The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
CON Fl DENTIAL RESTRICTED FR OPERATIONS REVIEW REPORT Federal Reserve Bank of New York Banking Supervision Group May 9-27, 2005 FCIC-090706 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR CONFIDENTIAL Federal Reserve Bank ofNew York Report of Operations Review - Bank Supervision Group May 9-27, 2005 11 FCIC-090707 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR TABLE OF CONTENTS INTRODUCTION AND SCOPE ............................................................................................................. 1 ENVIRONMENTAL ASSESSMENT ..................................................................................................... 2 SUMMARY OF CONCLUSIONS ........................................................................................................... 3 OVERVIEW ............................................................................................................................................. 3 KEY RECOMMENDATIONS AND SUGGESTIONS THAT INVOLVE MULTIPLE AREAS ................................. 5 SAFETY AND SOUNDNESS SUPER VISION .............................................................................................. 11 Large Complex Banking Organizations Supervision ..................................................................... 11 Regional and Community Bank Supervision ................................................................................. 14 Foreign Banking Organizations Supervision .................................................................................. 15 Bank Secrecy Act (BSA) & Anti-Money Laundering (AML) ....................................................... 16 Market and Liquidity Risk .............................................................................................................. 19 Information Technology and Operations Risk ............................................................................... 20 CONSUMER AFFAIRS SUPERVISION ...................................................................................................... 21 Consumer Compliance and Consumer Complaints ........................................................................ 21 QUALITY MANAGEMENT ..................................................................................................................... 23 ADMINISTRATION ................................................................................................................................ 24 Training and Staff Development .................................................................................................... 24 Information Technology (IT) Support ............................................................................................ 24 Conflicts of Interest ........................................................................................................................ 25 REFERENCE LIST OF RECOMMENDATIONS AND SUGGESTIONS .......................................... 27 MEMBERS OF TilE OPERATIONS REVIEW TEAM ....................................................................... 32 111 FCIC-090708 CONFIDENTIAL Federal Reserve Bank ofN ew York Operations Review May 2005 RESTRICTED FR INTRODUCTION AND SCOPE During the weeks of May 9, 16 and 23, 2005, we conducted an operations review of the Banking Supervision Group (the Group or the BSG) of the Federal Reserve Bank of New York (the Reserve Bank). A team of officers and senior staff (the team) representing both safety and soundness and consumer affairs performed the review. The previous operations review took place during February 2002. The primary objective of the operations review program is to evaluate a Reserve Bank's supervision and regulation function to determine whether its processes and procedures adequately support performance of its delegated responsibilities. The scope of an operations review emphasizes the organizational structure, planning and resource allocation, effectiveness of communications and compliance with key System policies, programs and procedures. In view ofthe brief period oftime during which an operations review is conducted, the team is limited in its ability to render a detailed, comprehensive assessment of the day-to-day effectiveness of the Reserve Bank's supervision function. Instead, the team conducts a high-level review where testing is generally limited and emphasis is given to assessing the adequacy of processes and controls that promote effective operations and enable compliance with policies and procedures. By focusing on processes and controls, the review aims to reinforce elements of operational strength, as well as to identify those areas that may benefit from further enhancement, to assure that the objectives of the System and the Reserve Bank will be met effectively and efficiently going forward. To determine the scope for this review, the team met with Board officials responsible for program areas of banking supervision and consumer affairs, reviewed materials provided by the BSG, consulted with the Group's officers and staff, and considered both the findings from and the Reserve Bank's response to the previous operations review. Based on this information, the team tailored the scope of the review to focus on areas of highest risk within the Group's major business functions: safety and soundness supervision of large complex, foreign, and regional and community banking organizations; consumer affairs supervision (including both consumer compliance examinations and consumer complaint resolution); bank secrecy and anti-money laundering compliance; market and liquidity risk; information technology (IT) and operations risk; quality management; and administration (including information technology support, training and staff development, and conflicts of interest). Because our scope was risk-focused, we did not review several operational areas that have limited activity in the District or for which the level of risk was perceived to be low; these areas included credit risk as a specialized risk management function, safety and soundness applications, applications with consumerrelated issues, planning and resource allocation, surveillance and enforcement as independent functions, and NIC and NED 1 operations. On Thursday, May 26, the team discussed its findings with the Group's officers responsible for each area reviewed. Written close-out reports were given to BSG officials at that time. On Friday, May 27, Team Leader Stephen Jenkins summarized the material findings for President Timothy Geithner, Vice President and Assistant General Auditor Robert Ambrose, and Executive Vice President William Rutledge. 1 "NlC" stands for National Information Center; "NED" stands for National Examination Database. FCIC-090709 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May2005 RESTRICTED FR ENVIRONMENTAL ASSESSMENT The banking structure of the Second District has experienced notable change since the last operations review. As summarized in the table below, during 2004 two large State Member Banks (SMBs) converted to national charters, significantly reducing the volume of assets directly supervised in this category of institution (from $815 billion to $230 billion). The number of program Foreign Banking Organizations (FBOs) supervised by the Second District declined modestly between December 2001 and December 2004, although the volume of U.S. assets increased by 21 percent (to about $2.9 trillion). The number of bank holding companies (BHCs) remained stable during this period, although the volume of assets grew significantly, by more than 60 percent (to about $4.4 trillion). These structural changes confirm the Reserve Bank's strategy to refine its role as an umbrella supervisor, as BHCs continue to own banks that control most commercial banks by number and the vast majority of their commercial banking assets. Number and Assets of Supervised Institutions in the Second District (Assets in$ Billions) Dec-01 Number ofSMBs Assets of SMBs Numbet· ofFBOs Assets ofFBOs Number ofBHCs Assets of BHCs Dec-04 29 27 $815 $230 114 101 $2,204 $2,936 131 130 $2,744 2 $4,403 2 The formal count of 101 FBO institutions -- shown for December 2004 in the table above -- is based on a definition of FBO that considers which Reserve Bank has the lead supervisory responsibility within the Federal Reserve System. Due however to the presence within the Second District of many FBO-related entities for which supervisory responsibility is shared with other Districts, the BSG's Foreign Banks and Technical Assistance Department performs supervisory activities for a larger number ofFBO entities- specifically 206 foreign branches, foreign agencies, Edge and agreement corporations, and representative offices. 2 FCIC-09071 0 CONFIDENTIAL Federal Reserve Bank ofN ew York Operations Review May 2005 RESTRICTED FR SUMMARY OF CONCLUSIONS Overview Overall, the BSG is executing the Reserve Bank's supervisory responsibilities to a high standard. Exceptions are noted in the areas of Bank Secrecy Act/anti-money laundering (BSA/AML) supervision and management information systems for Foreign Banking Organizations (FBO) supervision. The BSG has the largest number of supervisory staff in the Federal Reserve System, and uses these resources to oversee the largest and most complex banking organizations within the U.S. While the District's supervisory responsibilities have changed over the past two years due to state-member bank charter conversions and merger activity, the Reserve Bank has appropriately adjusted its supervisory strategies and plans to ensure that it fulfills its System responsibility as an umbrella supervisor. The BSG provides significant System leadership in supervision and regulation, both from a policy and a supervisory perspective. Some notable accomplishments include the key role played by BSG management in developing the new Large Financial Institution (LFI) program, and the System's decision to select the Reserve Bank to lead critical elements of that program. The BSG is also a leader in the System's activities related to BASEL II, and provides valuable technical assistance to foreign central banks and regulators. The BSG has successfully investigated several high-profile moneylaundering schemes resulting in formal supervisory actions and significant fines. The BSG also makes many other worthwhile contributions to System policy development, and to supervision activities at other Reserve Banks, through its participation in System committees, task forces and project teams. An important finding by the team is that the Reserve Bank is not fully meeting System policy and statutory obligations with regard to BSA/AML reviews, which were not conducted as required on every FBO examination. The team found that the BSA/AML examination work that is being conducted is of high quality and that management reviews the potential risk of each institution and prioritizes them for review based on that assessment. While the team recognizes that the District has had significant turnover of BSA examiners, and that special investigations and other reviews have occupied scarce staff resources, the current situation does create some reputational risk for the District and the System. The team believe that it is imperative that BSA/AML mandates be met, but also concedes that the BSG, like many System supervision departments, faces a shortage of resources for this specialty. Achieving the statutory mandates will likely require creative solutions until examiners new to the BSA/AML supervision function are more knowledgeable and functional. The BSG continues to promote innovative supervisory approaches and was the first District to adopt the risk management/relationship management organizational structure. This business model has matured since the last operations review in February 2002, and staff in both the risk and the relationship functions have a much better understanding of their roles and responsibilities. Communications between the various units have improved since the last operations review, primarily due to the experience that management and staff have accumulated by working with the model, facilitated by the thorough vetting sessions that occur at critical points in the supervisory process. While the business model results in high-quality supervisory products, it includes detailed preplanning, scoping and examination processes, which themselves draw a significant volume of resources. Such 3 FCIC-090711 CONFIDENTIAL Federal Reserve Bank ofN ew York Operations Review May 2005 RESTRICTED FR thorough processes makes sense for large and complex institutions, but the team believes the cost in time and resources for smaller, less-complex institutions may not be fully justified by equivalent benefits. The team observed that some units within the BSG already recognize the potential value of streamlining steps in the planning/scoping/vetting/examination