On September 2, 2014, the U.S. Department of Treasury, Office of the Comptroller of the Currency (“OCC”) released final Guidelines (the “Guidelines”) aimed at strengthening the governance and risk management practices of large national banks, insured Federal savings associations, and insured Federal branches of foreign banks operating in the U.S. (“Banks”). The Guidelines represent another response to the recent financial crisis and the corresponding legislative and regulatory developments focused on stability in the financial system. The approach adopted by the OCC shares many similarities with policies that have been recently adopted by Canadian regulators aimed at strengthening responsible internal risk management by Canadian financial institutions.

The Guidelines

The Guidelines seek to further the goals outlined by the Dodd-Frank Act, namely to strengthen the financial system by focusing management and boards of directors on enhancing risk management and governance practices. The Guidelines also reflect the international policies coming out of the Financial Stability Board and Basel Committee on Banking Supervision which have been or are being adopted by domestic regulators around the world.

The Guidelines formalize five “heightened expectations” that the OCC has developed in the aftermath of the financial crisis. The objective of the Guidelines is to enhance the OCC’s supervision of and strengthen the risk management and governance practices of the Banks. The expectations are:

  1. Preserving the sanctity of the charter, by ensuring that the bank operates in a safe and sound manner rather than simply as an extension of its parent bank holding company.
  2. Maintaining a well-defined personnel management program that places emphasis on talent development, recruitment, succession planning and provides for a compensation structure that discourages inappropriate risk taking.
  3. Defining and communicating an acceptable risk appetite throughout the organization.
  4. Maintaining reliable oversight programs, including the development of strong audit and risk management functions.
  5. Having a board of directors willing to provide a credible challenge to senior management’s decision-making.

Requirements under the Guidelines

The Guidelines require the creation and implementation of and compliance with a formal, written risk governance framework (the “Framework”) that manages and controls various kinds of risk encountered by the Banks. The Framework should be designed by independent risk management within the Bank and should include well-defined risk management roles and responsibilities. The Guidelines also require a Strategic Plan, including ongoing assessments of the Bank’s risk profile and related strategic objectives, and a Risk Appetite Statement. The Guidelines also articulate key standards for boards of directors in overseeing management and ensuring the implementation of safe and sound banking practices.

A similar framework addressing the types of risk and level of risk that a financial institution is willing to accept in order to achieve its business objectives (as well an outline of the roles and responsibilities of those overseeing this framework) is required by Canadian regulators.

Enforcement

A key aspect of the Guidelines is the provision for enforcement pursuant to Section 39 of the Federal Deposit Insurance Act (“FDIA”). The OCC may initiate the enforcement process when it determines that a Bank has failed to meet a standard prescribed by the Guidelines. The OCC has the discretion to require the submission of a compliance plan specifying the steps the institution will take to correct the inadequacies and the timeline for its implementation. The OCC may issue an enforceable order if the financial institution fails to submit an acceptable compliance plan or fails in any material way to implement an approved plan.

Similarities with the Canadian approach

We are seeing many of the same themes emerging here in Canada. In recent comments before the Economic Club of Canada, Jeremy Rudin, the Superintendent of Financial Institutions, noted that financial regulators in Canada are focused on curbing “excessive” risk taking by financial institutions. He also noted that this objective has been pursued by encouraging boards of directors and management at financial institutions to take responsibility for managing their institutions’ risk. This approach differs from the enforcement approach reflected in the Guidelines in that the Canadian regulators provide “guidance” to the financial institutions and monitor compliance through supervisory powers and not through an enforcement mechanism.

Mr. Rudin  further commented on the benefits of the approach taken by financial regulators in Canada:

A major strength of our approach is that it aims to ensure that regulatory compliance does not become a substitute for risk management. Indeed, financial institutions cannot comply with our expectations unless they actively measure and manage their own risks.

For example, the Corporate Governance Guidelines issued by the Office of the Superintendent of Financial Institutions (OSFI) in January 2013 emphasize:

  1. The role of an effective, independent and competent board of directors overseeing management.
  2. Effectively overseeing the management of risk through the development of internal risk management systems, practices and controls, positions such as a Chief Risk Officer, and committees such as a Risk Management Committee and the Audit Committee.
  3. Developing a Risk Appetite Framework, which meets the minimum standards set out in the guidelines, to guide risk taking activities.

Conclusion

The interest and focus on risk management and risk governance will only continue as the legislative and regulatory framework continues to unfold in the wake of the financial crisis. Effective risk management starts within the financial institutions itself. It is essential that financial institutions continue to begin the analysis by turning inward to focus on the internal culture and controls unique to each institution.