January 30, 2014
The Office of the Comptroller of the Currency (OCC) has issued for public comment proposed guidelines (Guidelines) to establish minimum standards for risk management governance at large insured national banks, insured federal savings associations, and insured branches of non-U.S. banks (Banks). The proposed Guidelines would generally apply to any such institution that has average total consolidated assets of $50 billion or more, measured over the four most recent consecutive quarters.
The Guidelines are yet another step in what is becoming a codified corporate governance framework for banking organizations that are deemed systemically significant, like the enhanced prudential standards proposed by the Board of Governors of the Federal Reserve System and the granular governance and compliance framework mandated by the final Volcker Rule.
The Guidelines — which would be enforceable against OCC-regulated banking institutions through supervisory action and, potentially, public orders and civil money penalties in the worst case — are yet another demonstration that, after the Financial Crisis, regulators are no longer willing to allow large banking organizations significant leeway to design their own risk management and corporate governance frameworks.
The Guidelines mandate separate responsibilities for a Bank’s board of directors (Board), chief executive officer (CEO), so-called “front-line” units, and independent risk management and internal audit functions. The Guidelines deem it critical that the risk management and internal audit functions have access to a Bank’s Board or appropriate Board committee, in order to check excessive risk-taking by management and front-line units.
Under the Guidelines, a Bank’s Board would have the following responsibilities:
Like the Board, the CEO is responsible for holding each unit accountable for its obligations under the Framework. In addition, the CEO is responsible for developing a written Strategic Plan for the Bank, with input from front-line units, independent risk management and internal audit.
At a minimum, the Strategic Plan should cover a three-year period and should contain a comprehensive assessment of risks affecting the Bank during that period, articulate an overall mission statement and strategic objectives for the Bank and include an explanation of how the Bank will achieve those objectives. In addition, the Strategic Plan should include an explanation of how the Bank will update its Framework to account for changes in the Bank’s risk profile projected under the Strategic Plan.
The CEO is also responsible for overseeing the day-to-day activities of the CAE and CRE, including budget and management accounting, human resources administration, internal communications and information flows, and administration of relevant policies and procedures.
The Guidelines define “front line units,” the units that create risk for a Bank, as any organizational unit within a Bank that:
Front-line units are responsible for managing — or, in the OCC’s parlance, “owning” — all risks associated with their activities. They are to assess, on an ongoing basis, the material risks associated with their activities and use these risk assessments to determine whether action is needed to strengthen risk management or reduce risk given changes in a unit’s risk profile. In addition, they are to establish and adhere to a set of written policies that include front-line risk limits designed to ensure that the risks of their activities are effectively identified, measured, monitored and controlled.
Under the Guidelines, “independent risk management” includes any organizational unit within the Bank that has responsibility for identifying, measuring, monitoring, or controlling aggregate risks. It is to be led by a CRE who reports to the CEO, is to be independent of the front-line units and internal audit, and should have the following duties:
A Bank’s internal audit function should maintain its independence from the Bank’s front-line and risk management units. Internal audit is to be led by the CAE, who reports to the Bank’s CEO, and it is responsible for ensuring that the Bank’s Framework complies with the Guidelines and is appropriate for the Bank’s size, complexity, and risk profile. Internal audit is also responsible for designing and implementing an audit plan, and maintaining a complete and current inventory of all the Bank’s material businesses, product lines, services, and functions, so that it may assess the risks associated with each.
The audit plan should rate the risk presented by each front-line unit, product line, service, and function, including activities that the Bank may outsource to a third party. The Guidelines state that a Bank’s audit plan should be updated at least quarterly and should take into account the institution’s risk profile as well as emerging risks and issues. All changes to the audit plan should be communicated to the Board’s audit committee.
In addition, internal audit should report in writing to the Board’s audit committee conclusions, issues, and recommendations resulting from the audit work carried out under the audit plan. The reports should include objective measures that enable the identification, measurement and monitoring of risk and internal control issues, and should include comments on the effectiveness of front-line units in identifying excessive risks and issues.
Internal audit should establish and adhere to a process for independently assessing the design and effectiveness of the Framework, which should be done at least annually. The assessment should include a conclusion about the Bank’s compliance with the Guidelines and the degree to which the Bank’s Framework is consistent with leading industry practices. Internal audit should also communicate to the Board’s audit committee significant instances in which front line units or independent risk management are not adhering to the Framework.
A Bank’s Framework is based on its “risk profile” — a “point-in-time assessment of the [B]ank’s risks, aggregated within and across each relevant risk category,” using methodologies consistent with the institution’s “risk appetite statement.”
In cases in which a Bank’s risk profile is substantially the same as its parent bank holding company’s, and the Bank has demonstrated “through a documented assessment” that its risk profile and its parent company’s risk profile are substantially the same, the Bank may use its parent company’s risk governance framework to satisfy the Guidelines. The Guidelines, however, impose an extremely high standard for when a parent company’s and a Bank’s risk profiles are considered substantially the same — namely, only if, as of the most recent quarter-end call report, the following conditions are met:
A Bank that does not satisfy this test can submit an analysis to the OCC demonstrating a substantially similar risk profile based on other factors.
If the parent company’s risk profile is not substantially similar, the Bank is required to develop its own Framework. Although certain components may be borrowed, the Bank’s Framework should ensure that the Bank’s risk profile is easily distinguished for risk management and supervisory reporting purposes.
The Guidelines further emphasize that, to “preserve the sanctity of the Bank charter,” assets and businesses should not be transferred into a Bank from nonbank entities without proper due diligence, and that a parent company should not establish complex booking structures that threaten the safety and soundness of its bank subsidiary.