processes, and we encourage management to consider simplifying how the business model is applied, where appropriate. The staff are appropriately experienced given the District's risk profile; however a recent increase in turnover has resulted in staff shortages in certain critical areas including anti-money laundering, corporate compliance, and the relationship team at one Large Complex Banking Organization (LCBO). Management is fully aware ofthese issues, and both hiring objectives and staff reallocation efforts are regularly reassessed in an attempt to furnish critical areas with sufficient staffing and experience levels. The District has created an excellent staff development and training program to integrate and train the large number of new hires, most of whom are progressing very effectively through the System's examiner commissioning program. The BSG also has a formalized Job Mobility Program that encourages staff rotations to different specialties and roles within the BSG thereby creating more staffing flexibility, fostering career development and broadening individual skills. While the quality of supervisory products is generally strong, improvement opportunities were noted in two areas: the timeliness of work products and the quality ofworkpapers. • The corporate culture of the BSG emphasizes quality of final product rather than timeliness, but the team believes there are opportunities to improve timeliness without compromising quality. Indeed a greater emphasis on timeliness could complement efforts to streamline the planning and vetting processes, which the team believes would be appropriate for smaller or less risky institutions. Also with regard to timeliness, during 2004 and 2005 a large number of examination reports and communications were processed outside of the sixty-day System guideline. Particularly in the FBO supervision function, records show that there were ten missed mandates for FBO institutions, thirty-three late mailings of examination reports, and eighteen assessments of FBO combined U.S. operations that were not completed within the required sixty days following the conclusion of the last on-site examination in the cycle. • Although scope and product memoranda are very thorough and provide detailed information on areas reviewed and the supervisory findings, often there is not sufficient information in the workpapers to understand how the examiner reached his or her conclusion. There also is not consistent documentation linking source documents in the workpapers to the conclusions in the product memoranda. The BSG does not employ the standardized workprograms used by many of the other Reserve Banks. While there is no requirement that a workprogram be used, the team believes it is important that the Reserve Bank's supervision program ensure there is a proper audit trail to support the examiner's key conclusions and assessments. BSG management had already recognized this issue, based on a 2004 review ofworkpapers conducted by the Group's Quality Assurance unit. While the quality of management information systems (MIS) have improved since the last operations review, there continue to be opportunities for improvement, especially in FBO supervision. Shortcomings in MIS for FBO supervision were cited as issues in both the 1997 and the 2002 operations review reports, and are a repeat recommendation in this 2005 report. Particularly for FBO 4 FCIC-090712 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR supervision, although support staff track examination mandates and timeframes for report processing, the information is not provided to FBO management in a form that is useful to them to manage their deadlines. In some cases exceptions are unknown until after the deadline; in other cases, MIS is available but staff members still use manual processes. Lastly, the BSG implemented a centralized quality assurance function in 2001. The function has strong senior management support and oversight and is independent from supervisory processes. The quality assurance framework has clearly defined roles and responsibilities and work products and processes are of high quality. In the pages that follow, we summarize with greater specificity our findings for the individual areas that we reviewed. To make the report more concise, we focus on areas where the team has made recommendations or suggestions. 3 Readers can find additional detail in the written reports that were provided to management during the close-out meetings on May 26, 2005. Key Recommendations and Suggestions That Involve Multiple Areas Five recommendations and two suggestions made by the team affect multiple program areas across the BSG, and as such may be considered of particular importance. Rather than describe them repetitively in the individual sections that comprise this report, we bring them forward to this section. 1. Timely completion of supervisory workproducts is not a visible priority in many parts ofthe BSG. The team was consistently impressed by the very high quality of work produced by staff, and recognizes that this is a result not only of the caliber of staff the BSG recruits and the high standards set by management, but also the thorough planning and review processes that characterize the BSG supervision model. The team believes however that BSG management does not place an equivalent value on timeliness of supervisory workproducts. Supervisory messages need to be delivered on a timely basis to have an effective impact, and thus timeliness is both consistent with and supportive of good supervision. The team found several examples of how timeliness could be improved. 1. a. Opportunities to improve timeliness in LCBO supervision In LCBO supervision, for example, the 2002 operations review suggested that "management establish a uniform set of minimum standards governing the organization, format, timeliness and content of LCBO program documents to ensure that critical areas are addressed for each LCBO and to facilitate the review ofthese documents for horizontal review purposes." The current review found that, while LCBO supervisory products are fully appropriate in their depth, coverage, and clarity, standards are not being met for timeliness and this inhibits the products' effectiveness and validity for comparison in horizontal reviews. Specifically, the efficiency and effectiveness of the LCBO Supervisory Plans, Risk Assessments, and Risk Matrices are diminished because they are not completed in a regular or timely 3 The operations review program makes recommendations when the team perceives that effective or efficient performance of the supervision program is at risk and will remain so until the recommendation is implemented. The team makes suggestions when it concludes that supervision will be improved by adopting the suggestion, but that failing to do so would not place the supervision program at risk. The recommendations and suggestions are set forth in the following sections, with a summary list provided at the end of the report. 5 FCIC-090713 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR manner. In several cases, comprehensive risk assessments and risk matrices have not been updated in over twelve months. Documentation of ongoing supervision- such as notes from meetings with institution management, evaluations of risk reports from institutions, and correspondence with the organization or other parties - are neither maintained nor posted to a central repository. In addition, updates to the Supervisory Plan are not documented in any of the supervisory products (although it is clear through the team's discussions with BSG staffthat appropriate changes are made to the plans on an ongoing basis which reflect the organizations' changing risk profile). The lack of timely documentation appears to have several root causes, but chiefly reflects time constraints and a need to prioritize other tasks such as responding to frequent information requests, performing follow-up on "headline" news events, and coordinating targeted examinations and other supervisory events with BSG examiners and other regulators. Shortcomings in documentation may result in a failure to identify significant risks or supervisory issues or to justify particular actions if the institution were to suffer from an adverse event. It also limits the System's ability to assess and evaluate banking practices across organizations. The LCBO Program Product Guidance Memo issued April 21, 2003 provides guidance on the specific expectations regarding documentation for each product. We recommend that LCBO supervisory management dedicate adequate priority and resources to provide regular and timely documentation of ongoing supervision and monitoring. 1. b. Opportunities to improve timeliness in FBO supervision The FBO area continues to experience less-than-satisfactory performance in terms of managing the timeliness of its supervisory products and is not yet using a fully appropriate management information system (MIS) to accomplish this goal. This is a repeat issue cited in two previous operations reviews: - The 1997 operations review recommended that all coordinated examination plans and U.S. assessments be completed in a timely and consistent manner, and that the Reserve Bank take steps to ensure conformance with the System's report processing standard of sixty days. - The 2002 operations review recommended that sufficient resources be immediately directed to the development of timely and reliable reports and supporting databases that provide the information needed to manage workflows and supervisory efforts in an effective and efficient manner, and that senior management should clearly communicate its expectations for meeting mandated schedules 4 and deadlines. During the current operations review, the team found numerous timeliness issues with regard to completing FBO examinations and risk assessments according to System standards. Specifically the team found: ten mandates were missed for examinations of FBO branches, agencies, representative offices and one agreement corporation; thirty-three FBO examination reports were mailed after the sixty-day deadline; and eighteen assessments ofFBO combined U.S. operations that were not 4 The Reserve Bank acknowledged both of these recommendations when they were made in 1997 and 2002. For the 2002 recommendation, the Reserve Bank responded that "FBO senior management continues to regularly and clearly communicate its expectations for meeting mandated schedules and deadlines, and holds the Relationship Managers responsible for enforcing them. We redesigned several reports, making them more forward-looking by including early warning triggers and covering the status of all FBO Program products. Further, two related databases of information are being integrated into one to help us manage timing against mandates." 6 FCIC-090714 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR completed within the required sixty days following the conclusion of the last on-site examination in the cycle. In instances where deadlines were breached, resource constraints at the New York State Banking Department (NYSBD) were often cited as the reason5 , and the team acknowledges the challenges of coordinating a large number of supervisory activities with another government agency. The team concludes however that there are other important causes, and our recommendation to address timeliness issues in FBO supervision is grouped under improvements in management information systems, in the next section. Together with this recommendation, we encourage the BSG to strengthen its relationship with the NYSBD so that both organizations can work to improve timeliness in a collaborative manner. 2. Better use of information systems would improve operations for LCBO supervision, FBO supervision, and Risk Management. In the LCBO, FBO, BSA/AML, and Market and Liquidity Risk (MLR) program areas, our team concluded that the BSG is not using MIS effectively. This situation manifests itself broadly in two ways: in LCBO and MLR supervision, failure to use standardized information-sharing tools noticeably reduces efficiency; in the case of FBO and BSA/AML supervision, the absence of appropriately functional MIS contributes to less-than-satisfactory performance in meeting supervisory objectives and statutory mandates. 2.a. MIS in LCBO Supervision and the Risk Specialties In the case of LCBO supervision, posting of supervisory documents, meeting minutes, and institutional MIS to sites like BOND and shared drives is inconsistent. To house information, many of the LCBO teams are using individual shared drives, and access is restricted primarily to those specific teams. 