The Office of the Comptroller of the Currency (OCC) has issued for public comment proposed guidelines (Guidelines) to establish minimum standards for risk management governance at large insured national banks, insured federal savings associations, and insured branches of non-U.S. banks (Banks). The proposed Guidelines would generally apply to any such institution that has average total consolidated assets of $50 billion or more, measured over the four most recent consecutive quarters.
The Guidelines are yet another step in what is becoming a codified corporate governance framework for banking organizations that are deemed systemically significant, like the enhanced prudential standards proposed by the Board of Governors of the Federal Reserve System and the granular governance and compliance framework mandated by the final Volcker Rule.
The Guidelines — which would be enforceable against OCC-regulated banking institutions through supervisory action and, potentially, public orders and civil money penalties in the worst case — are yet another demonstration that, after the Financial Crisis, regulators are no longer willing to allow large banking organizations significant leeway to design their own risk management and corporate governance frameworks.
The Guidelines mandate separate responsibilities for a Bank’s board of directors (Board), chief executive officer (CEO), so-called “front-line” units, and independent risk management and internal audit functions. The Guidelines deem it critical that the risk management and internal audit functions have access to a Bank’s Board or appropriate Board committee, in order to check excessive risk-taking by management and front-line units.
New Responsibilities for the Board of Directors
Under the Guidelines, a Bank’s Board would have the following responsibilities:
- The Board should have at least two independent directors. By “independent,” the Guidelines mean a director that is not a member of a Bank’s management or that of its parent holding company.
- The Board should establish and implement an effective risk governance framework (“Framework”) that complies with the Guidelines. Any changes to the Framework should be approved by the Board or the Board’s risk committee.
- The Board should hold front-line units, risk management and internal audit responsible for their respective obligations under the Framework and ensure that each such unit has the necessary “stature” and resources to carry out its responsibilities under the Framework.
- The Board, as a risk matter, should present a “credible challenge” to management, by actively overseeing the Bank’s risk-taking activities and holding management accountable for adhering to the Framework.
- The Board should “critically evaluate” management’s recommendations and decisions, and oppose those decisions if they would cause the Bank’s risk profile to exceed the Bank’s risk appetite or threaten the Bank’s safety and soundness.
- The Board should intervene if there are recurring breaches of risk limits or actions that cause the Bank’s risk profile materially to exceed its risk appetite — as this may be evidence that management is not adhering to the Framework.
- The Board should establish and adhere to a formal, ongoing training program for its independent directors; the program should include training on products, services, lines of business and risks that are significant for the Bank as well as applicable laws, regulations and supervisory requirements.
- The Board should conduct an annual self-assessment that includes an evaluation of the Board’s effectiveness in meeting the Guidelines’ requirements.
- The Board or a Board committee should hire, and establish reliable succession plans for, a CEO and direct reports to the CEO with the necessary skills to design and implement an effective Framework.
- The Board or a Board committee should oversee the talent development, recruitment, and succession planning processes for individuals two levels down from the CEO.
- The Board should approve the CEO’s strategic plan (Strategic Plan) and the Bank’s risk appetite statement (Risk Appetite Statement).
- The Board or a Board committee should (i) hire one or more Chief Risk Executives (CREs) and a Chief Audit Executive (CAE); (ii) establish reliable succession plans for the CRE and CAE; and (iii) oversee the talent development and succession planning for independent risk management and internal audit.
- The Board, itself, or through its committees, should grant “unfettered access” to the independent risk management function and internal audit. The OCC deems such “unfettered access” to the Board to be “critical” in ensuring the integrity of a Bank’s Framework.
Responsibilities of the Chief Executive Officer
Like the Board, the CEO is responsible for holding each unit responsible for its obligations under the Framework. In addition, the CEO is responsible for developing a written Strategic Plan for the Bank, with input from front line units, independent risk management and internal audit.
