Wasting no time in leaving summer behind, on September 2, 2014, the Office of the Comptroller of the Currency (OCC) adopted Final Guidelines, to be published soon in the Federal Register, establishing risk governance standards for FDIC-insured national banks, federal savings banks and federal branches of foreign banks with average total consolidated assets of $50 billion or more. Notably, the Final Guidelines also cover a smaller bank whose parent controls at least one $50 billion bank or which the OCC deems to be highly complex or to present heightened risk. This landmark action, which is the ultimate formalization of the OCC’s response to the Great Recession, finalizes the proposed guidelines explained in our January 24, 2014 Client Alert and supersedes the current OCC heightened expectations program.

Pepper participated prominently in the public comment process, and we are pleased that the OCC took so many comments to heart in refining a wide array of provisions. Because the format of the Final Guidelines does not differ appreciably from the proposed guidelines, this Client Alert will focus primarily on significant changes made by the OCC.

At the outset, the OCC makes an especially forceful point of distinguishing between prescribing standards by regulation and prescribing them by guideline. The key element is supervisory flexibility, whereby, under a regulation, the agency would have no choice but to require a noncompliant bank to submit a corrective action plan, while, under a guideline, it would retain discretion to require a plan or pursue an alternative course of action, as it deems appropriate. Importantly, although the OCC has chosen guideline over regulation, it still may initiate the formal enforcement process, including orders and fines, at any time.

Like the proposed guidelines, the Final Guidelines are split into three sections. Section I contains the introduction, explains the scope and defines key terms; Section II prescribes minimum standards for design and implementation of a bank’s risk governance framework (“Framework”); and Section III lays out minimum standards for oversight of the Framework by a bank’s board of directors.


Use of Parent Company Framework

In an effort to allay deep concerns expressed by several commenters, the Final Guidelines clarify that a bank may use its parent company’s Framework in its entirety without modification (i) if the Framework meets the prescribed minimum standards and (ii) the risk profiles of the bank and parent company are substantially the same. The test for qualifying as substantially the same has been simplified to require that for the four most recent consecutive quarters the bank’s average total consolidated assets (as stated in its Call Reports) represent 95 percent or more of the parent company’s average total consolidated assets. Even when the 95 percent test is not met, a bank can use components of the parent company’s Framework if certain criteria are satisfied. Indeed, the OCC explicitly encourages banks to leverage their parent company’s Framework to the appropriate extent, including the sharing of employees. Even where risk profiles diverge, the OCC expects a bank to work closely with its parent company to promote efficiencies and synergies between their two Frameworks.

Compliance Deadlines

Responding to comments questioning the $50 billion threshold and the inflexibility of the proposed rules in treating all large banks the same, the OCC reaffirmed the acceptability of the threshold but adopted a phase-in for mandatory compliance based on a bank’s size. For banks with average total consolidated assets of $750 billion or more, compliance is required 60 days after publication of the Final Guidelines in the Federal Register (the “effective date”). For banks between $100 billion and $750 billion, the compliance deadline is six months after the effective date, while banks of $50 billion up to $100 billion have 18 months after the effective date to comply.

Community Banks

Many commenters took issue with the OCC’s reserving authority in the proposed guidelines to cover banks smaller than $50 billion, fearing that community banks could be readily blindsided. In response, the OCC makes clear in adopting the Final Guidelines that it expects to utilize this authority only in extraordinary circumstances, and to erase all doubt, it declares that it “does not intend to exercise this reservation of authority to apply the Final Guidelines to community banks.”

Federal Branches of Foreign Banks

Recognizing the unique characteristics of federal branches of foreign banks, the OCC stated its intention to apply the Final Guidelines in a flexible manner, taking into account the nature, scope and risk of a branch’s activities. With respect to provisions directed at a bank’s board, OCC examiners will consult with the branch to determine the appropriate person or committee to assume the board role.


