The Office of the Comptroller of the Currency (OCC) recently released an updated and substantially revised section of its Comptroller’s Handbook titled “Retail Nondeposit Investment Products” (the Booklet). The Booklet replaces the previous booklet of the same name that was issued in February 1994. It is intended to provide guidance for bank examiners on activities of national banks and federal savings associations (collectively, banks) involved in recommending and selling nondeposit investment products to retail customers. Overall, the Booklet reflects the OCC’s increasing focus in recent years on the need for banks to implement strong risk-management processes and policies commensurate with their activities, as well as oversight of these activities by senior bank management and banks’ boards of directors. Both banks that directly engage in the sale of retail nondeposit investment products (RNDIPs) and bank-affiliated or unaffiliated broker-dealers, insurance agents, and registered investment advisers that provide services and products to certain customers on behalf of banks will need to become familiar with the supervisory expectations set out in the Booklet and incorporate, as needed, recommended business and information-sharing practices into their operations.1
At approximately 170 pages, the Booklet is almost three times the length of the 1994 version. In light of the significant changes since 1994 regarding bank sales of RNDIPs (including the passage of the Gramm-Leach-Bliley Act (GLBA),2 the issuance of Regulation R,3 and the passage of the Dodd-Frank Act4), as well as a number of bulletins released by the OCC since the 1994 version, the scope of changes in the Booklet is not surprising. As it did in the previous version, the OCC specifically incorporates the 1994 “Interagency Statement on Retail Sales of Nondeposit Investment Products” issued by the Federal Reserve Board, the OCC, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision, as well as joint interpretations of the same (Interagency Statement).5 The Booklet also refers to a number of OCC bulletins and other issuances that directly or indirectly apply to the sales of RNDIPs, most notably OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (Third-Party Relationship Bulletin).6 Importantly, the Booklet is the first formal agency effort to discuss compensation and bonus issues raised in Regulation R in 2007.
The Booklet reflects the OCC’s emphasis on the importance of strong and effective risk-management processes, which continues a regulatory theme articulated by the OCC in recent years. The Booklet details the OCC’s new expectations of third parties that provide RNDIPs through bank distribution channels and focuses on the terms to be contained in networking agreements with banks. These requirements are extensive and unlikely to be satisfied with existing networking arrangements.
As mentioned above, the Booklet reflects the OCC’s heightened expectations regarding the adequacy of banks’ compliance and risk-management programs and the need for banks to develop detailed written compliance plans tailored to the complexity of their RNDIP sales activities. The OCC states that the Booklet itself is intended to explain “the risks inherent in banks’ retail nondeposit investment product (RNDIP) sales programs and provide a framework for banks to manage those risks.”7 The Booklet divides such risks into five categories (compliance risk, operational risk, strategic risk, reputation risk, and credit risk) and sets out recommendations and expectations for bank programs to manage those risks.
- Compliance risk: The OCC emphasizes compliance with the Interagency Statement, Regulation R, and the antifraud provisions of federal securities laws (section 10 of the Securities Exchange Act and Rule 10b-5) and a bank’s obligation to take reasonable steps to ensure that any third-party broker-dealer complies with applicable securities laws and Financial Industry Regulatory Authority (FINRA) rules. The Booklet also identifies a number of factors that could raise a bank’s level of compliance risk, including the use of bank/broker-dealer dual employees, ineffective oversight of RNDIP sales, inadequate policies and procedures and poor implementation of the same, and weak independent risk-control functions. The OCC states that it expects every bank to “conduct a comprehensive analysis of its securities activities to ensure compliance with GLBA and Regulation R, and to maintain records to demonstrate compliance.”8
- Operational risk: The OCC identifies operational risk as arising from inadequate oversight of bank employees or third parties, sales practice misconduct, poor customer service, or adverse events that could affect business volume and efficient trade execution. The OCC emphasizes the importance of due diligence of third-party providers of RNDIP sales services and that any third parties should provide, on a quarterly basis at a minimum, information regarding the third party’s sales practices; surveillance results; exception tracking; product and service offerings; customer complaints, litigation, and settlements; hiring practices; sales force stability; regulatory findings; and compliance issues. In addition, banks should require third parties to have sufficient business continuity planning in the event of interruption, as well as the operational capacity and customer service levels that can adequately service customer needs, particularly in times of market stress. As part of its operational risk management, banks should have internal management information systems that ensure timely transaction confirmations and customer statements and billing and should ensure that any modeling used in an RNDIP sales program is properly designed and managed.
