff, in practice they consider factors such as the
institution’s response to prior safety and soundness actions. But the Federal
Reserve lacks specific and measurable guidelines for escalation of supervisory
concerns, relying solely on the judgment or experience of examiners, their
management, and Federal Reserve staff, which can result in inconsistent
escalation practices.

Contents

Letter
               Background
               Regulators’ Approaches to Oversight of Management at Large
                 Depository Institutions Generally Were Consistent with Leading
                 Risk-Management Practices
               Examiners Applied Their Policies but Communication of
                 Supervisory Concerns Could Be More Complete
               Review of Supervisory Concern Data Revealed Data Limitations
                 and Incomplete Procedures for Escalation of Concerns
               Conclusions
               Recommendations for Executive Action
               Agency Comments and Our Evaluation

Appendix I     Objectives, Scope, and Methodology

Appendix II    Federal Banking Regulators’ Risk-Management Examination
               Policy and Procedure Documents We Reviewed

Appendix III   GAO Questions for Evaluating How Federal Bank Examiners
               Applied Risk-Management Guidance for Large Depository

Appendix IV    Comments from the Federal Deposit Insurance Corporation

Appendix V     Comments from the Board of Governors of the Federal Reserve
               System

Appendix VI    GAO Contact and Staff Acknowledgments

Tables
               Table 1: Overview of Federal Banking Regulators’ Programs for
                       Supervision of Large Depository Institutions
               Table 2: Types of Supervisory Concerns Issued by Federal
                       Banking Regulators
               Table 3: GAO Criteria for Assessing Federal Banking Regulators’
                       Risk-Management Policies and Procedures for Large
                       Depository Institutions

Figures
               Figure 1: Number of Selected Supervisory Concerns, Federal
                        Deposit Insurance Corporation, Board of Governors of
                        the Federal Reserve System, Office of the Comptroller of
                        the Currency, 2012-2016
               Figure 2: Average Number of Days to Closure for the Most
                        Frequently Issued Matters Requiring Attention, Board of
                        Governors of the Federal Reserve System and Office of
                        the Comptroller of the Currency, 2012-2016

          Abbreviations

          CAMELS                     capital adequacy, asset quality, management,
                                     earnings, liquidity, and sensitivity to market risk
          COSO                       Committee of Sponsoring Organizations of the
                                     Treadway Commission
          FDIC                       Federal Deposit Insurance Corporation
          Federal Reserve            Board of Governors of the Federal Reserve System
          MRA                        matter requiring attention
          MRBA                       matter requiring board attention
          MRIA                       matter requiring immediate attention
          OCC                        Office of the Comptroller of the Currency



          This is a work of the U.S. government and is not subject to copyright protection in the
          United States. The published product may be reproduced and distributed in its entirety
          without further permission from GAO. However, because this work may contain
          copyrighted images or other material, permission from the copyright holder may be
          necessary if you wish to reproduce this material separately.




                       Letter




441 G St. N.W.
Washington, DC 20548




                       May 14, 2019

                       The Honorable Jerome H. Powell
                       Chairman
                       Board of Governors of the Federal Reserve System

                       The Honorable Jelena McWilliams
                       Chairman of the Board of Directors
                       Federal Deposit Insurance Corporation

                       The Honorable Joseph M. Otting
                       Comptroller of the Currency
                       Office of the Comptroller of the Currency

After the 2007–2009 financial crisis, the federal banking regulators—the
Federal Deposit Insurance Corporation (FDIC), the Board of Governors of
the Federal Reserve System (Federal Reserve), and the Office of the
Comptroller of the Currency (OCC)—rethought their approach to bank
supervision. We and the inspectors general for the federal banking
regulators have previously reported that management weaknesses at
large financial institutions contributed to the financial crisis and that bank
supervision needed to be strengthened. [1] Management weaknesses at the
institutions included ineffective leadership by boards of directors and
management; compensation arrangements tied to quantity rather than
quality of loans; and poor underwriting and credit administration practices.
In addition, our prior work identified a need for federal banking regulators
to take timely action to address identified supervisory concerns and adopt
a forward-looking approach to identify emerging risks. [2]

[1] For example, see GAO, Bank Regulation: Lessons Learned and a Framework for
Monitoring Emerging Risks and Regulatory Response, GAO-15-365 (Washington, D.C.:
June 25, 2015).

[2] For this report, we use “supervisory concerns” to describe written communication of
deficiencies from federal banking regulators to depository institutions in the form of
supervisory recommendations, matters requiring attention, matters requiring board
attention, or matters requiring immediate attention. See table 2 for a more detailed
description of these communications.

Since 2009, the regulators have issued updated examiner guidance for
examining management practices at institutions they oversee and
implemented risk-management requirements in the Dodd-Frank Wall
Street Reform and Consumer Protection Act. Although the economy and
banking industry largely have recovered from the financial crisis,
concerns remain that complacency might set in and that positive
economic results could mask underlying issues. For example, OCC has
reported that credit quality remains strong but credit risk is increasing
because of accumulated risk in loan portfolios from successive years of
incremental easing in underwriting, risk layering, concentrations, and
rising potential impact from external factors.

We conducted our work, under the authority of the Comptroller General,
to assist Congress with its oversight responsibilities. This report examines
(1) the extent to which revised policies and procedures for regulators’
supervision of management at large depository institutions were
consistent with leading risk-management practices; [3] (2) how examiners
applied policies and procedures for supervision of management at large
depository institutions they oversee; and (3) trends in regulators’
supervisory concern data for all depository institutions since 2012 and
how regulators tracked and used such data.

[3] For this report, we use “depository institutions” to refer to institutions chartered as
commercial banks or savings associations (or thrifts), but not to institutions chartered as
credit unions.

To address all our objectives, we focused on risk-management activities
related to corporate governance, internal controls, and internal audit
because management weaknesses in these areas could threaten the safe
and sound operation of a depository institution. We reviewed relevant
federal laws and regulations. We reviewed prior reports from GAO and
from the banking regulators’ Offices of Inspector General. [4] We also
reviewed a 2013 assessment of OCC supervision of large and mid-size
institutions. [5] We interviewed Federal Reserve, FDIC, and OCC staff
about examination policies and procedures for large depository
institutions, processes related to supervision of management at large
institutions, and use of supervisory concerns to address weaknesses the
examiners identified. We interviewed Office of Inspector General staff at
each banking regulator. We also interviewed three industry
representatives with prior experience in bank supervision to obtain their
perspectives on bank examinations and supervisory concerns.

[4] For a list of GAO reports we reviewed, see appendix I. Also see Board of Governors of
the Federal Reserve System and Consumer Financial Protection Bureau, Offices of
Inspector General, The Board Can Improve the Effectiveness of Continuous Monitoring as
a Supervisory Tool, 2017-SR-B-005 (Washington, D.C.: Mar. 29, 2017); Department of the
Treasury, Office of Inspector General, Safety and Soundness: Analysis of Bank Failures
Reviewed by the Department of the Treasury Office of Inspector General, OIG-16-052
(Washington, D.C.: Aug. 15, 2016); and Federal Deposit Insurance Corporation, Office of
Inspector General, Follow-up Audit of FDIC Supervision Program Enhancements,
MLR-11-010 (Washington, D.C.: Dec. 23, 2010). In addition, we recently reported on issues
related to regulatory capture and supervisory independence at OCC and the Federal
Reserve. See GAO, Large Bank Supervision: OCC Could Better Address Risk of
Regulatory Capture, GAO-19-69 (Washington, D.C.: Jan. 24, 2019); and Large Bank
Supervision: Improved Implementation of Federal Reserve Policies Could Help Mitigate
Threats to Independence, GAO-18-118 (Washington, D.C.: Nov. 6, 2017). We have
ongoing work on regulatory capture and supervisory independence in FDIC bank
supervision.

[5] OCC asked a small group of senior officials from foreign regulatory authorities to conduct
the independent review. See Keith Chapman, Brigitte Phaneuf, et al., An International
Review of OCC’s Supervision of Large and Midsize Institutions: Recommendations to
Improve Supervisory Effectiveness (Washington, D.C.: Dec. 4, 2013).

To determine the extent to which revised policies and procedures for
regulators’ supervision of management at large depository institutions
followed leading risk-management practices, we took steps to identify
relevant changes since the financial crisis to examination approaches and
processes (focus on oversight of qualitative risk-management activities
and communication of supervisory concerns) for large depository
institutions. (See table 1 for the federal banking regulators’ definitions of
“large depository institutions” which we adopted for reviewing regulators’
policies and procedures and examination documents). We reviewed
documents from several standard-setting organizations and other
information to identify criteria for assessing risks and risk management. [6]
We made connections between the principles listed in each of the criteria
documents to highlight the key elements of risk assessment, risk
measurement, corporate governance, internal controls, and internal audit
requirements. Additionally, we factored in regulators’ consideration of
compliance with laws and regulations. We then reviewed relevant
documents from the regulators—policy and procedural manuals,
supervisory statements, and other supervisory guidance—issued since
2009. We compared the information in the agency documentation against
our criteria to determine if updated policies and procedures included
elements of the criteria we selected.

[6] For example, we used federal internal control standards. See GAO, Standards for
Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: Sept. 10,
2014). Other sources included the Internal Control—Integrated Framework of the
Committee of Sponsoring Organizations of the Treadway Commission (COSO), Core
Principles for Effective Banking Supervision of the Basel Committee on Banking
Supervision, and safety and soundness standards developed by the federal banking
regulators. For more information on our scope and methodology, see appendix I.

To review how examiners applied agency policies and procedures for
supervision of management during examinations of large depository
institutions, we selected a non-generalizable sample of nine institutions
(three supervised by each regulator). We sought to achieve geographic
dispersion and diversity in asset size among the nine institutions and to
identify institutions with a focus on traditional banking activities. We then
requested examination documents (such as supervision plans, conclusion
memorandums, reports of examination, and supervisory letters) from
each regulator that related to review of management functions in 2014–
2016 (2016 was the most recent complete calendar year when we began
our review). We assessed the documents against the regulators’ policies
and procedures. We used a data collection instrument to determine if the
regulators’ actions and reporting were consistent with policies and
procedures we reviewed. The results of our review are not generalizable
to all of the regulators’ examinations, but provide illustrative examples of
how examiners applied agency policies and procedures for supervision of
management during examinations of large depository institutions.

To examine how regulators track and use data on supervisory concerns,
we analyzed the regulators’ policies and procedures for escalating
supervisory concerns to enforcement actions, interviewed staff at each
regulator about the data and their processes for collecting the data, and
reviewed internal reports and other supporting documentation. To
determine trends, we analyzed aggregate data on supervisory concerns
(2012–2016) for all institutions supervised by FDIC, OCC, and the
Federal Reserve. We determined the regulators’ data were reliable for
showing general trends in numbers of supervisory concerns, time frames
for closing supervisory concerns, and additionally for OCC, numbers of
supervisory concerns elevated to enforcement actions. However, the
regulators’ data had limitations that prevented us from conducting other
analyses we intended. See appendix I for more detailed information on
our scope and methodology.

We conducted this performance audit from March 2017 to April 2019 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.




Background

Federal Banking Regulators

The purpose of federal banking supervision is to help ensure that
depository institutions throughout the financial system operate in a safe
and sound manner and comply with federal laws and regulations for the
provision of banking services. In addition, federal banking supervision
looks beyond the safety and soundness of individual institutions to
promote the stability of the financial system as a whole. Each depository
institution in the United States is primarily supervised by one of the
following three federal banking regulators:

•   The Federal Reserve supervises state-chartered banks that are
    members of the Federal Reserve System, bank and savings and loan
    holding companies, Edge Act and agreement corporations, and the
    U.S. operations of foreign banks. [7]
•   FDIC supervises insured state-chartered banks that are not members
    of the Federal Reserve System, state-chartered savings associations,
    and insured state-chartered branches of foreign banks.
•   OCC supervises federally-chartered national banks and savings
    associations and federally-chartered branches and agencies of
    foreign banks. [8]

These federal banking regulators have broad authority to examine
depository institutions subject to their jurisdiction. [9]

[7] The Federal Reserve System consists of the Board of Governors, 12 Reserve Banks,
and the Federal Open Market Committee, the latter of which draws members from the
Board of Governors and Reserve Banks. The Board of Governors is an independent
federal agency whose responsibilities include promoting the stability of financial markets,
supervising financial institutions, and providing general supervision of Reserve Bank
operations. The Board of Governors has delegated the authority to examine financial
institutions to the Federal Reserve Banks.

[8] FDIC, Federal Reserve, and OCC have primary consumer protection supervisory and
enforcement powers over banks and thrifts with $10 billion or less in assets, but the
Consumer Financial Protection Bureau may participate in examinations of these smaller
depository institutions to assess compliance with federal consumer financial protection
laws. The Consumer Financial Protection Bureau has primary consumer protection
oversight responsibilities for depository institutions with more than $10 billion in assets
and their affiliates. See 12 U.S.C §§ 5515-5516.

[9] See, e.g., 12 U.S.C. §§ 1463(a)(1)(B), 1820(b) (FDIC); 12 U.S.C. §§ 325, 1844(c)(2)
(Federal Reserve); 12 U.S.C. §§ 481, 1463(a)(1)(A) (OCC); and 12 U.S.C. §
3105(c)(1)(C).

Federal Supervision and                  Federal banking regulators carry out a number of supervisory activities in
Examinations of Large                    overseeing management of large depository institutions (see table 1 for a
                                         summary of supervision programs for large depository institutions). The
Depository Institutions
                                         supervisory activities are conducted both off- and on-site. Generally,
                                         federal banking regulators use off-site systems to monitor the financial
                                         condition of an individual bank; groups of banks with common product,
                                         portfolio, or risk characteristics; and the banking system as a whole
                                         between on-site examinations. Federal banking regulators generally
                                         conduct on-site supervision by stationing examiners at specific
                                         institutions. This practice allows examiners to continuously analyze
                                         information provided by the financial institution, such as board meeting
                                         minutes, institution risk reports or management information system
                                         reports. This type of supervision is intended to allow for timely
                                         adjustments to the supervisory strategy of the examiners as conditions
                                         change within the institutions.