6 Also, even though the vetting sessions serve as a primary conduit for knowledge transfer in the department, there is no documentation ofthe vetting sessions. The ideas and information shared during these meetings are limited to the vetting participants unless the people involved in the vetting take the time to pass along this information to their co-workers. In the related case of MLR supervision, our team concluded that achieving synergies between the MLR staff and the Relationship teams is hampered by the absence of uniform practices for information sharing. For example, there is no common platform where the LCBO Relationship coordinators can post relevant risk reports and meeting schedules; this in tum makes it difficult for MLR team members to obtain meaningful reports and review documentation to conduct continuous supervision, to be 5 Specifically, the missed examination mandates represent a small portion, approximately 6 percent, of the FBO examinations conducted by Reserve Bank and the NYSBD, and most (seven often) were the responsibility of the NYSBD. With regard to tardy assessments of FBO combined U.S. Operations, half (nine of eighteen) were dependent upon completion of an examination by the NYSBD. 6 One LCBO team recently started using Quickplace, a web-based tool to house meeting notes, supervisory products, and institutional MlS. Access outside the team is granted to senior management, certain risk professionals and the Board of Governors analyst. While this tool is still in the early stages of its use, it appears to be valuable within the District's LCBO program. Anecdotally, the review team observed that since staff began using Quickplace as a centralized information repository, external requests for information have significantly declined. 7 FCIC-090715 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR informed about significant meetings at the institution that may be relevant to their risks, and to organize their schedules to attend such meetings. Similarly, from the Relationship perspective, the use of dissimilar, non-integrated media to post information makes it difficult to take initiative to create efficiencies between the Risk and Relationship teams. As the Relationship teams strive to increase the effectiveness of their supervisory processes by better integrating resources available from the Risk teams, transparency and flow of information become progressively more important. Information sharing at the LCBO level will become even more important under the new LFI framework that has just been put in place. A seamless and consistent platform to house information and manage data would clearly increase efficiencies between LCBO Relationship teams and likewise provide a venue by which information can be obtained by the Risk teams. Additionally, a consistent approach to information sharing would reduce duplication and promote best practice examination methods. We recommend that, particularly for LCBO supervision and the Risk specialties, the BSG develop a common platform to improve information access and sharing among the Risk and Relationship teams. 2.b. MIS in FBO and BSAIAML Supervision In the case of FBO supervision, improvements to MIS that have been made since the 2002 operations review still fall short of what is necessary to manage a large number of deadlines in a forward-looking, prospective manner. We recognize that the sheer size of the FBO portfolio (206 individual entities), the array of activities conducted, and the complexity of the internal and external points of coordination make proper tracking very challenging. We also understand the difficulty and challenge in monitoring information flows with the NYSBD during the alternate year examination cycle. Both of these situations, however, reinforce the argument that the FBO area needs to continue to improve the development and its use of MIS. Although the FBO area has made some worthwhile improvements to MIS for FBO supervision since the 2002 operations review and is better able to track tardy reports and examinations, the improvements are generally more backward-looking (tracking what has been accomplished) and are not yet sufficiently forward-looking (foreseeing what important deadlines are coming up and how much time remains to accomplish them). With regard to reports that have been designed and furnished by the BSG's Information Management Department since the 2002 operations review, the team found that senior managers, and three out of five relationship managers, generally are not using these reports for tracking purposes. Several staff members continue to use individually-maintained tracking reports to monitor key dates affecting their portfolios. We conclude that the Information Management Department reports need to be more user-friendly and should be redesigned after soliciting input from users at all levels. In addition, Relationship Managers and Relationship Specialists need to be assertive in their requests for better MIS and be persistent in achieving the desired standard, and likely would do so if senior management were to stress timeliness as an important departmental objective. Timeliness standards for FBO supervision are clearly described in SR Letter 93- 7 and .AD Letter 01-02. 8 FCIC-090716 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR The MIS recommendation for FBO supervision is that management continue to further automate and upgrade prospective MIS related to examination start mandates and reporting target dates for all FBO products including US. Assessment Letters posted to BOND and examination mailings. Trackingfor both the NYSBD and Federal Reserve Bank ofNew York examinations and reports should be equally rigorous. In the case of BSA/AML supervision, current resources are not adequate for the Reserve Bank to effectively administer the BSA/AML function. Resource constraints resulted in failure to conduct BSA examinations at a number of institutions in 2004 and 2005. Management acknowledged that the Group did not perform all the BSA/AML examinations that are required by statute, but management was unable to quantify the number of institutions not examined for BSA/AML compliance. This situation, coupled with increased public and Congressional scrutiny regarding BSA/AML supervision practices, has the potential to increase reputational risk exposure for the Reserve Bank and the Federal Reserve System. The MIS recommendation for BSA/AlvfL supervision is that management design a mechanism to identify the required BSA/AlvfL examinations and track completion ofthose examinations. 3. The business model is thorough but can be cumbersome and may not serve efficiently for smaller and lower-risk institutions. Greater flexibility in how the model is applied could conserve field resources. As mentioned earlier, our team was impressed with the uniformly high-quality workproducts produced by all supervision programs in the BSG. The Group has evolved a thorough supervisory approach with significant planning, vetting, and on-site activities. Examiners typically conduct detailed on-site preexamination planning and scoping, followed by on-site examination for transaction testing and validation. Product memoranda fully describe the results of all phases. This process does provide valuable insight and forces a disciplined approach to reaching conclusions and developing supervisory strategies. The process, however, is labor intensive and can be time consuming. In Regional and Community bank supervision, for example, our team concluded that the process helps explain why the number of hours allocated to community bank examinations far exceeds System averages. Within the supervisory process, the BSG makes extensive use of vetting sessions. Vetting has been formalized and includes discussions relating to the scoping process and finalization of the examination findings. In addition, for organizations that are subject to continuous supervision, there are roll-up vetting sessions. There are a number of benefits to these vetting sessions including: (i) the Relationship and Risk disciplines are required to work together and communicate their respective views; (ii) the scoping document becomes more risk-focused and is specific to each institution; (iii) staff are required to support their findings and recommendations; (iv) a more consistent approach to supervision is promoted; and (v) Reserve Bank management is well-informed of supervisory issues, and remains both closely engaged with the process and visible to staff. However, a uniform conclusion of our team, across multiple program areas (LCBO, Regional and Community, FBO, BSA, and Market and Liquidity Risk) is that vetting is sometimes carried too far, and can absorb excessive time and resources (including the resources devoted to preparing for the sessions). Vetting sessions to discuss supervisory products are mandatory regardless of the complexity of the institution. This places high demands on management's and staffs time, which is already a scarce resource during this period of increased turnover. We believe the vetting process could be more useful if it were limited to those 9 FCIC-090717 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR supervisory activities and products where there are new or complex supervisory issues, where there is disagreement on resolution between the Risk and Relationship staff, or where there are significant policy implications. We suggest that, across all supervision program areas, management evaluate the potential benefits ofproviding more flexibility to staff in determining which low risk issues or activities could be excluded from the vetting process or carried out in a more streamlined manner. The team observes that some units have already taken steps to streamline the vetting process, for example examination reports are no longer fully vetted for community banks that are rated 1 or 2. The team also concluded that the BSG could benefit from introducing a certain degree offlexibilityto other planning and execution elements of its supervisory model. In the program areas of Regional and Community, FBO, and BSAIAML, our team reached identical conclusions in this regard. For example, in the FBO program area, supervised institutions are ranked into four Tiers (e.g. Complex FBOs being the most complex, followed by Tiers 1, 2 and 3). Under the risk/relationship business model, lower risk Tier 2 and Tier 3 FBOs go through the same rigorous process for planning, staffing and conducting examinations as do the largest domestic banking organizations, the Complex FBOs, and the Tier 1 FBOs. A key component of the business model is a process that attempts to assess and reassess the appropriate allocation of resources to ensure that the right resources are matched with the institutions that present higher levels of risk. Despite this extended process, the frequent result (specifically in the case of BSAIAML examinations) is that sufficient risk resources are not available to complete the required work. Thus, the team is concerned that the planning effort invested does not always generate a commensurate benefit. We suggest that management reassess the applicability and efficiency ofthe business model for both Community banks and the Tier 2 and Tier 3 FBOs, and investigate alternatives to streamline and grant more flexibility to the process. Such a reassessment should include all relevant risk specialties. Resources saved through more flexible application of the business model could then be more efficiently redirected to work that is not currently being performed, such as BSAIAML examinations, or to meeting supervisory mandates and work product deadlines on a more consistent basis in the FBO program area. 4. Greater attention to workpapers would help mitigate risk exposure currently faced by the Reserve Bank. Similarly, use of administrative staff to scan e-workpapers would likely conserve scarce field resources. As the team sampled examination files, it found that workpapers were prepared to varying degrees of thoroughness among and within the different supervision program areas. Some examination workpapers were well-organized and provided appropriate examples of how and why examiners reached conclusions described in their product memoranda and examination reports. In other files, however, workpapers did not provide a clear or adequate basis to support examiners' findings. - In Regional and Community bank supervision, for example, workpaper documentation for areas such as management, capital and earnings assessments do not generally meet the minimum documentation levels that would be required by the System's ED modules. - In BSAIAML supervision, workpapers are of uneven quality and inconsistent content. Typically, source documents were loaded or scanned into the e-workpapers in a random fashion. They were not routinely indexed or categorized, nor did summary documents or comments show how the source documents led to specific observations or conclusions. Examiners indicated that they had 10 FCIC-090718 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR received little training or guidance on expected e-workpaper standards, and e-workpapers lacked evidence of secondary review. - In Consumer