- Strategic risk: The OCC emphasizes that an RNDIP sales program is a substantial commitment. A bank’s failure to provide adequate resources and risk management to properly manage and control the risks associated with any RNDIP sales program may present a strategic risk to the bank. The bank’s management and oversight of its RNDIP program should be able to respond to and incorporate regulatory reforms and changes in the brokerage industry, and the bank’s strategic goals with respect to its RNDIP program should reflect, as appropriate, changes in market conditions.
- Reputation risk: Reputation risk arises from the way a bank or a third party interacts with customers. Unsuitable sales practices, client misunderstandings of the risk associated with RNDIP offerings, or poor customer service could result in reputational damage. Proper supervision and training of bank employees engaged in direct bank RNDIP activities is needed to help manage reputation risk. The OCC Booklet explicitly notes that banks that offer services to lower-income clients, clients with little to no investment experience, or seniors may present heightened reputation risk. Reputation risk may be increased if the RNDIP program actively associates a bank’s name with the offered products and services, including the offering of bank-branded products.
- Credit risk: Credit risk in an RNDIP may arise if the program provides retail clients with margin lending or securities lending services. In addition to the compliance obligations associated with these lending activities, the bank needs to monitor and manage its credit exposures. Retail foreign exchange transactions also present counterparty credit risk where a bank acts as principal in a transaction. Credit risk can also arise if a bank advances payments to client accounts (even intraday) or allows overdrafts in client accounts.
The OCC expects each bank to “identify, measure, monitor, and control risk by implementing an effective risk management system appropriate for its size and the complexity of its operations.”9 Examiners will review and assess the effectiveness of a risk-management system and take into consideration a bank’s policies, processes, personnel, and control systems.10
- Identification of risk: Risk identification should be a continuous and ongoing process at the transactional, line of business, and aggregate business levels and should include risks that originate in broker-dealer subsidiaries or affiliates or through networking arrangements. Banks are also expected to identify cross-business-line interdependencies or issues that could present increased risk.
- Measurement of risk: To measure risk, banks are expected to use measurement systems and models appropriate for the nature and complexity of the RNDIP sales program and should periodically test the measurement systems. Although no one measurement system will be appropriate for all RNDIP sales programs, the OCC expects that the measurement process will assess risks of individual transactions, aggregate client portfolios, and interdependencies, correlations, and risks across business lines.
- Monitoring risk: Part of the risk-monitoring program should include a requirement that affiliated and unaffiliated third parties provide risk-monitoring reports that allow a bank to properly oversee the RNDIP sales program, including the quality and suitability of the RNDIPs sold by an affiliated or third-party broker-dealer.
- Control of risk: Banks’ boards of directors must establish the banks’ strategic direction and risk tolerance with respect to any RNDIP sales program and communicate the same through policies and procedures that establish responsibility and authority. In accordance with the Interagency Statement, boards should adopt written statements that address the risks, policies, procedures, and risk management associated with an RNDIP sales program.
In addition, banks should adopt comprehensive compliance policies and procedures that address applicable regulations and guidance, including the Interagency Statement. The compliance policies should address the following:
- Third-party risk management
- Qualification and training requirements for bank personnel and supervisors, as well as third-party sales representatives who will recommend or sell RNDIPs
- Compensation arrangements that comply with applicable regulations (GLBA, Regulation R, 12 C.F.R. Part 14 (insurance sales)) and OCC guidance11 regarding compensation for referrals, bonuses, and other compensation arrangements
- Suitability and sales practices to ensure that RNDIP recommendations and sales are suitable for retail clients and incorporate proper sales practices, including clear criteria for the selection and ongoing review of RNDIPs sold or recommended through a bank’s program and overall compliance with FINRA Rule 2111
- Customer disclosures and advertising that comply with applicable regulations and guidance
- Setting and circumstances that comply with the Interagency Statement and GLBA requirements for separation of RNDIP activities from bank deposit–taking activities.
The OCC expects the compliance program to include periodic testing of customer accounts and transactions to detect, prevent, and correct abusive practices. The compliance program should also incorporate a system to monitor customer complaints and their resolution. The Booklet also strongly encourages using mystery shopping and call-back programs to test sales programs and ensure that sales activities comply with applicable regulations, guidance, and a bank’s policies.
- Applicable guidance includes OCC Bulletin 2010-24, “Incentive Compensation: Interagency Guidance on Sound Incentive Compensation Policies.”
There are several aspects of the Booklet that are particularly noteworthy or warrant special mention.