Table 1: Overview of Federal Banking Regulators’ Programs for Supervision of Large Depository Institutions

Regulator               Program               Structure                        Types of institutions in               Number of
                                                                               the program                    institutions in the
                                                                                                                        program
Federal Deposit         Large Bank            Regional staff embedded on-      FDIC-supervised                               38
Insurance Corporation   Supervision program   site at the institutions with    institutions with total         (as of September
(FDIC)                                        support from the Regional        assets greater than $10                    2018)
                                              Office and Washington Office.    billion
                                              The Washington Office is
                                              responsible for managing
                                              supervisory programs,
                                              conducting horizontal reviews,
                                              and providing on-site support
                                              for targeted reviews.
Board of Governors of   Large Banking         Each Reserve Bank                Domestic bank and                              20
the Federal Reserve     Organization          supervises the institutions      savings and loan holding        (as of June 2018)
System (Federal                               (large banking organizations)    companies with total
Reserve)                                      located in its district with     consolidated assets of at
                                              support and oversight from       least $50 billion not
                                              staff at the Board of            included in the Large
                                              Governors                        Institution Supervision
                                                                               Coordinating Committee
                                                                               program (which oversees
                                                                               the largest, most
                                                                               systemically important
                                                                               institutions).a




                                         Page 6                                                      GAO-19-352 Bank Supervision
Regulator                   Program       Structure                     Types of institutions in    Number of institutions
                                                                        the program                 in the program
Office of the Comptroller   Large Bank    Core teams are assigned to    Large national banks and    149 (as of September
of the Currency (OCC)       Supervision   specific banks and are        federal savings             2018)
                            Department    housed in OCC offices or      associations with $50
                                          embedded on-site with banks   billion or more in total
                                                                        assets and federal
                                                                        branches and agencies of
                                                                        foreign banking
                                                                        organizations
Source: GAO analysis of information from federal banking regulators. | GAO-19-352
a The threshold for institutions supervised under the Federal Reserve’s Large Banking Organization
program changed to $100 billion after passage of the Economic Growth, Regulatory Relief, and
Consumer Protection Act, which was enacted after our period of review. Pub. L. No. 115-174, 132
Stat. 1296 (2018).


                                                                 FDIC, the Federal Reserve, and OCC are required to conduct a full-
                                                                 scope, on-site examination of each insured depository institution they
                                                                 supervise at least once during each 12-month period. The regulators may
                                                                 extend the examination interval to 18 months, generally for institutions
                                                                 that have less than $3 billion in total assets and that meet certain
                                                                 conditions, based on ratings, capitalization, and status of formal
                                                                 enforcement actions, among others.

                                                                 For large institutions, federal banking regulators do not conduct an annual
                                                                 point-in-time examination of the institution. Rather, they conduct ongoing
                                                                 examination activities that are generally intended to evaluate an
                                                                 institution’s operating condition, management practices and policies, and
                                                                 compliance with applicable laws and regulations. In particular, examiners
                                                                 review an institution’s condition using the Uniform Financial Institutions
                                                                 Rating System, also known as CAMELS (capital adequacy, asset quality,
                                                                 management, earnings, liquidity, and sensitivity to market risk). 10
                                                                 Evaluations of CAMELS components consider an institution’s size and
                                                                 sophistication, the nature and complexity of its activities, and its risk
                                                                 profile. Throughout the examination cycle, each target examination will
                                                                 result in a letter that is transmitted to the institution (where applicable). At
                                                                 the end of the supervisory cycle, a report of examination is issued to the
                                                                 institution. The target examination letter and report of examination may
                                                                 include supervisory concerns that examiners found and that an institution
                                                                 is expected to address within specific time frames.

                                                                 10 In an examination, a depository institution is rated on each CAMELS component and
                                                                 then given a composite rating, which generally bears a close relationship to the
                                                                 component ratings. However, the composite is not an average of the component ratings.
                                                                 The component and the composite ratings are scored on a scale of 1 (best) to 5 (worst).
                                                                 Regulatory actions typically correspond to the composite rating, with regulatory actions
                                                                 generally increasing in severity as ratings become worse.

                       The regulators also issue supervisory guidance, which they describe as
                       including interagency statements, advisories, bulletins, policy statements,
                       questions and answers, and frequently asked questions issued to their
                       respective supervised institutions. Supervisory guidance outlines the
                       regulators’ supervisory expectations or priorities and articulates general
                       views regarding appropriate practices for a given subject area. The
                       guidance often provides examples of practices that the regulators
                       generally consider consistent with safety and soundness standards or
                       other applicable laws and regulations. According to the regulators,
                       supervisory guidance is not legally binding. 11

                       For instance, FDIC financial institution letters generally announce matters
                       of interest to those responsible for operating an institution. Federal
                       Reserve supervision and regulation letters address significant policy and
                       procedural matters. OCC bulletins generally accomplish the same goals
                       as FDIC and Federal Reserve letters. The letters and bulletins are
                       published on each regulator’s website. Often, the contents of these
                       documents are incorporated into broader examination manuals.

                       Moreover, the federal banking regulators have developed internal control
                       functions within the supervision programs for large depository institutions,
                       which consist of several layers of review following examinations. Each
                       regulator has a review process at the conclusion of examinations, and
                       examiners prepare written products documenting their findings and meet
                       with regional and headquarters officials to finalize decisions. Also, each
                       regulator maintains an internal review function to ensure that examiners
                       properly applied examination guidance.


11 For example, see Board of Governors of the Federal Reserve System, Federal Deposit
Insurance Corporation, National Credit Union Administration, Office of the Comptroller of
the Currency, and Bureau of Consumer Financial Protection, Interagency Statement
Clarifying the Role of Supervisory Guidance (Washington, D.C.: Sept. 11, 2018).

Forward-Looking Supervisory Approach

We and others previously found that regulators identified underlying risks
at depository institutions that failed during the 2007–2009 financial crisis
well before their failure, but did not always take timely supervisory action.
As stated by the regulators, the strength or weakness of bank
management can reflect an institution’s underlying risk. For example,
according to FDIC, the quality of management, including the board of
directors and executives, is probably the single most important element in
the successful operation of an institution. The Federal Reserve noted that
the culture, expectations, and incentives established by the highest levels
of corporate leadership set the tone for the entire organization and are
essential determinants of whether an organization is capable of
maintaining fully effective risk-management and internal control
processes. Also, according to OCC, an effective corporate and risk
governance framework is essential to ensuring the safe and sound
operation of the institution and helping to promote public confidence in the
financial system.

In our past work, regulators told us they recognized bank supervision
needed to be more forward-looking and had incorporated more forward-
looking elements into examinations. 12 Forward-looking supervision seeks
to mitigate emerging risks before they affect the financial condition of an
institution. 13 Regulators can respond to emerging risks in the banking
sector with a variety of supervisory tools. These include micro-prudential
tools, which traditionally have focused on the safety and soundness of
individual financial institutions, and macro-prudential tools, which can be
used to address vulnerabilities across the banking system and broader
financial system. Supervisory concerns are an important micro-prudential
tool to support forward-looking supervision by ensuring that a depository
institution takes early action to correct deficiencies. Also, trends in
examination data and enforcement activity can provide information on
regulators’ identification of and response to concerns of institution safety
and soundness and emerging risks.




12 GAO-15-365.
13 Emerging risks are vulnerabilities in the banking system which, given a shock or series
of shocks outside the system, can cause the failure of a systemically important institution
or multiple institutions.




Regulators’ Approaches to Oversight of Management at Large Depository Institutions Generally Were Consistent with Leading Risk-Management Practices

Since 2009, federal banking regulators have revised policies and
procedures to address management weaknesses at large depository
institutions, including by differentiating levels of severity for supervisory
concerns and specifying when to communicate them to management at
the institutions. Based on our review of selected examination documents,
the regulators’ policies and procedures often took different approaches for
overseeing management of large depository institutions but each
generally addressed leading risk-management practices.

Regulators Made Progress in Addressing Oversight of Management Weaknesses and Timely Action on Supervisory Concerns

Since 2009, federal banking regulators have revised policies and
procedures to better address management weaknesses at large
depository institutions identified in the aftermath of the financial crisis.
Regulatory staff with whom we spoke noted that most important risk-
management concepts had been included in their policies for some
time. 14 The post-crisis updates were intended to provide better definitions
of certain risk categories and enable examiners to consider individual
risks within the context of all risks facing the institution.

14 For instance, in January 1997, the federal banking regulators updated definitions for
depository institution ratings to emphasize early identification and correction of risk-
management weaknesses (to avoid deterioration in institutions’ condition, financial losses,
or failures). The update of CAMELS codified and emphasized the regulators’ long-
standing practice of considering the impact of an institution’s practices on its future
financial and operational condition.

For instance, in June 2009, FDIC re-emphasized the forward-looking
approach, which FDIC states encourages examiners to consider the
likelihood that identified weaknesses will cause material problems in the
future, and consider the severity of damage to an institution if conditions
deteriorate. 15 FDIC further noted that this assessment reflects both the
board of directors’ and management’s ability to identify, measure,
monitor, and control the risks of the institution’s activities, ensure its safe
and sound operations, and ensure compliance with applicable laws and
regulations. FDIC policy provides that an assessment of management is
not solely dependent on the current financial condition of the institution.
Also, in 2015 FDIC updated policies and procedures for identifying and
assessing the influence of dominant bank officials or policymakers on an
institution, and stated the policy was intended to limit the influence of
dominant officials when internal controls are inadequate and ensure
independence of the risk-management function. 16

In 2012, the Federal Reserve updated procedures for supervision of large
financial institutions, which were intended to strengthen traditional firm-
level supervision while also incorporating systemic considerations to
reduce potential threats to the stability of the financial system and provide
insights into financial market trends. 17 In 2013, the Federal Reserve
updated expectations for the assessment of an institution’s internal audit
function and provided guidance about the degree to which examiners
may rely on the work of an institution’s internal audit function. 18

15 See Federal Deposit Insurance Corporation, Risk Management Manual of Examination
Policies, Section 1.1-9, February 2016 version. In August 2018, the FDIC Office of
Inspector General recommended that FDIC issue a comprehensive policy guidance
document defining “forward-looking supervision.” See Federal Deposit Insurance
Corporation, Office of Inspector General, Forward-Looking Supervision, EVAL-18-004
(Washington, D.C.: Aug. 8, 2018). For our assessment of the extent to which regulators’
supervisory policies and procedures were consistent with leading risk-management
practices, we included policies and procedures that were in effect as of the end of 2016,
consistent with the scope of our review, unless otherwise noted.
16 Federal Deposit Insurance Corporation, Identifying and Assessing Dominant Officials or
Policymakers, 2015-16-RMS (Washington, D.C.: Dec. 15, 2015).
17 See Board of Governors of the Federal Reserve System, Consolidated Supervision
Framework for Large Financial Institutions, SR 12-17 (Washington, D.C.: Dec. 17, 2012).
18 The Board of Governors of the Federal Reserve System, Supplemental Policy
Statement on the Internal Audit Function and Its Outsourcing, SR 13-1/CA 13-1
(Washington, D.C.: Jan. 23, 2013).

In 2015, OCC updated its Risk Assessment System to help examiners
draw conclusions about the quantity of risk, quality of risk management,
aggregate risk, and direction of risk for institutions under eight different
risk categories. 19 Also, in 2016, OCC published the Corporate and Risk
Governance booklet of the Comptroller’s Handbook to incorporate
heightened standards requirements for depository institutions with
average total consolidated assets of $50 billion or more. 20 The booklet
provides guidance to examiners on board and management
responsibilities, risk management assessment factors, and measurement
and assessment of risk consistent with the heightened standards.

                                           Regulators also took steps to enhance their ability to resolve supervisory
                                           concerns in a timely manner through improvements to policies and
                                           procedures on identifying and communicating concerns. The regulators
                                           employ progressive enforcement regimes to address supervisory
                                           concerns that arise during the examination cycle (see table 2). If the
                                           institution does not respond to the concern in a timely manner, the
                                           regulators may take informal or formal enforcement action, depending on
                                           the severity of the circumstances. Informal enforcement actions include
                                           obtaining an institution’s commitment to implement corrective measures
                                           under a memorandum of understanding. Formal enforcement actions
                                           include issuance of a cease-and-desist order or assessment of a
                                           monetary penalty, among others. 21

Table 2: Types of Supervisory Concerns Issued by Federal Banking Regulators

Supervisory concern level            Federal Deposit Insurance           Board of Governors of the     Office of the Comptroller of
                                     Corporation                         Federal Reserve System        the Currency
Recommendation to optionally         (Not applicable)                    (Not applicable)              Informal suggestion
enhance satisfactory practice
Minor concern resolved in normal     Supervisory recommendation          Matter requiring attention    Matter requiring attention
course
Serious concern resolved in                                                                            Matter requiring attention or
normal course                                                                                          informal or formal action
Serious concern that demands         Supervisory recommendation,         Matter requiring immediate
immediate board attention            listed as matter requiring board    attention
                                     attention
Lack of adequate institution         Informal or formal action           Informal or formal action     Informal or formal action
response to serious concern that
demands immediate response or
certain legal standard(s) triggered
Source: GAO analysis of information from federal banking regulators. | GAO-19-352

19 The eight risk categories are credit, interest rate, liquidity, price, operational,
compliance, strategic, and reputation. See Office of the Comptroller of the Currency,
Comptroller’s Handbook, Bank Supervision Process booklet, p. 21, December 2015
version.
20 See 12 C.F.R. § 30, appendix D. OCC’s heightened standards require covered banks to
establish and adhere to a written risk-governance framework to manage and control their
risk-taking activities.
21 See, for example, 12 U.S.C. §§ 1818, 1831aa.



                                                                 The regulators have continued to update these regimes to clarify the
                                                                 distinction between each level of concern and to improve communication
                                                                 of concerns to the boards of directors of depository institutions. For
                                                                 instance, in 2016, the board of directors of FDIC issued a statement
                                                                 setting forth basic principles to guide the identification and communication
                                                                 of supervisory recommendations. 22 The board stated that a supervisory
                                                                 recommendation refers to FDIC communications with a depository
                                                                 institution that are intended to inform it of FDIC’s views about changes
                                                                 needed to its practices, operations, or financial condition. FDIC’s updated
                                                                 policies and procedures state that supervisory recommendations must be
                                                                 presented in writing and most are generally correctable in the normal
                                                                 course of business. When developing and communicating these
                                                                 recommendations, FDIC examiners are required to (1) address
                                                                 meaningful concerns, (2) communicate concerns clearly and in writing,
                                                                 and (3) discuss corrective action. Supervisory recommendations that involve
                                                                 an issue or risk of significant importance and that typically would require
                                                                 more effort to address than those correctable in the normal course would
                                                                 need to be brought to the attention of the board and senior management
                                                                 through matters requiring board attention (MRBA) comments.

