<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; CU</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/cu/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Are banks unfairly scrutinized?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/#comments</comments>
		<pubDate>Mon, 22 Oct 2012 14:09:17 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ACH]]></category>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[auditor]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[Information Technology General Controls]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[internal controls]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=993</guid>
		<description><![CDATA[A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) [...]]]></description>
				<content:encoded><![CDATA[<p>A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A&amp;B&#8221;.  To this day when anyone inquires as to what I do for a living this surfaces in some form as an answer.</p>
<p>Truth be told, while I&#8217;ve spent somewhere near seventy-five percent of my time over the past ten years working for financial institutions I&#8217;ve also done a fair amount of work for insurance companies, mostly centered on SOX with occasional diversions into general risk assessment work.  The drivers in the insurance industry are different in terms of oversight and requirements and so the volume of work isn&#8217;t nearly the same.  But that by itself begs a question: Why isn&#8217;t the insurance industry as regulated as financial institutions?</p>
<p>I&#8217;ve now done major audit and assurance work for financial institutions, insurance companies and health care providers, and for most of them the risk profile is almost identical in terms of non-public personal information.  So why isn&#8217;t the level of scrutiny equal across all three of them?  While some might start spouting about how it is, about how states routinely audit insurance companies and how the health care industry has to comply with HIPAA, the truth is that banks and credit unions are held to a much higher degree of accountability than any other vertical.  Why is that?</p>
<p>I&#8217;m fond of routinely, almost incessantly beating the drum about how it&#8217;s all about the risk.  I get my initial client opportunities because I have a deep resume with relevant experience, but I generate repeat business because I tend to whittle things down to what matters most both to my clients and to their oversight providers (auditors and examiners alike).  Compliance exists because risks need to be addressed &#8211; if the risks aren&#8217;t credible or likely the work should be adjusted to reflect that.  But where the risks are real they&#8217;re really real.  The type of data shared with an insurance company is in many ways even more sensitive than anything shared with a bank, and most of what&#8217;s shared with insurance companies is also shared with health care providers.  Yet there&#8217;s no true Federal oversight for the insurance industry and HIPAA is about as much of a toothless tiger as anything I&#8217;ve ever encountered.</p>
<p>I recently completed a boatload of documentation to get my family on a new health insurance plan.  I turned over every piece of sensitive information I have for every member of my family, minus my bank account information, because that&#8217;s what was required.  I had to provide all of this online and follow that up by sending them an impressive array of hard-copy documents with even more sensitive information that should never be kicking around in the public domain.  In the past I&#8217;ve also been required to provide my bank account information because one plan in particular would only provide coverage if they could automatically deduct monthly premiums via ACH drafts.  So now the insurance industry has access to it all: name, address, social security number, date-of-birth, maiden name, medical history and banking information.  And yet there&#8217;s no true oversight agency that&#8217;s responsible for making sure they&#8217;re protecting all of MY information.</p>
<p>To compound my frustration, of the four insurance companies I&#8217;ve conducted work for since 2006 (two of which are Fortune 500s) exactly none of them have something akin to a Chief Information Security Officer.  They all have risk people focused on the business side of things (because that&#8217;s necessary to protect profitability) but that&#8217;s it.  There&#8217;s typically an information security manager who&#8217;s part of the infrastructure team but who almost never reports right into the senior-most technology person (e.g. CIO, CTO).  Any audit work that occurs is coordinated across multiple IT managers and on rare occasions there will be an audit/assurance manager.  However, in the one example I personally know of where that position exists the person in the role was really just a converted IT manager who obtained a CISA designation &#8211; no fundamental audit or assessment experience.</p>
<p>The question has to be asked:  Why is it that banks and credit unions are heavily regulated regarding protection of non-public personal information but other industries with similar risk profiles are not?  Why aren&#8217;t insurance companies required to comply with FFIEC-type guidance?  Why isn&#8217;t there a Federal regulatory agency that is responsible for keeping an eye on the insurance industry the way the FDIC, OCC, FRB and NCUA do so for their financial institutions?  And trust me, whatever oversight exists for the insurance and health care industries is largely ineffective.  Why is my sensitive information considered more at risk within a banking infrastructure than it is within an insurance infrastructure?  Having been on site for both and examined their internal controls, I can&#8217;t answer that question, that&#8217;s for certain.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are self-assessments the right way to go?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/#comments</comments>
		<pubDate>Fri, 21 Sep 2012 15:44:11 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliance officer]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[disaster]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<category><![CDATA[DR]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[regulatory guidance]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=975</guid>
		<description><![CDATA[About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels, [...]]]></description>
