(Reuters) – At the time of Silicon Valley Bank’s collapse, the number of outstanding safety and soundness warnings from Federal Reserve bank supervisors had mushroomed to three times the average for a bank its size, according to a report released on Friday.
Below is a timeline of those 31 “matters requiring attention” or “matters requiring immediate attention” that Fed officials flagged to SVB, according to a Reuters review of documents released by the U.S. central bank.
(NOTE: Not all of the references contained specific details on the shortcomings highlighted by supervisors)
January 2023:
*Third-party risk management governance and risk identification
December 2022:
*Gramm–Leach–Bliley Act 501(b) information security program
*Cybersecurity risk assessment
*Systems development/deployment methodology and practices
November 2022:
*Interest rate risk simulation and modeling: The Fed found that SVB’s interest rate risk simulations were not reliable and required improvements, noting that unreliable interest rate risk modeling impairs management’s ability to make sound asset liability management decision.
*Trust and fiduciary services (T&FS) oversight and risk management
October 2022
*Identity and access management governance and oversight
*Privileged access management (PAM)
*Identity access management lifecycle
*Identity access management logging, monitoring, and detection
August 2022
* Allowance for credit loss stress methodology: Fed officials told SVB management to strengthen its oversight of how it projected credit loss in capital planning.
June 2022
*Oversight of compliance monitoring and testing
*Sanctions country of interest risk management
May 2022
*Risk management program: Supervisors found that SVB’s risk management program was not effective or comprehensive, and resulted in a reactive approach rather than a holistic approach to risk management and reporting to senior management and the board.
*Internal audit effectiveness: SVB’s internal audit coverage of risk management was found to be less than effective and did not hold senior management accountable for the program’s deficiencies.
*Board effectiveness: The board of SVB did not provide effective oversight of the bank’s management, and did not hold senior management accountable for executing a sound risk management program.
November 2021
* Enhanced liquidity risk management project plan: Fed officials identified weaknesses in the bank’s risk management plans and said addressing them “will likely require an accelerated effort.”
* Weak risk management, audit oversight of liquidity
* Contingency funding plan: The Fed found the firm’s plan had a number of deficiencies, including failure to test the discount window or other funding sources.
* Deposit segmentation: The Fed found the bank’s assumptions that all deposits will behave similarly was “unrealistic” and warned it “potentially understates outflows under stress.”
* Internal liquidity stress testing design: The bank’s testing did not reflect forward-looking assessments of risks.
* Liquidity limits framework: The Fed warned the bank may underestimate demands on available liquidity sources in stress.
August 2021
* Governance process for lending procedures: The Fed found a “critical gap” in underlying documents for SVB’s management to implement high-level policy objectives.
* Loan risk rating granularity: While the bank’s risk ratings were deemed timely and accurate, the system was not “sufficiently granular” for a bank of its size.
February 2021
* IT asset management
* Vendor management
* Data governance
* Data protection
June 2020
* Vulnerability remediation
* Identity access management
June 2019
* Systems/technology second line of defense
(Reporting by Chris Prentice and Hannah Lang; Editing by Paul Simao)