At a minimum, the Strategic Plan should cover a three-year period and should contain a comprehensive assessment of risks affecting the Bank during that period, articulate an overall mission statement and strategic objectives for the Bank and include an explanation of how the Bank will achieve those objectives. In addition, the Strategic Plan should include an explanation of how the Bank will update its Framework to account for changes in the Bank’s risk profile projected under the Strategic Plan.
The CEO is also responsible for overseeing the day-to-day activities of the CAE and CRE, including budget and management accounting, human resources administration, internal communications and information flows, and administration of relevant policies and procedures.
Responsibilities of “Front-Line” Units
The Guidelines define “front line units,” the units that create risk for a Bank, as any organizational unit within a Bank that:
- engages in activities designed to generate revenue for the Bank or its parent company;
- provides services, such as administration, finance, treasury, legal, or human resources, to the Bank; or provides information technology, operations, servicing, processing, or other support to any organizational unit covered by the Guidelines.
Front-line units are responsible for managing — or, in the OCC’s parlance, “owning” — all risks associated with their activities. They are to assess, on an ongoing basis, the material risks associated with their activities and use these risk assessments to determine whether action is needed to strengthen risk management or reduce risk given changes in a unit’s risk profile. In addition, they are to establish and adhere to a set of written policies that include front-line risk limits designed to ensure that the risks of their activities are effectively identified, measured, monitored and controlled.
Responsibilities of Independent Risk Management
Under the Guidelines, “independent risk management” includes any organizational unit within the Bank that has responsibility for identifying, measuring, monitoring, or controlling aggregate risks. It is to be led by a CRE who reports to the CEO, is to be independent of the front-line units and internal audit, and should have the following duties:
- Independent risk management is to ensure that risks are assessed independent of the Bank’s CEO and front-line units.
- Independent risk management is to take primary responsibility for designing the Framework, which should be commensurate with the Bank’s size, complexity, and risk profile.
- Independent risk management is to identify and communicate to the Board or the Board’s risk committee material risks and significant instances where its assessment of risk differs from the CEO, and significant instances where the CEO is not adhering to, or holding front-line units accountable for adhering to, the Bank’s Framework.
Responsibilities of the Internal Audit Function
A Bank’s internal audit function should maintain its independence from the Bank’s front-line and risk management units. Internal audit is to be led by the CAE, who reports to the Bank’s CEO, and it is responsible for ensuring that the Bank’s Framework complies with the Guidelines and is appropriate for the Bank’s size, complexity, and risk profile. Internal audit is also responsible for designing and implementing an audit plan, and maintaining a complete and current inventory of all the Bank’s material businesses, product lines, services, and functions, so that it may assess the risks associated with each.
The audit plan should rate the risk presented by each front line unit, product line, service, and function, including activities that the Bank may outsource to a third-party. The Guidelines state that a Bank’s audit plan should be updated at least quarterly and should take into account the institution’s risk profile as well as emerging risks and issues. All changes to the audit plan should be communicated to the Board’s audit committee.
In addition, internal audit should report in writing to the Board’s audit committee conclusions, issues, and recommendations resulting from the audit work carried out under the audit plan. The reports should include objective measures that enable the identification, measurement and monitoring of risk and internal control issues, and should include comments on the effectiveness of front-line units in identifying excessive risks and issues.
Internal audit should establish and adhere to a process for independently assessing the design and effectiveness of the Framework, which should be done at least annually. The assessment should include a conclusion about the Bank’s compliance with the Guidelines and the degree to which the Bank’s Framework is consistent with leading industry practices. Internal audit should also communicate to the Board’s audit committee significant instances in which front line units or independent risk management are not adhering to the Framework.
Bank Risk Profiles
A Bank’s Framework is based on its “risk profile” — a “point-in-time assessment of the [B]ank’s risks, aggregated within and across each relevant risk category,” using methodologies consistent with the institution’s “risk appetite statement.”