				<content:encoded><![CDATA[<p>About a decade ago a family member chastised me for having an auto repair shop do my oil changes for me.  She (yeah, you’re reading that right – “she”) pointed out how ridiculously easy it was to drain the old oil, replace it with the new stuff and check a wide variety of fluid levels, connections and filters without having to pay someone else to do it.  On one hand she had a valid point, it sure didn’t sound very difficult.  On the other hand I immediately wondered how I would get to the plug where the oil needed to drain through in order to open it, where would I collect the old oil and how would I dispose of it once I did?  And what the heck would I do if something went wrong?  Plus I would need to remember to buy the new oil, perhaps a filter or two and then figure out how to check a myriad number of items to make sure the car was running right.  Or I could keep going to my mechanic and pay him the $39 to take care of it for me.  I’ve always had a way of considering things via the risk vs. reward formula and that was an easy one – have the professional do it.   It would take me more than an hour not including shopping for the needed supplies and there was an increased risk that I would miss checking something, forget to tighten something or simply do a bad job.  I’ve been earning more than $39 per hour for a long time and so I decided that I should just work an extra hour and use the proceeds to let the professionals do their job.</p>
<p>Which is why I don’t much care for any manner of compliance-based assessments that are self-administered.</p>
<p>Companies have had this crazy notion for more than a decade now that the best way to identify and address risks inherent within the infrastructure is to ask key stakeholders a somewhat generic set of questions and use their responses to figure out what’s what.  Most of the time the people driving these initiatives are either information security professionals or corporate compliance people who either believe they already know where the problems are or are looking for the simplest and easiest way to satisfy some requirement.  But what they often fail to grasp is that it’s almost impossible to draft a common set of questions that either apply to the vast majority or worse, will be interpreted consistently across the stakeholder population.  Plus the perceived benefit of using a self-assessment approach to reduce effort and required support resources is almost always an illusion.  Most of the time saved in not having someone ask the questions and record the answers is instead consumed by needing to explain the format, explain the questions or trying to clarify and clean up the responses.  While supporting one such program recently each assessment required a kick-off meeting, a follow-up meeting to review the status of the assessment, a third meeting to review the initial draft of the questionnaire, a fourth meeting to review the resulting report(s) and a largely untracked number of hours to help generate all of the related support documentation.  Regardless of the size of the entity being assessed each one consumed somewhere close to eight hours.  While that might seem like a scary large number, the really scary part was that based on which risk analyst was responsible for the assessment and the personality/mindset of the stakeholder completing it the results looked very different from one another.  
It was almost impossible to generate meaningful metrics across the assessment population because a “Yes” answer for one question might mean the same as an “N/A” in another; there was no way to know that.</p>
<p>Another issue I’ve always had with the self-assessment approach is that while some stakeholders take it seriously and do a remarkably thorough job, others race through it with little hesitation just to fill in the blanks and get it off their desk.  Sometimes you can detect which is which, sometimes you can’t.  Plus the approach fails to capture much of the rich and relevant information related to each question and the underlying risk behind it.  I recall conducting a team-driven risk assessment years ago where one stakeholder after the next covering a very broad sampling of the infrastructure kept lamenting on the lack of a proper disaster recovery plan.  They had something to show auditors/examiners but to a person no one believed it was a truly viable plan.  All but the CIO brought it up as a concern and when pressed a bit about why that was they all shared a common concern: If their main office was closed unexpectedly for twenty-four hours, regardless of the reason, they were likely out of business.  A related self-assessment question would ask “Do you have a current and recently tested DR plan?” – most respondents on that engagement would simply have selected “Yes” and moved on to the next question without ever being challenged to share their concerns.  Where’s the value in having a repository of questions and answers when it fails to capture the true essence or dimension of risk? </p>
<p>And the biggest issue I’ve always had with self-assessment questionnaires and their related templates is that they’re so often poorly designed.  I can guarantee you that each of them has at least one question which makes zero sense to anyone who reads it.  They either answer it based on what they think it’s asking, answer with an “N/A” or require follow-up with the people managing the process to have it explained.  And you’d be amazed how many times even the author is challenged to provide a meaningful answer (including this guy).  One thing’s for certain, a self-anything needs to be designed and written so that everyone understands what they need to do without having their hand held.  Plus it’s rare that questionnaires are customized so that each stakeholder is only asked those questions that truly make sense.  An application owner should never be asked if their anti-virus solution is current and up-to-date.  A business process owner should never be asked about software change management.  Yet seldom have I encountered a self-assessment process which does anything like this and so the audience is burdened with time consuming yet unnecessary questions.</p>
