September 15, 2014
Transforming Heightened Expectations to Minimum Standards
On September 2, 2014, the Office of the Comptroller of the Currency (OCC) published final guidelines, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations, to strengthen the governance and risk management practices of large financial institutions.1
One of the most important points we see is a purposeful shift from Heightened Expectations to Minimum Standards; that transformation is the real essence of the guidelines. There also appears to be a clear focus on driving toward more objective measures and criteria for compliance with the Minimum Standards, without creating simple “check the box” compliance exercises. Clear throughout the guidelines is that the front-line functions must own and be accountable for the risks they create. The final guidelines substantially reflect what was proposed in the notice of proposed rulemaking (NPR) in January 2014. This Flash Report discusses the content and scope of the OCC’s final guidelines and highlights some of the more important components.
We also see the possibility that slight variations to meeting the Minimum Standards may be allowed, as long as evidence exists to show that the institution isn’t putting itself at risk and is covering all its risks. The use of “should” versus “must” throughout the guidelines is a significant message, as it allows for examiner judgment. The OCC will likely be looking for banks to be in substantial compliance by the required compliance dates – a gap may be allowed as long as the institution can demonstrate that the gap doesn’t inhibit the bank’s ability to manage risk.
Going forward, we expect the OCC to develop implementation guidance through revisions to the Comptroller’s Handbook (a series of booklets outlining the OCC’s supervisory guidance and expectations). We hope revised handbook sections will provide additional background on the intent of the Heightened Standards, more detail around the standards, and transparency into examination procedures. Handbook revisions are expected by early 2015.
Which Financial Services Institutions Are Affected?
The guidelines apply to “covered banks,” which are defined as:
- Any insured national bank or federal savings association with average total consolidated assets equal to or greater than $50 billion.
- Any insured federal branch of a foreign banking organization with average total consolidated assets equal to or greater than $50 billion.
- An OCC-regulated institution with less than $50 billion in average consolidated assets if that institution’s parent company controls at least one other covered institution.
- At the OCC's discretion, an institution with less than $50 billion in average total consolidated assets if it determines the institution is highly complex or presents a heightened risk, based on consideration of the institution’s complexity of products and services, risk profile, and scope of operations.
Given the potential scope of application, OCC-supervised banks of all types should examine the guidelines closely and assess their relevance to their operations.
The compliance date is staggered based on the size of an institution. The guidelines were published in the Federal Register on September 11, 2014, and take effect on November 10, 2014 (the “effective date”). Institutions with $750 billion or more in average total consolidated assets must comply on the effective date; institutions with average total consolidated assets of $100 billion or more but less than $750 billion must comply within six months of the effective date; and the remaining covered institutions must comply within 18 months of the effective date. For purposes of determining compliance, any institution that subsequently reaches the $50 billion threshold will be required to comply within 18 months from the as-of date of the Call Report used to determine that the institution had reached the threshold.
The final guidelines consolidate the safety and soundness guidelines by removing 12 CFR 170 (which only applied to federal savings associations) and applying 12 CFR 30 and all appendices to all national banks and federal savings associations. These guidelines provide that if a bank or savings association fails to meet the prescribed standards, the OCC may require the institution to submit a plan specifying the steps it will take to comply. If the institution, after being notified that it is in violation of the safety and soundness standards, fails to submit an acceptable compliance plan or fails materially to comply with an OCC-approved plan, then under section 8 of FDIA, 12 U.S.C. § 1818(b), the OCC may issue an enforceable order. Codifying these guidelines as an appendix to Part 30 provides an enforcement mechanism that gives the OCC significantly more leverage to ensure heightened standards are met than was the case before codification.
What Do the Final Guidelines Say?
The guidelines set forth the minimum standards for the design and implementation of a covered bank’s risk governance framework (“Framework”) and oversight of that framework by the board of directors. The guidelines are organized in three parts: Part I is an introduction that explains the scope of the guidance and defines key terms; Part II contains minimum standards for the design and implementation of a covered bank’s Framework; and Part III sets forth minimum standards for the board of directors’ oversight of the Framework.
The final guidelines include some notable revisions sought by participants in the financial services industry. The final guidelines were revised to provide clarity around certain terms and requirements. Key points of clarification include: (1) clearer definition of “substantially the same risk profiles” of Parent and Covered Banks, and clearer guidance on when covered banks could potentially use components of its parent’s risk governance framework; (2) revised definition of front-line units (which excludes Human Resources and units that provide legal services from qualifying as front-line units); (3) clarification that the “Chief Audit Executive,” per the Standards, is the individual who leads internal audit and is one level below the CEO; and (4) a language change that preserves the focus of the Board of Directors on providing strategic guidance versus imposing managerial responsibilities on board members by removing terminology such as “ensure” and “active board oversight.”
