On October 11, 2023, the Federal Deposit Insurance Corporation (the “FDIC”) published in the Federal Register for comment a notice of proposed rulemaking to establish new guidelines (the “Proposed Guidelines”) for governance and risk management at FDIC-supervised insured depository institutions with $10 billion or more in consolidated assets (“covered institutions”).[1] The Proposed Guidelines would be issued as Appendix C to the FDIC’s standards for safety and soundness regulations in part 364 and would be enforceable under Section 39 of the Federal Deposit Insurance Act (the “FDI Act”).
The Proposed Guidelines aim to improve the safety and soundness of covered institutions through governance and risk management following the bank failures this past spring. The preamble, referring to the post-mortem evaluations of the Signature Bank and Silicon Valley Bank (“SVB”) failures conducted by the FDIC and the Federal Reserve Board (the “FRB”), notes that poor governance and risk management practices were contributing factors leading to the failure of those banks.[2]
The Proposed Guidelines are generally consistent with and draw from both the Office of the Comptroller of the Currency (the “OCC”)’s Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches (the “Heightened Expectations”)[3] and the FRB’s Regulation YY (the “Enhanced Prudential Standards”) and are intended to help harmonize interagency guidance. The Proposed Guidelines also would codify prior FDIC guidance and supervisory expectations, including regarding the role of the board of directors. As we note below, certain expectations set out in the Proposed Guidelines would exceed the Heightened Expectations in prescriptiveness and stringency, while others appear new. Notably, the Heightened Expectations apply to institutions with at least $50 billion in consolidated assets, and the risk management requirements of the Enhanced Prudential Standards apply to bank holding companies with consolidated assets exceeding $100 billion and foreign banking organizations with combined U.S. assets of $100 billion or more.
The Proposed Guidelines were released over the dissent of FDIC Vice Chairman Travis Hill and Director Jonathan McKernan. In his dissenting statement, Director McKernan opined that some of the Proposed Guidelines may “conflate the roles of board and management, preempt state corporate law, and potentially conflict with regulatory expectations applicable to parent companies.”
Comments on the Proposed Guidelines are due by December 10, 2023.
KEY TAKEAWAYS
Below we discuss some key takeaways from the proposal. The summaries included in these takeaways are not intended to be exhaustive.
Content of Proposed Guidelines
The Proposed Guidelines would set standards for corporate governance, risk management practices and board oversight. As discussed further below, there are some specific instances where a covered institution may borrow from its parent company’s risk management program or board to meet these standards.
A. Board of Directors
- Composition. The Proposed Guidelines set out minimum standards for board composition, requiring a majority of its members to be independent and outside directors (consistent with the FDIC’s guidance for applications for deposit insurance).[4] In terms of director independence between a covered institution and its parent company, where the business of a covered institution’s parent is consolidated predominantly in the covered institution, an independent director of the parent may also be an independent director of the covered institution, provided that the director is not a principal, member, director, officer or employee of any other institution or affiliates of the parent. The Proposed Guidelines also emphasize the importance of diversity and caution against excessive influence from a “dominant policymaker.”[5]
- Committees. The Proposed Guidelines also require boards to maintain a risk committee and compensation committee in addition to the audit committee required by Section 36 of the FDI Act and part 363 of the FDIC’s regulations. Risk committees would need to meet at least quarterly and maintain records of its proceedings, including risk management decisions. The Proposed Guidelines are unclear on the issue of whether the would-be requirement of an audit committee can be satisfied by the audit committee of a covered institution’s bank holding company (as is permitted under certain circumstances by part 363).
- Compensation Oversight. The Proposed Guidelines reflect the FDIC’s focus on board oversight of compensation programs, including through the requirement that a covered institution establish a dedicated, standalone compensation committee, and by requiring that the board adopt and oversee a Compensation and Performance Management Program.
- Policies and Board Approvals. The Proposed Guidelines envision a covered institution’s board taking an active role in establishing key components of the risk management program in addition to overseeing management. The board would approve a covered institution’s strategic plan and Code of Ethics, among other policies. While the FDIC’s Pocket Guide for Directors indicates that the board should ensure a bank has certain policies (including a Code of Ethics), it does not explicitly require approval of such policies by the board.[6] The Proposed Guidelines also require at least an annual review by the board of these policies. Additionally, the board would have to review and approve a covered institution’s risk appetite statement at least quarterly (or more frequently, as necessary, depending on the size and volatility of risks and any material changes in the covered institution’s business model, strategy, risk profile or market conditions). Notably, the Heightened Expectations require review of the risk appetite statement at least annually and only by the board’s risk committee.