22 Federal Deposit Insurance Corporation, Statement of FDIC Board of Directors on the
Development and Communication of Supervisory Recommendations (Washington, D.C.:
July 29, 2016).

The Federal Reserve updated its policies and procedures on identification
and communication of supervisory concerns in 2013. The supervision and
regulation letter defined matters requiring immediate attention (MRIA) to
include (1) matters that have the potential to pose significant risk to the
safety and soundness of the banking organization; (2) matters that
represent significant noncompliance with applicable laws or regulations;
(3) repeat criticisms that have escalated in importance due to insufficient
attention or inaction by the banking organization; and (4) in the case of
consumer compliance examinations, matters that have the potential to
cause significant consumer harm. The letter defines matters requiring
attention (MRA) as deficiencies that are important and should be
addressed over a reasonable period of time, but where the institution’s
response need not be immediate. Therefore, the distinction between
MRIAs and MRAs is the nature of and severity of the matter and the
timing by which the institution must respond. No matter how serious the
concern, it is addressed to the institution’s board of directors.

According to the Federal Reserve’s policies and procedures, the
communication of supervisory findings must be (1) written in clear and
concise language, (2) prioritized based upon degree of importance, and
(3) focused on any significant matters that require attention. The Federal
Reserve proposed new supervisory concern policies and procedures in
2017, which provided that examiners and supervisory staff should direct
most MRIAs and MRAs to senior management of institutions for
corrective action. MRIAs or MRAs only would be directed to the board for
corrective action when the board needed to address its corporate
governance responsibilities or when senior management failed to take
appropriate remedial action. The proposed policies would not change the
definitions of MRAs and MRIAs or the content of communications to
institutions. As of April 2019, the proposed policies and procedures had
not been finalized.

OCC updated its policies and procedures for examiners to identify and
communicate MRAs in 2014 and further enhanced them in 2017. OCC’s
policy states that MRAs describe practices that an institution must
implement or correct, ideally before those deficient practices affect the
bank’s condition. Specifically, MRAs describe practices that (1) deviate
from sound governance, internal control, or risk-management principles,
and have the potential to adversely affect the bank’s condition, including
its financial performance or risk profile, if not addressed; or (2) result in
substantive noncompliance with laws or regulations, enforcement actions,
or conditions imposed in writing in connection with the approval of any
application or other request by the bank. OCC refers to such practices as
deficient practices. Such practices also may be unsafe or unsound—
generally, any action, or lack of action that is contrary to generally
accepted standards of prudent operation and the possible consequences
of which, if continued, would be abnormal risk or loss or damage to an
institution, its shareholders, or the Deposit Insurance Fund.

OCC supervisory concerns are to be communicated in writing to the
institution’s management and board of directors to ensure timely and
effective correction. Written communications must incorporate the “five
c’s” format:

•    Describe the concern.
•    Identify the root cause(s) of the deficient practice and contributing
     factors.
•    Describe potential consequence(s) or effects on the bank from
     inaction.
•    Describe supervisory expectations for corrective action(s).
•    Document management’s commitment(s) to corrective action and
     include the time frame(s) and the person(s) responsible for corrective
     action.

If the root cause of the deficient practice is not apparent, OCC’s
procedures instruct examiners to direct management to perform a root-
cause analysis as part of the corrective action.


Based on Our Review, Regulators’ Policies and Procedures for Management Oversight Generally Were Consistent with Leading Risk-Management Practices

The regulators’ revised policies and procedures that relate to oversight of
risk management at large depository institutions and to supervisory
concerns generally were consistent with leading risk-management
practices. We reviewed leading standards and practices (such as federal
internal control standards) and then developed criteria with which to
assess the regulators’ policies and procedures. Criteria we used included
that guidance be clear and actionable and that examiners review risk-
management and control functions, identify existing and emerging risks,
and review compliance with laws and regulations. (See table 3 for the
specific criteria we applied, appendix I for more information on our
methodology, and appendix II for the list of policy and procedure
documents we reviewed).

Table 3: GAO Criteria for Assessing Federal Banking Regulators’ Risk-Management Policies and Procedures for Large
Depository Institutions

Criteria                                        Subcriteria
Guidance on reviewing risk-management           1.   Risk-management objectives intended to maximize the achievement of risk
governance, risk-management procedures,              identification and results are defined in specific terms so they are understood at all
and risk-control infrastructure is clear and         levels of the entity.
actionable to enable examiners to identify      2.   Risk-management objectives defined in measurable terms (are generally free of
risks and define risk tolerances.                    bias, do not require subjective judgments to dominate their measurement, and are
                                                     stated in a quantitative or qualitative form that permits reasonably consistent
                                                     measurement) so that performance toward achieving those objectives can be
                                                     assessed and lessons learned can be applied.
                                                3.   The acceptable level of variation in risk levels relative to the achievement of the
                                                     risk-management objectives is defined.
Guidance requires examiners to identify a       1.   Examiners are required to review how the bank’s internal-control and
clear governance framework within the bank           risk-management systems are overseen, including reviews of composition,
that incorporates sound objectives, policies,        responsibilities, and qualifications of the oversight body.
and risk limits. Also requires examiners to     2.   Examiners are required to assess the quality and independence of management
review the independence and effectiveness of         and operational responsibilities for risk management (including fraud risk).
the risk-management and control functions       3.   Examiners are required to review the design, implementation, and operation of the
(including internal audit, credit review, and        bank’s internal control system, including framework for remediating deficiencies in
compliance).                                         the internal control system.
Guidance requires examiners to identify and     1.   Examiners are required to review the types of risks and changes (to systems,
report existing and emerging risks at                processes, and products) that might affect supervised entities, including their
supervised banks, and significant changes            internal audit function.
that could affect the banks’ internal-control   2.   Examiners are required to consider the significance of the identified risks and
and risk-management systems. Examiners               consideration of interaction among different risks or groups of risks.
also are to ensure effective and timely
implementation of actions to address existing   3.   Examiners are required to institute specific actions to respond to existing and
and emerging risks.                                  emerging risks, including escalation of significant risks, so that risks stay within
                                                     the defined risk tolerance.
Guidance requires examiners to review           1.   Identification and explanation of applicable laws and regulations.
banks’ compliance with applicable laws and      2.   Examination procedures to review compliance with applicable laws and
regulations.                                         regulations.
                                                3.   Requirement to respond to violations of applicable laws and regulations.
Source: GAO. | GAO-19-352



                                             While individual policies or procedures may not have satisfied all of our
                                             criteria, when viewed collectively the policies and procedures generally
                                             addressed leading risk-management practices. For example, the policies
                                             and procedures almost always provided examiners with clear and
                                             actionable objectives for risk-management governance; enabled
                                             examiners to identify whether an institution had established a clear
                                             governance framework; assisted examiners in identifying, reporting, and
                                             recommending changes to address existing and emerging risks; and
                                             required review of institutions’ compliance with applicable laws and
                                             regulations.

                                             More specifically, we found FDIC risk-management policies and
                                             procedures for examining large insured depository institutions generally
                                             provide clear, actionable risk-management objectives with a few
                                             exceptions that did not materially affect our overall assessment. For
                                             instance, we identified that a policy document contains clear parameters
                                             for examiners to assess identified risks, which is consistent with our
                                             criteria, but the parameters did not include instructions for when
                                             examiners should consider changing a bank’s rating based on identified
                                             risk levels. However, related guidance for examiners in considering the
impact of risk on the institution can be found in the definitions and
descriptions of CAMELS ratings. We also found that FDIC developed
adequate policies and procedures to evaluate corporate governance. In
particular, consistent with leading practices, the guidance requires
separation of board and management and identification of and response to
dominant officials, and it encourages detailed review of the control
environment. FDIC also has processes for risk assessment and for tracking
and monitoring risk to address existing and emerging risks. For example,
examiners are required to review updates to the institution’s risk-
management processes for new lines of business.

Similarly, we found that Federal Reserve policies and procedures for
large depository institutions generally identify clear, actionable risk-
management objectives and explain activities that might be riskier at
some institutions compared to others, but a few policies and procedures
were not fully consistent with our criteria. For instance, while corporate
governance policies and procedures provide detailed materials for
examiners to use during examination, and there is extensive guidance on
risk identification, assessment, and communication, we noted relatively
limited written procedures regarding escalation of concerns to
enforcement actions. We discuss this issue in more detail later in this
report. We also found that the Federal Reserve included forward-looking
risk assessment procedures within risk-identification processes, including
preliminary risk assessment to address existing and emerging risks.

Finally, we found that OCC policies and procedures for large depository
institutions generally provide clear requirements for examiner evaluation
of the supervised institution’s quantity of risk, quality of risk management,
and direction of risk. But the methods of measurement and specific
tolerances for risk in these policies and procedures are not as clear as
suggested by the leading practices. However, guidance to evaluate the
potential impact of risk is separately available to examiners in OCC’s
MRA and enforcement action policies and procedures. We found that
consistent with our criteria, policies and procedures are detailed to
provide examiners a clear framework to review banks’ corporate
governance and risk-management systems. In particular, appropriate
attention is paid to board oversight and effective management practice,
including clear outlines for board and management responsibilities and
independence. To address existing and emerging risks, OCC requires
examiners to assess a specific set of risks within its risk-based
supervision approach using the Risk Assessment System. OCC uses the
Risk Assessment System in conjunction with CAMELS and other
                             regulatory ratings during the supervisory process to evaluate an
                             institution’s financial condition and resilience.


Examiners Applied Their Policies but Communication of Supervisory Concerns Could Be
More Complete

Our review of examination documents of nine depository institutions
found that examiners from the three banking regulators generally applied
their policies and procedures and identified and communicated
management weaknesses to those institutions. Practices for
communicating concerns varied among regulators and some practices led
to communications that often lacked complete information that would help
institutions’ boards of directors ensure that senior management respond
to emerging risks in a timely manner. Lastly, examiners generally followed
up on prior supervisory concerns consistent with their policies and
procedures.


Examiners Generally Applied Their Policies and Procedures for Supervision of
Management at Large Depository Institutions in the Examinations We Reviewed

For the examinations we reviewed, we found that examiners generally
applied policies and procedures to assess management oversight of risk
at large depository institutions, including those relating to corporate
governance, internal controls, and internal audit. We compared selected
elements of examiner policies and procedures (focusing on the
management component of CAMELS) with selected 2014–2016
examination documents to determine how examiners applied policies and
procedures. (See appendix III for the questions we used to make these
determinations.)

Our non-generalizable review of examination documents of nine
institutions found that examiners reviewed areas relating to corporate
governance, internal controls, and internal audit, which are key
components of risk-management frameworks for institutional
management and governance. For instance, to assess the adequacy of
an institution’s overall corporate governance, FDIC, Federal Reserve, and
OCC examiners of the selected institutions generally conducted reviews
of areas such as board and management oversight and internal audit. For
example:

•   In examination documents for one of the institutions, we found that
    FDIC examiners examined materials regarding independence and
    qualifications of directors and policies and procedures related to risk
    assessments.
•   We noted for another institution that Federal Reserve examiners
    reviewed materials regarding directors’ fulfillment of duties and
    responsibilities and policies and procedures relating to corporate
    compliance.
•   Also, we observed that for one institution, in describing the leadership
    of the board and management, OCC examiners described aspects of
    the control environment, risk assessment, control activities,
    accounting, information, and communication as well as
    self-assessment and monitoring.

At eight of the nine institutions we reviewed, we also found that regulators
took steps that were designed to communicate deficiencies they identified
before the weaknesses affected an institution’s financial condition. More
specifically, examiners identified concerns related to board oversight; risk
monitoring; policies, procedures, and limits; and internal controls.

Also, for at least four of the nine institutions we reviewed, examiners
reported they downgraded the management component rating based on
weaknesses identified in management of risks independent of the
institutions’ financial condition. For example, at one institution, we
observed examiners reporting that weaknesses in an institution’s risk
management contributed to a less-than-satisfactory or “3” rating for the
management component. Additionally, examiners downgraded the
management component rating for two institutions with satisfactorily-rated
financial positions because of significant weaknesses in the risk-
management program. In another instance, we observed examiners
reporting that management’s need to complete remediation of previously
identified weaknesses contributed to a “fair” or “3” rating for the
management component of CAMELS. As previously discussed, in the
past regulators did not always take timely supervisory action on the
management weaknesses they identified. In all the reports of
examinations we reviewed, examiners generally explained the basis for
the rating they assigned to the management component of CAMELS,
such as management’s responsiveness to addressing weaknesses and
compliance with laws and regulations.




Communication of Supervisory Concerns Varied among Regulators and Some
Communications Did Not Provide Information on Cause or Potential Effect

Practices for communicating supervisory concerns to institutions varied
among regulators and some communications do not provide complete
information that could help boards of directors monitor whether
deficiencies are fully addressed by management. As discussed
previously, the regulators require staff to communicate supervisory
concerns to institutions through formal written communications. 23 The
written communications are generally directed to senior management and
boards of directors, which have oversight responsibilities over senior
management. According to the Federal Reserve, boards are inherently
disadvantaged given their dependence on senior management for the
quality and availability of information. One industry representative told us
that supervisory concerns were not always clearly communicated, noting
that communications of supervisory concerns sometimes can be difficult
to interpret and correct. An official from one of the regulators stated that
former examiners working as industry consultants sometimes may be
hired to help interpret supervisory letters and assist depository institutions
in responding to supervisory concerns.

                            Federal internal control standards state that management should
                            communicate quality information externally to help the entity achieve its
                            objectives and address related risks. Quality information is defined as
                            appropriate, current, complete, accurate, accessible, and provided on a
                            timely basis. Other authoritative internal control sources, including
                            Circular A-123 and the framework of the Committee of Sponsoring
                            Organizations of the Treadway Commission (COSO) require cause
                            analysis—that is, an identification of the cause of the deficiencies that
                            have been found. Generally accepted government auditing standards
                            require that auditors plan and perform procedures to develop all four
                            elements of a finding (criteria, condition, cause, and effect) necessary to
                            address audit objectives. Although these authoritative sources do not
                            apply to federal banking regulators, the standards identify principles
                            consistent with the goal of FDIC, Federal Reserve, and OCC guidance in
                            ensuring clear and complete communication of supervisory
                            recommendations.