- Application of the Third-Party Relationship Bulletin: The Booklet refers to the Third-Party Relationship Bulletin numerous times and contains a detailed description of third-party risk-management expectations with respect to RNDIP sales, including expectations regarding risk assessment by a bank’s board and management, the due diligence process, and the written agreement with and reporting obligations of the third-party broker-dealer. Banks that use third parties for RNDIP sales should carefully review both the Third-Party Relationship Bulletin and the expectations of that bulletin’s application to RNDIP sales. The Booklet states that “[b]y referring its customers to a broker-dealer, the bank is tacitly endorsing the RNDIP sales made by those brokers to those customers. To the extent the bank has clients that may be vulnerable to a broker’s hard sell, the bank should have procedures in place to ensure that these customers are not sold inappropriate
- Networking agreements and disfavor of “turnkey” arrangements for RNDIP sales: The Booklet emphasizes that banks must have ongoing and substantive involvement in the administration and oversight of any RNDIP sales program and cannot rely solely on representations made by broker-dealers regarding quality and suitability of RNDIPs and sales practices. In other words, banks cannot abdicate their oversight and compliance responsibilities to the affiliated or third-party broker-dealers and must conduct their own independent analysis of RNDIPs, particularly the suitability of the products for the banks’ customers. As noted above, these requirements are to be addressed by new networking agreement terms.
- Disclosures and advertising: The Booklet goes into great detail regarding applicable requirements concerning disclosures and advertising of RNDIPs. Banks should pay particular attention to the guidance and expectations regarding disclosures and advertising because those aspects of compliance are easily reviewed and tested by examiners.
- Compensation arrangements and referral fees: The Booklet contains extensive discussion about permissible compensation arrangements and referral fees. The only previous guidance on these issues was contained in the preamble to Regulation R issued in 2007.13
- Incorporation of FINRA Rule 2111 into the bank compliance program: The Booklet acknowledges that FINRA Rule 2111 regarding suitability of recommended products does not expressly apply to sales or recommendations made directly by a bank. However, the Booklet identifies the rule as “an appropriate reference for a bank compliance program designed to ensure that the bank’s sales of RNDIPs are operated in a safe and sound manner.”14
- Risks associated with offering swaps and foreign-exchange derivatives: The Booklet emphasizes that, because of the changes enacted by the Dodd-Frank Act, offering off-exchange swaps and foreign-exchange transactions to retail customers presents heightened risk to a bank, particularly with respect to possible inadvertent aiding and abetting violations of the Commodity Exchange Act. Such inadvertent violations could occur if a retail customer entering into an off-exchange swap is not an “eligible contract participant,” as well as raise questions about compliance with OCC regulations regarding retail foreign-exchange transactions. The Booklet emphasizes the need for banks to retain qualified counsel to help assess and manage the risk by ensuring compliance with applicable regulations.
- The Interagency Statement is still alive and well: Although it was adopted almost 21 years ago, the Booklet demonstrates the Interagency Statement’s durability and continued relevance for bank RNDIP activities. In this respect, the Booklet shows that basic regulatory attitudes about bank retail securities activities have not materially changed since 1994. What has changed, as the Booklet demonstrates, are the regulatory expectations with respect to the nature and strength of the compliance architecture required to manage an RNDIP sales program.
- Booklet, p. 63.
- “Definitions of Terms and Exemptions Relating to the ‘Broker’ Exceptions for Banks and Exemptions for Banks Under Section 3(a)(5) of the Securities Exchange Act of 1934 and Related Rules,” 72 Fed. Reg. 56,513 (Oct. 3, 2007).
- Do the Federal Reserve Board and Federal Deposit Insurance Corporation (FDIC) agree?: The Booklet is an OCC publication that technically applies only to national bank and federal savings association RNDIP activities. We would expect, however, that Federal Reserve Board and FDIC views with respect to the RNDIP activities of state member and nonmember banks, respectively, under their jurisdiction would not be materially at variance with the OCC’s supervisory expectations reflected in the Booklet. In turn, the Booklet may serve as a useful compliance guide for banks other than national banks.
The Booklet’s major implication is that a bank that engages in an RNDIP sales program should expect increased scrutiny of the program and should be prepared to document and demonstrate through written policies and procedures, board and management oversight records, and other means that the bank is adequately assessing and managing any risks presented by the RNDIP. As with other recent OCC guidance, active and meaningful oversight and participation of a bank’s board and senior management is expected and required. Overall, the Booklet will be a useful reference tool for banks, broker-dealers, insurance agents, and registered investment advisers that engage in bank RNDIP sales programs as they modify and adjust their risk management of the RNDIP sales program. Banks that are active in retail securities activities should expect that their next examination will involve detailed questions and requests for information regarding their RNDIP sales programs. To that end, the examination procedures set forth in the Booklet, as well as the sample request letters contained in Appendix I to the Booklet, will provide useful guidance to banks as to the likely scope of information requests that will precede their next exam. More clarity regarding specific OCC expectations and methods for implementing the guidance in the Booklet will be revealed through upcoming examination cycles.