Bank Corporate Governance and the New Supervisory Framework

March 21, 2013

Having transformed U.S. bank regulation, Dodd-Frank implementation is now reshaping bank corporate governance.  Recent rulemakings and proposals by the Board of Governors of the Federal Reserve System (Federal Reserve) point to a far more prescriptive approach to corporate governance for significant bank holding companies and significant foreign banking organizations with U.S. operations (FBOs) than traditionally has been the case.  This approach should also be expected to apply to systemically significant nonbank financial companies (Nonbank SIFIs) designated by the Financial Stability Oversight Council.

In addition, Dodd-Frank has allowed regulators to expand their toolkit for dealing with perceived corporate governance failings, and so non-compliance with the new governance requirements may lead to greater supervisory consequences.

Below, we describe the principal new responsibilities that boards of directors and senior management should expect under the Federal Reserve’s new supervisory regime, as well as the increased penalties that may be imposed if those responsibilities are not met.

Implementation of Financial Stability Provisions of Dodd-Frank

Title I of Dodd-Frank seeks to avoid future financial crises by imposing heightened requirements on financial firms of substantial size and interconnections.  These requirements include stress tests, capital plans, resolution planning, and enhanced liquidity and risk management standards.  In implementing Dodd-Frank’s requirements in these areas, the Federal Reserve has laid out specific responsibilities for boards of directors and other specific governance mandates.

Federal Reserve Stress Test Rule

Applicability:

  • U.S. bank holding companies, state member banks, and, once they are subject to consolidated capital requirements, savings-and-loan holding companies, in each case with total consolidated assets of $10 billion or more
  • U.S. Nonbank SIFIs
  • The Federal Reserve has proposed that the rule also apply to U.S. intermediate holding companies with total consolidated assets of $10 billion or more established by FBOs with $50 billion or more in global total consolidated assets[1]

Under the Federal Reserve’s final stress test rule, the board of directors of a covered company, or a committee of the board, must review and approve the policies and procedures relating to stress testing processes as frequently as warranted by economic conditions or the condition of the company, but no less than annually.  Senior management is responsible for establishing a system of controls, oversight, and documentation to ensure that stress testing processes are effective.

In addition, a covered company’s board of directors and senior management must consider the results of stress tests, as appropriate, as part of the company’s capital planning process, including when making changes to the company’s capital structure; when assessing the company’s exposures, concentrations, and risk positions; and when developing recovery and resolution plans.

Federal Reserve Capital Plan Rule

Applicability:

  • Bank holding companies with total consolidated assets of $50 billion or more
  • The Federal Reserve has proposed that the rule also apply to U.S. Nonbank SIFIs and to U.S. intermediate holding companies with total consolidated assets of $50 billion or more established by FBOs with $50 billion or more in global total consolidated assets

Under the Federal Reserve’s final capital plan rule, the board of directors of a covered company, or a designated board committee, must review the “robustness” of the company’s process for assessing capital adequacy, ensure that any deficiencies in the company’s process for assessing capital adequacy are appropriately remedied, and approve the company’s capital plan.

The Federal Reserve has prescribed the manner in which “robustness” is to be evaluated, which is based on seven elements:

  • A sound risk management infrastructure
  • An effective process for translating risk measures into estimates of potential loss, over a range of adverse scenarios and environments
  • A clear definition of available capital resources and an effective process for forecasting available capital resources
  • A process for considering the impact of loss and resource estimates on capital adequacy
  • A process to use assessments of loss and resource estimates on capital adequacy to make key decisions on capital planning
  • Robust internal controls governing capital adequacy components
  • Effective board and senior management oversight of the capital adequacy process, including regular reviews

The Federal Reserve has further indicated, with respect to its oversight of the capital planning process, that it would focus on whether boards of directors and senior management conduct periodic reviews of capital goals, assess the appropriateness of the adverse economic scenarios used, review the capital planning process for limitations and uncertainties, and appropriately approve contemplated capital actions.[2]

Basel III’s Advanced Approaches Implementation

Applicability:

