On January 16, 2014, the Office of the Comptroller of the Currency (“OCC”) released a proposal establishing minimum standards for the design and implementation of a risk governance framework for large insured national institutions, insured federal savings associations, and insured federal branches of foreign institutions with average total consolidated assets of $50 billion or more (the “Proposed Framework”), and minimum standards for the board of directors’ oversight of the framework’s design and implementation (the “Proposed Board Requirements”) (collectively, the “Proposed Heightened Standards”). The Proposed Heightened Standards would reserve the OCC’s authority to apply the guidelines to an institution with less than $50 billion in assets if the OCC determines that it is highly complex or otherwise presents a heightened risk. In making such a determination, the OCC will consider the institution’s risk profile, scope of operations, and the complexity of products and services offered by the institution.
Formal Written Risk Governance Framework
Under the Proposed Framework, an institution would be required to establish and adhere to a formal, written framework that addresses the following categories of risk: credit, interest rate, liquidity, price, operational, compliance, strategic, and reputation. In addition, the framework must be designed, reviewed, and updated by the institution’s independent risk management function at least annually.
The Proposed Framework must include policies and supporting processes that are appropriate for the institution’s size, complexity, and risk profile that effectively identify, measure, monitor, and control the institution’s concentration of risk, including concentration risk limits.
Roles and Responsibilities
The Proposed Framework also establishes proposed roles and responsibilities for the organizational units that are fundamental to the design and implementation of the framework, specifically front line units, independent risk management, and internal audit. These units must ensure that the Board has sufficient information on the institution’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions.
The Proposed Framework also provides that an institution’s independent risk management function should:
- oversee the institution’s risk-taking activities and assess risks and issues independent of the chief executive officer and front line units;
- identify and communicate to the Board or the Board’s risk committee material risks and significant instances where independent risk management’s assessment of risk differs from that of the chief executive officer;
- identify and communicate significant instances where the chief executive officer is not adhering to, or holding front line units accountable for adhering to, the framework;
- develop, attract and retain talent, maintain appropriate staffing levels, and establish and adhere to talent management processes and compensation and performance management programs; and
- prohibit any front line unit executive from overseeing any independent risk management units.
Under the Proposed Framework, the internal audit function is required to:
- maintain a complete and current inventory of all of the institution’s material businesses, product lines, services, and functions;
- ensure that the institution’s framework complies with the guidelines and is appropriate for the institution’s size, complexity, and risk profile;
- report in writing to the Board’s audit committee conclusions, issues, and recommendations resulting from the audit work carried out under the audit plan;
- establish and adhere to processes for independently assessing the design and effectiveness of the framework; and
- assess the institution’s framework at least annually.
Under the Proposed Framework, the institution’s chief executive officer would be required to develop a written strategic plan with input from front line units, independent risk management, and internal audit. The strategic plan should cover a three-year period and should contain a comprehensive assessment of risks that currently impact the institution or that could impact the institution during this three-year period, articulate an overall mission statement and strategic objectives for the institution, and include an explanation of how the institution will achieve those objectives. The strategic plan must also include an explanation of how the institution will update, as necessary, the framework to account for changes in the institution’s risk profile projected under the strategic plan. Finally, the strategic plan should be reviewed, updated, and approved, as necessary, due to changes in the institution’s risk profile or operating environment that were not contemplated when the strategic plan was developed. The Board should evaluate and approve the strategic plan and monitor management’s efforts to implement it at least annually.
Risk Appetite Statement
The Proposed Framework also requires that institutions have a comprehensive written statement that articulates the institution’s risk appetite and serves as a basis for the framework. The risk appetite statement must include both qualitative components and quantitative limits. An institution’s risk appetite statement must be reviewed and approved by its Board or the Board’s risk committee at least annually.
The OCC stated that the qualitative components of the risk appetite statement should describe a safe and sound “risk culture” and how the institution will assess and accept risks, including those that are difficult to quantify, on a consistent basis throughout the institution. The risk appetite statement’s quantitative limits should incorporate sound stress testing processes, as appropriate, and should address the institution’s earnings, capital, and liquidity positions.
The proposed guidelines also address the institution’s talent management processes and its compensation and performance management programs. Institutions should establish and adhere to processes for talent development, recruitment, and succession planning to ensure that those employees who are responsible for, or influence, material risk decisions have the knowledge, skills, and abilities to effectively identify, measure, monitor, and control relevant risks.
Standards for Boards of Directors
Under the Proposed Board Requirements, each member of the Board would have a duty to oversee the institution’s compliance with safe and sound banking practices. The Board must actively oversee the institution’s risk-taking activities and critically evaluate management’s recommendations and decisions by questioning, challenging, and, when necessary, opposing, management’s proposed actions that could cause the institution’s risk profile to exceed its risk appetite or threaten the institution’s safety and soundness.
At least two members of an institution’s Board should be independent, and each member of the Board should have the knowledge, skills, and abilities needed to meet the minimum standards. An institution’s Board should be composed of financially knowledgeable directors who are committed to conducting diligent reviews of the institution’s management team, financial status, and business plans. The Board must also establish and adhere to a formal, ongoing training program for independent directors that includes training on:
- complex products, services, lines of business, and risks that have a significant impact on the institution; and
- laws, regulations, and supervisory requirements applicable to the institution.
The OCC is proposing these guidelines pursuant to section 39 of the Federal Deposit Insurance Act (“FDI Act”), which authorizes the OCC to prescribe safety and soundness standards in the form of a regulation or guidelines. If a bank or savings association fails to meet a prescribed standard, the OCC may require the institution to submit a plan specifying the steps it will take to comply with the standard. The OCC may issue an enforceable order under section 8 of the FDI Act, 12 U.S.C. § 1818(b), if the bank, after being notified that it is in violation of a safety and soundness standard, fails to submit an acceptable compliance plan or fails materially to comply with an OCC-approved plan.
Potential Issues Related to Implementation and Enforcement
The Proposed Heightened Standards reflect the current trend of increased regulation and enforcement with respect to financial institutions. The Proposed Heightened Standards not only increase the level of OCC involvement in the policies and procedures of certain financial institutions but also further increase the responsibility of an institution’s board of directors. Although increased regulatory involvement is not a new development, the Proposed Heightened Standards create additional problems for institutions through their failure to define how an institution or its board of directors can meet their requirements. The lack of a clearly defined standard for implementing the Proposed Heightened Standards is an oversight that will result in their inconsistent application. Moreover, the OCC fails to discuss the interaction of the Proposed Heightened Standards with the guidelines of other banking regulators. Specifically, the OCC fails to address the potential conflicts that may arise between an institution’s implementation of the Proposed Heightened Standards and the enterprise-wide risk management expectations of the Board of Governors of the Federal Reserve System.
Comments on the Proposed Heightened Standards must be submitted within 60 days following publication in the Federal Register.