<p>Really though in the end my overriding problem with the self-assessment approach is that it fails to capture the expertise and guiding hand of true risk and assurance people.  The process is often supported by analysts who don’t really have a feel for conducting assessments and are satisfied that all of the blanks are filled in.  I have a nose for when there’s something beyond a simple answer and know when to scratch at the surface to bring it to light.  By not allowing expert hands to guide the process potentially huge amounts of valuable and possibly critical details are being missed thus undermining any perceived value of the process.  When you consider that all tolled and tallied the self-assessment approach versus the guided assessment approach doesn’t really save you much time (if any) and that it results in a weaker finished product, why would you elect to use it?   One answer is that regulators push for it because perhaps it’s better than nothing (I can’t get any of those I know to comment).  Another is that the people sponsoring these initiatives lack the fundamental comprehension to understand their options and chose what they perceive as the less complicated approach (again, I don’t know for sure it’s just a theory).  What I do know is that when done right a risk assessment is managements best friend, a fundamental belief behind the recent spike in ERM activity.</p>
<p>While recently having my car serviced the mechanic discovered a nest of some sort in the engine block, he thinks it was probably squirrels.  Because of this discovery he went searching for all the wired connections to make sure they weren’t chewed up and destroyed, quite a few were as it turns out (the car had been idle for several months).  The bill only added the cost of the replacement wires but nothing significant for the time it took to first find which were affected and then replace them.  Had I attempted the repair myself I might have noticed the nest and likely would’ve cleared it but know for certain I never would’ve thought to check the wires, where to look for them or what to look for.  I was smart enough to rely on a professional with a nose for that sort of thing and it saved me time, money and best of all the aggravation of having the car break down somewhere unexpectedly.  Good thing I didn’t go the self-repair route.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-self-assessments-the-right-way-to-go/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk: The core issue behind regulatory requirements</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/#comments</comments>
		<pubDate>Fri, 06 Jul 2012 03:18:40 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[control]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[enterprise risk]]></category>
		<category><![CDATA[enterprise risk management]]></category>
		<category><![CDATA[ERM]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[Federal Reserve Bank]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[framework]]></category>
		<category><![CDATA[FRB]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulations audit]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[Risk IT]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk rating]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[vendor]]></category>
		<category><![CDATA[Vendor Management]]></category>
		<category><![CDATA[vendor risk]]></category>
		<category><![CDATA[vendor risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=923</guid>
		<description><![CDATA[There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family [...]]]></description>
				<content:encoded><![CDATA[<p>There&#8217;s a joke of sorts within my personal circle of family and friends regarding what it is that I do these days.  Ask me and I&#8217;ll tell you that I&#8217;m a regulatory compliance expert who advises financial institutions on how to comply with the myriad rules and regulations governing information security.  Ask my immediate family and they&#8217;ll tell you that I work with computers.  Ask my extended circle and they&#8217;ll tell you that I do a lot of work with banks and credit unions.  For those who aren&#8217;t in the banking business it&#8217;s difficult to understand exactly what it is that I do and so they find it easier to keep it simple; I do a lot of work with computers for places where people deposit their money.</p>
<p>Of course the truth is much more complicated.  I don&#8217;t just focus on computers; my scope expands to include anything that involves sensitive information.  While that always includes a variety of devices it also includes paper-based and people processes as well.  I frequently share stories about the enormous amount of printed content that&#8217;s to be found throughout an institution&#8217;s physical locations.  I occasionally tell stories about how careless people can be when on the phone or in conversation and sharing all manner of sensitive information.  It&#8217;s never just about computers; it is however always about information and how it needs to be protected.</p>
<p>Truthfully though, what I really do is search for controls that protect information, identify those that I find and try to measure their effectiveness and, more importantly, identify where controls are missing and work with my clients to remedy that.  At the heart of the regulatory requirements I focus on it&#8217;s all about the risk introduced by the presence of information, from personally identifiable (PII) to non-public personally identifiable (NPPI).  Risk: It&#8217;s what drives every single project I work on, it&#8217;s what drives every product and process I help develop.  And really, if you take the time to read through the literature, it&#8217;s what&#8217;s behind just about every piece of regulation known to the banking world.  Risk, risk, risk and risk.</p>
<p>One of the reasons I&#8217;ve enjoyed spending so much time working with the community banking and credit union sector over the past few years is that it&#8217;s a simple enough argument to make with fewer people to convince: everything you do to comply with the regulations should be risk-based.  It doesn&#8217;t really make a difference if it&#8217;s complicated to do or time consuming; you prioritize based on where the risks are found and make decisions accordingly.  But that gets much more difficult to do as the institutions grow in size and complexity.  Over the fifteen years I&#8217;ve been building and supporting compliance initiatives I&#8217;ve worked with Fortune 50s, 100s and 500s and a whole lot of financial institutions that merely read Fortune magazine.  But while their overall size varies widely risk is still risk and that never changes.</p>
<p>I wish more practitioners embraced this simple concept.  While some do, many still don&#8217;t.  There&#8217;s often a rush to come up with a standard set of decision criteria to drive the work based on factors not necessarily aligned with risk factors.  Those who have worked with or for me will tell you that when presented with questions about which vendors or applications to assess or what to look for when conducting any type of assessment my first line of logic is to try to figure out where the greatest possible exposures are to be found.  Assessing a low risk application yields little value no matter how complete it may be.  And reviewing a vendor where the dollar spend is high but the risk factors are low does little to protect the institution.</p>