  • U.S. banking institutions with total consolidated assets of $250 billion or more
  • U.S. banking institutions with total consolidated on-balance sheet foreign exposure of $10 billion or more
  • Other U.S. banking institutions that elect the advanced approaches and comply with all applicable requirements

Implementation of Basel III is a key complement to Dodd-Frank implementation.  The current proposal on Basel III’s advanced approaches, which permit internal models to be used to calculate risk-weighted assets, includes the following governance requirements:

  • As a condition to using the advanced approaches, an institution’s board of directors must approve a written plan implementing the advanced approaches
  • The institution “must maintain a comprehensive and sound planning and governance process to oversee the implementation efforts”
  • The institution must have an operational risk management function that is independent of business line management and that reports to the board of directors or a designated committee of the board
  • The board of directors, or a designated committee, must review, at least annually, the effectiveness of the systems supporting capital calculations under the advanced approaches
  • The board of directors, or a designated committee, must annually receive a report from an internal audit function regarding the controls supporting the company’s systems used to make capital calculations
  • The board of directors must approve a formal disclosure policy that addresses the institution’s approach for determining the disclosures required by Basel III as well as relevant internal controls and procedures    

Resolution Planning

Applicability:

  • U.S. bank holding companies and FBOs with global total consolidated assets of $50 billion or more
  • Nonbank SIFIs

Under the Federal Reserve’s final resolution planning rule, a covered company’s resolution plan must include a detailed description of the company’s governance with respect to the planning process, and must describe:

  • How resolution planning is integrated into the corporate governance structure and processes of the company
  • The company’s policies, procedures, and internal controls governing preparation and approval of the resolution plan
  • The identity and position of the senior management officials of the covered company primarily responsible for overseeing the development, maintenance, implementation and filing of the resolution plan and compliance with the resolution plan regulations
  • The nature, extent, and frequency of reporting to senior executive officers and the board of directors regarding the development, maintenance, and implementation of the resolution plan
  • The nature, extent, and results of any contingency planning since the date of the most recent plan’s filing to assess the viability of or improve the resolution plan
  • The relevant risk measures used to report credit risk exposures, both internally and externally[3]

The fact that specific governance structures must be described in resolution plans, of course, means that examiners will expect those structures to be maintained over time.

Federal Reserve Section 165 Proposals

Prescriptive corporate governance rules are taken even further in the Federal Reserve’s proposed regulations implementing the enhanced prudential standards required by Section 165 of Dodd-Frank, which the Federal Reserve characterized as “provid[ing] a core set of concrete rules to complement . . . existing efforts to enhance the supervisory framework for covered companies.”  This “concrete” approach to corporate governance is reflected in the proposals’ requirements on liquidity management and risk management for both domestic covered companies and FBOs, and, for FBOs, in the intermediate holding company requirement.

Domestic Section 165 Proposal

Applicability:

  • U.S. bank holding companies with total consolidated assets of $50 billion or more
  • U.S. Nonbank SIFIs

With respect to liquidity management, the Federal Reserve affirmatively stated that the proposed regulation departs from its traditional approach of overseeing liquidity risk management through supervisory guidance.  Instead, the proposal lays out a detailed governance structure with responsibilities for the company’s board of directors, risk committee, senior management, and a review function independent of the management functions that execute funding.

The domestic proposal would also require covered companies to have an “enterprise-wide risk committee” consisting of members of its board of directors, chaired by an independent director[4] and having a board-approved formal written charter,[5] as well as a chief risk officer reporting directly to both the enterprise-wide risk committee and the company’s chief executive officer.

Foreign Section 165 Proposal

Applicability:

  • FBOs with global total consolidated assets of $50 billion or more

The proposed Section 165 regulation for FBOs would require FBOs with $50 billion or more in total global consolidated assets and $10 billion or more in total consolidated U.S. nonbranch assets to form an intermediate holding company for their U.S. operations.  “To help ensure a strong, centralized corporate governance system,” the intermediate holding company would be required to be governed by a board of directors or managers operating in substantially the same manner as a U.S. corporate board.  The proposal thus departs from the current concept of a “virtual holding company,” where the U.S. operations of FBOs may be organized under different ownership chains, but there is an overall management structure overseeing those chains.