Compliance supervision, while the function has general guidelines for workpaper documentation, standardized examination modules do not exist and workpapers are not reviewed by anyone other than the examiner-in-charge (EIC) on a regular basis. The lack of specific workpaper standards or standardized examination modules coupled with the absence of a quality control review mechanism appear to have led to the workpaper inconsistencies noted during the review. Guidance provided inCA 02-5 sets forth minimum workpaper guidelines for compliance examinations, and states that each Reserve Bank is expected to have more specific workpaper procedures and documentation standards to augment the letter's minimum requirements. Included in the minimum workpaper guidelines is the expectation that workpapers must document the examination findings so that they may be reviewed for accuracy and reconstructed, if necessary, and be organized so that each element of the examination may be understood. The team recognizes that management wants to improve workpaper documentation by moving to an eworkpapers system, and that personnel shortages relative to high workload, particularly in BSA/AML supervision, help explain workpaper shortcomings in that area. Nevertheless, the team believes that the uneven quality and inconsistent content of the workpapers places the Reserve Bank at some risk in the event it were faced with internal and external information requests that might be associated with a significant banking issue; in such a situation, the BSG staff could find it difficult to document a direct link or audit trail for examination conclusions and findings. Thus, we recommend that management develop guidelines or templates for indexing and providing content to workpapers, including the requirement for secondary review, and provide additional training to staff in the preparation of workpapers. A difficulty with the BSG's migration to e-workpapers is that administrative support is very limited. Examiners must perform by themselves all image-scanning of actual workpapers to the electronic database. This absorbs valuable professional field resources that could more effectively be deployed to higher priority supervision work. We encourage management to consider using additional nonexaminer administrative or support staffto complete administrative tasks, such as loading electronic workpapers or scanning examination documents. Safety and Soundness Supervision The remainder of this report describes observations, recommendations and suggestions that apply more specifically to individual program areas. For brevity, recommendations and suggested listed above are not repeated below. All recommendations and suggestions in this report are however listed at the end ofthe report in the section "Reference List of Recommendations and Suggestions". Large Complex Banking Organizations Supervision Our team concluded that the BSG fulfills its delegated responsibilities with regard to the Large Complex Banking Organization (LCBO) supervision program. During the review the team observed that the LCBO Relationship Management units, working with the BSG's Risk Management units, demonstrate a number of strengths including a balanced and strong senior management team, an 11 FCIC-090719 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR experienced and knowledgeable cadre of Central Points of Contact (CPCs), high quality written supervision products, visible commitment to and involvement of senior management in the vetting process, improved communication processes with the risk management function, worthwhile use of information sharing software (Quickplace), and positive relationships with Board staff Notwithstanding these and other strengths, our review found a number of opportunities to improve operations within the LCBO supervision program. Resource Adeguacy and Allocation The BSG's business model relies on significant interdependencies between the Relationship Teams and the Risk Teams. The Relationship Teams provide the risk specialists with institutional knowledge and access to information sources within the supervised entity that is necessary to understand the banking companies' risk management activities and practices. Institutional knowledge gained by the Relationship Team through continuous supervision provides the necessary background to develop the scope for on-site targeted reviews, horizontal reviews, and discovery inquiries that are conducted by the Risk Teams. In tum, Risk Team members provide subject matter expertise and horizontal perspectives via their product memoranda. This collaboration enables the BSG's supervisory program to be risk focused and to provide value-added through advanced knowledge sharing. A shortcoming of this system is that the synergies are not fully realized if part of the collaboration is incomplete or breaks down. The team believes that thin staffing on the relationship teams detracts from the teams' ability to conduct continuous supervision activities. The situation is particularly severe for the team of one LCBO, but also exists to a lesser extent at others. Turnover of staff and planned rotations with short transitions for new staff have left some of the teams with little tenure; in addition the supervised institutions have faced frequent changes in the underlying risk issues. 7 At one LCBO, much ofthe team's time and energy is absorbed by "hot topic" supervisory issues (compliance, governance, information requests, etc.) that keep the team from fully completing its continuous supervision objectives. The result is that there are insufficient resources to conduct continuous supervision activities in a consistent manner. Not having sufficient staff to sustain continuous supervision activities on the LCBO Relationship Teams may result in late reaction to address emerging risk areas within the LCBO portfolio. We recommend that management review the sufficiency ofstaff across the LCBO portfolio to address the teams' capacity to properly sustain continuous supervision objectives. The team acknowledges that management is actively engaged in adding staff to the LCBO team that is most understaffed, and encourages management to jill the resource gaps as soon as possible. 7 As an example, a finding from the 2002 Operations Review -- that high tillllover in the Market and Liquidity Risk area had resulted in some staff movements that were not well matched to the qualifications needed --resulted in a suggestion to develop transition management guidelines that would include a defined transition period and relevant standards for the overall process. A transition policy was not developed, but the BSG did establish a set of principles for both knowledge transfer and experience levels to facilitate orderly transitions. T=over in the LCBO relationship teams has resulted in limited transition time to manage the personnel changes in such a way as to consistently meet the principles. This situation places further emphasis on the importance of transitions that result from either normal staff rotations or the Job Mobility Program. 12 FCIC-090720 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR Our team found that LCBO Relationship Teams are stretched and increasingly under stress to both manage their ongoing responsibilities and to report on and react to new supervisory issues. The heightened attention now attached to compliance issues within the LCBO portfolio has required a significant increase in specialty support in some topical areas such as BSA/AML supervision as well as greater attention to broader corporate compliance issues (including enterprise-wide compliance management). At the same time that perceived legal and reputational risks have increased, the BSG is facing turnover and a scarcity of available talent in the marketplace leaving gaps in both the relationship and risk areas (a situation that exists also throughout the System). Nevertheless the level of staff allocated to corporate compliance supervision needs to be expanded in view of the increased regulatory attention to compliance issues and to governance gaps that pose legal and reputational risk exposure to LCBOs supervised by the Second District. We suggest that the BSG complete an evaluation of the staffneeded to execute the principles advocated in Reserve Bank's white paper on corporate compliance, to help management prioritize the strategic hiring needed for this initiative. Quality and Adequacy of Work Products The team found written work products generally to be of very high quality. Supervisory Plans follow a consistent format, adjusted to reflect the individual differences in corporate structure and activities, emerging risks, and supervisory concerns. Scope Memoranda generally provide an appropriate amount of background information and include clearly stated objectives. Product Memoranda are clearly written and include a concise executive summary. Roll-up reports, transmittal letters, and target examination letters sent to supervised financial institutions are clear, readable, and effectively convey issues of supervisory concern. The team is concerned, however, that current documents (Institutional Overviews and Risk Assessments) associated with the existing LCBO program have not been produced or updated on a consistent basis. While the Monthly Reports are excellent briefing documents, and are prepared on a consistent basis, these documents still do not fully link changes in the supervisory strategy resulting from changes in the LCBO risk profile. We suggest that documentation standards with respect to format, content, and timeliness be incorporated into the new Risk Assessment Program (RAP) to ensure that risk assessment documents are current and effectively link to the Supervisory Plan. Surveillance and Monitoring Since the 2002 Operations Review, management and staff have further developed the BSG's business model, and in so doing have achieved tangible results including closer coordination with the risk specialists and performance of comprehensive vetting protocols. Continuous supervision is conducted through the team's onsite presence, target examinations, discovery and horizontal reviews as well as regular interaction with institution management. These activities generate a flow of meaningful information that results in a comprehensive and current understanding of the institutions, their business strategies, risk profiles and the quality and effectiveness of their risk management systems. This depth of knowledge is evidenced by the quality of supervisory judgments and communications to the supervised institutions. Despite these improvements, the team concludes that the BSG should invest further effort in processes to ensure that supervisory documents such as risk assessments and supervisory plans are updated more 13 FCIC-090721 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR frequently and effectively. At the last operations review, BSG management and staff offered the Monthly Report as the vehicle to update and adjust supervisory strategies and plans to adjust to new information received from bank performance, target examinations, or continuous supervision activities. The team concludes, however, that the Monthly Reports do not provide this insight on a consistent basis, and that each report should reach a more formal conclusion regarding whether or not adjustments should be made to risk assessments and supervisory strategies. Regional and Community Bank Supervision The overall operations of Regional and Community Bank Supervision (R&C) meet System standards and are considered to be well managed. Resources assigned to supervisory responsibilities are generally adequate, and the knowledge, expertise, and significant experience of most management and staff contribute to good supervisory judgment. Key supervisory issues are identified in a timely manner, and appropriate follow-up and monitoring ensure concerns are adequately addressed. Work products appropriately address the risks in the organizations, findings, and conclusions, and, when applicable, support the ratings assigned. Communication within the R&C units is considered good, as is communication with the Risk Management staff. In addition, there is extensive use of vetting sessions, which are considered generally beneficial. Notwithstanding these and other strengths, our review found a number of opportunities to improve operations within the R&C supervision program. Compliance with System Policies and Procedures We reviewed for compliance with ten System policies and, other than the three exceptions noted below, found compliance to be satisfactory. The exceptions involve SR 99-24 Loan Write- Up Standards for Assets Criticized During Examinations, SR 97-25 Risk-Focused Framework for the Supervision ofCommunity Banks, and SR 02-19 Use ofStatistical Sampling in the Review ofCommercial and Industrial Loans and Commercial Real Estate Loans during On-site Safety and