Appeal of Composite and Component Ratings, Credit Risk Assessment, Matters Requiring Attention, and Violations of Law (First Quarter 2018)
A national bank supervised by the Office of the Comptroller of the Currency (OCC) appealed to the Ombudsman the supervisory office’s (SO) determinations in the most recent report of examination (ROE). Specifically, the bank appealed the following:
- Composite rating of 2.
- Component rating of 2 for asset quality, information technology (IT), and management.
- Credit risk management assessment of insufficient, aggregate credit risk assessment of moderate, and direction of credit risk assessment of increasing.
- Matters requiring attention (MRA) regarding the following:
  - Credit Presentation, Financial and Collateral Analysis.
  - Loan Review Program.
  - Asset Quality Management Information System (MIS) and Reporting.
  - Loan Modification Management.
  - Loan Policy.
  - Internal Audit Program.
  - Information Technology.
  - IT Audit.
  - Vendor Management Program.
- Violation of 12 CFR 34.43(b) regarding evaluations.
The appeal asserted that the composite rating of 2 and the component ratings of 2 for asset quality, IT, and management are unsupported. The appeal stated that the MRAs related to credit, audit, and IT were an excessive level of criticism for a small community bank and that management had completed what was necessary to maintain the rating of 1 in these areas.
For the credit risk assessment, the appeal contended that the credit risk management assessment of insufficient, the aggregate risk assessment of moderate, and the credit risk direction of increasing are unsupported given the bank’s low level of classified assets. The appeal argued the bank has had the same policies in place for many years without prior OCC criticism.
With respect to the Credit Presentation, Financial and Collateral Analysis MRA, the appeal stated that the bank’s underwriting practices are appropriate for its size and complexity and conform to the guidelines in 12 CFR 30, appendix A. The appeal contended the bank is not missing critical factors in the loan approval process and that the bank obtains the guarantor information necessary to perform a financial analysis.
With respect to the Loan Review Program MRA, the appeal contended that the bank’s loan review program does not need to be independent, is appropriate given the bank’s size and non-complex loan portfolio, and was previously SO approved. The appeal stated management completes annual reviews upon receipt of financials, and the bank’s external auditors conduct loan review as part of the annual Director’s Exam.
Regarding the Asset Quality MIS and Reporting MRA, the appeal argued that the bank tracks exceptions and that the loan policy discusses how management handles policy exceptions. The appeal stated the bank occasionally approves loans outside of guidelines and makes acceptable exceptions to meet the legitimate credit needs of its communities and serve creditworthy borrowers. The appeal further stated that the bank’s low level of classified assets demonstrates that it lends to creditworthy borrowers to meet the credit needs of its communities.
With respect to the Loan Modification Management MRA, the appeal asserted that the bank’s loan policy details the guidance and standards for controlling the use of deferrals. The appeal stated the number of deferrals had decreased over the last three years, the loan files document the ability to repay when management grants a deferral or extension, and the deferral process has been in place for many years without prior OCC criticism.
With respect to the Loan Policy MRA, the appeal contended that the bank’s loan policy is appropriately tailored to the complexity of the bank’s lending activities. The appeal also stated the SO did not discuss certain areas with management during the examination and provided the noncompliance for accounting for other real estate owned (OREO) as an example.
Regarding the Internal Audit Program MRA, the appeal stated that the bank has an audit program that is appropriate based on the bank’s size, scope of activities, and risk profile. Additionally, the appeal contended that 12 CFR 30, appendix B, states a system of independent review of key controls may be used for an institution whose size, complexity, or scope of operations does not warrant a full-scale internal audit function. The appeal argued that the bank is performing an independent review of key internal controls along with having an audit program. The appeal contended that the bank is not required to have an audit program or committee and an MRA should not be given for a program that is not even required. The appeal also argued that the bank is using a risk-based approach and does not ignore any areas even if they are rated as low risk.
