On September 2, 2014, the Office of the Comptroller of the Currency (OCC) issued final guidelines that establish minimum standards for the design and implementation of a risk governance framework for certain national banks and federal savings associations. The guidelines finalize a proposal issued by the OCC on January 16, 2014. The OCC received 25 comment letters regarding the proposal. While the guidelines are generally the same as the proposal, the OCC made a few notable changes and clarifications.
The guidelines were developed out of the “heightened expectations” the OCC implemented in its supervision of large banks following the financial crisis. These heightened expectations “reflected the OCC’s supervisory experience during the financial crisis and addressed weaknesses the OCC observed in large institutions’ governance and risk management practices during this time.”
The OCC has emphasized that the risk governance for large banks and thrifts begins with the board of directors.
The board of directors must “question, challenge, and, when necessary oppose” the bank’s management on certain actions relating to risk.
The guidelines will be implemented as “guidelines” rather than “regulations,” preserving the OCC’s discretion regarding whether to require remediation plans if an institution falls short of minimum expectations.
The guidelines are the first formal guidance from a federal bank regulator setting forth comprehensive enterprise risk management expectations and will likely serve as a tool for future potential enforcement actions.
Scope of Application
The guidelines apply to (i) insured national banks, insured federal savings associations and insured federal branches of foreign banks with average total consolidated assets of $50 billion or more; (ii) insured national banks and insured federal savings associations with average total consolidated assets of less than $50 billion if that institution’s parent company controls at least one insured national bank or insured federal savings association with average total consolidated assets equal to or greater than $50 billion; and (iii) insured national banks and insured federal savings associations whose average total consolidated assets are less than $50 billion if the OCC determines that the institution’s operations “are highly complex or otherwise present a heightened risk” to warrant the application of the guidelines (collectively, “covered banks”).
Summary of the Guidelines
The proposal, and now the guidelines, set forth the parameters a covered bank should consider in establishing minimum standards for the design and implementation of its risk governance framework.1 Such a framework must address the risk profile of the institution, including its credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk and reputation risk (“enumerated risks”). In addition, the risk governance framework should include well defined roles and responsibilities for certain internal organizational units (i.e., “frontline units,” “independent risk management,” and “internal audit”). These units must be independent from one another and must ensure that the board of directors is supplied with sufficient information about the institution’s risk profile so that it may provide “credible challenges” to the management’s decisions and recommendations.
In addition, the guidelines require that a covered bank’s chief executive officer develop (in coordination with the frontline units, independent risk management and internal audit) a three-year strategic plan to comprehensively assess the institution’s current and expected risks, a mission statement and strategic objectives for the institution going forward. The guidelines also require that a covered bank develop a “risk appetite statement” that will serve as the foundation for its broader risk governance framework. Covered banks will also be required to have mechanisms in place to provide for ongoing review and approval of the risk appetite statement by the board of directors or its risk committee, monitoring for compliance by frontline units and independent risk management, and protocols to identify breaches of the risk governance framework and to notify the board of directors.
Finally, the guidelines include provisions pertaining to the structure and oversight activities of a covered bank’s board of directors with respect to its risk governance framework. The board is required to ensure that the institution establishes and implements an effective risk governance framework in compliance with the minimum standards required by the guidelines. In addition, the guidelines require that at least two members of the board of directors be independent (as defined in the guidelines to exclude family members of executive officers within the last three years), that all independent directors receive formal training regarding the risk governance program and that the board perform an annual self-assessment regarding its risk governance effectiveness.
Key Changes from the Proposal
The OCC made certain changes and clarifications to the wording of the guidelines that reflect some of the comments it received regarding the proposal:
While the proposal stated that it was the “duty” of the board of directors to “ensure” that the institution was appropriately following risk governance procedures, the guidelines state that the board of directors must only “actively oversee” and “require” that the institution take appropriate risk mitigation measures. This change was implemented in response to comments that suggested the proposal’s framework could provide for greater legal liability for board members, which may dissuade otherwise qualified candidates from accepting board positions.
