
Unimplemented Recommendations


The FDIC OIG’s Report on Unimplemented Recommendations, provided below, contains information about recommendations from our audits, evaluations, and reviews that the OIG has not closed because our office has not determined that the FDIC has fully implemented recommended corrective actions.

The status of each recommendation is subject to change due to the FDIC’s ongoing efforts to implement them, and the OIG’s independent review of information about those efforts. Specifically, a recommendation identified as unimplemented in this report may fall into one of several categories:

  • The FDIC has not completed the planned corrective action to address the recommendation;
  • The FDIC has completed corrective action but has not yet submitted the documentation to the OIG for review; or
  • The OIG is reviewing documentation submitted by the FDIC to assess whether the recommendation can be closed.

Further, the OIG may have subsequently closed a recommendation listed in this report after the date of its issuance.

For each Unimplemented Recommendation listed, we provide the report title, along with a link to the full report if available; the date of report issuance; and a brief description of the recommendation.
Our Unimplemented Recommendations listing will be updated monthly.

Status of Unimplemented Recommendations as of October 31, 2024

[Figure: Overall Status of OIG Recommendations FY20-24]

[Figure: Status of Unimplemented Recommendations as of October 31, 2024]

Unresolved Recommendations

There are no Unresolved Recommendations at this time.

Unimplemented Recommendations


Material Loss Review of Republic First Bank

Clarify the Manual to ensure that supervisory activities that do not meet the minimum requirements for a full-scope examination, including visitations and limited-scope examinations, provide adequate documentation in support of conclusions and retain this documentation in the FDIC system of record.

Revise examiner guidance to ensure supervisory personnel consider significant delays in required financial filings and any associated perspectives of external auditors when assessing UFIRS ratings.

Revise the FDIC’s Internal Formal and Informal Actions Procedures to include specific process and documentation requirements related to circumstances in which an approved formal enforcement action is replaced with a less severe action.

Develop detailed guidance that clarifies what information should be considered when assessing whether it is appropriate to approve a brokered deposit waiver for “Adequately Capitalized” IDIs.


The FDIC's Information Security Program - 2024

Update and implement the POA&M Management and Acceptance of Risk Process document to clearly define requirements of when vulnerabilities must be documented within a POA&M, and what the remediation timeline for POA&Ms must be.

Enforce existing policies and procedures to consistently perform reviews and analyze system audit records, and document and maintain those reviews and analysis for privileged users and actions taken on [redacted] devices in accordance with FDIC policy.

Remediate the technical issues within the FDIC’s Learning Management System that allow users to select the GSS Rules of Behavior training course in place of the required GSS Rules of Behavior training path to ensure users complete annual Rules of Behavior training.


Conflicts of Interest in the Acquisition Process

Develop a means of identifying and documenting acquisition-specific team members from the Program Offices, Division of Administration Acquisition Services Branch, Legal Division, and Office of Minority and Women Inclusion.

Update the Acquisition Procedures and Guidance Manual to (1) define “reasonable planning,” (2) require the documentation of “reasonable planning” for all acquisitions, and (3) require a written description of potential or actual acquisition-specific conflict of interest-related risks in planning documentation.

Develop procedures requiring acquisition team members, as defined in response to Recommendation 1, to complete a conflict of interest certification in which each team member is to assess and document that they do not have a potential or actual conflict of interest related to the specific acquisition prior to participating in any phase of the acquisition lifecycle (from planning to closeout). These procedures should require that evidence of acquisition team members’ conflict of interest certifications is maintained in accordance with requisite FDIC records retention schedule requirements.

Develop procedures requiring acquisition team members, as defined in response to Recommendation 1, to re-certify annually that they remain free of actual or potential conflicts of interest as long as the acquisition is in place.

Develop and deliver specialized acquisition-related conflict of interest training on at least an annual basis to all acquisition team members to strengthen employee knowledge and skills related to ethics laws and regulations.

Ensure Deputy Ethics Counselors (DEC) are trained on the revised Financial Disclosure Review guidance to follow up with filers when a financial disclosure report omits an entry the DEC has independent knowledge of that is relevant to the conflict of interest analysis.

Evaluate whether there should be minimum qualifications and requirements for appointed Deputy Ethics Counselors (DEC), a desired ratio of DECs to filers across FDIC Divisions and Offices, and whether DEC duties should be incorporated into FDIC employee position descriptions to better equip DECs to monitor and respond to employees’ potential and actual conflicts of interest.

Develop and implement an action plan utilizing Deputy Ethics Counselor survey results and other relevant information to help identify strengths and opportunities for continuous improvement in the FDIC’s financial disclosure review program.


Audit of Security Controls for the FDIC's Cloud Computing Environment

Remediate the 7 findings and 19 associated recommendations identified in Cloud Platform #1 and the applications built on Cloud Platform #1.

Remediate the 8 findings and 11 associated recommendations identified in Cloud Platform #2 and the applications built on Cloud Platform #2.

Remediate the 4 findings and 5 associated recommendations identified in the applications built on Cloud Platform #3.

Remediate the 3 findings and 6 associated recommendations identified in Cloud Platform #4.

Remediate the 4 findings and 7 associated recommendations identified in Cloud Platform #5.

This recommendation is redacted.

Design and implement a plan to prevent, detect, and remediate security weaknesses on FDIC cloud platforms and applications related to insecure coding practices, misconfigured security settings, least privilege violations, outdated software versions, and ineffective monitoring.


The FDIC’s Sexual Harassment Prevention Program

We recommend the Chairman reevaluate and make further updates, as necessary, and fully implement all provisions of the FDIC’s Anti-Harassment Oversight Plan.

We recommend that the Chairman: (a) incorporate a specific harassment-free culture standard into the Performance Management Program and Bonus Criteria for all staff; (b) incorporate harassment prevention into the bonus criteria for managers and executives; (c) develop and implement a process that considers violations of the anti-harassment policy when determining whether an employee should serve in a supervisory or managerial capacity; and (d) develop and implement a process that considers violations of the anti-harassment policy when determining whether an employee is eligible to receive a bonus.

We recommend that the Chairman/COO develop and implement a mechanism to ensure that corrective actions used to close recommendations related to the sexual harassment prevention program are sustained.

We recommend the Chairman reevaluate and implement an organizational structure to ensure the FDIC’s Anti-Harassment Program Coordinator can meet the requirements of the program as outlined in the AHP Directive and that the structure eliminates any conflicts given Labor and Employee Relations Section and Labor Employment and Administration Section current roles and responsibilities.

We recommend the Chairman provide the appropriate authority for effective implementation of the FDIC’s Anti-Harassment Program, including the authorities for the role of the Anti-Harassment Program Coordinator and for holding supervisors accountable for failing to fulfill their supervisory responsibilities under the AHP Directive.

We recommend the Chairman dedicate the necessary resources and staff time for effective implementation of the FDIC’s Anti-Harassment Program.

We recommend the Director, Division of Administration, develop and implement quality control procedures to ensure the FDIC maintains an accurate and complete population of sexual harassment misconduct allegations and related records.

We recommend the Director, Division of Administration, conduct a review of prior allegations to ensure that it has an accurate and complete population of sexual harassment allegations and that it has maintained all allegation records in accordance with the FDIC record retention schedule, which requires that all records be maintained for 7 years.

We recommend the Director, Division of Administration, implement an effective system for tracking, securing, documenting, and reporting sexual harassment misconduct allegations. Include the following: original allegation date, names of witnesses, whether allegations are substantiated or unsubstantiated, date of written notification to complainant and alleged harasser regarding completion of the investigation, written reports, misconduct type, and a unique identification code that follows the allegation through disciplinary action.

We recommend the Director, Office of Minority and Women Inclusion, develop and implement standard operating procedures to guide the efforts of the Anti-Harassment Program Coordinator.

We recommend the Directors, Office of Minority and Women Inclusion and Division of Administration, develop and implement standard operating procedures for case file records management, including where to securely maintain files, what to maintain, and how long to retain records.

We recommend the Director, Division of Administration, update and implement investigation standard operating procedures to clearly guide investigations by ensuring that investigations are: conducted appropriately and consistently; convey the outcome of the investigation, including a Report of Investigation; and are well-documented.

We recommend the Director, Division of Administration, provide regular investigation training to the LERS Specialists conducting investigations under the Anti-Harassment Program.

We recommend the Director, Division of Administration, develop a centralized disciplinary action tracking system or tool and related procedures for what information should be captured in the tool and in support of the disciplinary decision.

We recommend the Chairman consider developing and implementing Agency-wide, consistent penalties or recommended penalty ranges to be used in disciplinary actions for harassing conduct, in accordance with applicable laws and regulations, and, as necessary and appropriate, incorporate the consistent penalties and recommended penalty ranges into policy and procedures.

We recommend the Chairman develop and implement a policy to ensure that parallel processing of allegations of sexual harassment occur under the EEO and the AHP as necessary and appropriate.

We recommend the Chairman develop and implement policy to ensure that staff who are responsible for promptly, thoroughly, and impartially investigating allegations of harassment and taking immediate and appropriate corrective action are neutral and free of conflicts or the appearance of a conflict.

We recommend the Chairman establish and implement a policy for handling allegations against senior-level corporate managers and executives from intake to final determination, including the use of Memorandums of Understanding, as appropriate, to engage those outside of the FDIC chains of command.

We recommend the Chairman update the AHP Directive to include: (1) a clear definition of sexual harassment misconduct and practical examples tailored to the workplace, (2) an explanation of the Agency’s duty to investigate and correct harassment even if alleged victims indicate they do not want the matter investigated or corrected, and (3) general time limits for concluding investigations.

We recommend the Chairman reassess and redesign, as needed, the roles and responsibilities within the AHP Directive to ensure all aspects of the Directive can be implemented. Further, we recommend the Chairman develop a plan for implementing all aspects of the AHP Directive.

We recommend that the Chairman develop and implement regular, comprehensive, and effective required training for all supervisors and executives on preventing and reporting sexual harassment that incorporates elements from the EEOC’s 2023 Promising Practices, including a larger emphasis on the Agency’s prohibition for retaliation of any kind.

We recommend that the Chairman develop and implement a plan to routinely analyze the FDIC’s sexual harassment training, ensure that it is current, and measure the impact that training is having on reducing harassment and retaliation in the Agency.


Review of the FDIC’s Ransomware Readiness

Evaluate and consider enhanced solutions to store backup data, as described in the report, and update the Storage Systems Backup Data Protection Standard Operating Procedures, as appropriate.

Review and update policies and procedures for identifying, assessing, and tracking new Federal IT requirements to ensure timely control implementation, as appropriate.

Conduct an analysis to identify viable alternatives for testing restoration of Active Directory from backups, or have senior management formally accept the risk of not testing these backups.

Develop a process to ensure the Continuity Implementation Plan is regularly updated in a timely manner to ensure it is current, complete, and accurate.

Develop and implement a process to ensure employees and contractors in a Continuity Implementation Plan role are assigned and complete initial Disaster Recovery Awareness Training in the FDIC Learning Experience system.

Develop and implement a process to ensure employees and contractors in a Continuity Implementation Plan role are assigned and complete annual Disaster Recovery Awareness Training in the FDIC Learning Experience system.


The FDIC’s Purchase and Deployment of the FDIC Acquisition Management System

Develop a change management process and require Divisions and Offices to employ a change management strategy and plan that incorporates relevant elements mentioned in this report when implementing significant changes to business processes. The relevant change management elements should consider the following:
• Understanding the impact on workforce segments,
• Identifying and engaging the right people,
• Assigning a change management leader,
• Establishing relevant objectives and goals,
• Establishing a communication strategy and plan,
• Ensuring open communication and collaboration with employees impacted by the change,
• Providing effective employee training and tools,
• Assessing achievement of objectives and goals, and
• Analyzing and reporting independently and objectively on project health (using tools such as a project sentiment survey or pulse survey) at key intervals.

Implementation of this recommendation will result in $9.9 million in funds to be put to better use as the FDIC realizes better outcomes over time.

Develop and provide training to Executive and Corporate Managers on the change management process and in developing and employing change management strategies and plans.

Develop and implement a change management strategy and plan for the acquisition of a new acquisition management system.


The FDIC’s Regional Service Provider Examination Program

Conduct a formal assessment of the Regional Service Provider examination program to establish program-level goals, metrics, and indicators and determine whether additional resources and controls are needed to improve the effectiveness of the program, as identified in this memorandum.


Material Loss Review of First Republic Bank

Evaluate why large-bank examination teams may wait to issue CAMELS ratings downgrades until issuance of Reports of Examination (ROEs), rather than promptly when circumstances warrant it as required by the RMS Continuous Examination Process Procedures. Then, take corrective action as appropriate.

Identify additional communications or adjustments to training curriculum to reemphasize to examiners the importance of timely ratings changes in accordance with the FDIC’s approach to forward-looking supervision.

Evaluate and update as appropriate examination guidance to require specified supervisory actions when a bank’s business practices do not align with its policies and procedures (e.g., a balance sheet position that does not align with its interest rate policy).

In light of the unexpected uninsured deposit outflows experienced by First Republic, we recommend that the Director, Division of Risk Management Supervision comprehensively re-evaluate the Manual to determine whether updates to examination guidance are needed pertaining to the evaluation of banks’ deposit outflow assumptions for liquidity stress testing, including the magnitude and velocity of uninsured deposit outflows.

Proactive horizontal identification and monitoring of similarities across banks – including like business characteristics and risks, and like reputational characteristics – that may result in similar behaviors amongst their depositors, including shared risk characteristics that may result in increased contagion risk between institutions.

Incorporating shared risk characteristics that may result in increased contagion risk between institutions into the FDIC’s supervisory approach across large institutions.

Explore potential processes and information sources for real-time monitoring of large bank reputational risk. Potential information sources could include bank share price tracking websites, short seller activity, and social media discussions.

Engage with other federal regulators to evaluate the need for changes to rules under the safety and soundness standards, including the adoption of noncapital triggers that would require early and forceful regulatory actions tied to unsafe banking practices before they impair capital.


Material Loss Review of Signature Bank of New York

Emphasize to examiners in the form of training and other internal communications the requirements around timely escalation of supervisory concerns in line with the FDIC’s forward-looking approach to supervision.

Reiterate to examiners requirements around prompt communication of risk and supervisory results to bank management, emphasizing the significance of prompt communication over linear or chronological issuance of supervisory products.

Conduct and document an evaluation of existing examination guidance to determine whether updates are warranted for:
a. The need to timely communicate findings to bank board and management even when not all supervisory findings are finalized.
b. Escalation of supervisory concerns and ratings downgrades when SRs and MRBAs have been outstanding for multiple examination cycles.
c. Specific circumstances that give rise to interim rating changes, including when concerns are known in advance of the issuance of ROEs and other supervisory products.
d. The effect of bank management’s and board’s lack of receptiveness and responsiveness towards the supervisory process on the rating for the CAMELS Management component.
e. Permitting the LBS Branch to review all supervisory products prior to issuance to the bank when requested, regardless of whether the products contain ratings information.
f. Resolution of situations in which UFIRS and LIDI ratings trend differently for multiple quarters.


Reevaluate the FDIC's strategy to attract, retain, and allocate staffing, including how to enhance the supervision of large, complex financial institutions.
a. This evaluation should be documented and submitted to the FDIC’s Chairman for review and approval.

Implement target metrics and monitor variances for key supervisory outputs consistent with requirements contained in CEP Procedures, such as:
a. Supervisory Plan percentage completed to actual percentage completed, to identify and take timely corrective action when examination teams are not on track to achieve objectives detailed in annual supervisory plans.
b. Target review start date to actual review start date, to identify and take timely corrective action when examination teams are not on track to achieve objectives detailed in annual supervisory plans.
c. Number of days elapsed between target review start date and exit meeting to expectation, to identify and take corrective action when reviews are not being completed and informal results communicated to the bank timely.
d. Number of days elapsed between target review start date and issuance of Supervisory Letter to expectation, to identify and take corrective action when the results of reviews are not being completed and results communicated to the bank timely.
e. Number of days elapsed between year-end and ROE issuance to expectation, to identify and take corrective action when ROEs are not being completed and results communicated to the bank timely.
f. Number of days elapsed between quarter-end and issuance of Ongoing Monitoring Reports to expectations, to identify and take corrective action when ongoing monitoring is not being completed timely.

Comprehensively re-evaluate the Manual in light of the SBNY failure to determine whether updates to examination guidance are needed in the areas of:
a. stability of deposits, including large and long-term uninsured depositor relationships.
b. the velocity and magnitude of potential deposit outflows, including the supervision of liquidity stress testing.


FDIC Strategies Related to Crypto-Asset Risks

Establish a plan with timeframes for assessing risks pertaining to crypto-related activities by:
a) Continuing to identify and document crypto-asset risks,
b) Performing and documenting an analysis of the identified risks to estimate their significance, and
c) Developing and documenting strategies to address crypto-asset risks.


The FDIC’s Orderly Liquidation Authority

Establish and maintain a consistent focus on the Orderly Liquidation Authority program in the Division of Complex Institution Supervision and Resolution strategic planning, to include a roadmap with established milestones for ensuring that the FDIC promptly matures the Orderly Liquidation Authority program.

Develop and consistently maintain comprehensive Orderly Liquidation Authority policies and procedures for systemically important financial companies, to include:
a. Tier I policies and procedures for framework-level activities.
b. Tier II policies and procedures for operational process-level activities.
c. Tier III policies and procedures for institution-specific planning activities.
d. Other operational program policies and procedures for Orderly Liquidation Authority resolution planning activities.

Apply Tier III policies and procedures to develop and consistently maintain institution-specific resolution planning documents for all nonbank financial companies and financial market utilities designated by the Financial Stability Oversight Council as systemically important.

Establish an action plan for promptly developing and issuing rules and regulations required by the Dodd-Frank Act, including:
a. In consultation with the U.S. Secretary of the Treasury, rules or regulations to meet the requirements of 12 U.S.C. § 5390(o)(6).
b. In coordination with the FRB, and in consultation with FSOC, rules or regulations to meet the requirements of 12 U.S.C. § 5393(d).

Ensure regular interdivisional oversight of the Orderly Liquidation Authority program and related products.

Establish a process for identifying and preparing staff who would be responsible for key Orderly Liquidation Authority resolution governance roles, such as the Executive Advisory and Oversight Group, the Tactical Project Manager, and the Onsite Liaison, to include:
a. Completing planned guidance and/or preparing a charter that will define in more detail the key resolution governance roles and responsibilities.
b. Maintaining a roster of potential staff for key resolution governance roles.
c. Informing potential staff for the key resolution governance roles of their respective Orderly Liquidation Authority resolution responsibilities.

Ensure the completed Tier I and II policies, procedures, and related guidance documents fully define the applicable Orderly Liquidation Authority roles and responsibilities of each FDIC Division and Office.

Ensure the FDIC establishes a timeframe to obtain, and then obtains, the staff resources needed to mature the Orderly Liquidation Authority resolution planning program.

Conduct and document a representative survey or other assessment of the Orderly Liquidation Authority-related skill sets existing or needed within the Division of Complex Institution Supervision and Resolution and ensure the Division’s Professional Development Plan incorporates the results.

Conduct and document an assessment of the level of staff and contractor resources needed for a baseline Orderly Liquidation Authority resolution execution team.

Regularly conduct and document Orderly Liquidation Authority general and functional training and ensure that training is clearly linked to the key components of the systemic resolution framework and processes.

Complete and implement the operational exercise program for significant Orderly Liquidation Authority-related activities, such as the systemic risk determination process, and ensure key contractor resources and FDIC Board Members are included in exercises.

Establish key performance metrics for the Orderly Liquidation Authority program with which the FDIC can measure and monitor the overall status of the program.

Ensure the FDIC regularly updates the FDIC Operating Committee and the FDIC Chairman on the overall status of the Orderly Liquidation Authority program.

Ensure the Division of Complex Institution Supervision and Resolution maintains the necessary staff and establishes a plan for conducting regular internal reviews of Orderly Liquidation Authority resolution planning activities.

Establish a mechanism to track and monitor the implementation of significant current and future recommended action items from internal and external exercises or actual resolution events.

Develop an FDIC readiness plan for a financial crisis, to include a scenario that involves the resolution of multiple concurrent failures of systemically important financial companies.


The Federal Deposit Insurance Corporation's Information Security Program - 2023

Implement process improvements to ensure prompt notification and removal of user network accounts on or before the user’s separation date.


FDIC Efforts to Increase Consumer Participation in the Insured Banking System

In developing future Economic Inclusion Strategic Plans, perform an environmental scan of the current economic inclusion landscape. The environmental scan should include external resources, such as national partners and banks, to identify and understand trends in banking services and technology solutions that may affect the FDIC’s economic inclusion goals.

Resume the Bank survey, or implement another mechanism, to obtain the perspectives of banks, including bank efforts to address primary reasons cited by households for being unbanked, and data related to the Federal Deposit Insurance Reform Conforming Amendments Act of 2005 questions. Data obtained should be leveraged to inform the development of the FDIC’s future economic inclusion strategic planning efforts.

Identify and describe internal and external stakeholder coordination and collaboration efforts, including inputs, responsibilities, and expected contributions in the FDIC’s future Economic Inclusion Strategic Plans.

Review Executive Orders related to advancing equity and improving economic opportunities in specific communities to identify and consider best practices that can be incorporated into the FDIC’s future economic inclusion strategic planning efforts.

Clearly identify and describe strategies to achieve the desired goals in the FDIC’s future Economic Inclusion Strategic Plans.

Develop and implement consistent assessment and progress reporting for all Economic Inclusion Strategic Plan goals and objectives, and ensure that the expressed intent of annual FDIC Performance Goals related to economic inclusion matches the goals and objectives articulated in the Economic Inclusion Strategic Plan.

Coordinate with the Division of Finance to develop and implement formal policy and guidance for the formulation of discretionary strategic plans that are consistent with strategic planning best practices from the Office of Management and Budget, the Government Accountability Office, and other organizations identified in this report.

Align the Economic Inclusion Strategic Plan with the policy and guidance developed in response to Recommendation 7.

Develop or use an existing tracking system to measure internal staffing costs related to individual economic inclusion programs and initiatives.

Develop a mechanism to help identify whether the FDIC needs to reallocate resources for economic inclusion initiatives to meet Economic Inclusion Strategic Plan goals and objectives.

Conduct a feasibility study for expanding the language availability for FDIC economic inclusion outreach products.

Develop clear guidance on running business reports out of Community Affairs Reporting and Events System, including the use of filters.

Ensure risk mitigation strategies identified for the economic inclusion-related Enterprise Risk Management Risk Inventory item clearly address and effectively reduce risks related to implementing strategic objectives, effective controls, and responsive programs to promote economic inclusion.


Sharing of Threat and Vulnerability Information with Financial Institutions

Share threat and vulnerability information that is uniquely developed or summarized by the FDIC with financial institutions or other financial sector entities to further strengthen their threat intelligence activities. This includes results from the FDIC’s 2022 Ransomware Horizontal Review and relevant trending and analysis conducted by the Division of Risk Management Supervision.

Conduct training for examiners on the requirements for recording computer-security incidents, the information to include, and specific requirements for Notification Rule incidents.

Ensure that FDIC threat and vulnerability communication procedures facilitate the sharing of unclassified, non-cyber-related threat and vulnerability information.

Update the Division of Risk Management Supervision Threat and Vulnerability Communication Operating Procedures to:
(1) establish a more appropriate methodology for determining when to share threat and vulnerability information created internally or obtained from other credible sources;
(2) formalize processes for (a) coordinating with the Intelligence and Threat Sharing Unit and accounting for threat and vulnerability information received from the Intelligence and Threat Sharing Unit, (b) coordinating with the Chief Information Officer Organization under the Vulnerability Disclosure Policy program, and (c) coordinating with other FDIC Divisions and Offices that may obtain relevant threat and vulnerability information that requires communication to financial institutions; and
(3) specify the key documents that should be retained to support the Division of Risk Management Supervision threat sharing decisions.

Develop and implement a feedback process for external threat sharing activities.

Develop performance measures to assess the effectiveness of the FDIC's external threat and vulnerability information sharing activities.

Ensure that all data sets within the FDIC that contain relevant threat and vulnerability information are assessed, and that natural language processing or alternative technological capabilities are considered for enhancing threat and vulnerability information sharing operations.


The FDIC’s Adoption of Cloud Computing Services

Develop and maintain an inventory and catalog of all FDIC data used throughout the cloud data lifecycle.

Establish and implement data governance requirements (e.g., policies, processes, roles, and responsibilities) for managing data residing in the cloud.

Develop and implement Contract Management Plans for all contract actions, including contracts, basic ordering agreements, and related task orders, as required by FDIC policy.

Provide additional training to Contracting Officers and Oversight Managers to emphasize the requirement to develop Contract Management Plans for contract actions, when appropriate.

Update the Project Management Lifecycle and/or System Development Life Cycle frameworks to include a Disposal phase and process.

Develop and implement policies and procedures for overseeing the decommissioning of legacy systems.

Review all current and planned system replacements and ensure legacy system decommissioning plans are created in accordance with FDIC policies and procedures.


FDIC Examinations of Government-Guaranteed Loans

Develop and implement guidance to examination staff on the credit, operational (including fraud), liquidity, and compliance risks related to Government-guaranteed loans to ensure staff adequately plans and conducts examinations to identify and address emerging risks.

Develop and implement guidance to examination staff to ensure that staff consistently evaluate Government-guaranteed loans in their review of loan classification, assessment of off-balance-sheet risk, concentration risk, and ongoing monitoring.

Revise and implement FDIC guidance and practices for assessing concentrations and loan classification so that the FDIC's supervisory approaches to banks are applied uniformly with those of the other Federal bank regulators.

Coordinate with the other Federal bank regulators to ensure uniform application of supervisory approaches to banks regarding concentrations and loan classification.

Develop and implement a training plan to ensure examination staff are trained on the requirements and risks of Government-guaranteed loan programs.


FDIC Oversight of a Telecommunications Contract

Develop a strategy to periodically assess workload imbalances among Oversight Managers in the FDIC Chief Information Officer Organization (CIOO), and implement a strategy to address such imbalances.


The FDIC's Security Controls Over Microsoft Windows Active Directory

Provide additional training to emphasize password requirements for privileged account users and communicate the effect of poor password practices, including those identified in this report.

Develop and implement controls to monitor and track password usage for privileged users and domain administrators to mitigate insecure password practices.

Develop and implement policies and procedures to automate the password creation and management process for privileged Active Directory accounts.
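The three recommendations above target specific, checkable settings on privileged accounts. As an added example, not part of the OIG report and not an FDIC tool, the following PowerShell report enumerates the members of the built-in privileged Active Directory groups (including nested membership) and flags the password settings that the recommendations describe: passwords set never to expire, accounts marked as not requiring a password, reversible password encryption, stale passwords, and accounts outside the Protected Users group. The group list, the 90-day maximum password age, and the output file name are assumptions; the script requires the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example (not from the OIG report): report privileged Active Directory
# accounts whose password settings contradict the controls recommended above.
# Requires the ActiveDirectory RSAT module and read access to the domain.
# The group list, the 90-day maximum age and the output path are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators'
)
$MaxPasswordAgeDays = 90   # assumed value; align with the organization's password policy

# Collect (group, account) pairs, expanding nested group membership.
$Accounts = foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Sam = $_.SamAccountName } }
    } catch {
        Write-Warning "Group '$g' not found or not readable: $_"
    }
}

# One row per distinct account, regardless of how many privileged groups it sits in.
$Findings = foreach ($grp in ($Accounts | Group-Object -Property Sam)) {
    $u = Get-ADUser -Identity $grp.Name -Properties PasswordLastSet, PasswordNeverExpires,
        PasswordNotRequired, AllowReversiblePasswordEncryption, LastLogonDate, MemberOf
    if (-not $u.Enabled) { continue }   # disabled accounts belong to a separate review

    $issues = @()
    if ($u.PasswordNeverExpires)              { $issues += 'PasswordNeverExpires' }
    if ($u.PasswordNotRequired)               { $issues += 'PasswordNotRequired' }
    if ($u.AllowReversiblePasswordEncryption) { $issues += 'ReversibleEncryption' }
    if ($null -eq $u.PasswordLastSet) {
        # PasswordLastSet is null when pwdLastSet = 0 (password must change at next logon)
        $issues += 'MustChangeAtNextLogon'
    } elseif ($u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $issues += "PasswordOlderThan${MaxPasswordAgeDays}Days"
    }
    # Protected Users members get Kerberos-only authentication (no NTLM, no delegation);
    # direct membership is what counts, so only the account's own MemberOf is checked.
    if (-not ($u.MemberOf -match '^CN=Protected Users,')) { $issues += 'NotInProtectedUsers' }

    if ($issues) {
        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            PrivilegedGroups = ($grp.Group.Group | Sort-Object -Unique) -join ';'
            PasswordLastSet  = $u.PasswordLastSet
            LastLogonDate    = $u.LastLogonDate
            Issues           = $issues -join ','
        }
    }
}

$Findings | Sort-Object SamAccountName | Format-Table -AutoSize
$Findings | Export-Csv -Path '.\privileged-password-findings.csv' -NoTypeInformation
```

Run it from a domain-joined host under an account with read access to the directory; it makes no changes. The output is a point-in-time snapshot, so scheduling it and diffing successive CSV files is what turns the check into the ongoing monitoring the second recommendation asks for. Two caveats: the Protected Users group is only available at the Windows Server 2012 R2 domain functional level or later, and a password-age threshold only approximates the "automate the password creation and management process" recommendation, which is normally met by vaulting and rotating privileged credentials rather than by reporting on them.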

Develop and implement a process to regularly evaluate roles to determine whether they are still needed or are duplicative of other roles.

Develop and implement a process to reconcile conflicting certification determinations for duplicative roles.

Update and implement procedures to proactively update or replace operating systems before vendor support ends.


Implementation of the FDIC’s Information Technology Risk Examination (InTREx) Program

Develop and implement defined, objective, quantifiable, and measurable goals related to the InTREx program.

Develop and implement a process to collect and analyze relevant data regarding the InTREx program.

Develop and implement metrics and indicators, including outcome measures, to assess the effectiveness of the InTREx program and to determine if the program is achieving its desired results and outcomes.


Security Controls Over the FDIC’s Wireless Networks

Develop and implement a policy to review, approve, and centrally manage the configuration settings of current and future Wi-Fi-enabled devices in FDIC facilities, both before initial setup and before subsequent updates.


The FDIC’s Information Security Program – 2022

Address the 31 Plans of Action and Milestones (POA&Ms) identified as of June 21, 2022, associated with NIST SP 800-53 Rev. 5 control SI-2 (Flaw Remediation).


Sharing of Threat Information to Guide the Supervision of Financial Institutions

Establish and implement procedures for the Division of Risk Management Supervision (RMS) threat information sharing activities.


The FDIC’s Information Security Program – 2021

Develop and implement Supply Chain Risk Management (SCRM) processes and procedures in accordance with the Supply Chain Risk Management Program Directive and applicable government guidance.


Contract Oversight Management

Provide enhanced contract portfolio reports to FDIC executives, senior management, and the Board of Directors.