With respect to the IT MRA, the appeal argued the IT-related risk assessments are commensurate with the bank’s size and complexity. The appeal stated that the bank’s information security risk assessment addresses threats and vulnerabilities in sufficient detail; that internal controls are considered in the level of residual risk; and that the frequency of testing is determined by the bank’s IT committee. The appeal also contended that the IT risk assessment appropriately determined the level of residual risk and audit frequency.
With respect to the IT audit MRA, the appeal argued the bank’s information security and IT risk assessments dictate the audit scope and the frequency of the internal and external vulnerability scans. The appeal contended the frequency of audit testing and vulnerability scans is appropriate to test key controls. The appeal also asserted the IT audit program is independent and the IT audit staff is not involved in setting the audit scope or testing.
With respect to the Vendor Management Program MRA, the appeal contended the bank maintains a vendor management binder containing vendor risk ratings, financial information, and contracts that examiners did not discuss with management during the examination. The appeal further asserted the bank has policies and procedures in place to protect the bank from various risks, and management regularly reviews the bank’s risk scoring methodology and vendor contracts.
Regarding the violation, the appeal asserted the bank is validating an old appraisal or evaluation by documenting that the appraisal continues to be valid as allowed by Interagency Appraisal and Evaluation Guidelines dated December 10, 2010.
The Ombudsman conducted a comprehensive review using the standards in effect at the time of the examination, including the following:
- 12 CFR 30, appendix A, “Interagency Guidelines Establishing Standards for Safety and Soundness”
- 12 CFR 30, appendix B, “Interagency Guidelines Establishing Information Security Standards”
- 12 CFR 34, “Real Estate Lending and Appraisals”
- The following booklets of the Comptroller’s Handbook:
  - “Bank Supervision Process,” September 2007, updated September 2012 and May 2013
  - “Community Bank Supervision,” January 2010
  - “Loan Portfolio Management,” April 1998
  - “Internal and External Audits,” December 2016
- The following booklets of the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook:
  - “Information Security,” September 2016
  - “Management,” November 2015
  - “Audit,” April 2012
- OCC Bulletin 2000-20, “Uniform Retail Credit Classification and Account Management Policy: Policy Implementation,” June 20, 2000
- OCC Bulletin 2010-42, “Sound Practices for Appraisals and Evaluations: Interagency Appraisal and Evaluation Guidelines,” December 10, 2010
- OCC Bulletin 2013-29, “Third Party Relationships: Risk Management Guidance,” October 30, 2013
The Ombudsman agreed with the SO’s assessment of a 2 rating for the composite as well as component ratings for asset quality, IT, and management. The weaknesses identified in credit, audit, and IT along with the violation of law and regulation resulted in the change in ratings. The composite rating is more reflective of a 2, as banks with a 1 rating for the composite are sound in all aspects.
The Ombudsman agreed with the credit risk assessment ratings assigned by the SO. Credit risk management was insufficient due to weaknesses identified in the credit-related MRAs, unidentified exceptions, and the appraisal/evaluation violations. The aggregate level of credit risk is moderate, and the direction of risk is increasing. The quantity of credit risk and the quality of credit risk management are used to derive the conclusions for the aggregate and direction of credit risk. The low quantity of credit risk coupled with the insufficient risk management results in a moderate level of risk. The direction of risk is increasing due to the potential for an increase in watch and problem loans from the development and implementation of an improved and independent loan review program.
The Ombudsman rendered a split decision for the Credit Presentation and Financial and Collateral Analysis MRA. The Ombudsman determined that the SO appropriately cited an MRA requiring management to complete credit presentation forms with sufficient detail on the primary and secondary source of repayment, collateral analysis, policy exceptions, and guarantor analysis to allow the board to make an informed decision to lend. The Ombudsman agreed with the bank that the credit presentation form captures the necessary information to understand the risks of the credit, if management properly analyzed and documented the form. The Ombudsman revised the ROE to remove the concern and corrective action associated with the content of the credit presentation forms.
The Ombudsman determined that the SO accurately cited the Loan Review Program MRA, which includes the internal annual review process and the third-party loan review. The Ombudsman agreed with the SO that the annual review process lacks depth, is not timely, and lacks independence. Further, the Director’s Exam performed by the bank’s external auditors does not meet the requirements of a loan review function.