B. Risk Management Program
1. Three Lines of Defense Model. The Proposed Guidelines would require covered institutions to adopt a three-lines-of-defense risk management framework with a front line unit (which is exclusive of a covered institution’s legal department), an independent risk management unit led by a Chief Risk Officer and an internal audit unit led by a Chief Audit Officer.
a. Director McKernan’s dissenting statement notes that “one interpretation [of the Proposed Guidelines providing only one Chief Risk Officer] is that the FDIC expects that all second-line risk management responsibilities, including with respect to compliance-risk management, would be overseen by the Chief Risk Officer and the Risk Committee.”[7] The Proposed Guidelines, if interpreted this way, “would preclude a separate compliance-risk function.”[8]
b. The Proposed Guidelines differ again from the Heightened Expectations in that they would require more responsibility on the part of the independent risk management unit, requiring that the unit ensure that the front line meets risk management standards and establish compliance procedures and processes.
2. Use of Parent Company Structure. The Proposed Guidelines would permit a covered institution to use all or part of its parent company’s risk governance framework to satisfy the Proposed Guidelines in instances where the covered institution has a substantially similar risk profile to its parent company, provided that (i) parent company decisions do not jeopardize the safety and soundness of the covered institution and the covered institution’s risk profile is easily distinguishable; and (ii) separate from that of its parent for risk management and supervisory reporting purposes.
3. Types of Risk to be Addressed in Risk Management Program. The Proposed Guidelines provide that the following risks would need to be covered and addressed in a covered institution’s risk management program: operational (including, but not limited to, conduct, information technology, cybersecurity, AML/CFT compliance and the use of third parties to perform or provide services or materials for the covered institution), strategic, credit, concentration, interest rate, liquidity, price, model and legal risk.
4. Focus on Data Architecture and IT Infrastructure. A covered institution’s independent risk management unit would need to establish policies, procedures and processes that provide for the design, implementation and maintenance of a data architecture and IT infrastructure that supports the covered institution’s risk aggregation and reporting needs both during normal and stressed times. Further, material risks, concentrations, breaches of risk limits and emerging risks would need to be reported in a timely manner to the board and the CEO.
C. Identifying and Reporting Violations of Law
- Internal Escalation. The Proposed Guidelines would require a covered institution’s board to establish processes by which personnel in front line and risk management units would identify, document and notify violations of law or regulation to the chief executive officer and the board’s audit and risk committees. The requirement for documenting and notifying violations of law and regulation in writing would be a new requirement not currently present in existing FDIC guidance (e.g., the FDIC’s Pocket Guide for Directors or the Heightened Expectations. Further, this requirement appears to directly address some of the observations made by the FDIC and FRB in their post-mortem reports regarding SVB.
- Reporting to Relevant Agency. The Proposed Guidelines would require the covered institution to timely report these violations to the agency with jurisdiction over those matters. This would represent a shift from the FDIC’s current practice of encouraging, but not requiring, self-reporting of violations.
D. Enforceability
Section 39 of the FDI Act provides that, in the event of a covered institution’s failure to abide by standards prescribed by guidelines, the FDIC may, in its discretion, require the covered institution to submit a plan for the FDIC’s approval detailing steps it will take to comply with such standards. The Proposed Guidelines and the Heightened Expectations share Section 39 as their basis for enforceability.
E. Questions
The FDIC asks multiple questions regarding the scoping of banks that should be subject to the Proposed Guidelines, including whether FDIC-supervised institutions with $10 billion or more in total consolidated assets is an appropriate threshold and whether other financial institutions should fall under the definition of a covered institutions. As mentioned above, comments are due by December 10, 2023.
ENDNOTES
[1] Guidelines Establishing Standards for Corporate Governance and Risk Management for Covered Institutions with Total Consolidated Assets of $10 Billion or More, 88 Fed. Reg. 70391 (Oct. 11, 2023).
[2] For more information on regulators’ post-mortem evaluations of the Signature Bank and SVB failures, please see our prior FinReg and FinTech Blog post, Key Takeaways from Bank Failure Reports (May 1, 2023), available here.
[3] OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations, 79 Fed. Reg. 54518 (Sept. 11, 2014).
[4] Applying for Deposit Insurance: A Handbook for Organizers of De Novo Institutions, Division of Risk Management Supervision (Dec. 2019), available here.
[5] The Proposed Guidelines would codify in regulation a concept already present in the FDIC’s “RMS Manual of Examination Policies – Management” (the “RMS Manual”), stating that “a dominant policymaker may inhibit the directors’ exercise of independent judgment or prevent the board from fulfilling its responsibilities.” 88 Fed. Reg., supra note 1, at 70405. Under the RMS Manual, examiners are expected to consider the risks associated with a “dominant management official.”
[6] Pocket Guide for Directors, FDIC (Dec. 13, 2007), available here.
[7] Statement by Jonathan McKernan, Director, FDIC Board of Directors, on the Proposed Guidelines Establishing Standards for Corporate Governance and Risk Management, FDIC (Oct. 3, 2023), available here.
[8] Id.
This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s memorandum, “Key Takeaways from the FDIC’s Proposed Guideline for Corporate Governance and Risk Management,” date October 19, 2023, and available here.