<p>Beware the practitioner who wields a hammer for they only know to look for nails.</p>
<p>Your regulator doesn&#8217;t want you to blindly implement compliance programs; they want you to identify and manage risks, real risks.  They want to be able to understand the logic and approach being used and find credible evidence that you&#8217;re focusing your efforts on the right things.  Go back and read through the library of FFIEC documentation and pay close attention to the hooks inserted throughout where they talk about conducting assessments and talk about using approaches which are appropriate for the size and complexity of your institution.  Then scan through your related program inventory and figure out if you&#8217;ve designed things accordingly.  Are they actually protecting your institution from credible threats and risks or are they just filling binders on your compliance officer&#8217;s shelves?</p>
<p>For me, professionally I&#8217;d prefer to always only do meaningful work and in the audit and assurance world meaningful is code for risk-based.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/risk-the-core-issue-behind-regulatory-requirements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The trouble with ineffective controls</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-ineffective-controls/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-ineffective-controls/#comments</comments>
		<pubDate>Wed, 15 Jun 2011 16:52:52 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[data center]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=745</guid>
		<description><![CDATA[Seriously, even though a control might appear critical in nature, if it's poorly designed, poorly supported or just flat out ineffective, kill it altogether.  No decent examiner or auditor is going to be tricked into thinking it's providing value and it's likely going to call into question the validity and reliability of all your other (hopefully) effective controls.  If you feel strongly that the control needs to be in place and doing its job then do something about it.  Either redesign things so that it's viable and effective or scramble like crazy to identify compensating controls that render the control unnecessary.]]></description>
				<content:encoded><![CDATA[<p>I&#8217;ve been visiting with my mother who lives in a gated retirement community. In order for me to gain access to the development I need to pass through a security check point at the main gate. They ask me who I&#8217;m visiting, I provide my mother&#8217;s name and either they find my name on the pre-approved persons list or they have to call her to authorize my entry, or at least that&#8217;s what they&#8217;re supposed to do. Ever the auditor, I&#8217;m always amazed that they never ask me to provide any form of proof that I am who I say I am. I&#8217;m further amazed by how inconsistently this very basic control is applied. Some of the security guards wave me in without ever checking that it&#8217;s OK to let me in. Some look up her name on their system to make sure she exists but never ask me who I am, and just a very small handful of the guards follow protocol and check my name against the list (but still without ever knowing if I&#8217;m me). For the purpose of this blog post, let&#8217;s ignore the fact that I could park on the street outside the development and simply walk across the lawn in order to gain access to her apartment, completely bypassing security. Let&#8217;s also look past the fact that all I would ever need to do is have someone elderly sitting next to me and tell the guard that I&#8217;m returning that person to their apartment in order for them to let me in. Generally speaking, despite having security guards, a secured entry and a documented process to control who is allowed access, they might as well have nothing because net-net that&#8217;s what they really have. This visually impressive control fails miserably to work and anyone with ill intent would know that in a heartbeat.</p>
<p>Which begs the question, why bother supporting ineffective controls when they fail to control anything?</p>
<p>I wish it was rare that I encountered similar situations with my clients but it&#8217;s not. My favorite ineffective control is the manual visitor sign-in sheet I often find when auditing/assessing my clients&#8217; physical data center controls. My hosts often make a big deal out of asking me to sign in before allowing me access to their data center or server room and I typically play along. However, I&#8217;m fond of using an alias to see if they validate the information I provide (usually they don&#8217;t). The manual sign-in sheet falls under the category of &#8220;better than nothing&#8221; but in its own special sub-category I call &#8220;but not by much.&#8221; The list is always a bit light and is often missing sufficient evidence to prove that it&#8217;s consistently relied upon. Another favorite of mine centers on production change control. Some of my clients have fairly robust processes to track changes to application software, but ask them for evidence of system software updates or hardware configuration changes and I&#8217;m met with blank stares as they try to figure out how to tell me they don&#8217;t really track those things formally. So you have to wonder why you&#8217;d even bother to track some of the changes if you&#8217;re not tracking all of them. If something went wrong within a client&#8217;s infrastructure, how would they know if any recent changes might explain it if they don&#8217;t know about everything that changed?</p>
<p>Here&#8217;s a bit of a radical thought; stop supporting ineffective controls and save the time and effort required to support them.</p>
<p>Seriously, even though a control might appear critical in nature, if it&#8217;s poorly designed, poorly supported or just flat out ineffective, just kill it altogether. No decent examiner or auditor is going to be tricked into thinking it&#8217;s providing value and it&#8217;s likely going to call into question the validity and reliability of all your other (hopefully) effective controls. If you feel strongly that the control needs to be in place and doing its job then do something about it. Either redesign things so that it&#8217;s viable and effective or scramble like crazy to identify compensating controls that render the control unnecessary.</p>