Soundness Examinations ofCommunity Banks. With respect to SR 99-24, loan write-ups for significant classifications in banks rated "3" or worse were not included in the reports as required by the SR letter. In the case of SR 97-25, the primary examination procedure modules (ED modules) are not being used for the examinations of community banks. With regard to SR 02-19, the use ofloan sampling is not documented in the examination report as required by the SR letter. We recommend that management enhance its compliance efforts with regard to the SR letters listed above. Report Review and W orkpapers SR Letter 97-25 establishes a risk-focused framework for the supervision of community banks. The framework includes an expectation that the primary Examination Documentation (ED) modules will be used at each community bank examination. The ED modules are not currently being used for community bank examinations conducted by Community Bank Supervision staff. While the product 14 FCIC-090722 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR memoranda produced by the risk areas generally appear to provide documentation and support that is consistent with that which would be included in the primary ED modules, workpaper documentation for other areas such as management, capital and earnings assessments do not generally meet the minimum documentation levels that would be required by ED. Therefore we recommend that management either require the primary ED modules be used in the community bank examination process, or ensure that an alternative examination documentation program is used that captures the expectations outlined in the primary ED modules. This documentation is important to ensure that the risk-focused framework is being carried out and to support the examination findings. In addition, the use of such a work program could enhance the effectiveness of training newer staff. Resource Adequacy and Allocation, and Staff Development Resources assigned to Regional and Community are considered generally adequate. The experience level of a majority of the Regional relationship specialists is significant, and the number of relationship specialists was recently increased in recognition of the growth and increasing complexity in the portfolio. New staff positions, in addition to transfers relating to the job mobility program, have resulted in a number of staff new to their positions. Additionally, two of the three analysts are rotated out of their positions every nine to twelve months, limiting their ability to gain institutional knowledge and provide continuity to the function. Therefore, we suggest that management evaluate the workload ofthe analyst positions in the function to determine whether the relationship specialists would benefit from greater analytical support and how that might be achieved. The experience level of the Community relationship specialists, both in years and breadth of assignments, is a benefit to the function. However, analytical and administrative support is very limited. To improve efficiency, we suggest that management consider evaluating the use of administrative staff to complete a number of tasks including, but not limited to, scanning of workpapers, compilation ofinformation for MIS reports and quarterly reviews, preparation for board meetings, and examination report formatting. This evaluation could also include a review ofthe administrative tasks completed by the analysts in Regional Banks, where a shift in these duties could allow additional time for analysis and examination assignments. Foreign Banking Organizations Supervision Overall the BSG's Foreign Banks and Technical Assistance area (the FBO area) demonstrates several notable strengths. The FBO area uses rigorous, risk-focused prioritization meetings to assess the appropriate allocation of resources, coupled with heavy emphasis on planning and scoping. The overall knowledge and experience of management and staff is sound, and communications are excellent with both the A VP and the Relationship Managers enjoying reputations for inclusiveness and transparency in sharing information. Surveillance and monitoring is robust and products are shared appropriately through BOND and other means. The reports review process is effective and supervisory follow-up continues to strengthen. The quality and adequacy of the electronic workpapers are good. Management and staff have established excellent relationships with the FBOs, for which the Reserve Bank has responsibility, and with associated foreign central banks, banking superintendencies, and the NYSBD. The FBO area also coordinates the BSG's extensive foreign technical assistance efforts, and 15 FCIC-090723 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May2005 RESTRICTED FR is able to draw upon the talents, experience, and expertise from other business lines within the Reserve Bank. Notwithstanding these and other strengths, our review found a number of opportunities to improve operations within the FBO supervision program. Planning and Resource Allocation Risk Specialists within FBO have been forced to shoulder additional responsibilities since the FBO analyst positions were phased out. Risk Specialist responsibilities include acting as ElC for reviews of FBOs in their portfolio, developing Strength of Support Assessments (SOSAs) and Institutional Overviews (lOs) for their institutions, and preparing briefing memos, usually on very short notice, for the numerous visitations of foreign bank senior executives to the Reserve Bank. The team believes that reintroducing the FBO analyst positions would help bring more uniformity to the SOSAs and lOs, and appropriately relieve some of the pressure that has been increasingly placed on the Relationship Specialists. Accordingly, we suggest reintroducing the FBO analyst position, or suitable equivalent, in support of the FBO area's Relationship Specialists. Compliance with Key Programs and Policies The team selected four key System policies for review. While the team found the FBO supervision program to be in overall compliance with two of the four, we found notable departures from compliance with SR 93-7, Minimum Timing Standards for the Completion ofInternational Examination Reports and AD 01-02, Revisions to the Procedures for Implementing the Interagency Program for Supervising the US. Operations ofForeign Banking Organizations. Timeliness issues with regard to missed mandates, missed examination report dates, and missed deadlines for risk assessments, are the reasons why the team concluded that the Department is not fully compliant with SR 93-7 and AD 0 1-02. Bank Secrecy Ad (BSA) & Anti-Money Laundering (AML) Recognizing the critical importance of BSA/AML supervision, the Reserve Bank was a System leader in forming two dedicated AML teams, with ten examiners, in 2000. The group expanded since then, and will ultimately include four team leaders and 20 field examiners. These BSA/AML examiners who are experienced have highly-developed BSA/AML knowledge and examination skills, allowing them to conduct effective examinations of complex and sophisticated entities. The quality of their workproducts is generally excellent. Supervisory workproducts are subjected to the rigorous vetting process. We found that scope and product memoranda are highly detailed and contain sufficient information. Examination deficiencies and supervisory follow-up are thoroughly reviewed. Management and staff prioritize the BSA/AML work based on the size and complexity of the organizations to be examined and on available resources. Although the teams lack sufficient resources to meet all examination requests and to complete other projects, the Prioritization Committee attempts to resolve conflicting requests for resources using risk-focused criteria. Acknowledging these considerable strengths, the core issue in this review is that management has not allocated enough personnel to accomplish the Second District's existing BSA/AML supervisory 16 FCIC-090724 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR obligations, a condition that is exacerbated by the exceedingly thorough and detailed planning and vetting processes that characterize many aspects of supervision as practiced by the BSG. A difference of opinion emerged during the review, whereby senior management of the BSG favored omitting BSA/AML supervisory examinations when staff are not yet fully trained, whereas the team's perspective was that it would be preferable to get less experienced staff moving quickly up the BSA/AML learning curve by exposing them to on-the-job experience even before they are ''fully trained". The team's perspective reflected how many Reserve Banks are dealing with the System-wide shortage of BSA/AML specialists, in order to fulfill the statutory requirements to perform a BSA compliance review during each examination. With this preface, the team found a number of opportunities to improve BSA/AML supervision, as described below. Resource Adequacy and Allocation and Staff Development Statutory requirements, specifically 12 USC 1818(s)(2) and Federal Reserve supervisory policy, mandate a BSA compliance review during every examination or examination cycle. However, current resources are not adequate for the Reserve Bank to effectively administer the BSA/AML function. Resource constraints resulted in failure to conduct BSA examinations at a number of institutions in 2004 and 2005. Reserve Bank management were unable to quantify the number of institutions not examined for BSA compliance; at a minimum the team found that BSA/AML work was not conducted at twenty-two FBO examinations as required by law and System policy. As of the operations review, the BSA/ AML risk teams had only seven examiners experienced in the subject matter. The remaining nine AML examiners are considered "trainees" and are being trained by the BSG's experienced AML examiners. The AML teams suffered material turnover during 2004 and into 2005, losing a total of seven field examiners and one team leader, a situation that by itself would have strained already scarce resources. Reasons reported for the turnover include market demand for AML resources, outside compensation opportunities, and excessive administrative process demands. In 2005, the AML teams filled their openings with commissioned examiners from within the division. The failure to conduct required BSA/AML reviews may allow supervised institutions to operate without adequate BSA/AML compliance programs, which increases their risk exposure to money laundering and terrorist financing. This situation coupled with increased public and Congressional scrutiny regarding BSA/ AML supervision practices has the potential to increase reputational risk exposure for the Reserve Bank and the Federal Reserve System. We recommend that the Reserve Bank form a plan to develop or acquire the necessary BSAIANIL resources to ensure that all supervised entities are examined for BSA compliance, as required by statute and Federal Reserve guidelines. We also encourage management to consider using additional non-examiner administrative or support staff to complete administrative tasks, such as loading electronic workpapers or scanning examination documents. This would allow more time for experienced BSA/AML examiners to devote to direct examination work. 17 FCIC-090725 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR Report Review and Workpapers Related to the preceding suggestion, currently Reserve Bank examinations do not include a review of non-BSA related SAR policies, procedures, and controls; therefore, a supervised institution may operate without a fully effective SAR process and it may potentially violate reporting requirements. As a best practice we recommend that examinations include a review of all SAR processes. The BSG has not historically used System-provided workprograms (such as ED Modules, BSA Workprogram, or supplemental workprograms provided through SR Letters). 8 Detailed, tailored transaction testing procedures are contained in scope memoranda; however, the underlying framework used by AML examiners to document examination work and overall conclusions lacks transparency. Such programs would provide a framework and guidance to less experienced BSA/AML examiners and to relationship or other risk specialty staff who may be called upon to supplement AML resource requests. Workprograms also serve as a mechanism to link the underlying source documents to specific conclusions. Thus, we recommend that management use System-provided BSA/AML examination workprograms or documented alternatives, and provide training to staff in the use of such workprograms, so that documentation of important examination findings becomes more explicit and complete. 