Important Matters to Consider
Institutions should review the final guidelines and determine how the heightened standards might affect them. We’ve summarized below a few of the unique statements and challenges institutions may face as they contemplate compliance with the final guidelines:
- Distinction between “regulation” and “guideline” – Section 39 of the Federal Deposit Insurance Act (FDIA) prescribes different consequences depending on whether the standards the OCC authorizes are issued by regulation or guidelines. Pursuant to section 39, if a national bank or Federal savings association fails to meet a standard prescribed by regulation, the OCC must require it to submit a plan specifying the steps it will take to comply with the standard. If a national bank or Federal savings association fails to meet a standard prescribed by guideline, the OCC may require it to submit a plan – meaning the OCC has the discretion to decide whether to require the submission of such a plan.
Protiviti Comment: Since the OCC is issuing a guideline rather than a regulation, this will give the agency flexibility to determine the best course of action. This is a vitally important distinction.
GUIDELINE PART I – INTRODUCTION
- Definitions provided – Includes definitions of key concepts such as: “substantially the same” risk profiles; when a covered bank may use its parent company’s risk governance framework or when a covered bank should establish its own risk governance framework and can use components of its parent company’s risk governance framework; and what organizational units or functions constitute front-line units.
Protiviti comment: The definition of which organizational units or functions qualify as front-line units is one of particular interest. The final guidelines provide that when a unit is accountable for a risk and also meets at least one of three additional criteria, the unit will be considered a front-line unit. The three additional criteria are: 1) engages in activities designed to generate revenue or reduce expenses for the parent company or covered bank; 2) provides operational support or servicing to any organizational unit or function within a covered bank for the delivery of products and services to customers; or 3) provides technology services to any organizational unit or function covered by the Guidelines. The guidelines do explicitly state that a front-line unit does not ordinarily include an organizational unit or function within a covered bank that provides legal services to the covered bank.
GUIDELINE PART II – STANDARDS FOR RISK GOVERNANCE FRAMEWORK
- Standards and scope for risk governance framework – Covered banks need to establish and adhere to a formal, written risk governance framework that is designed by independent risk management and approved by the board of directors or the board’s risk committee. The framework should cover all the risk categories that apply to the covered bank including: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk. The standards also establish clear roles and responsibilities for the front-line units, independent risk management, and internal audit.
A covered bank may use its parent company’s risk governance framework if the framework meets the minimum standards and the covered bank has demonstrated through a documented assessment that the risk profiles of the parent and covered bank are substantially the same. When the risk profiles are not substantially the same, the covered bank should establish its own risk governance framework and may, in consultation with the OCC, use or rely on components of its parent company’s risk governance framework when developing its own framework, to the extent those components are consistent with the objectives of the guidelines.
Protiviti Comment: Specifically enumerating that all risk categories need to be covered in the framework is a point of clarification.
- Roles and responsibilities of organizational units that are fundamental to the design and implementation of the risk governance framework – The guidelines set forth the roles and responsibilities of the front-line units, independent risk management and internal audit (what is typically referred to as the three lines of defense).2 These units are required to establish an appropriate system to manage risk taking and ensure the board of directors has sufficient information on the institution’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions.
Protiviti Comment: Banks should review organizational structures to ensure roles and responsibilities of individual units align with these heightened standards.
- Covered bank’s use of parent’s framework – The guidelines state: “A covered bank may use its parent company’s risk governance framework in its entirety, without modification, if the framework meets these minimum standards, the risk profiles of the parent company and the covered bank are substantially the same … and the covered bank has demonstrated through a documented assessment that its risk profile and its parent company’s risk profile are substantially the same. The assessment should be conducted at least annually, in conjunction with the review and update of the risk governance framework performed by independent risk management….”
Protiviti Comment: This provision deals with the similarities between the covered bank and its parent holding company. Under the guidelines, risk profiles are considered substantially the same only when the covered bank’s average total consolidated assets represent 95 percent or more of the parent company’s average total consolidated assets. Even in cases where the risk profiles of the bank and the holding company are substantially the same, we believe the bank may still need to develop some additional framework. In most cases, the 95 percent threshold will probably not be met.