<p>We live in an age where compliance rules all. There are all manner of controls that are required in order to satisfy our oversight agencies and auditors and that&#8217;s a list that will only continue to grow. No one has the luxury of wasting time or the precious few resources they have to work with and so it&#8217;s that much more critical that these things be thought through and validated. Expecting people to support control related activities that ultimately fail to satisfy their objective is flat out wrong. And because this is the age of regulatory enlightenment those who toil within the financial services industry are a bit more savvy about how these things work. They have an idea of whether or not what they&#8217;re being asked to do makes sense and will resist or defer participating if they think it&#8217;s a waste of time. The only thing worse than an ineffective control is one that&#8217;s poorly supported.</p>
<p>It&#8217;s why I often wonder what would happen if I simply drove across the lawn closest to my Mom&#8217;s building and completely avoided the main gate. I&#8217;m thinking that if it&#8217;s after sunset when there are no golfers walking the links I could probably pull it off. Of course I&#8217;d have to deal with the compensating control of an angry mother once she figured out what I did but perhaps, just to prove a point it might be worth it.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-trouble-with-ineffective-controls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is your examiner a friend or foe?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-your-examiner-a-friend-or-foe/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-your-examiner-a-friend-or-foe/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 21:58:42 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[OCC]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=665</guid>
		<description><![CDATA[The examination process and the people who staff the function play an important role in helping keep the industry running right.  At a minimum they're there to measure and assess their member institutions to identify issues before they grow into problems.  But what they're really there to do is help you figure out how to manage things more effectively to protect depositors that fall under their jurisdiction.  Fundamentally that's what you're also supposed to be doing and so it only makes sense that you work together.]]></description>
				<content:encoded><![CDATA[<p>I was catching up on my industry emails the other day and buried in my FDIC email folder was Financial Institution Letter <span>FIL-13-2011, sent out on March 1st. Truthfully I usually pay close attention to their Friday afternoon blasts regarding bank closings and only skim the rest. But this one jumped right off the screen because it addresses one of the great mysteries I&#8217;ve struggled with in this industry.</span></p>
<p>Whenever I&#8217;ve been engaged by a banking client to help them resolve findings surfaced during an exam, my first question almost always is &#8220;What did the examiner suggest you do about this?&#8221; which is usually met with a blank stare. When new or modified regulations are issued and go into effect, I&#8217;m fond of recommending to my clients that they contact their examiner for guidance on how best to address it. Again, the typical response is either a strange look or they pretend I didn&#8217;t say anything at all. Why is it that financial institutions are so reluctant to engage in dialogue with their examiners?</p>
<p>That was the spirit of the FDIC FIL. It was titled &#8220;Reminder on FDIC Examination Findings&#8221; and it was intended to remind their member institutions to work with them when dealing with findings and establish a dialogue. It pointed out that &#8220;an open dialog with bank management is critical to ensuring the supervisory process is effective in promoting an institution&#8217;s strong financial condition and safe-and-sound operation.&#8221; It further went on to point out that &#8220;if an institution disagrees with examination findings, it should address those concerns through communication with the examiner, field office management, or the appropriate regional office staff.&#8221; Good advice, but likely words falling on deaf ears (or blind eyes).</p>
<p>I&#8217;ve only conducted audits in my career, as I&#8217;ve never been an examiner for any of the oversight bodies. But one thing I can tell you is that when I detail a finding in an audit report it&#8217;s always accompanied by recommendations for remediation along with suggestions on how best to approach managing the work. I would never write up anyone or anything where I didn&#8217;t have a clear idea about how it should be working along with a solid approach for getting there. I can assure you that by and large the same is true for your examiners. They are not only experts on measuring and assessing procedures and controls, but because they see such a wide range of solutions during their travels, they are uniquely positioned to provide guidance on how you should be doing things.</p>
<p>If you disagree with a finding, you need to let your examiner know. But you will need to qualify your position and articulate it in such a way so that they can consider compensating factors that they might have missed.</p>
<p>A few years back I coined the following definitions: an auditor is someone who knows if your answer addresses the question, a good auditor is someone who knows if you gave the right answer to the question and a great auditor is someone who knows if you offered your best answer to the question. I&#8217;m always amazed by how many findings I&#8217;ve encountered in my career where there were clear compensating controls in place to mitigate the associated risk that no one ever took into consideration. I&#8217;m also often amazed how a client, despite being aware that an examination finding doesn&#8217;t hold up under scrutiny for similar reasons, makes no attempt to discuss it with their examiner. It&#8217;s almost as though they&#8217;re afraid to engage them in conversation lest they find even more issues to report.</p>
<p>The problem I suspect is rooted in the basic fear that the examiners are looking for something to write about in their reports and so the less attention you bring upon yourself or your institution the better off you are. The reason so few institutions dispute what they consider questionable findings is that no one wants to anger the person writing the report, lest they seek revenge the next time around. Of course that&#8217;s all remarkably flawed logic.</p>
