IndyMac: The Inside Story of a Bank Failure and Rebirth

Security VP Offers Scoop on Institution's Transition to New Banking Model
IndyMac: The Inside Story of a Bank Failure and Rebirth
This was the closure that got everybody's attention.

It was back in July 2008 when IndyMac Bank, a $32 billion asset Pasadena, CA-based institution, was closed by its federal regulator, the Office of Thrift Supervision (OTS), and then reopened the following Monday as the IndyMac Federal Savings Bank. The transition was all over the national news, including memorable scenes of customers making a run on the bank to claim their deposits.

Following the closure, the bank was then run by the FDIC acting as its overseer for the next five months while it made tectonic shifts in its loan portfolio and business model, then sold to private investors.

Sean Wright, Vice President of Enterprise Information Security for IndyMac, worked through the bank's takeover by the FDIC and shares the story of the bank's failure, work through and rebirth as a new institution.

Wright joined IndyMac in June 2007 and says now that the past year was a huge challenge, but also a great learning experience. "The fact that we were able to make it out through to the other side and are still alive to tell about it is a good thing," Wright says.

Beginning of the End for IndyMac

Early in 2008, the Office of Thrift Supervision (OTS) came in and did its annual audit and "felt that IndyMac wasn't stable enough to maintain itself as a viable bank and still protect the best interests of its customers," Wright recalls. "So at that point the OTS made the recommendation to the FDIC to take over IndyMac, and essentially move IndyMac bank out into bankruptcy as a shell."

The FDIC then set up a new IndyMac federal savings bank that would shelter the patrons of the company (the depositors). At that time, the FDIC basically split the bank up into two pieces, Wright explains, one being the conservatory, one being the repository. The bank moved as many of the bad assets as it possibly could into the receivership, and moved all the good assets into the conservatory. The conservatory was the portion of the bank that was sold to Dune Capital Wright Management back in January. Dune has renamed the bank OneWest Bank.

Dune acts as a consortium and is made up of a group of investors, including J.C. Flowers and other private investors. Branding to the new OneWest Bank name hasn't taken place yet. "All of this was finalized at the end of March," Wright says.

Phoenix Rising From Ashes

When asked to describe the new bank, Wright says OneWest Bank is the phoenix that is rising from the ashes of IndyMac, and it will be a different bank with a different direction. "We (IndyMac) went through a unique scenario. Over the last couple of years, the FDIC has taken over about 50 different banks, and every single one of them with the exception of IndyMac has gone directly into a receivership, so they basically just took the bank over, got rid of all the bad assets and then just basically liquidated the company," Wright explains. This is the approach that the FDIC took across the board, "but with IndyMac it was different, it was almost an experiment for the FDIC," he says.

When the FDIC took over IndyMac it definitely had a different intention for the company. The intent was to take a bank that was somewhat unstable, but still salvageable. Regulators saw IndyMac was very entrenched in mortgage banking, says Wright. The FDIC saw there was a viable part of the company that could be brought back out of this bankruptcy. "What we began to do with them was develop a kind of protocol or standard for loan modifications."

Security Team Impacted by Takeover

The security department was impacted by positions that were removed after the takeover. The headcount in the department was reduced about 20 percent, Wright notes. "However our services from outside vendors increased, and today we are actually getting better coverage at a lesser cost."

Consolidation and resource management is a key focus under the bank's new ownership. As a result the security department had to look at a ways to better leverage resources. "We saw the benefits of developing and implementing a cross-matrixed organization," he says. "Through the implementation of the cross-matrixed organizational structure, towers have been combined, and new groups have been formed." In Wright's area, his team successfully combined IT Security, Compliance and Identity and Access Management to become more efficient and to streamline existing processes.

Throughout the transition, given the public news about IndyMac, it was challenging to keep existing staff motivated and on target. "We have a real challenge to reenergize our employees, and it starts with our new ownership. Our new owners bring a wealth of banking knowledge, expertise and a proven track record of success that we can all look forward to in the future as OneWest Bank matures, finds its course and emerges as a leader in the space," he says.

Under the oversight of the FDIC, all employees were motivated through individual retention plans based on goals and performance, which was a good way to get the employees to stick through the "tough times". Now Wright's team and the other areas of the bank are working on developing individual employee growth, career management and compensation plans that are in line with the workers responsibilities.

Confidence Increased

Other than the consolidation and reorganization not much has really changed for the staff, notes Wright. He sees the biggest changes have come in the amount confidence of all the employees now have successfully working through the unchartered waters of a true FDIC takeover. "There is a tremendous sense of self-satisfaction knowing that we are the only group of employees in the financial banking space that have truly worked through a bank closure, including quickly shifting direction in order to meet the demands of the FDIC, taking on all the M&A activities and successfully seeing our company return to the private sector under new ownership. Honestly, I don't think there are any individuals on the planet other than our team here that have gone full circle with the FDIC that can now take that experience and apply it to any financial institution."