Under the Guidelines, a Bank must establish and adhere to a formal, written Framework that covers each of the following risk categories that applies to the Bank: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk. Banks may choose to categorize underlying risks in a different manner than these eight categories, but regardless of how a Bank categorizes its risks, the required Framework must appropriately cover risks to the Bank’s earnings, capital, liquidity, and reputation that arise from its activities.
A Bank must have a comprehensive written statement that articulates the Bank’s risk appetite and serves as a basis for the Framework. The Guidelines define the term “risk appetite” as:
The Risk Appetite Statement should include both qualitative components and quantitative limits.
Qualitatively, the Statement should describe a safe and sound “risk culture” and how the Bank will assess and accept risks on a consistent basis. The Guidelines state that it is critical to set “an appropriate tone at the top,” and therefore the Statement should articulate the “core values” that the Board and CEO expect employees to share. The Guidelines also set forth the OCC’s view of a sound risk culture, which includes:
As for quantitative limits, they should incorporate sound stress testing processes, as appropriate, and should address the Bank’s earnings, capital, and liquidity positions. Although the Guidelines permit a Bank to set such limits on either a gross or net basis that takes into account appropriate capital and liquidity buffers, they state that limits should not be based on lagging indicators: rather, the limits should be set at levels that prompt management and the Board to manage risk proactively. For this reason, analyzing performance under various adverse scenarios is encouraged. Although Bank risk limits can be designed as thresholds, triggers, or hard limits, the OCC views thresholds and triggers that prompt discussion and action before a hard limit is reached or breached as “useful tools.”
The Framework should also include concentration risk limits, and, as applicable, risk limits for each front-line unit to ensure that those units do not create excessive risks. When aggregated across all such units, the risks should not exceed the limits established in the Bank’s Risk Appetite Statement. In addition, concentration risk limits and front-line risk limits may also need to be established for legal entities, units based on geographic areas or units based on product lines.
The Guidelines propose the following requirements:
Monitoring and reporting should be performed more often, as necessary, based on the size and volatility of the Bank’s risks and any material change to its business model, strategy, or risk profile.
With respect to breaches of risk limits, a Bank should establish and adhere to processes that require front line units and independent risk management to identify any breaches of the Risk Appetite Statement, concentration risk limits, and front-line unit risk limits, distinguish identified breaches based on the severity of their impact, and establish protocols for when and how to inform the Board, front line management, and the OCC of breaches.
The OCC notes that “[d]uring the financial crisis, it became apparent that many banks’ IT and data architectures were inadequate to support the broad management of financial risks.” Many banks, the OCC stated, “lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank level, across business lines, and among legal entities.” As a result, the OCC now expects banks to have “risk aggregation and reporting capabilities that meet the Board’s and management’s needs for proactively managing risk and ensuring that the Bank’s risk profile remains consistent with its risk appetite.”
In addition, a Bank’s front-line units and independent risk management should incorporate risk limits into their strategic and annual operating plans, capital stress testing and planning processes, product and service risk management processes, decisions regarding acquisitions and divestitures, and compensation and performance management programs.
The OCC proposed the Guidelines pursuant to Section 39 of the Federal Deposit Insurance Act (FDIA), which authorizes the OCC to prescribe safety and soundness standards in the form of a regulation or guidelines. If a national bank, federal savings association, or insured branch of a non-U.S. bank fails to meet a standard in the Guidelines, the OCC may, in its discretion, require the Bank to submit a plan specifying how it will achieve compliance. If the OCC requests a compliance plan, a Bank must generally submit a plan for approval within 30 days.
If the Bank fails to submit an acceptable plan, or materially fails to comply with a plan approved by the OCC, the OCC may issue a public order deeming the institution to be in noncompliance. Noncompliance may also be punished with a civil money penalty under 12 U.S.C. § 1818.
The Guidelines, with their detailed prescriptions, suggest that the OCC will continue to emphasize sound corporate governance processes as a means of ensuring prudent risk management. Although the OCC notes that certain of the Guidelines’ requirements have already been communicated informally via examinations and otherwise in the supervisory process, the fact that the Guidelines are being promulgated in a manner enforceable under the FDIA clearly indicates that the OCC will have much higher expectations for the future — and that large banking institutions will run much greater risks from non-compliance.
If a Bank’s independent director is also a member of the board of directors of the Bank’s parent holding company, she must consider the safety and soundness of the Bank when analyzing parent company decisions that affect the Bank’s risk profile.
The audit committee should review and approve internal audit’s overall charter, risk assessments and audit plans, as well as all decisions regarding the appointment or removal and annual compensation of the CAE. It should also make appropriate inquiries of management or the CAE to determine whether there are scope or resource limitations impeding the ability of internal audit to execute its responsibilities.
When a Bank’s risk profile is substantially the same as its parent company’s, the Bank’s Board may tailor the parent company’s Risk Appetite Statement to make it applicable to the Bank. A Bank’s Board, however, must approve the Bank-level statement and document any necessary adjustments or material differences between the Bank’s and parent company’s risk profiles.
Gibson, Dunn & Crutcher’s Financial Institutions Practice Group lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact any member of the Gibson Dunn team, the Gibson Dunn lawyer with whom you usually work, or the following:
Arthur S. Long – New York (212-351-2426)
Chuck Muckenfuss – Washington, D.C. (202-955-8514)
Michael D. Bopp – Washington, D.C. (202-955-8256)
Nicolas H.R. Dumont – New York (212-351-3837)
Alfred J. Chianese – New York (212-351-2353)
Colin Richard – Washington, D.C. (202-887-3732)