In addition, FBOs with $50 billion or more in total consolidated U.S. assets would be subject to liquidity and risk management requirements similar to the domestic proposal, with most responsibilities being given to a U.S. risk committee and U.S. chief risk officer, both of which the proposal would require.  The U.S. risk committee for such FBOs would be required to have at least one independent member.[6]

The principal responsibilities assigned under the domestic and foreign proposals are described in detail in the accompanying charts.

Increased Sanctions for Governance Failings — Early Remediation Proposals 

Under the new supervisory regime, failure to comply with governance requirements may lead to increased sanctions.  Traditionally, ineffective governance and risk management could lead to a lowering of supervisory ratings.  Under the Federal Reserve’s proposed rules implementing Dodd-Frank’s early remediation requirements, however, board and senior management failings would have additional consequences.  Failure to comply with the enhanced liquidity management or risk management standards would lead to level 1, level 2, or level 3 remediation, depending on the severity of the noncompliance.  The higher levels of remediation include, among other restrictions, limitations on capital distributions, asset growth, acquisitions, and executive compensation.

Conclusion

For significant financial institutions, a new corporate governance regime which regulators view as intrinsically linked to satisfactory compliance with Dodd-Frank’s prudential requirements is being born.  The era of flexible structures subject to bank supervisory guidance and recommendations is giving way to an era of codified responsibilities for boards of directors and senior management.  Compliance with these new responsibilities should be expected to become the subject of regulatory examinations, which in turn will determine whether particular institutions maintain sound ratings or become subject to supervisory action or early remediation.


Enhanced Prudential Standards — Primary Responsibilities

U.S. Bank Holding Company/Systemically Significant Nonbank Financial Company

Responsibility | Minimum Frequency (Ongoing, unless otherwise stated)

Board of Directors

Oversee liquidity risk management processes | May be delegated to the Risk Committee
Review and approve liquidity risk management strategies, policies, and procedures established by senior management | May be delegated to the Risk Committee
Establish liquidity risk tolerance | Annually
Review information provided by senior management to determine whether the company is managed in accordance with the established liquidity risk tolerance | Semi-annually
Review and approve the company’s contingency funding plan | Annually, and whenever the company materially revises the plan

Risk Committee (or Designated Sub-Committee)

Review and approve liquidity costs, benefits, and risks of each significant new business line and each significant new product; consider whether liquidity risk of the new business line or product under current conditions and under liquidity stress is within company’s established liquidity risk tolerance | Before company implements a new business line or offers a significant new product
Review approved significant business lines and products to determine whether each line or product has created any unanticipated liquidity risk, and to determine whether liquidity risk of each strategy or product continues to be within company’s established liquidity risk tolerance | Annually
Review regulatorily required cash flow projections to ensure that company’s liquidity risk is within the established liquidity risk tolerance | Quarterly
Review and approve liquidity stress testing, including stress testing practices, methodologies, and assumptions | Quarterly, and whenever the company materially revises its liquidity stress testing
Review liquidity stress testing results | Quarterly
Approve the size and composition of the liquidity buffer | Quarterly
Review and approve specific limits established to control liquidity risk and review company’s compliance with those limits | Quarterly
Review liquidity risk management information necessary to identify, measure, monitor, and control liquidity risk and ensure regulatory compliance | Quarterly
Review independent validation of required liquidity stress tests | Periodically
Establish procedures governing content of senior management reports on liquidity risk profile and other regulatorily required information
Oversee the operation of an appropriate enterprise-wide risk management framework commensurate with company’s capital structure, risk profile, complexity, activities, size, and other appropriate risk-related factors