<p>Let me share a secret with you; my favorite audits are those where I find a cooperative staff and a management team committed to running things right. It sort of inspires me to do my best work and only present them with findings that are relevant and which will help them strengthen their infrastructure in a meaningful way; and I&#8217;m certain a vast majority of examiners for the FDIC and their oversight partners are the same exact way (in large part because I know a few of them).  If you seek to forge a partnership with them you&#8217;ll find a productive relationship that winds up benefiting both sides. However, if you continue to perceive the relationship as somewhat adversarial, that&#8217;s what you&#8217;ll be burdened with.</p>
<p>The examination process and the people who staff the function play an important role in helping keep the industry running right. At a minimum they&#8217;re there to measure and assess their member institutions to identify issues before they grow into problems. What they&#8217;re really there to do is help you figure out how to manage things more effectively to protect depositors that fall under their jurisdiction. Fundamentally that&#8217;s what you&#8217;re supposed to be doing and so it only makes sense that you work together.</p>
<p>Am I advocating that &#8220;examiners are your friends, don&#8217;t be afraid?&#8221; No. I am recommending that you engage their knowledge and expertise and trust that they want to work with you. Odds are quite high that it will result in a less painful examination process and one where everyone comes out ahead. Oh and one more thought, if they recommend you manage something a certain way, it&#8217;s almost a guaranteed pass on the exam because they&#8217;re likely to think what you did was pure genius.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-your-examiner-a-friend-or-foe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does GRC scale to size?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-grc-scale-to-size/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-grc-scale-to-size/#comments</comments>
		<pubDate>Tue, 08 Mar 2011 16:58:56 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=643</guid>
		<description><![CDATA[GRC doesn't necessarily mean less work (though that's likely) but it always results in an institution working smarter, not harder.  And in those GRC projects in which I've participated there was clearly an improvement in the value the company derived from its audit and compliance work.  Regardless of the size and complexity of an organization that has to hold appeal to its management.]]></description>
				<content:encoded><![CDATA[<p>We were having an internal conversation this past week about governance, risk, and compliance (GRC) and I was asked about <a href="http://searchitchannel.techtarget.com/feature/Cloud-compliance-management-solutions-in-use-at-small-banks-credit-unions" target="_blank">its role in the small and mid-sized community banking space</a>. The question, to be more specific, was did I think that GRC would work for smaller institutions whose business infrastructure wasn&#8217;t nearly as complex as the larger ones that typically are at the forefront of such initiatives.</p>
<p>I couldn&#8217;t spit out my &#8220;yes&#8221; answer fast enough. Not only did I think it would work for scaled down institutions, in some ways I thought its impact would be more dramatic.</p>
<p>GRC at its core is really just about coordinating the related disciplines so that economies of scale are realized where applicable and ensuring that all three work with and not against one another. While some of my fellow practitioners are all too happy to bury that simplified interpretation under a deluge of formulas and/or related methodologies, I prefer to keep things simple. I do so because the only way GRC works at an institution is if it receives the full support from the C-level community (tone-at-the-top is a must), and if you make the message difficult to understand, well, no one understands it.</p>
<p>So the question begs to be asked; why wouldn&#8217;t a CEO/CFO/COO be interested in applying a methodology that would allow their institution to address compliance in a way that encourages efficiencies and reduced effort? The answer of course is that they would be interested, likely very interested. The problem is that for the small and mid-sized banking space no one is offering or marketing GRC in any measurable way and so business continues as usual.</p>
<p>As it stands right now, most conduct the related GRC work in a one-off fashion. They schedule audits to occur based on when they were last conducted and independent of a recent risk assessment. They schedule Board review and approval of the various policies at the same time each fiscal year regardless of whether the related audit and compliance activities have occurred to validate their effectiveness. As for risk assessments, those typically only occur if they&#8217;re required and almost never happen as part of an overall strategy. Then there&#8217;s almost always a mad scramble before each of the exams trying to pull everything together.</p>
<p>But think about how applying the principles of GRC would benefit a smaller institution. Imagine if all of the work required over the balance of a year is organized so that the activities work together and are timed so that one feeds into the next. Imagine if they kick off the compliance cycle by conducting the various risk assessments that are either required or recommended and use the output to adjust their audit plan so that they&#8217;re testing what needs to be tested. Consider how effective their efforts would be if at various points along the way they assessed these activities against what&#8217;s required to ensure that where applicable they&#8217;re tied together. How much stronger would a financial institution&#8217;s risk posture be if, when senior management and the board of directors signed off on the various elements, it conveyed more than a tacit approval of the work; what if their acceptance was more than a required step to appease the examiners and actually allowed them to make informed decisions?</p>
