Mic Cue FDIC: Matters Requiring Board (and your) Attention

On Aug 22, 2016, the FDIC released the Summer edition of its Supervisory Insights Journal. Okay, officially, it was FDIC Financial Institution Letter 57-2016, but that’s too much of a mouthful, so I’ll just call it the "summer journal." 

Unlike the novel in your summer beach bag, this isn’t quite as entertaining, but if you’re involved with bank or credit union management, you definitely need to pay attention.  While we’re swimming in some pretty voluminous recent regulations and slogging our way through those requirements, this Summer Journal is brief but packed with lots of information.

In particular, this journal contains some indications of where the FDIC is focused – even more relevant for those of us who work in and around vendor management or serve in a senior management capacity, you should really study the Matters Requiring Board Attention.

The FDIC says "'Matters Requiring Board Attention' Underscore Evolving Risks in Banking" discusses how the Matters Requiring Board Attention (MRBA) page within the Risk Management Report of Examination is used to focus the attention of bank management and the directors on issues and recommendations that, if addressed early, will reduce the likelihood that those institutions will experience serious adverse effects in the identified areas. This article describes the MRBA categories cited most often in 2014 and 2015 and highlights trends that can provide an overview of risks that may be developing in the industry.

The Journal serves as an early indication of where exams will be focused and where the regulator believes banks and credit unions may be deficient or failing to properly appreciate the level of risk to which the institution is exposed. 

The guide speaks heavily of the need for proper oversight by the board, including in matters related to vendor management. While there are certainly numerous other items called out in the report, it is worth noting carefully that the Journal specifically mentions vendor management and the policies of the institution throughout the journal. Here’s one example:

 MRBAs in the IT area include the need for management to strengthen the Information Security Program, risk assessments, vendor management, and disaster recovery and business continuity plans. 

It appears the days of suggestions, comments or warnings are over when it comes to third-party risk management. We’ve also noticed an up-trend with prospective new clients who are reaching out to us for the first time due to an MRBA or a like item from their specific regulatory body. 

Whether you are a compliance officer, board member, vendor management specialist or a risk manager, this directive requires your attention and active involvement. Too often these nuggets of information go unnoticed until it’s too late and you’re scrambling to answer a finding in your examination that could have easily been avoided with some proactive reading and preparation!

Cue the scary “Jaws” music and get to work!