Is the FDIC’s IT Exam Effective?

Community banks may be in for a surprise the next time their information technology and cybersecurity systems are examined by the Federal Deposit Insurance Corp.

The agency is undertaking a number of changes to the exam it uses to assess IT systems and controls at supervised banks, after a report from the agency’s Office of the Inspector General in January found weaknesses that could miss or underestimate risk at examined institutions. Advisors and the OIG have warned that FDIC-examined banks might need better protections beyond what the FDIC’s IT exam requires. 

“Until the FDIC addresses these weaknesses, there is a risk that IT and cyber risks at banks will not be identified or adequately mitigated or addressed. As a result, financial institutions may be more susceptible to [cyberattacks] and threats,” the OIG wrote.

FDIC’s IT exam, called the IT Risk Examination or InTREx, was implemented in 2016 and updated in 2019. The ratings a bank receives on this exam feed into the management component of the CAMELS rating, which stands for capital, asset quality, management, earnings, liquidity and sensitivity to market risk. The CAMELS rating carries a number of implications for banks, including determining their deposit insurance assessment.

The FDIC’s OIG found that the InTREx program is outdated: It doesn’t reflect current or updated federal guidance and frameworks in three of the exam’s four core modules. For example, InTREx was developed using a cybersecurity framework from the National Institute of Standards and Technology (NIST) that came out in 2014. That framework was updated in 2018, but those changes aren’t reflected in the program, according to the OIG. 

“The evolving nature of IT and cyber risks underscores the need for timely updates to examination procedures for the InTREx program. Without an effective process to update the InTREx program, the FDIC cannot ensure that its examiners are applying current IT guidance to assess all significant risks,” the OIG wrote. “The lack of an effective process also increases the potential that banks may be operating in IT environments with unidentified and unmanaged risks.”

The OIG also audited a sample of exam findings and found instances where examiners didn’t complete the InTREx exam procedures and decision factors required to support their findings and subsequent ratings. The office wrote that these shortcomings indicate that examiners may not be making accurate assessments of bank IT risks, or that banks may not be receiving accurate or fully documented exam findings or composite ratings. 

Small banks that use their exam findings to direct IT investments may be surprised if the FDIC updates the exam. They can’t rely on the exam to be the only “trustworthy rudder” that guides their programs, says Joshua Sitta, CIO and founder of cybersecurity firm Sittadel. And an updated InTREx program could lead to examiner findings that could adversely impact a bank’s management score in their CAMELS rating.

“If you feel like your bank is operating within your risk appetite and you’re using the InTREx score to evaluate that, you’re running a bank [with risk] that is much higher than your risk appetite,” he says.

The OIG audit contains 19 recommendations for the FDIC, including updating the program, ensuring examiners follow the procedures as intended and reviewing and applying new threat information regularly. The FDIC concurred with the majority of the OIG’s recommendations and proposed corrective action that should be completed by the end of the year. However, the OIG determined that on five recommendations, the FDIC’s proposed actions didn’t satisfy the recommendations. The FDIC didn’t return requests for comment for this article. 

The OIG’s report led audit and consulting firm Plante Moran to issue guidance this spring that encouraged banks to be proactive in testing for cybersecurity threats and to keep up with the changing IT landscape.

But that can even create challenges during InTREx exams. Colin Taggart, a principal at Plante Moran who provides cybersecurity consulting and authored the spring client notice, has heard of “pain points” from bank clients whose systems are more robust, modern or updated in certain areas beyond the scope of InTREx, but who receive feedback based on the older exam materials.

That tension also came up in banker feedback to the FDIC’s ombudsman, according to the 2022 annual report: “Some bankers reported that examiners did not sufficiently understand the processes, risks, and controls related to their bank’s technology programs. In the bankers’ opinions, this led to unwarranted criticisms and inappropriate supervisory recommendations,” the ombudsman wrote.