<p>GRC solves a different set of problems for scaled down institutions than those encountered in the larger ones. It requires that a true plan be developed to coordinate the related activities, something that&#8217;s often missing in smaller banks and credit unions. It allows for a review of these activities to both understand their interdependencies and identify reusable artifacts and test steps, which just about never happens because no one has time to spare to do such things. It also allows management to achieve a holistic view into these activities, thus affording them a chance to make corrections when or where necessary and before they become a bigger issue waiting to be discovered by an examiner. Perhaps the best byproduct of applying GRC is that it allows your institution to avoid the all-too-common mad scramble leading up to an exam. If you can demonstrate to an examiner that a required activity isn&#8217;t scheduled to occur until later in the year, show them the plan and provide evidence that it&#8217;s being adhered to, they typically consider that a valid response. So instead of pulling the late nights and long weekends trying to update documentation or conducting assessments, you can wait to do the work when it&#8217;s scheduled to happen.</p>
<p>GRC doesn&#8217;t necessarily mean less work (though that&#8217;s likely) but it always results in an institution working smarter, not harder. In those GRC projects in which I&#8217;ve participated, there was clearly an improvement in the value the company derived from its audit and compliance work. Regardless of the size and complexity of an organization, that has to hold appeal to its management.</p>
<p>GRC is not a one-size-fits-all solution, it&#8217;s a one-size-fits-all concept. Regardless of whether you&#8217;re a single branch CU or a global bank it&#8217;s a concept that will work if only you give it a chance.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-grc-scale-to-size/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hidden information security threats are still threats</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/hidden-security-threats-are-still-threats/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/hidden-security-threats-are-still-threats/#comments</comments>
		<pubDate>Fri, 01 Oct 2010 19:41:53 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[personally identifiable informaiton]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[security PII]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=494</guid>
		<description><![CDATA[We'll read about huge PCI-related disasters where millions of credit card numbers have potentially been stolen.  We'll see stories on the news about how a laptop has gone missing with hundreds of thousands of accounts containing social security numbers.  We'll read about how criminals are piggy-backing card reader devices on legitimate ATM's to grab your credit and bank card data.  But no one can ever recall hearing about any identity thefts cases where the information involved was found to be harvested from just such a device.  And odds are you're never going to]]></description>
				<content:encoded><![CDATA[<p>Growing up I was a huge fan of the sitcom &#8220;The Odd Couple.&#8221;  Some of my favorite catch phrases have in some part been influenced by lines of dialogue that I memorized.  One in particular serves as the best pure definition for a phenomenon I encounter frequently enough in my audit/compliance career: &#8220;What you don&#8217;t know can hurt you a whole lot.&#8221; I can still hear the line being uttered and remember laughing because even as child I thought the phrase that inspired the line, &#8220;What you don&#8217;t know can&#8217;t hurt you&#8221; was pretty dumb. All these years later, I&#8217;ve collected an impressive body of evidence to support my opinion.</p>
<p>So when the FDIC recently issued <a href="http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid185_gci1520280_mem1,00.html">new guidance</a> titled &#8220;Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers&#8221; (FIL-56-2010), I was reminded once again of this favorite phrase of mine.</p>
<p>It&#8217;s important to explain that my first foray into audit allowed me to work with arguably the best auditor I&#8217;ve ever met.  I was taught to question everything and assume it was in scope until proven otherwise, and I was encouraged to trust and follow my instincts.  And so fairly early in my regulatory career when I first started to search out the myriad threats to personally identifiable information (PII), all sorts of things landed on my radar screen.  Accordingly, for nearly a decade I&#8217;ve been advising clients on the threats posed by what are typically thought of as secondary devices or peripherals.  Financial institutions will spend all sorts of crazy money to protect servers and storage devices but completely ignore multifunction devices that copy, scan, fax and email just about any document imaginable and often retain those images in memory.  They&#8217;ll have surprise desktop audits where someone will spot check work spaces to see if PII has been properly secured but will walk past the copier room time and again and ignore what lies in the output trays.  Our practice has long advocated for related control activities to remove this remarkable blind spot but year over year we return to our clients and find that little has changed.</p>
<p>And so the question needs to be asked: Why?</p>
<p>The answer is very likely found in the fact that no known breaches or cases of identity theft have ever been tied back to information gleaned from a peripheral device.  We&#8217;ll read about huge PCI-related disasters where millions of credit card numbers were potentially stolen.  We&#8217;ll see stories on the news about how a laptop has gone missing with hundreds of thousands of accounts containing Social Security numbers.  We&#8217;ll read about how criminals are piggy-backing card reader devices on legitimate ATMs to grab your credit and bank card data.  But no one can ever recall hearing about any identity theft cases where the information involved was found to be harvested from just such a device.  And odds are you&#8217;re never going to.</p>
<p>The amount of information to be gleaned from peripheral devices is relatively small.  All but a few of them can only retain a modest amount of data and so you&#8217;re not going to find much more than a few dozen opportunities per device.  If someone within an office is aware of this treasure trove of information and is skimming it off and either using it or selling it, how would you know?  How would you be able to develop the trend (remember that very few people file police reports when they discover that their identity has been stolen or accounts accessed)?  So there isn&#8217;t a whole lot of investigating going on.  And if someone at either the equipment reseller or company warehouse is collecting the information and using it for illegal purposes, how would anyone know?  We&#8217;re not talking about thousands of accounts or individuals from any one company or institution; it&#8217;s more like a patchwork collection.  You would only be able to find a trend if you went looking for it, and you would only go looking for it if you had a credible reason to do so.</p>
