The FDIC recently published a report highlighting trends and risks gleaned from Matters Requiring Board Attention (MRBA) that FDIC examiners have issued over the past five years. The report offers an in-depth look at the regulatory issues that have drawn the attention of FDIC examiners in recent years and provides guidance on areas bankers should focus on to avoid MRBAs or other adverse action from the regulators.
As the chart below indicates, board and management issues were the most frequent problems cited in MRBAs in 2015, followed closely by loan-related issues. Other common topics of MRBAs included violations of laws, regulations, or policies; interest rate risk; IT controls and cybersecurity issues; earnings problems; Bank Secrecy Act compliance issues; and liquidity problems.
MRBAs from 2011 to 2014 involved similar topics, though loan-related issues were more prevalent than management issues during most of that time period. The decrease in loan-related MRBAs is attributable primarily to the improvement in credit quality across the banking industry.
Within these broad groups, the FDIC identified specific recurring problems that its examiners have seen in issuing MRBAs, including the following:
- Corporate governance issues attributable to incomplete or ineffective policies
- Audit-related problems, including lack of independent review and insufficient board oversight
- Inadequate credit administration and loan review policies
- Credit concentration risk, particularly for community banks serving a small geographic area or specializing in a limited number of loan types
- Elevated volume of problem assets and bad loans
- Inadequate liquidity caused by a lack of sufficient contingency funding plans
- IT and cybersecurity risks and inadequate policies for managing vendor security risks
The FDIC makes several recommendations for avoiding some of the common problems leading to MRBAs. First, banks should expand or revise their corporate governance policies to “ensure those policies incorporate sound objectives, procedures, and risk limits.” Banks also must “monitor bank officer and employee compliance with those policies, banking laws, and regulations.” Second, banks should improve their audit plans to better address their risk profiles and to increase board oversight of the audit function. Third, banks should review their credit administration policies and ensure that they are engaging in a comprehensive loan review process and properly grading loans. Fourth, banks should ensure that there are no deficiencies in their ALLL methodology and, if necessary, should improve qualitative or quantitative factors used to support calculations.” Fifth, banks should examine their loans for any unsafe credit concentrations and take steps to reduce concentrations in collateral, geographic area, industry, or product line. Sixth, banks should review their IT controls for any cybersecurity risks and consider the need for expanded risk assessments, independent reviews, and vendor management programs. (See my recent Independent Banker article on managing vendor risks for a discussion of some of these cybersecurity issues).