OCC. For two of the three OCC-supervised institutions whose
examination documents we reviewed, OCC examiners generally
communicated to boards of directors the information they would need to
monitor to determine whether deficiencies were fully addressed by
management. OCC’s policies and procedures on MRAs require
examiners to identify and communicate in writing to depository institutions
the concern, cause, consequences of inaction, required corrective action,
and management’s commitment for corrective action. If the cause of the
deficient condition is not apparent, examiners must direct the institution’s
management to perform a root-cause analysis as part of the corrective
action. According to OCC staff, they implemented the MRA requirements
agency-wide in 2014 after having a positive experience applying them at
the community bank level. OCC staff told us that it is necessary for
examiners and institutions to understand the cause of a deficiency for
examiners to make appropriate recommendations and institutions to
address the concern and help ensure the deficiency does not reoccur.

23
  These formal written communications could take the form of a report of an examination,
supervisory letter, or letter of findings.

Failure of examiners to identify and communicate the root causes of
inappropriate practices was among the key findings of an internal OCC
review of supervision of sales practices at Wells Fargo. In September
2016, OCC took enforcement action against Wells Fargo for improper
sales practices. In April 2017, OCC’s Office of Enterprise Governance
and the Ombudsman published an independent review of OCC’s
supervisory record for Wells Fargo, which identified gaps in OCC’s
supervision and lessons learned. Review findings included that the OCC
team responsible for supervising Wells Fargo did not ensure that
examiners evaluated root causes of the improper sales practices. In
addition, they found that the first MRA that identified the sales practices
issue in 2010 did not list the issue as an unsafe or unsound practice and
did not identify a root cause or responsible parties. Among the lessons
learned was ensuring analysis of root causes and compliance with OCC
MRA guidance.

In our review, we also observed how OCC’s written communications of
concerns changed as its requirements were implemented. For example,
in documents from 2014 for two institutions, OCC examiners generally
only communicated the concern or the required corrective action and
management’s commitment to corrective actions. By 2016, examiners
documented each of the required elements for MRAs in their written
communication (for two institutions).

FDIC. For the three FDIC-supervised institutions whose examination
documents we reviewed, FDIC examiners did not communicate to boards
of directors the information they would need to monitor whether
deficiencies were fully addressed by management. For these three
institutions, FDIC examiners stated the concern (deficiency) and required
corrective action in their internal communications of supervisory
recommendations and also externally with depository institutions. They
sometimes stated the potential effect of the deficient condition on the
safety and soundness of the institution. These practices were consistent
with FDIC policies and procedures in place at the time. 24 For example, in
the written communication to one FDIC institution selected for our review,
examiners conveyed specific information about the supervisory concerns,
the effect of the deficiencies on the institution, and the required corrective
action for the MRBAs related to an examination. In another instance, the
communication of the supervisory concerns appeared less specific. In
that case, examiners reported that the institution management’s actions
did not fully address a deficient condition identified in the prior
examination. We found that the prior written communication of concerns
to the institution did not identify the cause of the deficient condition or
propose specific action to be taken.

FDIC staff told us they believed that updates to their policies and
procedures in 2016 already require examiners to identify the cause for the
deficient condition and communicate it to the depository institutions.
Specifically, FDIC requires examiners to “describe the deficient practices,
operations, or financial condition and how it deviates from sound
governance, internal controls, or risk management or consumer
protection principles, or legal requirements.” 25 This requirement is similar
to OCC’s requirement to “describe the concern.” Specifically, OCC
examiners are required to “describe the deficient practice and how it
deviates from sound governance, internal control or risk management
principles.” 26 FDIC’s policies and procedures do not require examiners to
identify the factor(s) responsible for the deficient condition (the “why”) or
communicate it to the institutions. Based on the examination documents
we reviewed, we did not observe that FDIC examiners communicated the
cause of the deficiency. Including the cause facilitates a better
understanding of why an institution’s condition is not consistent with law
or regulations and, ultimately, can help an institution determine how it
could remedy the condition.

24
 Federal Deposit Insurance Corporation, Matters Requiring Board Attention, Transmittal
No. 2010-003 (Washington, D.C.: Jan. 26, 2010).
25
  See 2016 FDIC Board statement.
26
  See Office of the Comptroller of the Currency, Matters Requiring Attention, PPM 5400-11
(Washington, D.C.: Mar. 13, 2017). OCC examiners have a separate requirement to
identify root cause(s) of the deficient practice and contributing factors, or to direct
institution management to perform a root-cause analysis as part of the corrective action if
root cause is not apparent.

Federal Reserve. In our review of examination documents for three
institutions, Federal Reserve examiners did not include information that
boards of directors would need to monitor whether deficiencies were fully
addressed by management. Reserve Bank examiners stated the
condition and required corrective action in their internal and external
communications of supervisory recommendations to depository
institutions, consistent with Federal Reserve policies and procedures.
Furthermore, the condition and required corrective action were generally
closely linked to the criteria examiners applied during the examination,
which often consisted of Federal Reserve supervisory guidance.

We found that the written communications to depository institutions did
not always provide information that would convey the reason the deficient
condition occurred (cause) or the potential consequences of the deficient
condition (effect). As a result, the information conveyed in the written
communications of supervisory concerns was limited.

The Federal Reserve Board has broad criteria for Federal Reserve Bank
examiners requiring them to communicate only the condition and required
corrective action. Federal Reserve Board staff told us that they do not
require examiners to identify the cause of a deficient practice or condition.
Instead, they leave that responsibility to institutions. Staff stated that they
believe the institution is in the best position to identify the cause. They
noted that this also could reduce the amount of time examiners otherwise
would spend searching for the cause. However, we noted that at least
one Reserve Bank builds on the Board’s criteria for communicating
supervisory concerns and developed policies and procedures that require
examiners to identify condition, criteria, cause, and effect to support
supervisory findings in review sessions with Reserve Bank management.
As discussed previously, authoritative internal control sources require
cause analysis. As an example applicable to banking regulators, OCC
requires its staff to identify and communicate the cause of the deficiency
that led to the supervisory concern, or, if the root cause is not apparent, to
instruct institution management to identify root cause as part of its
corrective action. OCC staff noted that identifying root cause in
examinations does not require additional resources. Also, if the root
cause is not apparent, examiners instruct the institution to identify root
cause as part of the corrective action, per OCC’s MRA policy.




                         Furthermore, a September 2018 interagency statement clarifying the role
                         of supervisory guidance instructed examiners to not criticize institutions
                         for a “violation” of supervisory guidance. 27 Identification and
                         communication of the potential effect of a deficiency could enable the
                         Federal Reserve to move away from its practice of closely linking
                         supervisory concerns to failure to comply with guidance and better
                         explain why an institution’s condition is not consistent with law or
                         regulations.

                         FDIC and the Federal Reserve are missing an opportunity to
                         communicate complete information, in writing, to the boards of institutions
                         regarding the cause of the identified deficiency that led to the supervisory
                         concern, which would facilitate a better understanding of why the
                         institution’s condition deviates from safety and soundness standards.
                         Additionally, without communicating the potential effect of a deficiency,
                         the Federal Reserve is missing an opportunity to convey to boards of
                         directors how the concern could undermine the institution’s safety and
                         soundness.


Examiners Generally Conducted Follow-Up of Prior Supervisory Concerns

In the examination documents of nine institutions we reviewed, federal
banking regulators generally followed up on supervisory concerns to
determine an institution’s progress in correcting previously identified
weaknesses. The regulators require that examiners follow up on
corrective actions taken by depository institutions in response to
supervisory concerns. 28 Examiners used various methods to follow up on
supervisory concerns, such as by conducting limited-scope targeted
reviews of one or more issues or incorporating follow-up as part of their
regularly scheduled examination of a functional area. In addition, we
observed that at four institutions examiners performed follow-up as part of
their ongoing supervisory activities.

27
  Board of Governors of the Federal Reserve System, Interagency Statement Clarifying
the Role of Supervisory Guidance, SR 18-5/CA18-7 (Washington, D.C.: Sep. 12, 2018);
Federal Deposit Insurance Corporation, Interagency Statement Clarifying the Role of
Supervisory Guidance, FIL-49-2018 (Washington, D.C.: Sep. 17, 2018); Office of the
Comptroller of the Currency, Agencies Issue Statement Reaffirming the Role of
Supervisory Guidance, NR 2018-97 (Washington, D.C.: Sept. 11, 2018). According to the
statement, examiners are instructed not to criticize institutions for a “violation” of
supervisory guidance. Any citations are to be for violations of law, regulation, or other
enforceable conditions only. According to officials and staff of the regulators, this
clarification should not affect the extent to which they issue supervisory concerns. They
stated the clarification is intended to ensure that written communications about
supervisory concerns do not require compliance with specific guidance provisions. Rather,
the regulators stated, communications should use precise language to convey why
deficient practices affect safety and soundness (supervisory guidance can be used as an
example of good practice).

While there are time frame targets for completion of corrective action,
concerns can remain open until examiners are satisfied with the
effectiveness of the remedial actions taken to address the supervisory
concern. For instance, at three institutions we found that examiners
closed concerns in targeted follow-up examinations once they validated
the completion of remedial action by reviewing documents and activities
that verified the implemented action was effective. We also observed
instances for at least three institutions in which examiners refrained from
closing supervisory concerns because they determined that the
institutions’ management had not yet adequately addressed the concerns
and further attention was warranted to ensure the corrective action was
sustainable.

In performing regularly scheduled target examinations of specific
functions or risk areas examined during a previous examination cycle,
examiners assessed management’s progress in addressing prior
supervisory concerns at eight of the nine institutions we selected for
examination documentation review. They examined documents, and
reviewed processes and other related actions taken by management to
address weaknesses in the institution’s management of risk.

Lastly, at four institutions, examiners reviewed management’s progress
and reported updated information on the institutions’ actions to address
supervisory concerns that were escalated to enforcement actions. For
example, at one institution OCC examiners documented substantive
discussion on the work they performed in conducting follow-up on a
consent order, which included reviewing revised documents and reports
as well as validation efforts by a third-party consultant.


28 Federal Deposit Insurance Corporation, 2018 Annual Performance Plan. In
this plan FDIC has a stated goal for MRBA follow-up: for at least 90 percent
of institutions assigned a composite CAMELS rating of 2 and for which the
examination report identifies MRBAs, it will review progress reports and
follow up with the institution within 6 months of the issuance of the
examination report to ensure that all MRBAs are being addressed.




Review of Supervisory Concern Data Revealed Data Limitations and Incomplete
Procedures for Escalation of Concerns

Federal banking regulators collect and analyze supervisory concern data
but do so to different degrees, and FDIC collects supervisory concern
data in a manner that challenges management’s ability to fully monitor its
supervision activities. We reviewed supervisory concern data for all
institutions supervised by FDIC, OCC, and the Federal Reserve. The data
we reviewed indicate that management weaknesses have been a
consistent concern since 2012. In general, the amount of time supervisory
concerns remain open has been reduced. The Federal Reserve
and OCC track escalation of supervisory concerns to enforcement
actions, but the Federal Reserve lacks specific, measurable guidelines for
examiners to consider when supervisory concerns are not addressed in a
timely manner.


Regulators Use Supervisory Concern Data to Different Degrees but FDIC Data
Are Limited

Federal banking regulators analyze supervisory concern data to inform
examination strategy and forward-looking supervision to varying degrees.

•    FDIC staff uses the data to track the duration of open MRBAs. FDIC’s
     Risk Management Supervision Division has staff responsible for
     categorizing and analyzing MRBA summary comments quarterly and
     providing an analysis memorandum to the division’s management to
     assist with forward-looking risk identification. FDIC staff stated that
     these analyses supplement other data used to conduct supervisory
     follow-up.
•    Federal Reserve Board staff told us that they use the data to track
     MRA and MRIA information over time within portfolios of depository
     institutions of different sizes. Staff noted that the data are used to
     inform supervisory strategy development for upcoming examination
     cycles. According to staff with whom we spoke, the data are useful for
     conducting horizontal reviews across a single portfolio and
     determining issues that crop up across institutions in that portfolio. 29
     Staff said that the data can be used to identify common issues as they
     relate to Board guidance. Staff said that the data also are used to
     determine whether MRAs and MRIAs are closed in a timely manner,
     both across portfolios and at a granular level—tracking the progress
     of individual firms. The data are aggregated across all supervision
     portfolios.

29 As described by the Federal Reserve, horizontal reviews involve examining
several institutions simultaneously and encompass firm-specific supervision
and the development of cross-firm perspectives.




•    OCC staff told us that they use MRA data to track the number of MRA
     concerns issued, amount of time open, the types of supervisory
     concerns for which an MRA was issued, and other information useful
     to OCC supervisory offices and the National Risk Committee. 30 OCC
     conducts analysis of supervisory concern data in aggregate. Quarterly
     reports aggregate trends (including number of concerns, whether
     concerns are increasing or decreasing, and the number of banks with
     these concerns). For example, OCC analyzes the data by lines of
     business, examination areas, categories, and primary risk, which
     helps track existing risks and growing risks and whether MRA
     concerns have been escalated to enforcement actions. OCC staff said
     that data regarding aging of MRAs, which can raise visibility of
     longstanding concerns, are of particular interest to the National Risk
     Committee, which we observed in internal reports summarizing
     supervisory concern data.
The regulators have internal tracking systems and policies and
procedures to record and track examination data but FDIC does not
collect certain data in a manner that provides management with
comprehensive information to fully monitor the effectiveness of
supervision activities.

•    The Federal Reserve System has two systems for recording and
     tracking supervised institution data: the “C-SCAPE” platform for
     institutions with assets greater than $50 billion and all foreign banks,
     and the “INSite” platform for smaller community banks. 31 Each
     Reserve Bank has issued guidance on recording MRAs and MRIAs
     specific to the examiners at those Reserve Banks. The MRA and
     MRIA data are recorded under a broad area of supervisory focus (for
     C-SCAPE) or MRA and MRIA category (for INSite), with
     subcategories for the name and description of the issue for greater
     detail.


30 OCC’s National Risk Committee monitors the condition of the federal banking
system and emerging threats to the system’s safety and soundness. Members of
the committee include senior agency officials who supervise banks of all
sizes, as well as officials from policy and enterprise risk management. The
committee meets quarterly and issues guidance to examiners that provides
perspective on industry trends and highlights issues requiring attention.

31 The threshold for institutions supervised under the Federal Reserve’s Large
Banking Organization program changed to $100 billion after passage of the
Economic Growth, Regulatory Relief, and Consumer Protection Act, which was
enacted after our period of review. Pub.L.No. 115-174, 132 Stat. 1296 (2018).




