On June 8, 2016, the Federal Reserve updated its Supervisory Guidance that partially supersedes SR letter 95-51, “Rating the Adequacy of Risk Management and Internal Controls at State Member Banks and Bank Holding Companies.” The guidance clarifies Board and senior management oversight of risk management, policies, procedures and limits, risk monitoring and MIS, and internal controls. One revision extends the applicability of the guidance to the U.S. operations of foreign banking organizations with total consolidated U.S. assets of less than $50 billion (such as ISP), which were not previously subject to SR 95- 51. The guidance notes, however, that FBO risk management processes and control functions for the U.S. operations may be implemented domestically or outside of the U.S. and in cases where the functions are performed outside of the U.S., the FBO’s oversight function, policies and procedures, and information systems need to be sufficiently transparent to allow U.S. supervisors to assess their adequacy.

Additionally, the FBO’s U.S. senior management need to demonstrate and maintain a thorough understanding of all relevant risks affecting the U.S. operations and the associated management information systems, used to manage and monitor these risks within the U.S. operations. With respect to Board responsibilities, the guidance states in a footnote: “For the purpose of this guidance, for foreign banking organizations, ‘board of directors’ refers to the equivalent governing body of the U.S. operations of the FBO.”

The guidance goes on further to state that:

The board of directors should collectively have a balance of skills, knowledge, and experience to clearly understand the activities and risks to which the institution is exposed. The board of directors should take steps to develop an appropriate understanding of the risks the institution faces, through briefings from experts internal to their organization and potentially from external experts. The institution’s management information systems should provide the board of directors with sufficient information to identify the size and significance of the risks. Using this knowledge and information, the board of directors should provide clear guidance regarding the level of exposures acceptable to the institution and oversee senior management’s implementation of the procedures and controls necessary to comply with approved policies, the guidance states.