The OCC uses the definitions as both a vocabulary to be applied throughout the Final Guidelines and a vehicle for demarcation of responsibilities. Particularly noteworthy are the following terms:

  • Chief Audit Executive (CAE) – an individual who leads internal audit (IA) and reports directly to the CEO.
  • Chief Risk Executive (CRE) – an individual who leads an independent risk management unit and reports directly to the CEO. Because this term generated considerable comment, the OCC has given banks flexibility in determining the appropriate number of CREs, so long as they institute processes for coordinating all Independent Risk Management (IRM) activities (as defined below).
  • Control – This term was not defined in the proposed guidelines. The Final Guidelines deem a parent company to control a bank if it holds 25 percent or more of a class of voting securities or if it consolidates the bank in its financial reports.
  • Front Line Unit – This was among the most hotly debated concepts in the comments received by the OCC. Under the Final Guidelines, to be a front line unit, an organizational unit or function must be accountable for at least one enumerated risk and meet one of these three additional criteria: (i) engage in revenue-generating or expense-reducing activities; (ii) provide operational support or servicing in delivering products or services to customers; and (iii) provide technology services. This definition makes it possible for only part of an organizational unit, as opposed to the entire unit, to qualify as a front line unit. Human resources is expressly exempted from this definition, as is any unit or function that provides legal services. However, the OCC recognizes that a general counsel responsible for functions extending beyond legal services might qualify as a front line unit.
  • Independent Risk Management (IRM) – any organizational unit or function responsible for identifying, measuring, monitoring, or controlling aggregate risks. Reporting structure and oversight were of greatest concern to commenters on this term. In response, while maintaining a reporting structure that ensures independence of IRM from front line units, the OCC removed the requirement that the CEO oversee the CRE’s day-to-day activities. Like the proposed guidelines, the Final Guidelines require the CRE to have unrestricted access to the board, but unlike the proposed guidelines, the Final Guidelines do not impose managerial duties on the board, leaving approval of material policies under the Framework to management. IRM is expected to coordinate and actively engage with front line units while applying its own judgment when assessing front line unit risks and risk management practices.
  • Internal Audit (IA) – Comments on this term also centered on overlapping oversight and reporting. Clarifying the OCC’s intent regarding a proper reporting structure, the Final Guidelines mandate independence of IA from IRM and front line units. The CAE must have unrestricted access to the audit committee, and the audit committee, in turn, approves the appointment, removal and compensation of the CAE and reviews and approves IA’s overall charter and audit plans. As with the CRE, the CEO does not oversee the CAE’s day-to-day activities, but the CEO or the audit committee has primary oversight of the CAE’s administrative activities, such as personnel matters, expense account management, and departmental supplies. There is no bar to IA consulting with the bank’s legal unit, and the OCC has removed from the definition the implication in the proposed guidelines that the audit committee should review and approve all IA risk assessments.
  • Parent Company – The OCC has clarified this term as designating the top-tier legal entity in a bank’s ownership structure.


Elements of the Risk Governance Framework

In prescribing minimum standards for a bank’s Framework, the OCC expanded the Final Guidelines in several respects. In addition to addressing changes in the bank’s risk profile caused by internal or external factors or evolution of industry risk management practices, the Framework should include delegations of authority from board to management, risk limits for material activities, and processes for management reports to the board. Changes resulting from emerging risks and strategic plans should also be part of the Framework. The board is to review the Framework at least annually, and front line units must monitor their risk limits and report to IRM at least quarterly. Similarly, IRM must report any concerns to the CEO and the board at least quarterly.

Three Lines of Defense

The Final Guidelines center the Framework on the “three lines of defense” – front line units, IRM, and IA. Impressed by concerns raised in numerous comments, the OCC made a number of changes to the roles and responsibilities prescribed for each of these functions.

  • Front line units – In the interest of providing flexibility in designing the Framework, the OCC decided to permit front line units to fulfill their responsibilities alone or in conjunction with other organizational units whose purpose is to assist them. Each front line unit must have IRM review and approve its policies, including the unit’s risk limits, to ensure consistency throughout the Framework. Compliance policies and procedures associated with a front line unit’s activities are the province of that front line unit.
  • IRM – The Final Guidelines, in contrast to the proposed guidelines, does not require IRM to assess risks and issues independent of the CEO. Moreover, IRM assessment is subject to CEO oversight. Nonetheless, IRM should report to the board regarding material risks and significant disagreements with the CEO. The OCC expects IRM to use its risk assessments to design appropriate actions when necessary, even where risk appetite or formal risk limits have not been exceeded. IRM is also duty-bound to tell the CEO and the board of instances where front line units are not adhering to the Framework.
  • IA – Again, the OCC has sought to inject flexibility into the role and responsibilities of IA. Unlike the proposed guidelines, the Final Guidelines task IA with reporting its conclusions and material, issues and recommendations to the audit committee. Central to IA’s role under the Framework is the audit plan; fundamental to the audit plan is the inventory of all processes, product lines, services, and functions, which, together with IA’s risk assessments, are called the “internal audit universe.” The Final Guidelines assign sole responsibility to IA for maintaining that inventory. The OCC places particular emphasis on IA’s rating the risk presented by each front line unit, but it allows IA to leverage risk assessments made by front line units and IRM on the condition that it exercises independent judgment in that connection. The audit plan also must evaluate the adequacy of, and compliance with, all Framework policies, procedures and processes. The Final Guidelines require IA to review the audit plan periodically, as opposed to the quarterly review mandated by the proposed guidelines, and the audit committee must be informed of all significant changes. Additionally, IA is required to consider both pre-existing and prospective risks, and it must institute a quality assurance program to ensure that its policies and procedures reflect emerging risks and improvements in industry practices. Finally, IA, IRM, the CEO and the board must do their best to benchmark the bank’s risk management practices against its peers.