•   OCC’s supervisory information system is Examiner View, in which
    examiners record, update, and view MRAs. The baseline for the
    required fields is documented in OCC’s policy and procedures
    manuals on MRAs and Examiner View, as well as in a supplemental
    memorandum for large bank supervision. Since March 2017, the data
    have been recorded in a four-level concern framework (examination
    area, category, concern type, and topic), as determined by a cross-
    agency working group under OCC’s National Risk Committee.
•   FDIC supervisory data are collected and retained in various systems.
    Supervisory recommendations are maintained (by institution) in text
    format in a separate system that is not readily searchable. FDIC
    maintains information on MRBAs that are not included in an
    enforcement action in the Supervisory Tracking and Reporting module
    of the ViSION system. Supervisory recommendations and MRBAs
    issued to large institutions supervised by FDIC are also tracked in
    spreadsheets by examination teams. Supervisory recommendations
    contained in an enforcement action are collected and tracked in the
    Formal and Informal Actions Tracking system. In 2017, FDIC updated
    its MRBA policies and procedures to require that examiners enter
    summary information into ViSION about individual MRBA events,
    rather than an overall summary of all MRBA events during an
    examination. But the summary approach means that MRBA data are
    not categorized at different levels (from a broad level such as
    examination area to more specific levels, including risk or concern
    type).

    Federal internal control standards state that management should use
    quality information to achieve objectives. Quality information is
    defined as appropriate, current, complete, accurate, accessible, and
    provided on a timely basis. Federal internal control standards also
    stress the importance of management conducting ongoing monitoring
    of the internal control system, which includes regular management
    and supervisory activities, comparisons, reconciliations, and other
    routine actions.

    As noted above, FDIC policies and procedures do not require
    examiners to record MRBAs under different categories in the MRBA
    reporting and tracking system. Instead, FDIC Risk Management
    Supervision staff is responsible for analyzing summary MRBA data
    entered by examiners and then categorizing the data for FDIC
    management reports. These categories are based on staff expertise
    rather than the experience of examiners in the field who developed
    the MRBAs. A structure that examiners could use to record more
    granular details about MRBAs directly after examinations would help
    ensure that reports prepared for FDIC management are not missing
    important details about FDIC MRBAs. Currently, FDIC management
    lacks complete information to better monitor the effectiveness of
    supervision activities in remediating emerging risks in a timely
    manner.

Data Indicate Continuing Concerns about Management Weaknesses at Depository
Institutions Through 2017

Our analysis of supervisory concern data and federal banking regulators’
internal reporting based on the data indicate that management
weaknesses at depository institutions of all sizes continued to exist
through 2017. The number of supervisory concerns issued for all concern
categories decreased each year during 2012–2016.

Figure 1: Number of Selected Supervisory Concerns, Federal Deposit Insurance
Corporation, Board of Governors of the Federal Reserve System, Office of the
Comptroller of the Currency, 2012-2016

Note: Supervisory concerns included are matters requiring board attention
issued by the Federal Deposit Insurance Corporation, and matters requiring
attention issued by the Board of Governors of the Federal Reserve System and
the Office of the Comptroller of the Currency. Matters requiring board
attention are a more serious category of supervisory concern than matters
requiring attention; thus, the smaller number shown. We did not include data
on supervisory recommendations issued by the Federal Deposit Insurance
Corporation or matters requiring immediate attention issued by the Board of
Governors of the Federal Reserve System.




All the regulators frequently cited management as a primary risk area in
the supervisory concerns issued during the period.

•    For instance, management and board and loan and credit
     administration were the largest of 14 categories of MRBAs issued by
     FDIC in 2012–2016, each constituting about 22 percent of all MRBAs.
•    Corporate governance was the largest of 26 categories of MRAs
     issued by the Federal Reserve in that period, constituting
     approximately 19 percent of all MRAs. The next largest category of
     MRAs issued was credit risk management at 13 percent.
•    Enterprise governance and operations was the third-largest of 16
     examination areas of MRA concerns issued and closed by OCC in
     2012–2016, constituting about 11 percent of all MRA concerns. The
     largest examination area of MRA concerns issued was credit at about
     37 percent, followed by bank information technology at 13 percent. 32

Similarly, internal reports from the regulators for late 2016 through 2017
indicated that supervisory concerns about management’s ability to control
and mitigate risk at depository institutions continued. Our review of the
reports showed that corporate governance issues were among the most
common categories for issued supervisory concerns. In addition, the
Federal Reserve reported in November 2018 that governance and
controls issues constituted about 70 percent of outstanding supervisory
concerns for the Large and Foreign Banking Organizations portfolio. 33


The Amount of Time Supervisory Concerns Remained Open Was Reduced

Our review of supervisory concern data from the Federal Reserve and
OCC from 2012 through 2016 generally showed that the amount of time
concerns remained open was reduced (for example, see figure 2 for data
on the supervisory concerns issued most frequently by the Federal
Reserve and OCC during the period). 34 Federal banking regulators told us
that they have made efforts in recent years to have institutions remediate
the deficiencies that cause supervisory concerns.

32 MRA data for the “credit” examination area include MRA data for the credit,
commercial credit, and retail credit exam areas. OCC staff told us that in
2017, as part of their new concern framework, they divided the credit
examination area into commercial credit and retail credit for enhanced
tracking and analysis. We combined these three examination areas for
consistency.

33 Federal Reserve’s Large and Foreign Banking Organizations portfolio
includes U.S. firms with total assets of $50 billion and all foreign banking
organizations not in the Large Institution Supervision Coordinating Committee
portfolio.

34 As discussed previously, examiners may refrain from closing supervisory
concerns because they determine that an institution’s management did not
adequately address the concerns or because they want to ensure that the
corrective action was sustainable.

Figure 2: Average Number of Days to Closure for the Most Frequently Issued
Matters Requiring Attention, Board of Governors of the Federal Reserve System
and Office of the Comptroller of the Currency, 2012-2016




Note: The credit examination area encompasses data for the credit, commercial credit, and retail
credit categories.


•    FDIC data regarding MRBAs were limited and we were not able to
     determine how long MRBAs remained open by type of concern. 35
•    Federal Reserve data indicated that the average amount of time
     needed to close corporate governance MRAs changed from 568 days
     in 2012 to 155 days in 2016. The time to closure for corporate
     governance MRAs ranged from 3 to 1,605 days for 2012-2016. Time
     to closure for credit risk-management concerns, the second-largest
     MRA category for the Federal Reserve, saw a similar decrease (from
     431 days on average in 2012 to 246 days on average in 2016).
•    For OCC, the average time to closure for enterprise governance and
     operations MRAs decreased from 517 days in 2012 to 245 days in
     2016. The time to closure for enterprise governance and operations
     MRA concerns ranged from 7 to 1,724 days in 2012-2016. Time to
     closure for OCC’s largest MRA examination area (credit concerns)
     decreased from 445 days on average in 2012 to 241 days on average
     in 2016.

35 The open and close dates of MRBAs by category were not exact due to the
methodology FDIC employed for data collection before 2017. Specifically,
under the procedures at the time, an MRBA record was closed only when all the
concerns (MRBA events) identified during an examination were resolved.

Federal Reserve Lacks Specific Guidelines for Escalating Supervisory
Concerns

Federal banking regulators vary in the nature and extent of data they
collect on escalation of supervisory concerns to enforcement actions. As
noted above, under their progressive enforcement regimes, the regulators
may take informal or formal enforcement action against an institution if it
does not respond to a supervisory concern in a timely manner.

•    OCC collects data on escalation of supervisory concerns to
     enforcement actions. These data show that about 2,300 MRA
     concerns, or about 10 percent of all MRA concerns, were escalated to
     enforcement actions from 2012 through 2016. Of this amount, 18
     percent related to enterprise governance and operations concerns,
     the second-largest number of escalated MRA concerns behind credit
     concerns at 41 percent.
•    Federal Reserve data for escalation of MRAs to MRIAs and
     enforcement actions were collected in a manner that made it difficult
     for us to reliably determine the extent to which escalation occurred.
     Therefore, we did not use the Federal Reserve’s escalation data.
•    FDIC does not track escalation of supervisory concerns in a manner
     that allowed us to determine the extent to which escalation occurred.

FDIC and OCC have relatively detailed policies and procedures for
escalation of supervisory concerns to enforcement actions, while the
Federal Reserve has broad guidelines. Although the Federal Reserve
tracks escalation of supervisory concerns, as noted above, Federal
Reserve policies and procedures do not delineate specific factors for
examiners to follow in deciding whether to identify a concern as
warranting possible enforcement action. Instead, the Federal Reserve
provides broad guidelines; for instance, stating only that informal
enforcement actions are tools used when circumstances warrant a less
severe form of action than formal enforcement actions.



Federal Reserve staff told us that in practice the facts and circumstances
of the case dictate when escalation is appropriate. They said that they
take into account the institution’s response to prior safety and soundness
actions against the institution and determine whether the institution’s
conduct meets enforcement action standards. However, the Federal
Reserve has not defined specific and measurable guidelines for when a
supervisory concern would require escalation to a more formal regulatory
action (such as an enforcement action).

In contrast, FDIC and OCC have relatively detailed guidelines for
escalating concerns. For example, FDIC guidelines published in 2016
instruct examiners to consider several factors, including management’s
attitude towards complying with laws and regulations and correcting
undesirable or objectionable practices; management’s history of
instituting timely remedial or corrective actions; and whether management
established procedures to prevent future deficiencies or violations. 36
Similarly, OCC guidelines published in 2017 instruct examiners to
consider several factors, including the board and management’s ability
and willingness to correct deficiencies within an appropriate time frame;
the nature, extent, and severity of previously identified but uncorrected
deficiencies; and the bank’s progress in achieving compliance with any
existing enforcement actions. 37

Federal internal control standards provide that management conducts risk
assessment to develop appropriate risk responses. Key attributes of
effective risk assessment are definitions of objectives and risk tolerances,
and management defines risk tolerances in specific and measurable
terms so they are clearly stated and can be measured. In assessing risks
that might necessitate an enforcement action, the Federal Reserve’s
guidelines do not provide its examiners with guidance as to the
acceptable level of variation in an institution’s performance relative to the
achievement of supervision objectives.

Without formalized, specific, and measurable guidelines for escalation of
supervisory concerns, the Federal Reserve relies on the experience and
judgment of examiners, Reserve Bank management, and Federal
Reserve staff to determine when escalation is appropriate. Reliance on a
single mechanism or tool can be risky. For instance, institutional
knowledge can disappear in times of turnover, such as occurred after the
2007–2009 financial crisis. In addition, reliance on judgment alone can
produce inconsistent escalation practices across Reserve Banks and
supervision teams.

36 Federal Deposit Insurance Corporation, Risk Management Manual of
Examination Policies, Section 13.1-2, updated as of April 2016.

37 Office of the Comptroller of the Currency, Bank Supervision: Bank
Enforcement Actions and Related Matters, PPM 5310-3 (Washington, D.C.: Oct.
31, 2017).


Conclusions

Federal banking regulators have strengthened their approach to oversight
of management at large depository institutions since 2009. This stronger
approach is important as management weaknesses can reflect an
institution’s underlying risk. However, we identified areas where written
communication of supervisory concerns to institutions and monitoring of
supervisory data at FDIC and the Federal Reserve could be
strengthened.

•    The communications of supervisory concerns from FDIC and the
     Federal Reserve did not fully convey why a practice at a depository
     institution was deficient and, for the Federal Reserve, the effect of the
     deficient practice on safety and soundness. Complete information
     about deficiencies is essential to ensuring timely corrective action by
     senior bank management before the deficiencies negatively affect
     safety and soundness at the institution.
•    Furthermore, we identified data gaps in FDIC’s recording of MRBAs
     that resulted in incomplete information for FDIC management on
     supervisory concerns. Complete supervisory concern information
     would allow FDIC management to fully monitor the effectiveness of
     supervision activities (that is, to remediate risks in a timely manner).
•    Finally, the Federal Reserve lacks specific, measurable guidelines for
     escalating supervisory concerns. Although escalation of a supervisory
     concern can depend on the facts and circumstances of the case, a
     lack of formalized, specific, and measurable guidelines for escalation
     of supervisory concerns could result in inconsistent escalation
     practices across Reserve Banks and examination teams.

Recommendations for Executive Action

We are making a total of four recommendations: two to FDIC and two to
the Federal Reserve.

The Director of the Division of Risk Management Supervision of FDIC
should update policies and procedures on communications of supervisory
recommendations to institutions to provide more complete information
about the recommendation, such as the likely cause of the problem or
deficient condition, when practicable. (Recommendation 1)

The Director of the Division of Supervision and Regulation of the Board of
Governors of the Federal Reserve System should update policies and
procedures on communications of supervisory concerns to institutions to
provide more complete information about the concerns, such as the likely
cause (when practicable) and potential effect of the problem or deficient
condition. (Recommendation 2)

The Director of the Division of Risk Management Supervision of FDIC
should take steps to improve the completeness of MRBA data in its
tracking system, in particular, by developing a structure that allows
examiners to record MRBAs at progressively more granular levels (from a
broad level such as examination area to more specific levels, including
risk or concern type). (Recommendation 3)

The Director of the Division of Supervision and Regulation of the Board of
Governors of the Federal Reserve System should update policies and
procedures to incorporate specific factors for escalating supervisory
concerns. (Recommendation 4)


Agency Comments and Our Evaluation

We provided a draft of this report to FDIC, the Federal Reserve, and OCC
for review and comment.

During their review of the draft report, FDIC and the Federal Reserve
provided oral comments about Recommendations 1 and 2 (to update
policies and procedures for communication of supervisory concerns to
provide more complete information, such as the likely cause and, for the
Federal Reserve, potential effect). We modified the respective
recommendations to address technical issues raised by their comments.

FDIC provided written comments that are summarized below and
reprinted in appendix IV. FDIC disagreed with Recommendation 1 and
agreed with Recommendation 3.

More specifically, FDIC stated that its current instructions to examiners
meet the intent of Recommendation 1 (to update policies and procedures
for communicating supervisory recommendations to provide more
complete information). In particular, FDIC cited its policies and
procedures on drafting supervisory recommendations in the report of
examination, which include a section entitled, “Explain the Basis for any
Supervisory Recommendations or Concerns.” FDIC stated this instruction
requires examiners to communicate why there is a concern within the
supervisory recommendation. Furthermore, FDIC issued an internal
memorandum in October 2018 that reminds examiners to take prompt
action to address root causes of deficiencies in complex and changing
situations. FDIC stated that it began training in 2018 on developing strong
enforcement action provisions to address root causes of deficiencies at
problem banks, which continues in 2019.