Chief Risk Officer

Oversee the allocation of delegated risk limits and monitoring compliance with such limits
Oversee implementation of, and ongoing compliance with, appropriate policies and procedures relating to risk management governance, practices, and risk controls
Oversee development of appropriate processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging risks, on an enterprise-wide basis
Oversee management of risk exposures and risk controls within the parameters of the company’s risk control framework
Oversee monitoring and testing of risk controls
Oversee reporting of risk management deficiencies and emerging risks to enterprise-wide risk committee
Ensure that risk management deficiencies are effectively resolved in a timely manner

Senior Management

Establish and implement strategies, policies, and procedures for managing liquidity risk, including overseeing development and implementation of liquidity risk measurement and reporting systems, cash flow projections, liquidity stress testing, liquidity buffer, contingency funding plan, specific limits, and monitoring procedures
Report to risk committee or designated subcommittee on the company’s liquidity risk profile and provide information to the board of directors (or risk committee) to facilitate oversight of the liquidity risk management process

Independent Review Function

Review and evaluate adequacy and effectiveness of company’s liquidity risk management processes | Annually
Assess whether company’s liquidity risk management complies with applicable laws, regulations, supervisory guidance, and sound business practices
Report regulatory noncompliance and other material liquidity risk management issues to the board of directors or the risk committee in writing for corrective action

Enhanced Prudential Standards — Primary Responsibilities

Foreign Banking Organization

Responsibility | Minimum Frequency (Ongoing, unless otherwise stated)

Board of Directors (or Enterprise-Wide Risk Committee)

Concur in the approval of liquidity risk tolerance for FBO’s combined U.S. operations | Annually

U.S. Risk Committee

Review and approve liquidity risk tolerance for FBO’s combined U.S. operations | Annually
Review and approve risk management practices of FBO’s combined U.S. operations
Oversee operation of an appropriate risk management framework for FBO’s combined U.S. operations commensurate with capital structure, risk profile, complexity, activities, and size of combined U.S. operations and consistent with enterprise-wide risk management policies
Meet and fully document and maintain records of its proceedings, including risk management decisions | Quarterly

U.S. Chief Risk Officer

Review and approve liquidity costs, benefits, and risks of each significant new business line and each significant new product; consider whether liquidity risk of new business line or product under current conditions and under liquidity stress is within FBO’s established liquidity risk tolerance for its combined U.S. operations | Before the FBO implements a new business line or offers a significant new product through its combined U.S. operations
Review significant business lines and products offered, managed or sold through combined U.S. operations to determine whether each business line or product has created any unanticipated liquidity risk, and to determine whether liquidity risk of each strategy or product continues to be within FBO’s established liquidity risk tolerance for its combined U.S. operations | Annually
Review and approve contingency funding plan for FBO’s combined U.S. operations | Annually, and when the FBO materially revises its contingency funding plan either as a whole or for its combined U.S. operations
Review cash flow projections required to ensure that liquidity risk of FBO’s combined U.S. operations is within the established liquidity risk tolerance | Quarterly
Review and approve liquidity stress testing practices, methodologies, and assumptions for FBO’s combined U.S. operations | Quarterly, and whenever FBO materially revises its liquidity stress testing
Review liquidity stress testing results for FBO’s combined U.S. operations | Quarterly
Approve size and composition of liquidity buffer for FBO’s combined U.S. operations | Quarterly
Review and approve specific limits to control liquidity risk and review compliance with those limits | Quarterly
Review liquidity risk management information for FBO’s combined U.S. operations necessary to identify, measure, monitor, and control liquidity risk and to ensure regulatory compliance | Quarterly
Establish procedures governing content of reports generated within FBO’s U.S. operations on the liquidity risk profile of the combined U.S. operations
Review strategies and policies and procedures for managing liquidity risk established by senior management of FBO’s combined U.S. operations
Review information provided by senior management of FBO’s combined U.S. operations to determine whether FBO is complying with the established liquidity risk tolerance for the combined U.S. operations
Report to the FBO’s U.S. risk committee and enterprise-wide risk committee (or designated subcommittee) on the liquidity risk profile of the company’s combined U.S. operations | Semi-annually
Provide other information to U.S. risk committee and enterprise-wide risk committee relevant to compliance with the established liquidity risk tolerance for the U.S. operations
Oversee implementation of, and ongoing compliance with, appropriate policies and procedures relating to risk management governance practices and risk controls of FBO’s U.S. operations
Oversee development of appropriate processes and systems for identifying and reporting risks and risk-management deficiencies, including emerging risks, on a combined U.S. operations basis
Oversee management of risk exposures and risk controls within the parameters of the FBO’s risk control framework for the combined U.S. operations
Oversee monitoring and testing of risk controls for the combined U.S. operations
Ensure that risk management deficiencies are effectively resolved in a timely manner