Added Security Risks Answered

When the FDIC took over, the security team was given instructions that they (FDIC) would need to have open access to everything in the environment. This meant access to not only file rooms, but access to digital essence. "As you could imagine, this posed a significant risk since all information was now accessible with elevated privileges and access rights to users who were not IMB employees," he notes.

IndyMac and now One West Bank has always been a target of Phishing, SpearPhishing, Social engineering and ID Theft/Fraud. Wright and the information security team have been able to (as in the past) thwart these types of activities. "We have been very diligent with our Security Awareness programs and continual compliance training. We are actually required by the FDIC and OTS to have a Compliance and Awareness program in place which continually educates our staff to look out for these types of activities," he says. Wright doesn't see the "takeover" by the FDIC increased the amount of instances of attempted security breaches as a whole.

New Loan Modification Program Developed

Re: IndyMac's new approach to loans: Is this the same loan modification program espoused by President Barack Obama? IndyMac Bank set the standard for that loan modification program that the government is talking about, Wright explains.

This entails working with existing customers that may be in danger of defaulting on their mortgage or may need to rework their mortgage requirements.

Now many other banks are adopting the standard that IndyMac created, and Wright believes that's really the reason why the FDIC took over the institution the way it did. "We were very unique, where we didn't just get taken over, or absorbed, or liquidated; they actually held on and created this environment where we could then become more of a servicing company, rather than an origination company."

New Direction for Bank

As a result, the new bank that has been created is no longer originating loans, Wright says, "We're only servicing the loans, and now we are building out the banking component." The agreement made with the FDIC is that the bank will be taking the assets of existing banks that they may be closing and looking at their portfolios to service loan term. The bank would then potentially modify the toxic assets or the toxic loans in those new portfolios.

It's an interesting approach that was completely different, but the outcome was something Wright sees as a positive for the economy overall. He sees that the bank is able to come out on the other side with something that it could offer to customers -- and not just from IndyMac, but other banks that may be in trouble, something that could help homeowners stay in their homes, and standardize a program that all other banks will be using moving forward.

Thus far the new bank is servicing $200 billion in loans, and Wright sees this number will only grow. The bank's model now is to: Acquire new banks, grow out the banking business, and grow out the loan servicing business.

As part of the bank's loan servicing business, it is looking to the FDIC when it goes through bank closures, to offer the chance to bid on the loan portfolios that are considered good assets. "We already have this loan modification program in place and we can reach out to those individuals who are experiencing problems and help them keep their homes," he explains.

FDIC's 10-Year Transition

The transition between being fully run by the FDIC and the move to a conservatorship under the private investment company keeps the bank answerable to the regulator for the next 10 years. This means that if the bank wanted to get rid of a core application, it can't just get rid of it, it has to get approval through the FDIC. Wright notes that the FDIC has the oversight to go in at any point in time and say "We need this data, or we need access to this system, or whatever the request is, and as a result we really aren't able to make any changes without first consulting with them, it is part of the contract."

This will require OneWest Bank to retain data, including all the data from IndyMac Bank's history for the next 10 years, including the applications that would access the data. The support around that infrastructure becomes very costly, he explains. There isn't an estimated cost yet for the additional information storage requirements, he adds, but is comparable to costs related to e-Discovery compliance. Information has to be readable, it has to be trackable, it has to be auditable, and it has to be managed in a way that all of the specific controls are in place, he says.

Automated Tools Help Workload

One of the positive points Wright saw was the use of automated tools in handling the threat modeling that was required because of workforce reductions. When Wright began at IndyMac in 2007, it had more than 11,000 employees. It now operates with 2,000 employees and around 700 contractors. "The threat modeling component is being handled well by this tool," he says. "It gives us visibility into whether or not something could be exploitable or not."

This will come in good use when OneWest Bank begins acquiring other banks, Wright says. "We have to really understand our landscape, and threat modeling tools have really given us that ability to understand what our landscape is. We can go through and very quickly identify systems that could potentially be reused, or systems that could be taken down without any adverse affect on the rest of the network, or potentially network segments that could be shut off or reduced."

Without a tool like this it would be "very difficult for us to get a very quick snapshot of what we have out there. Not just from an asset perspective, but also just from a like a topology environment perspective," Wright says.

For Wright's department, the transition to the brick and mortar bank and the move away from a mortgage bank has made the job a bit easier, mainly because the new owners are more risk averse. "The new owners are well-proven, seasoned veterans in banking and financial services. "As a part of that, risk is not something they like to assume if they don't have to. It's like risk is a four-letter word to them."

One of the key focus areas is going to be acquisition, so Wright's group will focus more on how integration works. "Using our existing tools to help us with that integration, understanding what the other bank has, will help us know their landscape very quickly and get them integrated faster into our environment."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.