We describe FDIC’s policies and procedures in our report and agree that
examiners are instructed to communicate why they are concerned about
a deficient condition. However, examiners are not instructed to
communicate what they believe to be the root cause of the deficient
condition. We are encouraged that FDIC agrees it is important to identify
root causes when addressing deficiencies in problem bank corrective
actions. Nevertheless, the emphasis on identifying root cause is not found
in examination policies and procedures. If, as FDIC indicated, examiners
already identify the root causes of deficiencies during bank examinations,
then FDIC can address our recommendation by formalizing that process
in its policies and procedures.

For Recommendation 3 (to improve MRBA data in its supervisory
recommendations tracking system, by developing a structure that allows
recording of MRBAs at more granular levels), FDIC agreed that a
structure should be enhanced to allow staff to further categorize MRBAs
at the point of entry into the system. FDIC further agreed that input of
more granular information about MRBAs directly after examinations
should provide the functionality to track an MRBA from a broad level such
as examination to more specific levels, including concern type.

The Federal Reserve provided written comments summarized below and
reprinted in appendix V. The Federal Reserve did not state whether it
agreed or disagreed with Recommendations 2 and 4 but responded that it
would take our recommendations into consideration.

For Recommendation 2 (to update policies and procedures for
communicating supervisory concerns to provide more complete
information, such as likely cause (when practicable) and potential effect),
the Federal Reserve stated it recognizes that more effectively
communicating supervisory concerns may achieve faster resolution of
identified deficiencies and ultimately promote a more resilient banking
system. The Federal Reserve noted it issued proposed guidance in
August 2017 (which we discuss in the report) that would, in part, clarify
expectations for communications of supervisory concerns, and that it
continues to evaluate commenters’ suggestions. The Federal Reserve
stated that it will consider ways to update its policies and procedures
consistent with our recommendation.

For Recommendation 4 (to update policies and procedures to incorporate
specific factors for escalating supervisory concerns), the Federal Reserve
stated it appreciated our recognition that the decision to escalate a
supervisory concern ordinarily depends on the particular facts and
circumstances of each case. The Federal Reserve stated that it will
consider whether there are specific factors that staff should consider
when escalating supervisory concerns.

The Federal Reserve and OCC also provided technical comments, which
we incorporated as appropriate.


We are sending copies of this report to the appropriate congressional
committees and the Chairman of the Board of Governors of the Federal
Reserve System, the Chairman of the Board of Directors of FDIC, and the
Comptroller of the Currency. This report will also be available at no
charge on our website at http://www.gao.gov.

Should you or your staff have questions concerning this report, please
contact me at (202) 512-8678 or clementsm@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. Key contributors to this report are listed in
appendix VI.




Michael E. Clements
Director, Financial Markets and Community Investment




Appendix I: Objectives, Scope, and Methodology

                      This report examines (1) the extent to which federal banking regulators’—
                      the Federal Deposit Insurance Corporation (FDIC), Board of Governors of the Federal
                      Reserve System (Federal Reserve), and Office of the Comptroller of the
                      Currency (OCC)—revised policies and procedures for supervision of
                      management at large depository institutions were consistent with leading
                      risk-management practices; (2) how examiners applied agency policies
                      and procedures for supervision of management at large depository
                      institutions they oversee; and (3) trends in regulators’ supervisory
                      concern data for all depository institutions since 2012 and how regulators
                      tracked and used such data.


General Methodology

To address all our objectives, we focused on risk-management issues,
such as those related to corporate governance, internal controls, and
internal audit because management weaknesses in these areas could
threaten the safe and sound operation of a depository institution. We
selected this approach because recent GAO reports have addressed
risk-management issues related to financial conditions such as capital and
liquidity requirements, stress testing, and commercial real estate risk. 1
We reviewed relevant federal laws and regulations, including sections of
the Federal Deposit Insurance Act, Federal Reserve Act, National Bank
Act, and interagency regulations on safety and soundness. 2 We reviewed
prior GAO reports, including reports on quantitative risk-management
issues as they relate to financial condition, supervision of compliance with
laws and regulations, and regulatory capture in bank supervision. 3 We
reviewed reports from the Offices of Inspector General for the federal
banking regulators. 4 We also drew on prior and on-going work related to
regulatory capture in bank supervision. 5 In addition, we reviewed the
2013 OCC-commissioned assessment of OCC’s supervision of large and
mid-size institutions. 6

1
 See GAO, Commercial Real Estate Lending: Banks Potentially Face Increased Risk;
Regulators Generally Are Assessing Banks’ Risk Management Practices, GAO-18-245
(Washington, D.C.: Mar. 15, 2018); Mortgage-Related Assets: Capital Requirements Vary
Depending on Type of Asset, GAO-17-93 (Washington, D.C.: Dec. 15, 2016); and Federal
Reserve: Additional Actions Could Help Ensure the Achievement of Stress Test Goals,
GAO-17-48 (Washington, D.C.: Nov. 15, 2016).
2
 See, for example, 12 U.S.C. § 1831p-1; 12 U.S.C. § 1820(d); 12 U.S.C. § 481; 12 C.F.R.
§ 364.101(a); 12 C.F.R. Part 208, Appendix D-1; and 12 C.F.R. Part 30, Appendix A.

We interviewed staff at FDIC, Federal Reserve, and OCC about
examination policies and procedures for large depository institutions,
processes related to supervision of management at such large
institutions, and use of supervisory concerns to address weaknesses they
identified. We interviewed staff in the Office of the Inspector General at
each banking regulator. We also interviewed three industry
representatives with prior experience in bank supervision to obtain their
perspectives on bank examinations and supervisory concerns.

3
 See GAO-18-245; Remittances to Fragile Countries: Treasury Should Assess Risks from
Shifts to Non-Banking Channels, GAO-18-313 (Washington, D.C.: Mar. 8, 2018); Bank
Secrecy Act: Derisking along the Southwest Border Highlights Need for Regulators to
Enhance Retrospective Reviews, GAO-18-263 (Washington, D.C.: Feb. 26, 2018); Large
Bank Supervision: Improved Implementation of Federal Reserve Policies Could Help
Mitigate Threats to Independence, GAO-18-118 (Washington, D.C.: Nov. 6, 2017);
GAO-17-93; GAO-17-48; Bank Regulation: Lessons Learned and a Framework for
Monitoring Emerging Risks and Regulatory Response, GAO-15-365 (Washington D.C.:
June 25, 2015); Bank Regulation: Modified Prompt Corrective Action Framework Would
Improve Effectiveness, GAO-11-612 (Washington, D.C.: June 23, 2011); Financial
Regulation: Review of Regulators’ Oversight of Risk Management Systems at a Limited
Number of Large, Complex Financial Institutions, GAO-09-499T (Washington, D.C.: Mar.
18, 2009); Deposit Insurance: Assessment of Regulators’ Use of Prompt Corrective Action
Provisions and FDIC’s New Deposit Insurance System, GAO-07-242 (Washington, D.C.:
Feb. 15, 2007); and Risk-Focused Bank Examinations: Regulators of Large Banking
Organizations Face Challenges, GAO/GGD-00-48 (Washington, D.C.: Jan. 24, 2000).
4
 See Board of Governors of the Federal Reserve System and Consumer Financial
Protection Bureau, Offices of Inspector General, The Board Can Improve the
Effectiveness of Continuous Monitoring as a Supervisory Tool, 2017-SR-B-005
(Washington, D.C.: Mar. 29, 2017); Department of the Treasury, Office of Inspector
General, Safety and Soundness: Analysis of Bank Failures Reviewed by the Department
of the Treasury Office of Inspector General, OIG-16-052 (Washington, D.C.: Aug. 15,
2016); and Federal Deposit Insurance Corporation, Office of Inspector General, Follow-up
Audit of FDIC Supervision Program Enhancements, MLR-11-010 (Washington, D.C.: Dec.
23, 2010).
5
 See GAO, Large Bank Supervision: OCC Could Better Address Risk of Regulatory
Capture, GAO-19-69 (Washington, D.C.: Jan. 24, 2019); and GAO-18-118. We expect to
issue another report on regulatory capture and supervisory independence in FDIC bank
supervision later in 2019.
6
 OCC asked a small group of senior officials from foreign regulatory authorities to conduct
the independent review. See Keith Chapman, Brigitte Phaneuf, et al., An International
Review of OCC’s Supervision of Large and Midsize Institutions: Recommendations to
Improve Supervisory Effectiveness (Washington, D.C.: Dec. 4, 2013).


Reviewing the Extent to Which Regulators’ Revised Policies and Procedures Were Consistent with Leading Practices

For this objective, we took steps to identify relevant changes to
examination approaches and processes (focusing on oversight of
qualitative risk-management activities and communication of supervisory
concerns). First we obtained confirmation from the regulators of the list of
policies and procedures and other guidance documents we identified for
review and solicited suggestions for additional documents to review. We
then reviewed and analyzed guidance the agencies issued to examiners
and depository institutions, relevant to (1) assessment of board and
senior management’s management of risks, (2) metrics used to measure
risk, and (3) assessment of depository institutions’ internal controls and
audit procedures.

                          Specifically, we reviewed and described regulators’ policy and procedural
                          manuals, supervisory statements, and other supervisory guidance issued
                          since 2009 to identify changes to the agency’s approach and process
                          subsequent to the financial crisis. We focused primarily on changes to
                          address oversight of risk management. 7

                          We then reviewed documents from several standard-setting organizations
                          to identify criteria for assessing risks and risk management. More
                          specifically, we reviewed

                          •   federal internal control standards;
                          •   Internal Control - Integrated Framework of the Committee of
                              Sponsoring Organizations of the Treadway Commission (COSO);
                          •   safety and soundness standards developed by the federal banking
                              regulators;
                          •   Core Principles for Effective Banking Supervision of the Basel
                              Committee on Banking Supervision;
                          •   Federal Reserve’s enhanced prudential standards regulation, which
                              applies to bank holding companies with assets greater than $10 billion
                              and thus applies to the bank holding companies that own the
                              depository institutions within the scope of our review; and
                          •   GAO reports developing risk-management frameworks for
                              government entities. 8

Based on these documents, we selected a list of criteria to use in
assessing the regulators’ risk-management guidance for examining large
depository institutions (see table 3). We made connections between the
principles listed in each of the documents to highlight the key elements of
risk assessment, risk measurement, corporate governance, internal
controls, and internal audit requirements. Additionally, we factored in
regulators’ consideration of compliance with laws and regulations in their
evaluation of the management component of CAMELS (capital adequacy,
asset quality, management, earnings, liquidity, and sensitivity to market
risk).

7
 Certain guidance issued before the financial crisis and not updated since is still relevant
to the examination process. We included this and similar guidance in our review.

Specifically for the first three criteria, we considered principles from GAO
Standards for Internal Control, COSO’s Integrated Framework, the federal
banking regulators’ safety and soundness standards, and the Federal
Reserve’s risk management regulation. Additionally, for the second
criterion we considered the Basel Committee on Banking Supervision
Core Principles for Effective Banking Supervision. For the fourth criterion
we considered the regulators’ safety and soundness standards.

We also identified sub-criteria to help determine the extent to which the
regulators’ guidance to address past supervisory weaknesses aligned
with the criteria. Our baseline for the sub-criteria related to the first
criterion was that the guidance communicates the need for clear lines of
authority and responsibility for monitoring internal controls. The baseline
for the sub-criteria related to the second criterion was that the guidance
require independence of the risk management function. For the sub-criteria
related to the third criterion, the baseline was that the guidance
provide for identification of and timely action to address existing and
emerging risks. Finally, for the sub-criteria related to the fourth criterion
we looked for guidance to require compliance with laws and regulations,
which regulators considered in the evaluation of management
performance.

8
 See GAO, Standards for Internal Control in the Federal Government, GAO-14-704G
(Washington, D.C.: Sept. 10, 2014). For examples of reports in which we developed
risk-management frameworks for government entities, see GAO, Enterprise Risk
Management: Selected Agencies’ Experiences Illustrate Good Practices in Managing
Risk, GAO-17-63 (Washington, D.C.: Dec. 1, 2016); and Risk Management: Further
Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and
Other Critical Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005). COSO’s
Internal Control - Integrated Framework was updated in 2013 and is intended to help
business organizations design and implement internal controls. COSO develops
comprehensive frameworks and guidance on enterprise risk management. The Core
Principles for Effective Banking Supervision of the Basel Committee on Banking
Supervision are intended to help nations assess their supervisory systems and identify
areas for improvement. The most recent version was issued in September 2012. The
Basel Committee is an international body, the members of which are central banks and
supervisory authorities from 27 jurisdictions.

                                  Using a data collection instrument containing the selected criteria, we
                                  assessed the guidance documents against the criteria. To demonstrate if
                                  the contents of the updated guidance aligned with elements of the criteria
                                  we selected, we either noted the original language from the guidance
                                  document or included explanatory language. For each criterion, the
                                  supporting information in the guidance documents may have been found
                                  in multiple locations, which we noted in the supporting language. We then
                                  determined if the guidance document included elements of each criterion
                                  and explained the rationale for our determination. The outcomes from our
                                  assessment are as follows:

                                  •   “Yes” indicated that the guidance document met all or mostly all
                                      aspects of the criteria
                                  •   “Partially” indicated that the guidance document met some but not all
                                      or mostly all aspects of the criteria
                                  •   “No” indicated that the guidance document did not meet any aspects
                                      of the criteria
                                  •   “Not applicable” indicated that the guidance document was to some
                                      extent outside the scope of the criteria

Reviewing How Examiners Applied Policies and Procedures for Examinations of Risk Management at Large Depository Institutions

Selection of Institution Sample

For this objective, we undertook a multistep process to select institutions
from which to obtain examination documents for review. First, we
obtained the lists of institutions subject to examination by the regulators’
large bank examination programs in recent years. For FDIC, these were
institutions with total assets of $10 billion or more; for the Federal
Reserve and OCC, generally, these were institutions with assets greater
than $50 billion.

More specifically, we obtained a listing of

•    all FDIC-supervised institutions in its Large Insured Depository
     Institution program that were subject to examination from June 2013
     through March 2017, 9
•    all Federal Reserve member banks in its Large Banking Organization
     portfolio as of December 2016, and
•    all OCC-supervised institutions in its Large Bank Supervision portfolio
     from 2012 to 2016. 10
Next, we selected a non-generalizable sample of three depository
institutions from each of the regulators (nine in total) for which to request
2014-2016 examination documents for review. To assemble the sample,
we determined the asset size of each institution supervised by the
regulators’ large bank examination program as of December 2016, and
selected institutions with a range of asset amounts. If these institutions
were from the same geographic area (supervised by the same regional
office or Reserve Bank), we selected other institutions with comparable
asset amounts in order to have geographic dispersion in our sample. The
purpose of this selection approach was to assess whether material
differences existed in examinations conducted by the different regional
offices in our sample.