Cybersecurity is a perennial focus of risk for banks, with 83% of respondents to Bank Director’s 2023 Risk Survey saying their cybersecurity risk concerns increased somewhat or significantly year-over-year. Almost 90% said their bank had conducted a cybersecurity assessment in the past 12 months; the median budget for cybersecurity in 2023 was $250,000.

This focus on cybersecurity underlines that banks are responsible for making sure they have safe and sound practices. Taggart and Sitta both recommend that FDIC-examined banks work with third parties to assess their IT frameworks and cybersecurity. Taggart recommends banks pay special attention to systems that have undergone changes in the last 5 to 7 years, including digital channels, wireless networks and policies around employees using personal devices for work, among others. 

Banks should also consider incorporating guidance from organizations like the Federal Financial Institutions Examination Council and NIST that has been updated in the years since InTREx was created. Several resources that the OIG, Taggart and Sitta reference include:

Dangling the Carrot: How Banks Can Approach Incentive Compensation

With the dearth of talent at many community banks, particularly in the executive suite, it has become increasingly important to make sure that key employees stay put and do not pack their bags for the competitor down the street. It is one thing to tie up these executives with non-competition and non-solicitation restrictions, but finding the delicate balance between appropriately protecting the bank’s interests and over-reaching, thereby running the risk of unenforceability, can often be tricky. In addition, adopting a carefully drafted incentive compensation plan can have the benefit of not only improving executive loyalty, but also encouraging revenue-enhancing or other desirable behaviors.

Cash or Equity?
Each employee may be motivated by different things, so it is often difficult to gauge what will have the biggest impact from an incentive perspective. There are a few things, however, that should be kept in mind in evaluating this decision:

  • Cash has the advantage of immediate gratification. Equity awards are often subject to vesting requirements and can be difficult to monetize due to the virtually non-existent markets for most community banks’ stock.
  • Because of the vesting requirement of equity, such awards have the advantage of providing a longer-term benefit to the bank, in that executives will be loath to leave while they hold unvested equity awards.
  • It can be difficult for both the bank and the executive to value equity awards, given the lack of an efficient market for the shares.
  • Any time stock is issued by a bank holding company, it must be issued pursuant to a registration statement with the Securities and Exchange Commission, or an appropriate exemption must be available. The most common exemption for equity incentive awards is Rule 701, which requires awards to be issued, among other things, pursuant to written compensatory plans.

Appropriate Triggers
There are endlessly creative ways that community banks and their compensation consultants use to determine incentive compensation awards. So much of this is driven by the types of behaviors that the bank desires to encourage. However, there are a few things to keep in mind as you decide how to design your particular plan:

  • Beware of the Wells Fargo effect. While it is not uncommon to tie awards to achieving certain revenue and sales metrics, it is important to have appropriate controls and/or clawback policies in place to recoup pay and discourage overly aggressive sales practices.
  • Avoid tying incentives to confidential supervisory information. Many banks want to tie incentive compensation to achieving certain examination findings or CAMELS ratings. However, regulators have consistently stated this is inappropriate on a number of levels, not the least of which is that they do not appreciate being one of the deciding factors in whether an executive gets a bonus or not.

Other Do’s and Don’ts

  • Revisit plans that have been in place for a while to ensure that they are Section 409A compliant. Section 409A of the Internal Revenue Code sets forth certain rules regarding the timing of deferrals and distributions with which non-qualified deferred compensation must comply. Non-compliance could have significant negative tax consequences on the employee and, potentially, the bank.
  • The worst time to adopt a new incentive compensation plan, particularly one that contains change-in-control provisions, is right before the board decides to put the bank up for sale. Doing so may be perceived by shareholders as a breach of the board’s fiduciary duties.
  • If any of the bank’s mortgage loan originators are included in the pool of executives entitled to participate in the executive compensation plan, additional attention will need to be given to ensure that any awards granted under the plan do not run afoul of the loan originator compensation restrictions set forth in Regulation Z.

While it is certainly a good idea to make sure your most valuable assets—your executives—are protected, there are a lot of variables to consider in putting together incentive compensation plans, which should be carefully crafted to achieve the bank’s objectives while avoiding unintended consequences.