- When risk profiles are not substantially the same – The guidelines state: “When the parent company’s and covered bank’s risk profiles are not substantially the same, a covered bank may, in consultation with the OCC, incorporate or rely on components of its parent company’s risk governance framework when developing its own risk governance framework to the extent those components are consistent with the objectives of these Guidelines.”
Protiviti Comment: This clarification makes clear that, while some additional components may need to be developed, covered banks need not devise completely separate and redundant frameworks.
- Strategic plan – The CEO is responsible for the development of a written strategic plan with input from front-line units, independent risk management, and internal audit. The strategic plan should cover, at a minimum, a three-year period and account for changes to the risk governance framework as the institution’s risk profile changes. Additionally, the plan must be reviewed, updated and approved by the board at least annually. The board is required to monitor management’s efforts to implement the strategic plan.
Protiviti Comment: This language clarification is most appropriate and closely aligns with traditional roles and responsibilities of management and the board.
- Risk appetite statement – Covered banks should have a comprehensive written statement that articulates their risk appetite and provides the basis for their risk governance framework. This statement is required to include both qualitative components and quantitative limits. Qualitative components should be reflective of a safe and sound “risk culture”3 and the quantitative limits should incorporate stress testing processes, as appropriate, and the institution’s earnings, capital and liquidity levels.
The guidelines state: “Risk appetite means the aggregate level and types of risk the Board and management are willing to assume to achieve a covered bank’s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.”
Protiviti Comment: The OCC’s end in mind is for large banks to state their appetite for risk formally by setting benchmarks for capital strength, liquidity and earnings, along with "the amount of risk that may be taken in each line of business, and the amount of risk that may be taken in each key risk category monitored by the institution.” In our view, this is an area that will require immediate attention by many banks.
- Use of limit structures for concentration risk – The guidelines in Paragraph F. of Part II state: “Concentration and front-line unit risk limits. The risk governance framework should include concentration risk limits and, as applicable, front-line unit risk limits, for the relevant risks. Concentration and front-line unit risk limits should limit excessive risk taking and, when aggregated across such units, provide that these risks do not exceed the limits established in the covered bank’s risk appetite statement.”
Protiviti Comment: Institutions should evaluate the extent to which they utilize risk appetite at multiple levels throughout the organization, as well as how they accomplish it. In evaluating this provision, our sense is that the OCC is focused on cascading the risk appetite statement downward into the institution to establish more granular risk tolerances and thresholds, and to apply greater discipline in risk governance. For many institutions, this requirement will present a challenge. To illustrate, the focus on concentration risk could require enhanced policies, processes and procedures to: (1) define the scope of concentration risk; (2) establish formal concentration limits; (3) clarify roles, responsibilities and accountabilities for managing concentration risk (including adjustments to compensation structures); (4) report, manage and monitor concentration risk; and (5) enforce established limits through formal review processes and escalation protocols. Thus, institutions may need to strengthen their internal controls, periodically assess the adequacy of allocated capital given the level of concentration risk in their loan and asset portfolios, and adjust allocated capital for changes in circumstances. Accordingly, we believe it is possible the OCC may issue more prescriptive guidance surrounding concentration risk, which would add further complexity to the compliance process.
The guidelines on concentration risk (Paragraph I. of Part II) state: “Concentration risk management. The risk governance framework should include policies and supporting processes appropriate for the covered bank’s size, complexity, and risk profile for effectively identifying, measuring, monitoring, and controlling the covered bank’s concentrations of risk.”
Protiviti Comment: These and other provisions (for example, Paragraph F. of Part II) indicate that the OCC will continue to place significant importance on concentration risk, and not just traditional credit, counterparty and funds-provider concentrations, but concentrations of all types, including third-party and vendor concentrations. We recommend that the risk governance framework around concentration risk be specific and analyzed down to the line-of-business level. Accordingly, institutions should consider how they evaluate and manage concentration risk because, as discussed above, the guidelines could require strengthening of internal controls and assessment and adjustment of allocated capital over time as circumstances change.
- Guidance relating to CRO and CAE roles – The guidelines state: “Chief Audit Executive (CAE) means an individual who leads internal audit and is one level below the Chief Executive Officer (CEO) in the Bank’s organizational structure. Chief Risk Executive (CRE) means an individual who leads an independent risk management unit and is one level below the CEO in the Bank’s organizational structure.”