Also, if the selected institutions were headquartered in a foreign country,
we selected other institutions with comparable asset amounts. The
purpose of this selection approach was to omit institutions with only a
branch office in the United States, which would allow the regulator to only
examine a portion of the institution’s operations.

In addition, if the selected institutions were not primarily engaged in
traditional banking activities, we selected other institutions with
comparable asset amounts. To make this determination, we conducted a
separate analysis to determine if (1) the institutions engaged in traditional
banking activities (accepting deposits and making consumer loans), (2)
traditional banking activities made up a majority of the bank’s activities as
recorded on the balance sheet, and (3) the bank’s loan activities were
primarily domestic. The purpose of this selection approach was to omit
companies that primarily conduct “non-traditional” banking activities such
as investment banking and credit cards but have a regulated depository
institution to support those activities.

9
 The Large Insured Depository Institution program falls within FDIC’s Large Bank
Supervision program.
10
  Our review excluded institutions in the Federal Reserve’s Large Institution Supervision
Coordinating Committee supervisory program, which includes the largest and most
systemically important financial institutions subject to Federal Reserve oversight. In 2016,
we conducted a review of stress testing that included those institutions (see GAO-17-48).

                               We conducted a separate analysis of OCC-supervised institutions in its
                               Large Bank Supervision portfolio because a number of entities were
                               nationally chartered banks under a foreign holding company or were not
                               primarily depository institutions. In our analysis, we first determined if (1)
                               an institution engaged in traditional banking activities, (2) traditional
                               banking activities made up a majority of its activities as recorded on the
                               balance sheet, and (3) the institution’s loan activities were primarily
                               domestic. We included three federal savings banks in our universe of
                               OCC-supervised institutions because we determined they were subject to
                               many of the same supervision policies and procedures as national banks.

                               We then determined that the geographic location of the examiners-in-
                               charge for the institutions in the Large Bank Supervision portfolio
                               determined the regional office to which the examiner-in-charge reported. 11
                               To obtain geographic dispersion, we based our selection on the location
                               of the examiners-in-charge to ensure that each examiner was associated
                               with a different regional office. 12 Using these criteria and considerations,
                               we selected small, moderate, and large OCC-supervised institutions.

Document Selection and Development of Questions for Regulators

To determine how regulators applied agency policies and procedures for
supervision of management during examinations of large depository
institutions, we requested selected examination documents from the
regulators for the nine institutions we selected.

•   For FDIC, initially we requested 2016 examination documents for the
    three selected large institutions subject to the Large Insured
    Depository Institution program.
•   For the Federal Reserve, we initially requested 2016 examination
    documents for the three selected large institutions subject to the
    Large Banking Organization program.
•   For OCC, we initially requested 2016 examination documents for the
    three selected large national banks subject to the Large Bank
    Supervision program.

We reviewed these examination documents to learn how examiners
reviewed qualitative risk-management issues, such as those relating to
the management component of CAMELS. Based on our initial review, we
submitted another document request to the regulators.

11
  At OCC, the examiner-in-charge is the designation for the commissioned examiner
assigned supervisory responsibility for large and mid-size banks.
12
  These locations were not necessarily consistent with the location of the institution’s
charters (the institutions generally had more than one charter) or the location from which
enforcement actions were issued.

FDIC. Through our initial review of FDIC documents, we identified the risk
categories for which FDIC examined corporate-wide risk-management
functions. We then requested relevant examination documents for each of
the three FDIC-supervised institutions, such as

•   scope, summary, and conclusion memorandums and supervisory
    letters related to corporate-wide risk-management functions and the
    Bank Secrecy Act;
•   examination documentation for supervisory recommendation
    (remediation) follow-up reviews that were reviewed during the 2014,
    2015, and 2016 supervisory cycles;
•   summary examination documents related to ongoing monitoring work;
•   explanation of planned target review areas that appeared to cover
    review of corporate-wide risk-management functions for the same
    supervisory cycles that had not been completed; and
•   supervisory plans and reports of examination for 2014 and 2015
    examination cycles. 13
In total, we reviewed 94 FDIC examination documents.


13
  We planned to assess examination documents relating to the same risk or functional
areas over the 3-year examination cycle. However, in certain instances FDIC did not
perform a review of the same risk area each year. For example, FDIC staff explained in
2014 and 2015 FDIC did not conduct a corporate governance review of one institution
while it was changing its risk-management program. Instead, FDIC monitored the
institution’s progress in its risk-management reorganization. In this instance, we requested
examination documents for another risk area examined in 2014 and 2015. At another
institution, FDIC provided only a few examination documents for the 2014 examination
cycle because of the agency’s 1-year workpaper retention requirements.








We took as criteria the examination procedures from the examination
documentation modules referenced in FDIC’s Basic Examination
Concepts and Guidelines and the Management portion of the agency’s
examination policy manual. We also incorporated elements of other FDIC
policies and procedures, such as those relating to internal routine and
controls, dominant officials, and incentive compensation. 14 Our criteria
also included FDIC memorandums to assess communication and follow-
up on supervisory recommendations, including matters requiring board
attention (MRBA). Finally, we used information on enforcement policies
and procedures in the agency’s Report of Examination Instructions
manual.

Federal Reserve. Based on our initial review, we requested conclusion
memorandums and supervisory letters (letters of findings) pertaining to
several targeted and enhanced continuous monitoring examinations the
Federal Reserve conducted during the 2014, 2015, and 2016 supervisory
cycles at the three institutions we selected. 15 In total, we reviewed 83
Federal Reserve examination documents.

To assess how examiners applied agency policies and procedures, we
used examination procedures contained in the Commercial Bank
Examination Manual for most of our criteria. In particular, the Commercial
Bank Examination Manual includes a section on “Assessment of the
Bank” with detailed examination procedures for review of boards of
directors, management, internal controls, and audit. In addition, we used
guidance from supervision and regulation letters to the extent the
information was not incorporated in the manuals.

OCC. Based on our initial review, we requested examination documents
for targeted and ongoing examination work related to enterprise risk
management, operational risk, and other safety and soundness
(management) for the 2014, 2015, and 2016 examinations cycles.
Specifically, we requested ongoing supervision memorandums,
conclusion memorandums, supervisory letters, and risk assessments. We
also requested the supervisory strategy and report of examination for the
2014 and 2015 examination cycles. In total, we reviewed 268 OCC
examination documents.

14
  We determined to review the interagency policy on incentive compensation in the
context of FDIC examination policies and procedures out of expediency, rather than
reviewing the same policy three separate times.
15
  The three depository institutions we selected were examined primarily on a 15-month
cycle. As a result, for each institution we reviewed documents from two cycles of
examination that covered 2014–2016.

                          As criteria, we applied examination procedures from the Large Bank
                          Supervision booklet for certain risk elements related to bank governance
                          and management. We also applied examination procedures for internal
                          control and audit as criteria. In addition, we included agency guidance on
                          follow-up for matters requiring attention (MRA) and enforcement action.

                          We then developed questions to assess the examination documents
                          based on the criteria we selected. See appendix III for our list of
                          questions.

Assessing How Examiners Applied Policies and Procedures

Using a data collection instrument populated with the selected questions,
we assessed each of the regulators’ examination documents. 16 To
demonstrate how examiners applied each criterion, we either took
language from the examination document or included explanatory
language of what the examiner did during the examination to assess risk
management. We also tracked the examiner’s findings on each individual
risk area we reviewed to the annual report of examination to ensure that
the risk was considered in the context of the entire institution.

                          The results of our review of depository institution examination reports and
                          examination documents are not generalizable to all of the regulators’
                          examination reports and documents. Each individual review serves as an
                          independent assessment of the examiners’ application of relevant agency
                          guidance.


Examining How Regulators Tracked and Used Supervisory Concern Data

To evaluate the extent to which the federal banking regulators ensured
that large depository institutions addressed risk management-related
supervisory concerns, such as MRA, and addressed supervisory
concerns since 2012, we (1) analyzed the regulators’ policies and
procedures for escalating supervisory concerns to enforcement actions,
and (2) analyzed aggregate supervisory concern data from 2012 to 2016
for all institutions supervised by FDIC, the Federal Reserve, and OCC. 17
We did not collect data on all the different types of supervisory concerns
issued. In particular, we did not collect data on supervisory
recommendations by FDIC and matters requiring immediate attention
(MRIA) by the Federal Reserve. Therefore, our analysis of the data does
not provide a complete representation of the status of supervisory
concerns issued by the regulators.

16
  For FDIC, after testing the 2014 and 2015 examination documents for one institution, we
decided to modify the criteria because most of the sub-criteria were too specific for the
types of examinations we would be assessing. Such modification was not needed for the
Federal Reserve or OCC.

To examine trends, we requested that each regulator provide the data by
risk category so that we could analyze whether certain risk areas
generated more timely resolution of risk management-related supervisory
concerns and whether supervisory concerns were elevated to
enforcement actions.

FDIC. Because of the current structure of FDIC’s data collection and
storage systems, FDIC could not provide data on MRBA in a format that
would have been easily analyzable for our purposes. Specifically, FDIC
examiners enter summary information about MRBAs into the system with
no categorization by examination or risk area.

FDIC provided us two data sets—raw data downloaded from its ViSION
system; and a data set sorted by topics, which was prepared by the FDIC
Emerging Risks section and used for publication in FDIC’s Supervisory
Insights newsletter. For large institutions, FDIC informed us that the data
were not complete because MRBAs reflected in ViSION were those that
remained open at the end of the year when the annual report of
examination was issued and that MRBAs opened and closed during the
examination cycle were not recorded in the system. Due to the limitations
with the data and the inability to combine the data sets, some analyses
were completed with the raw data set and others with the data set divided
by topics. As a result, the analysis provides a general understanding of
trends in FDIC supervisory concerns, rather than a rigorous trend
analysis.




17 Supervisory concerns included are matters requiring board attention issued by the
Federal Deposit Insurance Corporation, and matters requiring attention issued by the
Board of Governors of the Federal Reserve System and the Office of the Comptroller of
the Currency. We did not include data on supervisory recommendations issued by the
Federal Deposit Insurance Corporation or matters requiring immediate attention issued by
the Board of Governors of the Federal Reserve System.








Federal Reserve. We obtained data on MRAs issued to all Federal
Reserve-supervised institutions from 2012 through 2016. The Federal
Reserve has two systems for recording and tracking supervised institution
data: the “C-SCAPE” platform for institutions with assets greater than $50
billion and all foreign banks, and the “INSite” platform for smaller
community banks. Some of the MRA data were not categorized by
supervisory concern and were assigned a “null” value. According to
Federal Reserve staff, in 2012 the Federal Reserve migrated from a
legacy tracking system to the current C-SCAPE platform.

The MRA data contain both broad MRA categories and sub-categories for
greater detail. For ease of explanation and analysis, the data under the
sub-categories were consolidated under their larger categories. The
number of MRAs uncategorized by supervisory concern did not present a
significant obstacle to our analysis. The data on escalation of MRAs to
MRIAs and enforcement actions were collected in a manner that made it
difficult for us to determine the extent of escalation. Specifically, the
glossary that was provided with the data stated that issues closed through
the “transformation process” are marked “closed,” and are distinguished
from other closed issues by indicating how they were closed (for example,
transformed to MRA, transformed to MRIA, or transformed to provision).
We determined that any results we produced regarding escalation would
be unreliable given the lack of clarity around data collection methods.

OCC. We obtained MRA data from OCC that included records opened
from January 2012 through December 2016. OCC’s supervisory
information system is Examiner View, in which examiners record, update,
and view MRAs (among other things). For our purposes, OCC staff stated
that we could use the data to count the number of concerns; however,
analyzing the concerns by categories could have been problematic
because of changes to the classification method that occurred in October
2014 and March 2017. As a result of the 2017 changes, OCC supervisory
concern data are recorded in a four-level framework (examination area,
category of concern, type, and topic) that allows for tracking of
supervisory concerns at the MRA level and at the “concern” level. Before
2017, the information was classified differently. The newer data allow for
enhanced trend analysis and risk identification.

We were able to analyze OCC data to show the MRAs issued in 2012–
2016 by exam area. We also could show trends in risk management-
specific exam areas, as well as the average time it took to close risk-
management specific concerns. Furthermore, we obtained and analyzed
data on MRAs that were escalated to enforcement actions.






For all the regulators, we assessed the reliability of the data. First, we
interviewed staff at each of the regulators who were knowledgeable about
the data. We asked for the source of the data, how frequently it was
updated, and about the controls in place to ensure the data were accurate
and complete. Additionally, in assessing the reliability of the data, we
reviewed internal reports and other documents prepared by the
regulators. Specifically, for FDIC we reviewed management reports for
each quarter of fiscal year 2017. For the Federal Reserve, we analyzed
draft 2017 annual assessment letters, feedback from the Operating
Committee of the Large Institution Supervision Coordinating Committee to
dedicated supervisory teams, and other organizing documents. For OCC,
we analyzed management reports to different oversight committees for
calendar year 2017.

While the data did not allow all of the analysis we had planned to
complete, overall, we determined that the FDIC, Federal Reserve, and
OCC data were reliable for purposes of showing general trends in the
number of supervisory concerns, the time frames for closing supervisory
concerns, and—additionally for OCC—the number of supervisory
concerns escalated to enforcement actions.

We conducted this performance audit from March 2017 to April 2019 in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.




Appendix II: Federal Banking Regulators’ Risk-Management Examination Policy and Procedure Documents We Reviewed

                            This appendix lists the federal banking regulators’ policy and procedure
                            documents included in our review.


Federal Deposit Insurance Corporation

                            Division of Risk Management Supervision Manual of Examination
                            Policies – Basic Examination Concepts and Guidelines section
                            (section 1.1), including relevant Financial Institution Letters and internal
                            memorandums.

                            Provides overview of the Federal Deposit Insurance Corporation (FDIC)
                            bank examination process, including rationale for examinations; the
                            Uniform Financial Institutions Rating System, also known as CAMELS
                            (capital adequacy, asset quality, management, earnings, liquidity, and
                            sensitivity to market risk); examination types; scheduling guidelines; and
                            communication with management.

