On January 16, 2014, the Office of the Comptroller of the Currency (OCC) proposed guidelines that would establish minimum standards for the design and implementation of a risk governance framework for certain national banks and federal savings associations (“Proposed Guidelines”). The Proposed Guidelines were developed out of the “heightened expectations” the OCC implemented in its supervision of large banks following the financial crisis. The OCC notes that “[a]chievement and maintenance of the heightened expectations should help lessen the impact of future economic downturns on large institutions.”
- The Proposed Guidelines reflect years of supervisory experience, and set forth the new “gold standard” of bank risk governance.
- The Proposed Guidelines are explicitly applicable to large national banks and federal thrifts, but the OCC has left itself the discretion to apply the standards to mid-size institutions (generally, those with $10-50 billion in assets).
- A covered bank may only utilize its parent company’s risk governance framework if it complies with the Proposed Guidelines and the bank can demonstrate (by documented annual review) that its risk profile and its parent company’s risk profile are substantially the same.
- At least two members of the board of directors must be independent, and all independent directors must receive formal training regarding the risk governance program.
- The OCC proposes to issue “guidelines,” rather than regulations, in order to preserve its discretion whether to require remediation plans where an institution falls short of minimum expectations.
- The Proposed Guidelines can be used by institutions other than large national banks or federal thrifts to help assess the strength of their own risk governance.
Scope of Application
The Proposed Guidelines would apply to insured national banks, insured federal savings associations and insured federal branches of foreign banks with average total consolidated assets of $50 billion or more. In addition, the OCC retains the discretion to apply the Proposed Guidelines to an institution whose average total consolidated assets are less than $50 billion “if the OCC determines such entity’s operations are highly complex or otherwise present a heightened risk as to require compliance with the Guidelines.” The OCC will make this determination by considering the “complexity of products and services, risk profile, and scope of operations” of a particular institution.
Establishment of Risk Governance Framework
The Proposed Guidelines would require each covered institution to establish and adhere to a formal risk governance framework that addresses the risk profile of the institution, including the institution’s credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk and reputation risk. The framework should be designed by an independent risk management unit and approved by the institution’s board of directors or its risk committee, and reviewed at least once per year. The framework must define roles and responsibilities for internal organizational units, including frontline units, independent risk management and an internal audit function, each of which are integral to the risk governance framework and are commonly referred to as “three lines of defense.” Each unit must maintain independence from the others and must actively ensure that the board of directors is supplied with sufficient information regarding the risk profile of the institution and its risk management practices in order to ensure that the board may provide “credible challenges” to management’s decisions and recommendations. In addition, it is critical that the independent risk management and internal audit functions have “unfettered” access to the board of directors or a board committee.
Strategic Plan and Risk Appetite Statement
The Proposed Guidelines would require that the institution’s chief executive officer—with input from the front line units, independent risk management and internal audit—develop a three-year strategic plan to assess comprehensively the current and expected risks facing the institution and to articulate a mission statement and strategic objectives for the institution going forward. In addition, the Proposed Guidelines would require that an institution develop a “risk appetite” statement that serves as the foundation for its broader risk mitigation framework. The “risk appetite” is defined as “the aggregate level and types of risk the board of directors and management are willing to assume to achieve the bank’s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.” Under the Proposed Guidelines, the risk appetite statement must contain quantitative limits, such as stress-testing processes and measures concerning the institution’s earnings, capital and liquidity position. It must also include a qualitative component that describes a safe and sound “risk culture” at the institution and the context in which the institution will assess and accept risks.
The risk governance framework adopted by an institution pursuant to the Proposed Guidelines should include concentration risk limits and other measures that are tailored to assess and govern frontline unit risks. The Proposed Guidelines also require mechanisms to provide for ongoing review and approval of the risk appetite statement by the board of directors or its risk committee, monitoring for compliance by frontline units and independent risk management, and protocols to identify breaches of the risk governance framework and notify the board of directors thereof. An institution should also implement a set of policies and procedures concerning its risk data aggregation and reporting capabilities. Ultimately, the frontline units and independent risk management should incorporate the substantive aspects of the risk appetite statement, concentration risk limits, and frontline risk limits into strategic and annual operating plans, capital stress testing and planning processes, liquidity stress testing, product and service risk management processes, decisions regarding acquisitions and divestitures, and compensation and performance management programs.
Standards for Board of Directors
The Proposed Guidelines include provisions pertaining to the structure and oversight activities of an institution’s board of directors with respect to its risk governance program. Specifically, the board would be required to ensure that the institution establishes and implements an effective risk governance framework in compliance with minimum standards. The board should provide active oversight of and accountability for management with respect to the risk governance program, including questioning, challenging and, as necessary, opposing management’s decisions. The Proposed Guidelines would also require that at least two members of the board of directors be independent (not a part of the institution’s or its parent company’s management), that all independent directors receive formal training regarding the risk governance program and that the board perform an annual self-assessment regarding its risk governance effectiveness.
The Proposed Guidelines are issued pursuant to Section 39 of the Federal Deposit Insurance Act (“Section 39”), which authorizes the OCC to prescribe safety and soundness standards in the form of a regulation or guidelines, and would be published as an appendix to the OCC’s regulations appearing at 12 C.F.R. Parts 30. The OCC has proposed its heightened expectations as “guidelines,” rather than as regulations, because under Section 39, “if a national bank or Federal savings association fails to meet a standard prescribed by regulation, the OCC must require it to submit a plan specifying the steps it will take to comply with the standard.” However, “[i]f a national bank or Federal savings association fails to meet a standard prescribed by guideline, the OCC has the discretion to decide whether to require the submission of such a plan.” Thus, by issuing guidelines, the OCC will have “flexibility to pursue the course of action that is most appropriate given the specific circumstances” of an institution’s noncompliance with the standards, and the institution’s self-corrective and remedial responses. The OCC would exercise discretionary authority to require an institution to submit a plan identifying the steps it will take to comply with the Proposed Guidelines. The OCC retains authority to escalate noncompliance with the plan to a formal enforcement action when warranted.
The OCC has requested comments on the Proposed Guidelines, and has asked a number of specific questions. Comments must be submitted within 60 days of the date the Proposed Guidelines are published in the Federal Register. For example, the OCC requested comment on whether a single risk officer should provide oversight to all independent risk management units versus having multiple, risk-specific officers providing oversight to one or more independent risk management units.
As noted above, the Proposed Guidelines (and, in the future, the OCC’s final guidance) provide important direction on the emerging “gold standard” for bank risk governance. We have significant experience assisting banks with ensuring their risk management governance structure meets regulatory expectations. Please contact one of the lawyers below, or your regular Alston & Bird lawyer, for assistance in meeting these standards.
This advisory is published by Alston & Bird LLP’s Financial Services & Products practice area to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.