Independent Review Function

Review and evaluate adequacy and effectiveness of FBO’s liquidity risk management processes within combined U.S. operations | Annually
Assess whether FBO’s liquidity risk management of its combined U.S. operations complies with applicable laws, regulations, supervisory guidance, and sound business practices
Report regulatory noncompliance and other material liquidity risk management issues to U.S. risk committee and enterprise-wide risk committee for corrective action

   [1]   In each case, there are additional stress testing requirements for covered companies whose asset size is $50 billion or more.  National banks, federal thrifts, and state nonmember banks that have total consolidated assets of $10 billion or more are subject to their regulators’ stress testing requirements, which are similar to those imposed by the Federal Reserve.

   [2]   Similarly, for national banks and federal thrifts, the Office of the Comptroller of the Currency has noted that “a robust capital planning process is an integral and significant part” of the governance process and that “[e]xaminers should consider the quality of the bank’s overall corporate governance of the bank’s risk taking activities, including senior management and board oversight, when assessing capital adequacy.”  Upon taking over supervision of savings-and-loan holding companies, the Federal Reserve charged examiners with assessing the level of board and senior management involvement in capital planning, including documenting capital planning assessments in board and committee meeting minutes.

   [3]   The Federal Deposit Insurance Corporation’s final resolution planning rule for covered insured depository institutions contains similar requirements.

   [4]   Under the domestic proposal, to be independent, the director would be required:  (i) not to be an officer or employee of the company (and not to have been an officer or employee during the previous three years); (ii) not to be a member of the immediate family of any person who is, or has been within the previous three years, an executive officer of the company; and (iii) either to be an independent director under Item 407 of SEC Regulation S-K or to be demonstrated to the Federal Reserve’s satisfaction as qualifying as an independent director under the listing standards of a national securities exchange if the company were publicly traded on a national securities exchange.

   [5]   Under Section 165(h) of Dodd-Frank, bank holding companies with $10 billion or more, but less than $50 billion, in total consolidated assets must have a risk committee if they are publicly traded.  The Federal Reserve has proposed a U.S. risk committee requirement in the case of publicly-traded FBOs with $10 billion or more in total consolidated assets.

   [6]   The foreign proposal’s independence definition would be similar to that in the domestic proposal, but would omit the third requirement.


Gibson, Dunn & Crutcher’s Financial Institutions Practice Group lawyers are available to assist in addressing any questions you may have regarding these areas.  Please contact any member of the Gibson Dunn team, the Gibson Dunn lawyer with whom you normally work, or the following:

Arthur Long – New York (212-351-2426)
Chuck Muckenfuss – Washington, D.C. (202-955-8514)
Kimble Cannon – Los Angeles/Washington, D.C. (202-887-3652)
Alex Acree – Washington, D.C. (202-887-3725)
Colin Richard – Washington, D.C. (202-887-3732)

Please also feel free to contact the following members of the firm’s Securities Regulation and Corporate Governance Practice Group:

John F. Olson – Washington, D.C. (202-955-8522)
Brian J. Lane – Washington, D.C. (202-887-3646)
Ronald O. Mueller – Washington, D.C. (202-955-8671)
Amy L. Goodman – Washington, D.C. (202-955-8653)
James J. Moloney – Orange County, CA (949-451-4343)
Elizabeth Ising – Washington, D.C. (202-955-8287)
Gillian McPhee – Washington, D.C. (202-955-8201)

© 2013 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.