                            Division of Supervision and Consumer Protection Risk Management
                            Manual of Examination Policies – Management section (section 4.1),
                            including relevant internal memorandums.

                            Focuses on the management component of CAMELS ratings, with the
                            main emphasis on the powers, responsibilities, and duties vested in bank
                            directors. It also includes policies and procedures for identifying and
                            assessing the influence of dominant bank officials.

                            Division of Risk Management Supervision Manual of Examination
                            Policies – Internal and Routine Controls section (section 4.2),
                            including relevant internal memorandums.

                            Discusses internal controls, internal control programs, management’s
                            responsibilities, internal control and fraud review examination instructions,
                            and includes a reference tool for examiners.

                            Division of Risk Management Supervision Manual of Examination
                            Policies – Informal Actions section (section 13.1)

                            Identifies procedures for memorandums of understanding to address
                            weak operating practices, deteriorating financial conditions, apparent
                            violations of laws or regulations, or weak risk-management practices.

                            Division of Risk Management Supervision Manual of Examination
                            Policies – Formal Administrative Actions section (section 15.1)







Identifies the statute and regulations that authorize the use of formal
enforcement actions when necessary to reduce risks and address
deficiencies, particularly when an insured state nonmember bank is rated
4 or 5 and evidence of unsafe or unsound practices is present.

Division of Risk Management Supervision Manual of Examination
Policies – Report of Examination Instructions section (section 16.1),
including relevant Financial Institution Letters.

Includes procedures for examiners to communicate supervisory
recommendations (including matters requiring board attention and
deviations from safety and soundness principles underlying policy
statements) and identifies schedules for inclusion in reports of
examination.

Large Bank Supervision Procedures (internal manual), including
relevant internal memorandum

Describes procedures and processes (in three broad categories:
planning, examination activities, and communication) for conducting
continuous examination programs at state nonmember banks with total
assets exceeding $10 billion.

Supervisory Recommendations, Including Matters Requiring Board
Attention (internal memorandum)

Describes policies and procedures for scheduling supervisory
recommendations (including matters requiring board attention) in reports
of examination and for tracking bank management’s actions in response
to these items after examinations.

Pocket Guide for Directors and Statement Concerning the
Responsibilities of Bank Directors and Officers

The pocket guide describes FDIC’s expectations for boards of directors of
institutions to carry out their duties. A second document, the statement,
responds to concerns expressed by representatives of the banking
industry and others regarding civil damage litigation risks to directors and
officers of federally insured banks.








Board of Governors of the Federal Reserve System

                            Consolidated Supervision Framework for Large Financial
                            Institutions (SR 12-17)

                            Framework for consolidated supervision of large financial institutions with
                            more than $10 billion in total assets.

                            Bank Holding Company Supervision Manual

                            Provides guidance to examiners as they conduct on-site inspections of
                            bank holding companies and their nonbank subsidiaries.

                            Commercial Bank Examination Manual

                            Provides guidance to examiners as they assess risk-management
                            practices of state member banks, bank holding companies, and savings
                            and loan holding companies (including insurance and commercial savings
                            and loan holding companies) with less than $50 billion in total
                            consolidated assets, and foreign banking organizations.

                            Supervisory Considerations for the Communication of Supervisory
                            Findings (SR 13-13/CA 13-10)

                            Discusses the standard language the Federal Reserve uses to enhance
                            focus on matters requiring attention and highlights supervisory
                            expectations for corrective actions, Reserve Bank follow-up, and other
                            supervisory considerations. Also defines matters requiring attention and
                            matters requiring immediate attention and outlines procedures that safety-
                            and-soundness and consumer compliance examiners will follow in
                            presenting and communicating their supervisory findings.

                            Framework for Risk-Focused Supervision of Large Complex
                            Institutions, including relevant supervision and regulation letter (SR
                            97-24)

                            Describes aspects of the Federal Reserve’s program to enhance the
                            effectiveness of its supervisory processes for state member banks, bank
                            holding companies, and the U.S. operations of foreign banking
                            organizations.

                            Rating the Adequacy of Risk Management Processes and Internal
                            Controls at State Member Banks and Bank Holding Companies (SR
                            95-51)







                               Directs examiners to assign separate rating for risk management to state
                               member banks and bank holding companies with $50 billion or more in
                               total assets, and highlights the importance of risk management as a facet
                               of the supervisory process.


Office of the Comptroller of the Currency

                               Comptroller’s Handbook – Bank Supervision Process

                               Includes explicatory materials on types of banks, supervision
                               responsibilities, regulatory ratings, supervisory process, functional
                               regulation, rating systems, and disclosure.

                               Comptroller’s Handbook – Large Bank Supervision

                               Outlines the supervisory process for large banks: the core assessment,
                               risk assessment system, evaluation of bank internal control, and audits.

                               Comptroller’s Handbook – Corporate and Risk Governance

                               Focuses on management of a variety of risks and the roles and
                               responsibilities of the board of directors and senior management, and
                               provides relevant examination procedures.

                               Comptroller’s Handbook – Internal and External Audits

                               Addresses risks inherent in the audit function (which comprises both
                               internal and external audit functions) and the audit function’s role in
                               managing risks. Also addresses internal and external audit functions’
                               effect on risk-management supervisory expectations and the regulatory
                               requirements for prudent risk management. Includes guidance and
                               examination procedures to assist examiners in completing bank core
                               assessments affected by audit functions.

                               Comptroller’s Handbook – Internal Controls

                               Discusses the characteristics of effective controls to assist examiners and
                               bankers to assess the quality and effectiveness of internal control.
                               Describes OCC’s supervisory process for internal control reviews and the
                               roles and responsibilities of boards of directors and management.

                               Enforcement Action Policy (Policies and Procedures Manual 5310-3),
                               internal memorandum







                       Describes policy for taking appropriate enforcement action in response to
                       violations of law, rules, regulations, final agency orders, and unsafe or
                       unsound practices and conditions.

                       Violations of Laws and Regulations (Bulletin 2017-18)

                       Describes updated policies and procedures on violations of laws and
                       regulations and provides the agency with consistent terminology for
                       communication, format, follow-up, analysis, documentation, and reporting
                       of violations.

                       Enterprise Risk Appetite Statement

                       Articulates the level and type of risk the agency will accept while
                       conducting its mission.

                       Matters Requiring Attention (Policies and Procedures Manual 5400-
                       11), internal memorandum

                       Describes procedures for examiners to identify and aggregate
                       supervisory concerns into matters requiring attention including criteria,
                       communication, and follow-up of concerns. Also describes the
                       relationship between matters requiring attention and interagency ratings,
                       OCC’s risk-assessment system and enforcement actions. Includes
                       examiner tools in the appendixes.

                       Risk Management of New, Expanded, or Modified Bank Products and
                       Services (Bulletin 2004-20, replaced by Bulletin 2017-43)

                       Outlines the expectations for national banks’ management and boards to
                       implement an effective risk-management process to manage risks
                       associated with new, expanded, or modified bank products and services.


Interagency Policies

                       Guidance on Sound Incentive Compensation Policies 75 Fed. Reg.
                       36395 (June 25, 2010)

                       Interagency statement on sound incentive compensation practices to
                       banking organizations supervised by FDIC, the Board of Governors of the
                       Federal Reserve System (Federal Reserve), and the Office of the
                       Comptroller of the Currency (OCC). It is intended to assist banking
                       organizations in designing and implementing incentive compensation
                       arrangements and related policies and procedures that effectively
                       consider potential risks and risk outcomes.




Appendix III: GAO Questions for Evaluating How Federal Bank Examiners Applied Risk-Management Guidance for Large Depository

              This appendix lists the questions we used to determine how federal bank
              examiners applied their policies and procedures to assess management
              oversight of risk at large depository institutions. We found that each
              federal banking regulator has slight variation in its policies and
              procedures for oversight of management at large depository institutions.
              Therefore, we did not apply generally applicable criteria in our
              assessment; instead, we applied the specific policies and procedures
              used by each federal banking regulator.

              Federal Deposit Insurance Corporation:

              1. To what extent did examiners assess board and management
                 oversight?
              2. To what extent did examiners assess the bank’s control environment,
                 including whether management takes appropriate and timely action to
                 address recommendations by auditors and regulatory authorities?
              3. To what extent did examiners assess the bank’s risk assessment?
              4. To what extent did examiners assess the bank’s control activities, to
                 include determining if policies, procedures, and practices were
                 adequate for the size, complexity, and risk profile of the bank and if
                 management took appropriate steps to comply with laws and
                 regulations?
              5. To what extent did examiners assess the bank’s information and
                 communication, to include adequacy of information systems to
                 identify, capture, and report relevant internal and external
                 information?
              6. To what extent did examiners assess the bank’s systems in place to
                 monitor risk arising from all major activities the bank is engaged in
                 with respect to
                  a. operational risk,

                  b. legal risk, and

                  c. reputation risk?

              7. In identifying matters requiring attention, did examiners consistently
                 explain the rationale for the concern (whether the matter deviates
                 from sound governance or internal controls and how it could adversely
                 impact the condition of the institution)?
              8. In communicating matters requiring attention, did examiners







    a. write in clear and concise language,

    b. describe the deficient practices, operations, or financial condition, and

    c. recommend actions the board should take to address the
       deficiency?

9. What steps did examiners take to follow up on matters requiring
   attention and verify completion?
10. To what extent did the examiner comment on how the bank
    accomplished compliance with enforcement actions or the reason why
    the bank is not in compliance with enforcement actions?
Conclusions: To what extent did examiners follow agency risk-
management guidance for this examination? To what extent do the
conclusion memorandums link to the supervisory letter and report of
examination?

Board of Governors of the Federal Reserve System:

1. Within the context of the consolidated financial entity, to what extent
   did examiners assess the bank’s implementation of its corporate
   governance framework?
2. Within the context of the consolidated financial entity, to what extent
   did examiners assess management of the bank’s core business lines?
3. To what extent did the examiners assess the bank’s board and
   management for active oversight of the bank, to include the extent to
   which examiners
    a. assessed the adequacy of the bank directors’ fulfillment of their
       duties and responsibilities; and

    b. assessed bank management’s fulfillment of their duties and
       responsibilities?

4. To what extent did examiners assess the adequacy of the bank’s
   policies, procedures, and limits?
5. To what extent did examiners assess the adequacy of the bank’s risk
   monitoring and management information systems?
6. To what extent did examiners assess the adequacy of the bank’s
   internal controls?








7. To what extent did examiners assess the adequacy of the bank’s
   audit function, to include
    a. internal audit staff,

    b. quality assurance,

    c. internal audit function adequacy and effectiveness,

    d. external audit staff, and

    e. regulatory examinations?

8. How did examiners assess the Management rating for CAMELS?
9. In identifying matters requiring attention, did examiners consistently
   explain the rationale for the concern?
10. In communicating matters requiring attention, did examiners
    a. write in clear and concise language,

    b. prioritize based upon degree of importance, and

    c. focus on any significant matters that require attention?

11. To what extent did examiners follow up on matters requiring attention
    and verify completion?
12. To what extent did the examiner comment on how the bank
    accomplished compliance with enforcement actions or the reason why
    the bank was not in compliance with enforcement actions?
Conclusions: To what extent did examiners follow agency risk-
management guidance for this examination? To what extent do the
conclusion memorandums link to the supervisory letter and report of
examination?

Office of the Comptroller of the Currency:

1. To what extent did the examiners assess the quantity and quality of
   the bank’s
    a. strategic risk,

    b. reputation risk,








    c. operational risk, and

    d. compliance risk?

2. To what extent did the examiners assess the bank’s internal controls,
   including
    a. control environment,

    b. risk assessment,

    c. control activities,

    d. accounting information, communication, and

    e. self-assessment and monitoring?

3. To what extent did the examiners assess the bank’s audit function,
   including
    a. audit committee,

    b. audit management and processes,

    c. audit reporting, and

    d. internal audit staff?

4. How did examiners assess the Management rating for CAMELS?
5. In identifying matters requiring attention, did examiners consistently
   find that the concern
    a. deviates from sound governance, internal control, or risk
       management principles, and has the potential to adversely affect
       the bank’s condition, including its financial performance or risk
       profile, if not addressed;

    b. results in substantive noncompliance with laws and regulations,
       enforcement actions, supervisory guidance, or conditions imposed
       in writing in connection with the approval of any application or
       other request by the bank; or

    c. describes an unsafe or unsound practice. An unsafe or unsound
       practice is generally any action, or lack of action, which is contrary
       to generally accepted standards of prudent operation, the possible
       consequences of which, if continued, would be abnormal risk or
       loss or damage to an institution, its shareholders, or the Deposit
       Insurance Fund?

6. In communicating matters requiring attention, did examiners
    a. describe the concern(s);

    b. identify the root cause(s) of the concern and contributing factors;

    c. describe potential consequence(s) or effects on the bank from
       inaction;

    d. describe supervisory expectations for corrective action(s); and

    e. document management’s commitment(s) to corrective action and
       include the time frame(s) and the person(s) responsible for
       corrective action?

7. In follow-up on matters requiring attention, did examiners consistently
    a. monitor the board and management’s progress implementing
       corrective actions;

    b. verify and validate the effectiveness of the board and
       management’s corrective actions;

    c. perform timely verification after receipt of the documentation or
       communication from the bank that the documentation is ready for
       review;

    d. meet, as necessary, with the bank’s board or management to
       discuss progress assessments and verification results; and

    e. deliver written interim communications to the board summarizing
       the findings of validation activity?

8. To what extent did examiners verify and validate bank actions to
   comply with enforcement actions?

Conclusions: To what extent did examiners follow agency risk-management
guidance for this examination? To what extent do the conclusion
memorandums link to the supervisory letter and report of examination?

Appendix IV: Comments from the Federal Deposit Insurance Corporation

Appendix V: Comments from the Board of Governors of the Federal Reserve System

Appendix VI: GAO Contact and Staff Acknowledgments

GAO Contact

Michael E. Clements, (202) 512-8678 or clementsm@gao.gov

Staff Acknowledgments

In addition to the contact named above, Karen Tremba (Assistant
Director), Philip Curtin (Analyst in Charge), Enyinnaya David Aja, Bethany
Benitez, Rachel DeMarcus, M’Baye Diagne, Risto Laboski, Yola Lewis,
Christine McGinty, Kirsten Noethen, David Payne, Amanda Prichard,
Barbara Roesmann, Jena Sinkfield, and Farrah Stone, made key
contributions to the report.

(101772)