Strategic Plan

Like the proposed guidelines, the Final Guidelines require each bank to prepare a written, three-year strategic plan that comprehensively assesses all risks that could reasonably be expected to have an impact on its business. The plan must contain a mission statement and strategic objectives along with an explanation of how the bank will achieve them. However, the OCC makes clear that the strategic plan is distinct from a capital plan and should focus only on risk management. While the CEO is responsible for developing the strategic plan, the Final Guidelines clarify the point that the CEO is not individually expected to prepare it, and the OCC expects that IA will have input.

Risk Appetite Statement

The Final Guidelines require a risk appetite statement that underpins the Framework by describing a safe and sound risk culture and the quantitative limits incorporating sound stress-testing processes. Included in the risk culture, the OCC expects to see open dialogue and information-sharing among front line units, consideration of all risks, and compensation and performance management programs that reward compliance and hold violators accountable. A bank’s board may tailor its parent company’s statement to make it applicable to the bank, but in doing so it must ensure the sanctity of the bank charter by documenting any necessary adjustments or material differences between the respective risk profiles.

Risk Limits

In the Final Guidelines, the OCC has removed language in the proposed guidelines that implied that front line units must guarantee that the concentration limits they establish will avoid excessive risk. Otherwise, the Final Guidelines remain unchanged in calling for policies and supporting processes appropriate for a bank’s size and risk profile that identify, measure, monitor and control concentration of risk.

Talent Management

Recognizing the need spotlighted by many commenters to reduce operational burdens on bank boards, the OCC has focused the Final Guidelines on the board oversight role. This focus is especially evident in connection with the talent management program for high-level employees. Among its responsibilities, the board must approve a written talent management program, appoint the CEO and approve management’s appointment of the CRE and CAE. The board is not expected to oversee talent development, recruitment, and succession planning for IRM, IA, and employees two levels below the CEO.


While continuing to require compensation and performance management programs that reflect adherence to the Framework, the OCC revised the Final Guidelines to require front line unit compensation plans to consider the severity of concerns identified by IRM and IA together with the timeliness of corrective action taken.


As noted already, but deserving re-emphasis, the Final Guidelines key the board-of-director standards to the strategic and oversight role they play with respect to design and implementation of the Framework. The OCC has taken pains, in response to extensive comments, to avoid imposing undue operational burden and managerial responsibilities on the board, and it expressly states that the board is not a guarantor of results under the Framework. As a core duty, the board must actively oversee the bank’s risk-taking activities, approving changes to, and monitoring compliance with, the Framework. Members of the board are expected to have a comprehensive understanding of the bank’s risk-taking activities and must dedicate sufficient time and energy to reviewing information, especially from IRM and IA, and questioning or, if necessary, opposing management recommendations and decisions. The OCC expects all directors to exercise sound, independent judgment. Additionally, the Final Guidelines require each bank to have at least two independent board members, meaning generally that they have not been officers or employees of the parent company or the bank for three years or a member of the immediate family of any such executive officer. Unlike the proposed guidelines, the Final Guidelines give the board flexibility in structuring a formal, ongoing training program that is tailored to each director’s needs, experience and education. Finally, the board must conduct an annual self-assessment of its effectiveness in meeting these standards.

Pepper Point: Although the OCC was responsive to a broad range of comments in revising the Final Guidelines, it made little reference to the concern raised by many commenters regarding the absence of coordination with the other federal banking agencies. By acting unilaterally, the OCC is risking misalignment and confusion with standards erected for banks and bank holding companies regulated by the Federal Reserve Board and FDIC.

Pepper Point: Despite its protestations that the issuance of guidelines offers banks desirable flexibility, the truth is that the OCC now has added a major weapon to its arsenal in enforcing prudential standards for risk governance. How it uses this new power will depend on the flexibility of examiners in applying the guidelines to individual institutions.