In cases in which a Bank’s risk profile is substantially the same as its parent bank holding company, and the Bank has demonstrated “through a documented assessment” that its risk profile and its parent company’s risk profile are substantially the same, the Bank may use its parent company’s risk governance framework to satisfy the Guidelines. The Guidelines, however, impose an extremely high standard of when a parent company and Bank risk profile are considered substantially the same — if, as of the most recent quarter-end call report, the following conditions are met:
- The bank’s average total consolidated assets represent 95% or more of the parent company’s average total consolidated assets;
- The bank’s total assets under management represent 95% or more of the parent company’s total assets under management; and
- The bank’s total off-balance sheet exposures represent 95% or more of the parent company’s total off-balance sheet exposures.
A Bank that does not satisfy this test can submit an analysis to the OCC demonstrating a substantially similar risk profile based on other factors.
If the parent company’s risk profile is not substantially similar, the Bank is required to develop its own Framework. Although certain components may be borrowed, the Bank’s Framework should ensure that the Bank’s risk profile is easily distinguished for risk management and supervisory reporting purposes.
The Guidelines further emphasize that, to “preserve the sanctity of the Bank charter,” assets and businesses should not be transferred into a Bank from nonbank entities without proper due diligence, and that a parent company should not establish complex booking structures that threaten the safety and soundness of its bank subsidiary.
Minimum Standards for Risk Governance Framework
Under the Guidelines, a Bank must establish and adhere to a formal, written Framework that covers the following risk categories that apply to the Bank: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk. Banks may choose to categorize underlying risks in a different manner than these eight categories, but regardless of a how a bank categorizes its risks, the required Framework must appropriately cover risks to the Bank’s earnings, capital, liquidity, and reputation that arise from its activities.
Bank Risk Appetite Statements
A Bank must have a comprehensive written statement that articulates the Bank’s risk appetite and serves as a basis for the Framework. The Guidelines define the term “risk appetite” as:
- The aggregate level and types of risk that the Board and management are willing to assume to achieve the Bank’s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.
The Risk Appetite Statement should include both qualitative components and quantitative limits.
Qualitatively, the Statement should describe a safe and sound “risk culture” and how the Bank will assess and accept risks on a consistent basis. The Guidelines state that it is critical to set “an appropriate tone at the top,” and therefore the Statement should articulate the “core values” that the Board and CEO expect employees to share. The Guidelines also set forth the OCC’s view of a sound risk culture, which includes:
- Open dialogue and transparent sharing of information between front line units, independent risk management, and internal audit
- Consideration of all relevant risks and the views of independent risk management and internal audit in risk-taking decisions
- Compensation and performance management programs and decisions that reward compliance with the core values and quantitative limits, and hold accountable those who do not conduct themselves in a manner consistent with these articulated standards.
As for quantitative limits, they should incorporate sound stress testing processes, as appropriate, and should address the Bank’s earnings, capital, and liquidity positions. Although the Guidelines permit a Bank to set such limits on either a gross or net basis that takes into account appropriate capital and liquidity buffers, they state that limits should not be based on lagging indicators: rather, the limits should be set at levels that prompt management and the Board to manage risk proactively. For this reason, analyzing performance under various adverse scenarios is encouraged. Although Bank risk limits can be designed as thresholds, triggers, or hard limits, the OCC views thresholds and triggers that prompt discussion and action before a hard limit is reached or breached as “useful tools.”
The Framework should also include concentration risk limits, and, as applicable, risk limits for each front-line unit to ensure that those units do not create excessive risks. When aggregated across all such units, the risks should not exceed the limits established in the Bank’s Risk Appetite Statement. In addition, concentration risk limits and front-line risk limits may also need to be established for legal entities, units based on geographic areas or units based on product lines.
The Guidelines propose the following requirements:
- Review and approval of the Risk Appetite Statement by the Board or Board’s risk committee at least annually or more frequently, based on the size and volatility of risks and any material changes in the Bank’s business model, strategy, risk profile or market conditions.
- Initial communication and ongoing reinforcement of the Risk Appetite Statement throughout the Bank to ensure that all employees appropriately align their risk-taking activities.
