What the Interagency Guidance on Credit Risk Review Systems Means for Your Institution


On May 8, 2020, the Agencies[1] released a final version of the Interagency Guidance on Credit Risk Review Systems. This final guidance applies to all institutions supervised by the Agencies and supersedes regulatory expectations for credit risk review systems documented in Attachment 1, Loan Review Systems, of the 2006 Interagency Policy Statement on the Allowance for Loan and Lease Losses (ALLL). In this Flash Report, we highlight the major components of the final guidance, key updates and clarifications, and what they mean for your institution from a risk management perspective.

Noteworthy Clarifications

While many of the safety and soundness expectations remain substantially the same, including the focus on independence, the final guidance provides the following clarifications:

  • The roles and responsibilities of credit risk review are more clearly delineated, and the release establishes additional guidance for institutions of different sizes and complexity to achieve independence, as highlighted below:
    • Credit risk review’s role should remain distinct from other functions when executing an independent assessment of credit risk. However, credit risk review can rely on information from other functions when concluding on credit quality but must critically challenge the information and maintain an independent view. For example, when performing risk assessments that support the credit risk review plan, credit risk review can leverage inputs from other sources or functions but cannot rely exclusively on this information.
    • The guidance provides additional clarity for small and rural institutions with fewer resources or employees. Larger or more complex institutions should have a dedicated credit risk review function independent of the unit’s lending function. Smaller or rural institutions may supplement their credit review system to include qualified members of the staff from within the institution who are independent of the credits being assessed. Regardless of size and complexity, the review process must be performed by individuals who are not originating or approving specific credits, and whose compensation is not influenced by the assigned risk ratings.
  • The Agencies recognize that an effective credit risk rating framework will have differences in approaches when evaluating retail and commercial loans and portfolios, and, as such, the final guidance:
    • Acknowledges that institutions may determine the scope of the credit review by segmenting portfolios by similar risk characteristics, such as those related to borrower risk, transaction risk and other risk factors.
    • Recommends that when evaluating the adequacy of the sources of repayment, credit risk review can consider the business line’s use of models or other automated decision tools leveraged for credit decisioning or risk rating, and how these tools are applied. Account management strategies, portfolio management activities and collections should also be evaluated.
  • The use of key risk indicators or performance metrics to support adjustments to the frequency and scope of reviews is emphasized. For example, one approach applied by credit risk review functions to enhance their ongoing oversight of credit risk is to establish a continuous monitoring program, as discussed in Protiviti’s white paper, Credit Review: Getting to Strong via Continuous Monitoring.
  • The scope areas of credit risk review were expanded. This update may require credit risk review functions to revisit their review plans to ensure these areas are factored into their scope of coverage, or adequately considered elsewhere within the organization. The additions to the scope of reviews include:
    • Sample of not just smaller loans, but also new loans and new loan products.
    • Loans with higher-risk indicators, such as low credit score, high credit lines, or those credits approved as exceptions to policy. Institutions can select their own indicators and policy exception parameters, but they should align with the organization’s risk profile.
    • Portfolios with similar risk characteristics, including retail.
    • Portfolios experiencing rapid growth.
    • Exposures from non-lending activities, which also pose credit risk. While non-lending activities are not explicitly defined in the final guidance, the supplementary information released with it provides examples, such as investment securities, capital markets, treasury, or automated clearinghouse.
  • Guidelines for the depth of reviews focus not only on individual transactions but also on portfolio reviews. The final guidance focuses on portfolio management activities, such as risk identification and adequacy of sources of repayment, which provide additional clarity from a retail perspective. The revised evaluation criteria also include evaluating reasonableness of underwriting assumptions (e.g., borrower cash flow forecasts) and creditworthiness of guarantors or sponsors.
  • Reporting requirements were modified to clarify that not only should reporting include current credit quality findings, comparative trends, and adequacy of adherence to internal policies and procedures as well as applicable laws and regulations, but should also include adequacy of the quality of underwriting and risk identification (portfolio management), as well as management’s response to findings. Management’s responsiveness should also be reported to the board.

Key Questions to Consider

While the final guidance focuses on current industry practices and procedures for smaller institutions, most financial institutions are likely already aligned with its expectations. Still, we consider it worthwhile for institutions to review and evaluate whether their credit risk review functions adhere to the updated safety and soundness expectations. Key questions to consider when assessing your institution’s adherence to the updated guidance may include:

  • Does your institution have a written credit risk review policy that is reviewed and approved by the board of directors at least annually?
  • Is your institution’s credit risk review function staffed with experienced and knowledgeable personnel who not only understand sound lending practices and the institution’s lending guidelines, but also understand the complexity and risk profile of the institution?
  • Is there clear independence of personnel who are not involved with originating or approving credit exposures and whose compensation is not influenced by the credit quality of the portfolio?
  • Are ongoing monitoring, key risk indicators or performance metrics used to adjust the frequency of reviews?
  • Are changes to the risk profile of the reviewable universe effectively communicated to the board at least quarterly?
  • Does the scope of review cover all segments of the loan portfolio or other activities that pose credit risks or concentrations, and does it consider current market conditions or other external factors that may affect a borrower’s current or future ability to repay?
  • Is the scope approved by the board annually or whenever significant interim changes are made to adequately assess the quality of the current portfolio?
  • Does the depth of reviews include the evaluation of credit quality, soundness of underwriting standards and risk identification, borrower performance, adequacy of the sources of repayment, reasonableness of assumptions, creditworthiness of secondary/tertiary sources of repayment, sufficiency of documentation and lien perfection, proper approvals consistent with internal policies, adherence to covenants, compliance with internal policies and procedures, appropriateness of credit loss estimation, and accuracy of risk ratings, among other factors?
  • Does the discussion of findings include all noted deficiencies and identified weaknesses, as well as planned corrective actions conducted with appropriate loan officers and management? Are planned corrective actions monitored and followed up on, including being reported to senior management and the board as applicable?
  • If credit risk review personnel and loan officers disagree about the credit quality of a loan or loan portfolio, does the lower credit quality rating prevail?
  • Does communication and distribution of results include a list of all exposures reviewed, the date of review, and a summary analysis that substantiates the risk ratings assigned to the exposures reviewed?
  • Are results of credit risk reviews communicated to the board at least quarterly, and do they include comparative trends that identify significant changes in the overall quality of the portfolio, adherence to internal policies and procedures, the quality of underwriting and risk identification, management’s responsiveness to findings, and compliance with laws and regulations?


Overall, the updated guidance largely clarifies existing guidance, with a few specific additional considerations for most institutions. Should you have any questions about particular areas of this updated guidance, in general or in relation to your institution, we would welcome the opportunity to discuss and share additional insights.

LINK TO GUIDANCE: Federal Register

[1] The term “Agencies” refers to the Office of the Comptroller of the Currency (OCC); Treasury Department; Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and National Credit Union Administration (NCUA).


Bill Byrnes
Bill is a Managing Director with Protiviti. In his current role, Bill oversees all aspects of Protiviti’s US credit risk management practice. This includes consulting and advisory services related to the consumer and commercial business units of regional, national, and ...
Ariste Reno
Ariste is a Managing Director with Protiviti in the Risk and Compliance Practice. She has over 25 years of credit risk management, financial advisory and banking experience. She specializes in providing advisory services to clients including loss estimation for ...