<p>But here&#8217;s the thing; I&#8217;ve thought about this information being readily available and difficult to trace and I&#8217;m an honest man and one of the good guys. Don&#8217;t you think the bad guys have this figured out as well?</p>
<p>So it will be interesting to see how or if the banking industry reacts to this bulletin.  It&#8217;s been my experience that these things go largely unheeded until an examiner applies a little pressure.  I suppose way too many financial institutions are happy enough to apply the &#8220;what you don&#8217;t know can&#8217;t hurt you&#8221; logic. Not me.</p>
<!-- wpms-network-global-inserts -->]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/hidden-security-threats-are-still-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Accountability key to banking recovery</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/banking-industry-to-heal-thyself/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/banking-industry-to-heal-thyself/#comments</comments>
		<pubDate>Wed, 30 Sep 2009 19:34:30 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[DIF]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=196</guid>
		<description><![CDATA[Every day, I receive a semi-deluge of industry related emails.  Between the various agencies, media sites, organizations and associations I tend to receive more communiqués than I know what to do with.  But I developed an interesting habit last year when the banking industry first started its tailspin dive by making certain to read every [...]]]></description>
				<content:encoded><![CDATA[<p class="MsoNormal"><span>Every day, I receive a semi-deluge of industry related emails.  Between the various agencies, media sites, organizations and associations I tend to receive more communiqués than I know what to do with.  But I developed an interesting habit last year when the banking industry first started its tailspin dive by making certain to read every single issuance from the FDIC. </span></p>
<p class="MsoNormal"><span>Going back to at least last September I have read and saved each and every one of them (several hundred I might add).  I’m sure some of my peers will beg to differ, but for me this is where anyone in the industry should’ve been looking during the crisis for the best indicators of what’s going on.</span></p>
<p class="MsoNormal"><span>Yesterday, I was glad for this somewhat addictive habit of mine.  For what may be the very first time since Lehman went belly-up, I may have found the first true concrete piece of evidence that we’re on the road to recovery, if only in some small way.</span></p>
<p class="MsoNormal"><span>The FDIC agency alert yesterday <a title="FDIC release" href="http://www.fdic.gov/news/news/press/2009/pr09178.html" target="_self">announced plans to bolster the Deposit Insurance Fund</a> (DIF) by requiring insured institutions (mostly the banks you and I know) to prepay on their quarterly premiums so that the fund remains viable and liquid through the still unfolding resolution of the banking mess.  And that’s significant because unlike a year ago, this time around the plan calls for the industry to take responsibility for itself and not go running to Capitol Hill for help, an option FDIC Chairman Sheila Bair has denounced on several occasions. </span></p>
<p class="MsoNormal"><span>Here’s what Bair had to say in the announcement:</span></p>
<p class="MsoNormal"><span>&#8220;The decision today is really about how and when the industry fulfills its obligation to the insurance fund. It&#8217;s clear that the American people would prefer to see an end to policies that look to the federal balance sheet as a remedy for every problem. In choosing this path, it should be clear to the public that the industry will not simply tap the shoulder of the increasingly weary taxpayer. This proposal is a vote of confidence for the banking industry&#8217;s resilience, and it will continue to recover its strength as we work through the significant challenges ahead.&#8221;</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>The reason for my optimism is that this action shifts control back to the banking sector to fix its own mess.  It puts greater emphasis on each individual institution to fulfill its obligations to the DIF in advance of using those same funds for more traditional activities commonly associated with generating profits.  I think accountability is necessary, if not essential, to repairing the damage inflicted on the industry and repairing its reputation with depositors, investors and borrowers (something the NCUA had figured out much sooner).  And so I’m feeling a little better about where we’re heading, economically speaking.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Oh, and <span><span>Comptroller of the Currency John C. Dugan (that’s the OCC head honcho in case you didn&#8217;t recognize the handle) agrees with me.  Mr. Dugan said of the FDIC plan: “The actions we are taking today represent a balanced approach to raising needed money for the deposit insurance fund without impairing the ability of our banks and thrifts to support economic recovery.</span></span><span>”  He added, “I think this is a very positive proposal. The staff did an excellent job, and I support the way you handled it”.</span></span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>I&#8217;d like to chalk it up to “great minds think alike.”</span></p>
<p class="MsoNormal"><span> </span></p>
<p><span>By the way, if anyone knows of a Sheila Bair Fan Club or is thinking of starting one, I’d appreciate it if you would let me know.  She won my admiration last year (no surprise to my regular readers) and has routinely found ever more ways to score points with me.  She continues to step up and talk straight, smart and to the point about what&#8217;s going on with the banks and what to do about it.  I look forward to the President acting on the banking reform plans announced earlier this year, and I sincerely hope he puts Bair in charge of the new entity.</span></p>
<p>For now, though, I have to go; seven more FDIC email alerts have landed in my inbox and I need to check &#8216;em out.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/banking-industry-to-heal-thyself/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