The Ombudsman determined that the concerns outlined in the Asset Quality MIS and Reporting MRA were appropriate, but should be incorporated into other existing credit MRAs, thereby removing the need for this new MRA. The Ombudsman moved two concerns, related to developing an exception tracking process and updating the loan policy regarding exception approval authorities, to the Loan Policy MRA. The concern to formally document policy limits in the lending policy was already addressed in the Loan Policy MRA. Finally, the concern and corrective action regarding the accuracy of deferral reports was moved to the Loan Modification Management MRA.
The Ombudsman agreed with the SO for the Loan Modification Management MRA. The loan policy does not detail the bank’s standards regarding deferrals, and is silent on the analysis required to document the ability of the borrower to repay under an approved deferral or extension request.
The Ombudsman agreed with the SO on the Loan Policy MRA, which required management to update the loan policy to provide direction to loan officers, set the board’s risk tolerances, and guide the bank’s lending activities consistent with strategic direction. However, the Ombudsman determined that the MRA needed to be revised to avoid duplication and ensure appropriate corrective actions for all identified deficient practices. The Ombudsman removed the corrective action regarding credit presentations, as it is included in the Credit Presentation and Financial and Collateral Analysis MRA; added the concerns regarding exception tracking and approval authorities; and renamed the MRA to Loan Policy and Exception Tracking. The Ombudsman also included a corrective action for the OREO accounting treatment, which was discussed with management during the examination.
The Ombudsman determined that the SO accurately cited the Internal Audit Program MRA to improve the bank’s internal audit program, specifically the risk assessment and audit plan. However, the MRA needed to be revised to clearly communicate the corrective actions required by the OCC. The bank must develop an accurate risk assessment that incorporates the bank’s actual practices. The audit plan and risk assessment must provide a consistent message regarding the bank’s risks, audit frequency, and audit coverage. The Ombudsman agreed with the SO that the audit scope needed expansion to include a review of internal controls and ensure appropriate coverage of all areas. The Ombudsman also determined that the appeal inaccurately stated that banks are not required to have an audit program or audit committee. Given the bank’s size, the bank is not subject to 12 CFR 363, which requires an audit committee consisting entirely of outside directors. However, the bank is required to have an audit program in accordance with 12 CFR 30, appendix A, section II, “Operational and Managerial Standards.”
The Ombudsman determined that the IT MRA regarding the information security and IT risk assessments is appropriate, but revised it to reflect that the IT-related risk assessments must be reconciled to ensure consistency in assigning the risk level and audit frequency. The Ombudsman determined that the risk assessment process is appropriate for the bank’s risk and complexity, and removed the concerns related to identifying threats and the scoring of inherent and residual risks. However, the Ombudsman determined the information security risk assessment must be updated to note the frequency of vulnerability assessments, and the bank’s use of social engineering and penetration tests.
The Ombudsman rendered a split decision on the IT Audit MRA. The Ombudsman agreed with the bank that the IT audit coupled with the vulnerability assessments and social engineering test are sufficient to test internal controls and the security of systems, as required by 12 CFR 30, appendix B. The Ombudsman revised the MRA to remove the concern related to audit testing. The Ombudsman agreed with the SO that audit independence must be improved. IT personnel may be involved in the IT audit risk assessment process, but the risk assessment must then be reviewed by the audit committee or the third-party auditor to ensure the risk assessment and audit scope are appropriate.
The Ombudsman determined that the SO appropriately cited a Vendor Management Program MRA. The MRA details concerns related to the vendor risk-scoring methodology and the vendor contract guidelines. Management must ensure comprehensive monitoring of critical vendors and ensure formal contracts address security and privacy requirements to comply with regulatory guidelines.
The Ombudsman agreed with the violations cited by the SO regarding the lack of an evaluation on three loans. Although management completed, in each instance, an evaluation or the form for validating the evaluation, the documents did not comply with the requirements in 12 CFR 34.43(b). The use of the tax assessment as the sole source of value, and the lack of or insufficient support for an evaluation of collateral, resulted in the violations.