The guidelines clarify that a “frontline unit” means an organizational unit or function thereof accountable for one the enumerated risks and that also (i) engages in activity designed to generate revenue or reduce expenses for the institution, (ii) provides operational support or servicing to a unit in the institution in the delivery of products or services to customers, or (iii) provides technology services to a unit or function covered by the guidelines. This change was prompted by many commenters’ concerns that the broad definition of “frontline unit” set forth in the proposal would have covered certain back-office personnel who are not responsible for the enumerated risks (e.g., human resources).2
Under the proposal, a covered bank would only have been permitted to use its parent company’s risk governance framework if its risk profile was “substantially” the same as the parent company’s risk profile, meaning (i) the bank’s average total consolidated assets represent 95 percent or more of the parent company’s average total consolidated assets; (ii) the bank’s total assets under management represent 95 percent or more of the parent company’s total assets under management, and (iii) the bank’s total off-balance sheet exposures represent 95 percent or more of the parent company’s total off-balance sheet exposures. While the guidelines retain the 95 percent threshold, the OCC emphasized that it is only a safe harbor and that a covered bank that does not satisfy the threshold may still utilize its parent company’s risk governance framework (or a component of that framework), provided that the covered bank can demonstrate that it has substantially the same risk profile of the parent and the parent company’s framework meets the criteria outlined in the guidelines.
Application to Community Banks and Others with Less Than $50 Billion in Assets
Importantly, the OCC retained language from the proposal indicating that banks with less than $50 billion in assets may also be subject to the heightened expectations. Specifically, as noted above, the OCC retains discretion with regard to banks that are “highly complex or otherwise present a heightened risk.”3 The Comptroller has indicated in public remarks that this will be a high threshold only to be crossed in “extraordinary circumstances” and that the OCC does not intend to apply the guidelines to community banks. Time will tell, however, whether the OCC’s guidelines establish de facto standards among all banks with regard to risk management discipline generally.
The guidelines were issued pursuant to Section 39 of the Federal Deposit Insurance Act, which authorizes the OCC to prescribe safety and soundness standards in the form of a regulation or guidelines, and will be published as an appendix to the OCC’s regulations appearing at 12 C.F.R. Part 30. The OCC issued its heightened expectations as “guidelines,” rather than as regulations, because Section 39 provides the OCC with “supervisory flexibility to pursue the course of action that is most appropriate given the specific circumstances of a covered bank’s failure to meet one or more standards, and the covered bank’s self-corrective and remedial responses.”4 The OCC can enforce the guidelines using its discretion under rules set forth in 12 C.F.R. Part 30, utilizing a Notice of Deficiency that would require a covered bank to submit and receive approval of a compliance plan. If a covered bank fails to submit an acceptable compliance plan, the OCC may issue a Notice of Intent to issue an order that provides the institution with the opportunity to respond before the OCC makes a final decision or, alternatively, may issue an order regarding noncompliance with the guidelines without providing the institution with a Notice of Intent.
Covered banks with average total consolidated assets equal to or greater than $750 billion must comply with the guidelines by their effective date, November 11, 2014, while other covered banks are subject to a schedule that generally phases in the required compliance date over the 18-month period following the effective date.
 A more comprehensive treatment of the substance of the new guidelines can be found in our discussion of the proposal here.
 The proposal defined “frontline unit” to mean “any organizational unit within the bank that: (i) engages in activities designed to generate revenue for the parent company or bank; (ii) provides services, such as administration, finance, treasury, legal, or human resources to the bank; or (iii) provides information technology, operations, servicing, processing, or other support to any organizational unit covered by the proposed guidelines.”
 The determination regarding whether a bank’s operations are “highly complex or otherwise present a heightened risk” will be made based on consideration of the complexity of products and services, risk profile and scope of operations.
 Specifically, under Section 39, “[i]f a national bank or Federal savings association fails to meet a standard prescribed by guideline, the OCC has the discretion to decide whether to require the submission” of a plan specifying the steps it will take to achieve compliance with the standard. In contrast, “if a national bank or Federal savings association fails to meet a standard prescribed by regulation, the OCC must require it to submit a plan specifying the steps it will take to comply with the standard.”
This advisory is published by Alston & Bird LLP’s Financial Services & Products practice area to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.