9 (During the review, management stated that the Reserve Bank will use the new FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual.) Knowledge and Expertise of Management and Staff During our review, senior legal and compliance risk managers and senior relationship management officers exhibited a strong understanding of BSA/AML related topics and issues. Relationship staff, however, who may be required to fill unmet resource needs, generally have limited, stale BSA/AML skills. We suggest that management develop and provide periodic BSA/AlvfL training to relationship specialists and CPCs, who could supplement scarce AlvfL resources. Along with the suggested training, management should provide basic BSA/AML examination tools and guidelines (such as standardardized work programs) to less experienced staff to aid their ability to conduct basic reviews. Workflows, Use of Information Systems, and Communication An analyst provides examination assistance by preparing pre-examination packages and analysis using FinCEN SAR downloads. Because this analysis focuses only on BSA -related SARs, we suggest that the analyst also review non-BSA related SA.Rs to identifY trends and issues that may be associated with other occurrences (such as, fraudulent activity). 8 The majority of the Reserve Bank's constituency consists ofFBO entities, for which the ED Modules have not been adequate. Management further decided that the 1997 BSA Workprogram was outdated and failed to meet current needs, an assessment with which the operations review team concurs. 9 It is System policy that Reserve Banks that use alternatives to System-provided workprograms should vet those workprograms with Board staff who will then vet them with the Financial Crimes Enforcement Network (FINCEN) if necessary, following the Memorandum of Understanding of September 16, 2004 (http :1/www. treas. gov /press/re leas es/reports/fincenbankingregulatorsmou. pdf). 18 FCIC-090726 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR Market and Liquidity Risk The Market and Liquidity Risk Department (MLR or the Department) provides valuable specialized supervision through three teams that cover interest rate risk and liquidity, market risk controls, and models and methodologies. MLR's mission is to support the Relationship staff in evaluating banks' abilities to identify, measure, monitor, and control market and liquidity risks, and to verify that supervised institutions are adequately capitalized to support these risks. As more banks move to a national charter, the overall mission ofMLR has shifted towards the BSG's evolving objectives, in particular linking the examination process more closely with evaluation of financial market stability. Another worthwhile goal of MLR is to enhance the supervisory process by improving ongoing monitoring to identify emerging risks more systematically. MLR provides quality support for the LCBO teams through both target reviews and continuous supervision. MLR's work, as reviewed by the operations review team, is consistently timely with all workproducts passed to the end users according to schedule. MLR also supplies support staff for the less complex FBO, regional and community banks. Although these are usually the less-senior members ofMLR staff, checks and balances are in place to ensure that adequate depth of coverage is supplied, and the MLR management demonstrates flexibility so that jobs typically receive appropriate resources. Resource Adequacy and Staff Development MLR staff are highly educated and possess an ample combination of technical and industry experience, especially at the PhD level on the Models team. This is a credible advantage for the unit. However, given the importance of Market and Liquidity Risk supervision for the portfolio of institutions supervised by the Second District, the operations review team is concerned that at present the MLR staff do not yet offer an optimum balance of depth and breadth of expertise together with broad supervisory experience. We observe that there is an experience or "perspective" gap between seasoned "bank supervisors" and the more technical examiner staff. MLR employs several middle-range examiners, but at present these individuals do not have enough experience as both field examiners and bank regulators to fill the "perspective" gap. We recognize that the BSG has considerable depth and supervisory perspective within its professional and management ranks, but we encourage management to pay particular attention to developing MLR's middle-tier examiner staff through recruiting and continuing professional development programs. A related issue is that the "perspective" gap has created key man risk (over-reliance on one individual to cover market risk issues) at two LCBO institutions. In an effort to broaden the exposure and perspective of staffmembers within MLR, and thus close the "perspective gap", we suggest that management consider the possible value ofmoving to a staffingframework that aligns team members to either specific institutions or specific products or risk activities. Such a framework would help accelerate the pace of accumulating supervisory experience, would improve team members' horizontal exposure to different capital market risks, would address staff desires for broader exposure and more varied duties, and would help to establish contingency or "back up" coverage in different subject areas. 19 FCIC-090727 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR Information flows, Communication and Use of MIS With respect to the interaction between MLR and the Relationship teams, conditions have noticeably improved since the 2002 operations review. At that time, the review found shortcomings with MLR's coordination with, and contribution to, the supervisory work of the Relationship staff, particularly with regard to risk assessments, examination planning, and report findings. Now, in contrast, we find that formal processes have improved and MLR is better integrated with the Relationship teams, particularly regarding the development of supervisory plans and year-end roll-up reports. Issues still exist, however, with the continuous supervision process; specifically, there are opportunities to improve communications with the Relationship staff, most notably in terms of staying informed of relevant scheduled meetings at the supervised institutions, and obtaining pertinent risk information from LBCO coordinators. The Market Risk Management Group The Market Risk Management Group (known as MRMG), which meets quarterly, operates both as a forum and as a process to better identify and assess developing market-related risks that may impact LCBOs across the System. The MRMG also establishes a platform for horizontal supervision exercises incorporating the involvement of Relationship staff Looking forward, MRMG also has the potential to contribute synergistically to the LFI process. In the past, issues have existed with respect to how well the LCBO resident teams attend and contribute to MRMG, and cooperate with MRMG surveys sent to risk coordinators on the LCBO teams, but these concerns are now improving. All parties must remain aware that the MRMG process has both high benefits and distinct costs, both for Risk staff and Relationship staff. We suggest that MLR continue to invest in the MRMG process, including perhaps integrating MRMG into the supervisory plan process, and consider broadening coordination of the MRMG beyond a key individual. Adding risk staff to the MRMG initiative would act to mitigate key-man risk issues, contribute towards the platform's continuity, and support potential synergies with LFI. Information Technology and Operations Risk Information Technology (IT) and Operations Risk supervision are conducted by the Operational Risk Department (the Department). The staff and management are knowledgeable and experienced and produce high-quality workproducts. Product memoranda are generally comprehensive and detailed. Additionally, the Department does an exceptional job of referencing SR Letters and other guidance in examination reports, thereby reinforcing to supervised institutions the rationale behind required actions. Many of the Departments professionals have extensive regulatory experience, and remain upto-date in their areas of expertise. Organization of the Department into relatively small teams allows for valuable supervisory specialization (such as IT, financial controls, business resiliency, governance/audit, and payments/settlement/fiduciary), but the Department also accommodates the need for some personnel who are skilled in multiple disciplines to perform supervision of smaller, less complex institutions. Internal communications are good, with quarterly knowledge-sharing meetings whereby current risks and risk management approaches are discussed; management and staff also maintain good liaison with the Relationship teams. 20 FCIC-090728 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR We found two related opportunities for improvement for the IT/Operations Risk area. Currently, the Operational Risk Department does not have a defined process for assessing Gramm-Leach-Bliley Act (GLBA) 50lb compliance at LCBO and other large financial institutions, including certain BHC nonbank subsidiaries subject to the standards. SR 01-15 Standards for Safeguarding Customer Information, and the associated Interagency Guidelines Establishing Standards for Safeguarding Customer Information (the Guidelines), state that "Examiners should assess compliance with the Guidelines during each safety and soundness examination or examination cycle... and monitor ongoing compliance as needed during the riskfocused examination process." Although the Department enhanced its supervisory efforts on 50lb after the 2002 operations review, the process for assessing 50lb compliance has been limited to reviewing some 50lb requirements during non-GLBA target reviews, and receiving banks' internal policies and reports for offsite supervisory review. In certain situations, this information flow appears sufficient to assess compliance with the standards; however, the lack of a defined process or framework means that supervision of GLBA 501 b requirements are not following a consistent approach. We suggest that the Department, in conjunction with the Relationship staff, formalize a process to assess compliance with GLBA 501 b at LCBOs and other large financial institutions. Regarding community and regional institutions where full-scope examinations are performed, the team understands that it is an expectation by Board of Governors staffthat examination reports contain conclusions regarding the institution's compliance or noncompliance with 50lb and the related 10 implementing regulations. A review of community bank reports and workpapers revealed that, while staff are performing a worthwhile amount of examination work in this area, the examination reports do not contain information regarding the institution's overall 50lb compliance. Thus, we suggest that the Department take the added step to include within examination reports conclusion(s) regarding the institution's overall 501 b compliance. We also encourage departmental management to consult with Board staff to clarify this expectation. Consumer Affairs Supervision Consumer Compliance and Consumer Complaints The Reserve Bank has processes in place to effectively implement the consumer compliance riskfocused supervision and the consumer complaints programs. Staff are experienced, knowledgeable and produce high quality supervisory documents for state member banks. The development and use of product memoranda, which include examination conclusions and findings, responses to questions from the scope memorandum, and information about the institution and its peers are especially noteworthy. The Consumer Affairs Supervision function (CA) maintains current knowledge oflarge state member banks under a continuous supervision program. The Analytical Support Unit provides technical and analytical assistance to CA examination field staff. The Reserve Bank is a strong supporter of System efforts through contributions to the Subcommittee on Consumer Compliance, the steering committee of the risk-focused review project and the workgroups of the project. In addition, Reserve Bank staff contribute to a number of CA working groups, including the Complaint Analysis Evaluation System 10 While this expectation is not explicitly stated in SR 01-15 and has not been officially communicated to Reserve Banks, the team understood this to be a supervisory standard and confirmed the expectation with Board staff during the review. 