Protiviti Comment: The OCC is defining organizational structure and reporting lines for these individuals. We feel this is an important clarification regarding the reporting of the CAE and the Chief Risk Officer (CRO), whom the guidelines refer to as the Chief Risk Executive. Per the Standards, the CAE and CRO are the executives who have the audit (or risk) functions reporting to them and who report directly to the CEO. So in situations, for example, where the General Auditor reports to the General Counsel or someone other than the CEO directly, the General Counsel (or other executive to whom internal audit reports) effectively becomes the Chief Audit Executive for purposes of the guidelines and is accountable for ensuring internal audit achieves the minimum standards. The same would apply to the Chief Risk Officer: if that individual reports to someone other than the CEO directly (for example, the CFO), then the executive who reports to the CEO becomes the Chief Risk Executive for purposes of the guidelines. Accordingly, institutions should review their current organizational structure to ascertain how it compares to the standard and the implications of the guidance.
- Additional guidance in Part II – Part II of the framework must also include processes and supporting documentation for the following:
- Concentration and risk limits that limit excessive risk taking
- Risk appetite review, monitoring and communication at all levels of the organization
- Processes for addressing limit breaches
- Concentration risk management
- Risk data aggregation and reporting
- Relating risk appetite statement, concentration risk limits, and front-line unit risk limits to other processes such as strategic and annual operating plans, capital stress testing, liquidity stress testing, product risk management, acquisitions and divestitures, and compensation and performance management programs
- Talent management
- Compensation and performance management programs
Protiviti Comment: Again, the framework emphasizes formal processes and documenting evidence supporting that risk management programs and processes are well designed and operating effectively.
GUIDELINE PART III – STANDARDS FOR BOARD OF DIRECTORS
- Require an effective risk governance framework – The Board should require management to implement an effective risk governance framework that meets the minimum standards in the guidelines.
- Provide active oversight of management – The Board should oversee risk-taking activities and hold management accountable for adhering to the risk governance framework.
The guidelines on board responsibilities (Paragraph B. of Part III) state: “Provide active oversight of management. A covered bank’s board of directors should actively oversee the covered bank’s risk-taking activities and hold management accountable for adhering to the risk governance framework. In providing active oversight, the board of directors may rely on risk assessments and reports prepared by independent risk management and internal audit to support the board’s ability to question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the covered bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the covered bank.”
Protiviti Comment: The OCC does not expect the Board to manage the bank day to day, but there is a heavy accountability in actively overseeing and challenging management. Institutions should evaluate their board risk oversight processes in light of this guidance, including the reporting that informs those processes.
- Exercise independent judgment – When providing active oversight, board members need to exercise sound, independent judgment to ascertain when to engage management constructively on risk governance matters.
- Include independent directors – At least two members of the board of directors should not be an officer or employee of the parent company or covered bank presently or during the previous three years.
The guidelines on including independent directors (Paragraph D. of Part III) state: “Include independent directors. To promote effective, independent oversight of the covered bank’s management, at least two members of the board of directors:
1. Should not be an officer or employee of the parent company or covered bank and has not been an officer or employee of the parent company or covered bank during the previous three years; 2. Should not be a member of the immediate family, as defined in § 225.41(b)(3) of the Board of Governors of the Federal Reserve System’s Regulation Y (12 CFR 225.41(b)(3)), of a person who is, or has been within the last three years, an executive officer of the parent company or covered bank, as defined in § 215.2(e)(1) of Regulation O (12 CFR 215.2(e)(1)); and 3. Should qualify as an independent director under the listing standards of a national securities exchange, as demonstrated to the satisfaction of the OCC.”
Protiviti Comment: Placement of at least two independent members who do not hold management positions in the bank or its parent holding company could be an area in which national banks will face challenges. For example, the available pool of qualified board members is in the forefront of issues that come to mind. Institutions should consider this question in light of their current board structure, both at the holding company and bank levels, as well as any perceived obstacles to compliance. Clearly, the OCC’s intent is to introduce more independent directors into the composition of the board at the bank level.
- Provide ongoing training to directors – Establish a formal training program for all directors, considering each director’s knowledge and experience and the covered bank’s risk profile.
- Self-assessments – Conduct an annual self-assessment that includes an evaluation of the board’s effectiveness in meeting the standards of this section.
It is likely that most large banks have taken steps to comply with many of the provisions in these final guidelines, because the OCC has been signaling change for some time. However, all banks will likely have additional work to do. The only way to know how much work is necessary is for each bank to compare its risk governance framework against the requirements set forth in these final guidelines. Midsize banks, in particular, would be well served to take a close look at how these guidelines might affect them, today or in the not-too-distant future.
We can expect these final guidelines to become an important part of the supervisory fabric for insured institutions to be conscious of, and compliant with, as the OCC streamlines the enforcement process.