- Independent risk management to monitor the Bank’s risk profile in relation to its risk appetite and compliance with concentration risk limits and to report such monitoring to the Board or Board’s risk committee at least quarterly.
- Front-line units and independent risk management to monitor their respective risk limits and to report to independent risk management at least quarterly.
- When necessary due to the level and type of risk, independent risk management to monitor front-line units’ compliance with front-line unit risk limits, and to report any concerns to the CEO and the Board or risk committee, at least quarterly.
- Monitoring and reporting should be performed more often, as necessary, based on the size and volatility of the Bank’s risks and any material change to its business model, strategy, or risk profile.
Risk Limit Breaches
With respect to breaches of risk limits, a Bank should establish and adhere to processes that require front line units and independent risk management to identify any breaches of the Risk Appetite Statement, concentration risk limits, and front-line unit risk limits, distinguish identified breaches based on the severity of their impact, and establish protocols for when and how to inform the Board, front line management, and the OCC of breaches.
The OCC notes that “[d]uring the financial crisis, it became apparent that many banks’ IT and data architectures were inadequate to support the broad management of financial risks.” Many banks, the OCC stated, “lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank level, across business lines, and among legal entities.” As a result, the OCC now expects banks to have “risk aggregation and reporting capabilities that meet the Board’s and management’s needs for proactively managing risk and ensuring that the Bank’s risk profile remains consistent with its risk appetite.”
In addition, a Bank’s front line units and independent risk management should incorporate risk limits into their strategic and annual operating plans, capital stress testing and planning processes, product and service risk management processes, decisions regarding acquisitions and divestitures and compensation performance management programs.
Enforcement of the Guidelines
The OCC proposed the Guidelines pursuant to Section 39 of the Federal Deposit Insurance Act (FDIA), which authorizes the OCC to prescribe safety and soundness standards in the form of a regulation or guidelines. If a national bank, federal savings association, or insured branch of a non-U.S. bank fails to meet a standard in the Guidelines, the OCC may, in its discretion, require the Bank to submit a plan specifying how it will achieve compliance. If the OCC requests a compliance plan, a Bank must generally submit a plan for approval within 30 days.
If the Bank fails to submit an acceptable plan, or materially fails to comply with a plan approved by the OCC, the OCC may issue a public order deeming the institution to be in noncompliance. Noncompliance may also be punished with a civil money penalty under 12 U.S.C. § 1818.
The Guidelines, with their detailed prescriptions, suggest that the OCC will continue to emphasize sound corporate governance processes as a means of ensuring prudent risk management. Although the OCC notes that certain of the Guidelines’ requirements have already been communicated informally via examinations and otherwise in the supervisory process, the fact that the Guidelines are being promulgated in a manner enforceable under the FDIA clearly indicates that the OCC will have much higher expectations for the future — and that large banking institutions will run much greater risks from non-compliance.
 Because of the “unique nature” of insured OCC-regulated branches of non-U.S. banks, the OCC reserved authority to modify the Guidelines as necessary to tailor their application to those entities.
 If a Bank’s independent director is also a member of the board of directors of the Bank’s parent holding company, she must consider the safety and soundness of the Bank when analyzing parent company decisions that affect the Bank’s risk profile.
 If internal audit reports to the Board’s audit committee, the audit committee or its chair would fill the CEO’s role with respect to the CAE.
 The audit committee should review and approve internal audit’s overall charter, risk assessments and audit plans, as well as all decisions regarding the appointment or removal and annual compensation of the CAE. It should also make appropriate inquiries of management or the CAE to determine whether there are scope or resource limitations impeding the ability of internal audit to execute its responsibilities.
 When a Bank’s risk profile is substantially the same as its parent company, the Bank’s Board may tailor the parent company’s Risk Appetite Statement to make it applicable to the Bank. A Bank’s Board, however, must approve the Bank-level statement and document any necessary adjustments or material differences between the Bank’s and parent company’s risk profiles.
The original memo was published by Gibson, Dunn & Crutcher LLP on January 30, 2014 and is available here.