21 FCIC-090729 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR and Reports Users Advisory Group and the HMDA/CRA Users Group. The Reserve Bank is also active in System training efforts. The Reserve Bank can improve processes and more fully comply with System policies with respect to documenting analyses in examination workpapers, documenting and reporting the results of FBO assessments and FBO examinations, and maintaining consumer complaint files. Report Review and Workpapers While the function currently has general guidelines for workpaper documentation, standardized examination modules do not exist and workpapers are not reviewed by anyone other than the EIC on a regular basis. The lack of specific workpaper standards or standardized examination modules coupled with the absence of a quality control review mechanism appear to have led to the workpaper inconsistencies noted during the review. Guidance provided in CA 02-5 sets forth minimum workpaper guidelines for compliance examinations. The letter states that each Reserve Bank is expected to have more specific workpaper procedures and documentation standards to augment the letter's minimum requirements. Included in the minimum workpaper guidelines is the expectation that workpapers must document the examination findings so that they may be reviewed for accuracy and reconstructed, if necessary, and be organized so that each element ofthe examination may be understood. Compliance with System Policies and Procedures We reviewed compliance with System policies and procedures related to the implementation ofthe consumer compliance risk-focused supervision and the consumer complaints programs. While the Reserve Bank complies with most System policies, deviations from policy were noted with regard to the implementation ofCA 04-03 and 03-13 for FBOs and the privacy requirements for complaints as described in CP Letter 2003-4. With respect to the supervision of FBOs, the team found some deviations from policy with respect to assessments to determine whether an FBO engages in activities subject to consumer protection laws and regulations and the examinations of those FBOs with activities subject to the consumer compliance laws and regulations, albeit on a minimal basis. Currently, if the results of the FBO assessment indicate that there has been no activity at the FBO and consumer protection laws and regulations do not apply, the Reserve Bank sends a letter to the FBO stating that consumer protection laws are "only minimally applicable" and no rating will be assigned. As written, the letter does not clearly describe the assessment process and appears to indicate that the FBO is engaging in lending or deposit activity subject to consumer compliance laws. This does not comply with CA 04-3 (Assessments of Foreign Banking Organizations and Special Purpose Banks). We recommend that the Reserve Bank use language consistent with guidance provided inCA 04-3. The letter should apprise institution management ofthe fact that an examination was not deemed necessary and a rating will not be assigned. With respect to FBO Examinations, the supervisory letters sent to FBOs after a consumer compliance examination are very general and do not include some ofthe key components required under CA 03-13 (Revised Risk-Focused Consumer Compliance Supervision Program Procedures). In addition, while 22 FCIC-090730 CONFIDENTIAL Federal Reserve Bank ofN ew York Operations Review May 2005 RESTRICTED FR not evidenced through our review of workpapers, management informed us that the Reserve Bank recently stopped issuing consumer compliance ratings for FBOs considered by the Reserve Bank to have "engaged in minimal consumer compliance activity." Reserve Bank management is reminded that System policy, as stated in guidance provided inCA 03-13 (Revised Risk-Focused Consumer Compliance Supervision Program Procedures) requires that at the conclusion of an examination a consumer compliance rating be assigned when a report is issued. While current policy requires the Reserve Bank to issue an examination report at the conclusion of the consumer compliance examination, we recognize that the Strategic Planning Steering Committee's Subcommittee on Consumer Compliance is currently considering a proposal regarding adoption of this practice for the consumer compliance supervision function. Therefore, we are not making a recommendation with respect to the practice of issuing a letter at the conclusion of an FBO examination instead of issuing a examination report at this time. We do, however, recommend that the Reserve Bank enhance the language used in these FBO CA examination letters to convey the key components of a CA examination report that are required by CA 03-13, especially the examination scope, an evaluation of the compliance management program, a consumer compliance rating and a definition ofthe rating. The Reserve Bank's complaint investigation program is effective. With respect to record keeping, however, the Reserve Bank failed to thoroughly follow the procedures outlined in the Consumer Complaint Manual and in the Board's Complaint Policy letters, specifically CP Letter 2003-4. CP Letter 2003-4 states that the Reserve Bank must, in order to comply with restrictions set forth by the Privacy Act, create separate bank and consumer files and that the files should be separated during the investigation process. The review team found that the Reserve Bank did maintain separate bank and consumer files subsequent to closing complaint investigations, but the files were not separated during the investigation as required by Board policy. Staff indicated that it was their understanding that the files could be separated after the complaint investigation was closed. We recommend that separate bank and consumer files be created and maintained during the investigation process. The Reserve Bank took prompt corrective action to correct this recordkeeping issue while the operations review was m process. Quality Management 11 With the creation ofthe Quality Assurance Department (QAD) in 2001, the BSG enhanced its existing embedded quality management processes by adding an independent, centralized QA unit. Our review concludes that the QAD is providing an effective quality management framework within the supervision function. QAD management and staff are experienced and knowledgeable; the unit has clearly defined roles and responsibilities, and operates with adequate independence, producing appropriately focused workproducts with well-supported conclusions and thoroughly documented workpapers; and the unit enjoys strong senior management involvement in and oversight of quality management activities. 11 The Department's quality control activities are embedded within the various supervisory processes, and as such are the responsibility of the individual business lines and are discussed where appropriate in those sections of this report. Our analysis in this section of the report addresses the effectiveness of centralized quality management as performed by the Quality Assurance Unit. Despite the important distinction between quality control and quality assurance, the two functions are closely related. 23 FCIC-090731 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR When the QAD was formed, the initial focus of its activities was on the examination process, as this area was perceived to be the one that posed the greatest risk. As a result, the QAD's governance structure was designed so that it included only representatives from each of the examination-related business units within the BSG. As the QAD has evolved, the BSG has come to recognize the importance of quality assurance activities to the entire supervision function, not just the examination process. Consequently, the BSG has taken steps to begin including representatives from all of its business units in the governance structure for the QAD. We agree with the actions taken by the BSG and recommend that management continue to move forward with steps to broaden the BSG 's participation in the work ofthe QAD by including representatives from all of the BSG 's business units in the QAD governance structure. Administration Training and Staff Development Overall, the training and staff development processes within the BSG are sound and supportive of the supervision function's needs. The Training/Development Unit (TD or the Unit) provides many innovative programs to help BSG staff develop their behavioral and technical skills. It also conducts a thorough needs assessment for teams, and offers individual career development planning for staff to ensure appropriate development opportunities are available. In addition, the Unit actively supports System efforts in committees, workgroups, and instructor assignments. The 2002 operations review suggested opportunities for improvement in four areas-- job mobility, use ofthe Continuing Professional Development catalog, participation in System initiatives, and tighter management regarding class cancellations-- and TD management and staff have satisfactorily addressed all ofthese. The current review revealed that TD management and staff are aware of, and are addressing, feedback from BSG employees requesting greater transparency and clarification of administrative issues with the Job Mobility Program. TD staff also recognize the ongoing importance of quality control checks to verify report accuracy. We have no suggestions or recommendations as a result of this review. Information Technology (IT) Support The Data Resources Department (DR or the Department) provides IT support for the BSG. IT services are well aligned with business needs, and BSG staff expressed a high level of satisfaction with the IT support they receive. Management and staff of DR accomplish this through effective planning, review of high-level projects by investment review committees, and by informal conversations with various departments. Where possible, DR has aligned its strategic and tactical projects with System and Board projects, and provides resources to support those efforts. While the overall processes for managing the Department are effective, our team did find some opportunities for improvement that are described below. 24 FCIC-090732 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR Service Level Agreements The Department relies on the Reserve Bank's central IT function, known as Automation and System Services (Automation Services), to provide infrastructure support and application development for the BSG. Although requests for support are met in a timely manner, service level agreements (SLA) are not in place for all infrastructure services provided by Automation and System Services to S&R. For example, SLAs are in place for network and server management, but not for other services. SLAs are generally used by organizations to support the efficient communication of roles and responsibilities and performance objectives of support organizations. Without SLAs, the responsibilities of Automation and System Services and the alignment of the performance objectives for that function with the business objectives of S&R are unclear. We suggest that the Department continue to develop and update SLAs, based on templates provided by System workgroups where possible, to ensure that critical services remain aligned with the BSG 's business objectives and that roles and responsibilities are clearly defined and efficiently communicated. Performance Management Although DR manages the performance of selected services by monitoring performance data available on web sites and by discussing performance with the relevant Automation Services managers, the BSG does not receive summary reports of monthly or quarterly performance statistics relative to SLAs for the full complement of services provided by Automation Services. Summary performance reports of monthly or quarterly data would provide the BSG with the information necessary to evaluate how well the services are meeting performance objectives; without summary performance reports, the effectiveness ofiT support is unclear. We suggest that DR strengthen its management process by requesting summary reports ofperformance against objectives specified in SLAs for all critical infrastructure services provided by Automation Services, with the goal of effectively determining that the services provided continue to meet the BSG 's business requirements. Conflicts ofInterest The BSG's Conflicts of Interest (COl) program appropriately meets the needs of the supervision function. As administered, the program successfully meets the procedures for hiring new employees, advises BSG staff about COl requirements and responsibilities, annually reviews employees' financial disclosure forms, properly restricts examiners from participation in inappropriate filed assignments, and provides ongoing discussion and awareness regarding the code of conduct and ethics rules. The 2002 operations review recommended that the BSG enhance the COl program by acknowledging more formally the concurrence of the Officer in Charge of Supervision over waivers granted to BSG employees, and by transmitting more details to the Board of Governors staff when prohibited debt or security interests are resolved. The BSG has responded effectively to these opportunities for improvement. As a result of a recent new SR Letter (SR 05-02, Amended Examiner Borrowing Rules), examiners are now permitted to receive credit card and/or mortgage debt from a lender that is supervised by the Federal Reserve System. Anticipating the forthcoming significant change in this reporting 25 FCIC-090733 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR requirement, BSG management made plans to perform the 2004 review under the new guidelines, but this became impractical when it appeared that the SR Letter would not be issued until the following year. Therefore, BSG management solicited the 2004 Financial Disclosure forms in the fall of 2004 and was finalizing the review of those data when our team was onsite. Management will begin the 2005 review on schedule during the fall of 2005. Our review finds no opportunities to improve administration the COl program, and we offer no recommendations or suggestions. 