Cliff Stanford, counsel in the firm’s Financial Services & Products Group, was quoted in Bank Safety & Soundness Advisor in an article titled “OCC Big Bank Risk Guidance a Rich Source for Small Bank Best Practices.”
The article discusses the OCC’s recently proposed NPR on heightened risk management expectations for banks, which sets standards for enterprise-wide risk management, and what lessons community banks can learn from the guidance document.
“With this NPR, the OCC is spelling out what has only previously been communicated through on-site exams and that’s a benefit for smaller bankers,” Stanford said. “This is more proscriptive, but that should be welcomed, because it lays out expectations that have been unclear in the past.”
“There has been a degree of uncertainty for banks under $50 billion as to what expectations really are,” Stanford added. “The way this has been communicated in the last few years is through supervisory communications, bank-by-bank.”
“So if you found yourself in front of the OCC or Federal Reserve or the FDIC, and they say, ‘You need to work on your risk governance,’ there was no baseline, no standard. But this [new OCC guidance] sets the standard,” he said.
Stanford added that smaller banks looking to benchmark their ERM to some kind of regulatory standard now have an official document to look to.
“I think, embedded within the expectations for strong, big-bank risk management, there’s an adequate or acceptable standard for smaller institutions,” Stanford said. “This does provide some clarity to banks trying to figure out what they’re supposed to do.”
In the NPR, the OCC clearly lays out a concept it calls the three lines of defense, which is the structure it wants big banks to use to manage risk across the enterprise.
“This is the first place I’ve seen this in bank regulatory guidance,” Stanford said. “This expectation has been discussed before in supervisory communication outside of written guidance.”
Stanford said smaller bankers shouldn’t worry about this specific, big-bank risk structure so much as the OCC’s preferred endgame.
“What [smaller bankers] should be thinking about is how does our board get risk information and how does the board respond to this information?” he said. “How can boards mount a credible challenge to management? Can the board ask risk questions and get answers? Can they demonstrate this in the context of board minutes?”
“The board has to have a view of bank risk,” he added. “It has to check management risk-taking. That is the concept of credible challenge, and the board has to be able to demonstrate that it has this – that it has the information and can show regulators that it’s doing it well.”