How the New FDIC Assessment Proposal Will Impact Your Bank

In June, the Federal Deposit Insurance Corp. (FDIC) issued a rulemaking that proposes to revise how it calculates deposit insurance assessments for banks with $10 billion in assets or less. Scheduled to become effective once the FDIC’s reserve ratio for the deposit insurance fund (DIF) reaches a targeted level of 1.15 percent, these proposed rules provide an interesting perspective on the underwriting practices and risk forecasting of the FDIC.

The new rules broadly reflect the lessons of the recent community bank crisis and, in response, attempt to more finely tune deposit insurance assessments to reflect a bank’s risk of future failure. Unlike the current assessment rules, which reflect only the bank’s CAMELS ratings and certain simple financial ratios, the proposed assessment rates reflect the bank’s net income, non-performing loan ratios, OREO (other real estate owned) ratios, core deposit ratios, one-year asset growth, and a loan mix index. The new assessment rates are subject to caps for CAMELS 1- and 2-rated institutions and subject to floors for those institutions that are not in solid regulatory standing.

While the proposed assessment rates reflect a number of measures of an institution’s health, provisions relating to annual asset growth and loan mix may influence a bank’s focus on certain categories of loans and the growth strategies employed by many community banks in the future. We’ll discuss each of these new assessment categories in turn.

One Year Asset Growth
Under the proposed assessment rules, year-over-year asset growth is subject to a multiplier that would have, all other things being equal, the effect of creating a marginal assessment rate on a bank’s growth. In the supporting materials for the FDIC’s rulemaking, the FDIC indicates that it found a direct correlation between rapid asset growth and bank failures over the last several years. But while organic asset growth is subject to the new assessment rate, asset growth resulting from merger activity or failed bank acquisitions is expressly excluded from the proposed assessment rate. This approach is somewhat counterintuitive in that most bankers would view merger activity as entailing more risk than organic growth or growing through the hiring of new teams of bankers. While the new assessment rate might not be significant enough to impact community bank growth strategies on a wide scale, it may offset some of the added expense of a growth strategy based upon merger and acquisition activity.

Loan Mix Index Component
This component of the assessment model requires a bank to calculate each of its loan categories as a percentage of assets and then to multiply each category by a historical charge-off rate provided by the FDIC. The higher the 15-year historical charge-off rate, as weighted according to the number of banks that failed in each year, the higher the assessment under the proposed rules. Unsurprisingly, the proposed rules assign the highest historical charge-off rate (4.50 percent) to construction and development loans, with the next highest category being commercial and industrial loans at 1.60 percent. Interestingly, the types of loans with the lowest historical charge-off rates are farm-related, with agricultural land and agriculture business loans each having a 0.24 percent charge-off rate.

While the new loan mix index component is a clear reflection of the impact of recent bank failures on the current assessment rates, it may also create economic obstacles to construction lending, which continues to be performed safely by many community banks nationwide. Despite that track record, there is no doubt as to the regulators’ views of construction lending; in conjunction with the new Basel III risk-weights also applicable to certain construction loans, community banks face some downside in continuing to focus on this category of loan.

However, when considering the asset growth and loan index components together, community banks that have a strong pipeline of construction loans may have added incentive to complete an acquisition, particularly of an institution in a rural market. Not only can the acquiring bank continue to grow its assets while incurring a lower assessment rate, it can also favorably adjust its loan mix, particularly if the seller has a concentration of agricultural loans in its portfolio. In general, acquirers have recently focused their acquisition efforts on metro areas with greater growth prospects, but the assessment rules may provide an incentive to alter that focus in the future. In many ways, the proposed assessment rates provide bankers an interesting look “behind the curtain” of the FDIC, as this proposal clearly reflects the FDIC’s current points of regulatory concern and emphasis. And while none of the components of the proposed deposit insurance assessments may have an immediate impact on community banks, some institutions may be able to reap a substantial benefit if they can effectively reflect the new assessment components in their business plan going forward.