26 FCIC-090734 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR REFERENCE LIST OF RECOMMENDATIONS AND SUGGESTIONS The scope of the operations review addressed ten different areas; a separate close-out report was written for each, and these were delivered on May 26, 2005, to the officers responsible for the area. Below is a reference list of the recommendations and suggestions that were identified by the team. For the areas of Training and Staff Development and Conflicts of Interest, the team identified no material recommendations or suggestions. Key Recommendations and Suggestions Than Involve Multiple Areas Recommendations Timely completion of supervisory workproducts is not a visible priority in many parts of the BSG. We recommend that LCBO supervisory management dedicate adequate priority and resources to provide regular and timely documentation of ongoing supervision and monitoring. (Our recommendation to address timeliness issues in FBO supervision is grouped under improvements in management information systems, immediately below.) Better use of management information systems would improve operations for LCBO supervision, FBO supervision, and Risk Management. - We recommend that, particularly for LCBO supervision and the Risk specialties, the BSG to develop a common platform to improve information access and sharing, so that supervisory information can better be shared among the Risk and Relationship teams. - We recommend that management continue to further automate and upgrade prospective MIS related to examination start mandates and reporting target dates for all FBO products including U.S. Assessment Letters posted to BOND and examination mailings. Tracking for both the NYSBD and Federal Reserve Bank of New York examinations and reports should be equally ngorous. - Management acknowledged that the Group did not perform all the BSA/AML examinations that are required by statute, but were unable to quantify the number of institutions not examined for BSA/AML compliance. We recommend that management design a mechanism to identify entities that require BSA/AML examinations and track completion of the examinations. The business model is thorough but can be cumbersome and may not serve efficiently for smaller and lower-risk institutions. Greater flexibility in how the model is applied could conserve scarce resources. - We suggest that, across all supervision program areas, management evaluate the potential benefits of providing more flexibility to staff in determining which low risk issues or activities could be excluded from the vetting process or carried out in a more streamlined manner. - We suggest that management reassess the applicability and efficiency of the business model for both Community banks and the Tier 2 and Tier 3 FBOs, and investigate alternatives to streamline and grant more flexibility to the process. Such a reassessment should include all relevant risk specialties. 27 FCIC-090735 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR Greater attention to workpapers would help mitigate risk exposure currently faced by the Reserve Bank. Similarly, use of administrative staff to scan e-workpapers would likely conserve scarce field resources. We recommend that management develop guidelines or templates for indexing and providing content to workpapers, including the requirement for secondary review, and provide additional training to staff in the preparation of workpapers. We encourage management to consider using additional non-examiner administrative or support staff to complete administrative tasks, such as loading electronic workpapers or scanning examination documents. LCBO Supervision Recommendation We recommend that management review the sufficiency of staff across the LCBO portfolio to address the teams' capacity to properly sustain continuous supervision objectives. The team acknowledges that management is actively engaged in adding staff to the LCBO team that is most understaffed, and encourages management to fill the resource gaps as soon as possible. Suggestions The level of staff allocated to corporate compliance supervision needs to be expanded in view of the increased regulatory attention to compliance issues and to governance gaps that pose legal and reputational risk exposure to LCBOs supervised by the Second District. We suggest that the BSG complete an evaluation ofthe staff needed to execute the principles advocated in Reserve Bank's white paper on corporate compliance, to help management prioritize the strategic hiring needed for this initiative. While the Monthly Reports are excellent briefing documents, and are prepared on a consistent basis, these documents still do not fully link changes in the supervisory strategy resulting from changes in the LCBO risk profile. We suggest that documentation standards with respect to format, content, and timeliness be incorporated into the new Risk Assessment Program (RAP) to ensure that risk assessment documents are current and effectively link to the Supervisory Plan. Regional and Community Bank Supervision Recommendations We recommend that management enhance its compliance efforts with regard to SR Letters 99-24, 9725, and 02-19. We recommend that management either require the primary ED modules be used in the community bank examination process, or ensure that an alternative examination documentation program is used that captures the expectations outlined in the primary ED modules. 28 FCIC-090736 CONFIDENTIAL Federal Reserve Bank ofN ew York Operations Review May 2005 RESTRICTED FR Suggestions We suggest that management evaluate the workload of the analyst positions in the function to determine whether the relationship specialists would benefit from greater analytical support and how that might be achieved. We suggest that management consider evaluating the use of administrative staff to complete a number of tasks including, but not limited to, scanning of workpapers, compilation of information for MIS reports and quarterly reviews, preparation for board meetings, and examination report formatting. This evaluation could also include a review ofthe administrative tasks completed by the analysts in Regional Banks, where a shift in these duties could allow additional time for analysis and examination assignments. FBO Supervision Suggestion We suggest reintroducing the FBO analyst position, or suitable equivalent, in support of the FBO area's Relationship Specialists. Bank Secrecy Act I Anti-Money Laundering Recommendations We recommend that the Reserve Bank form a plan to develop or acquire the necessary BSA/AML resources to ensure that all supervised entities are examined for BSA compliance, as required by statute and Federal Reserve guidelines. Currently Reserve Bank examinations do not include a review of non-BSA related SAR policies, procedures, and controls; therefore, a supervised institution may operate without a fully effective SAR process and it may potentially violate reporting requirements. As a best practice we recommend that examinations include a review all SAR processes. We recommend that management use System-provided BSA/AML examination workprograms or suitable documented alternatives, and provide training to staff in the use of such workprograms, so that documentation of important examination findings becomes more explicit and complete. (During the review, management stated that the Reserve Bank will use the new FFIEC Bank Secrecy Act AntiMoney Laundering Examination Manual.) Suggestions We suggest that management develop and provide periodic BSA/AML training to relationship specialists and CPCs, who could supplement scarce AML resources. Along with the suggested training, management should provide basic BSA/AML examination tools and guidelines (such as standardized work programs) to less experienced staff to aid their ability to conduct basic reviews. 29 FCIC-090737 CONFIDENTIAL Federal Reserve Bank of New York Operations Review May 2005 RESTRICTED FR An analyst provides examination assistance by preparing pre-examination packages and analysis using FinCEN SAR downloads. Because this review focuses only on BSA-related SARs, we suggest that the analyst's review also include non-BSA related SARs to identify trends and issues that may be associated with other occurrences (such as, fraudulent activity). Market and Liquidity Risk Suggestions In an effort to broaden the exposure and perspective of staff members within MLR, and thus close the "perspective gap", we suggest that management consider the possible value of moving to a staffing framework that aligns team members to either specific institutions or specific products or risk activities. We suggest that MLR continue to invest in the MRMG process, including perhaps integrating MRMG into the supervisory plan process, and consider broadening coordination of the MRMG beyond a key individual. Adding risk staff to the MRMG initiative would act to mitigate key-man risk issues, contribute towards the platform's continuity, and support potential synergies with LFI. Infonnation Technology and Operations Risk Suggestions We suggest that the Department, in conjunction with the Relationship staff, formalize a process to assess compliance with GLBA 501b at LCBOs and other large financial institutions. Examination reports do not contain information regarding the institution's overall 501b compliance. We suggest that the Department take the added step to include within examination reports conclusion(s) regarding the institution's overall 501b compliance. We also encourage departmental management to consult with Board staff to clarify this expectation. Consumer Compliance and Consumer Complaints Recommendations The team found some deviations from policy with respect to assessments to determine whether an FBO engages in activities subject to consumer protection laws and regulations and the examinations of those FBOs with activities subject to the consumer compliance laws and regulations, albeit on a minimal basis. We recommend that the Reserve Bank use language consistent with guidance provided inCA 04-3. The letter should apprise institution management of the fact that an examination was not deemed necessary and a rating will not be assigned. The supervisory letters sent to FBOs after a consumer compliance examination are very general and do not include some ofthe key components required under CA 03-13. We recommend that the Reserve Bank enhance the language used in these FBO CA examination letters to convey the key components of a CA examination report that are required by CA 03-13, especially the examination scope, an 30 FCIC-090738 CONFIDENTIAL Federal Reserve Bank ofNew York Operations Review May 2005 RESTRICTED FR evaluation of the compliance management program, a consumer compliance rating and a definition of the rating. The review team found that the Reserve Bank did maintain separate bank and consumer files subsequent to closing complaint investigations, but the files were not separated during the investigation as required by Board policy. We recommend that separate bank and consumer files be created and maintained during the investigation process. The Reserve Bank took prompt corrective action to correct this recordkeeping issue while the operations review was in process. Quality Management Recommendation We recommend that management continue to move forward with steps to broaden the BSG's participation in the work of the QAD by including representatives from all of the BSG's business units in the QAD governance structure. Information Technology Support Suggestions We suggest that the Department continue to develop and update SLAs, based on templates provided by System workgroups where possible, to ensure that critical services remain aligned with the BSG's business objectives and that roles and responsibilities are clearly defined and efficiently communicated. We suggest that DR strengthen its management process by requesting summary reports of performance against objectives specified in SLAs for all critical infrastructure services provided by Automation Services, with the goal of effectively determining that the services provided continue to meet the BSG's business requirements. 31 FCIC-090739