On September 11, 2014, the Office of the Comptroller of the Currency (OCC) published final Guidelines setting out heightened risk management standards for large banking organizations under its jurisdiction. The OCC had issued proposed guidelines in January 2014 for comment and made some revisions to the final version of the Guidelines in response to those comments.
The final rule applies to those national banks, federal savings associations and federally licensed branches of non-US banks (collectively, covered banks) that:
- Have their deposits insured by the Federal Deposit Insurance Corporation (FDIC), and
- Have either average total consolidated assets of $50 billion or more, or average total consolidated assets of less than $50 billion if the bank’s parent holds at least one covered bank that meets the $50 billion threshold
The Guidelines are effective November 10, 2014, but compliance dates for existing covered institutions vary from November 10, 2014, to May 10, 2016, depending upon the asset size of the bank. Newly covered institutions will have 18 months from the date they become covered in order to comply. The OCC reserves its authority to, as it deems warranted, extend the compliance deadlines, impose the standards on banking organizations that do not otherwise meet the asset threshold, and/or terminate the application of the standards to those that do meet the asset threshold.
Under the Guidelines, covered banks must develop a “risk governance framework” for their risk-taking activities. The basis for the framework is the bank’s “risk appetite” statement, which must describe the aggregate level and types of risk the board of directors and management are willing to assume to achieve the bank’s strategic objectives and its business plan. The risks that are to be covered by the framework are: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk and reputation risk.
The framework is to be in writing, designed by the bank’s independent risk management function and approved by the bank’s board of directors or its risk committee, and reviewed and updated at least annually or whenever improvements are necessary. A bank also must develop and maintain a three-year strategic plan, which would contain its overall mission statement and a description of its strategic objectives, including an explanation of how the bank will achieve those objectives.
The framework also must describe the responsibilities of the bank’s front line units (such as revenue-generating functions), independent risk management function and internal audit function in assessing, managing and overseeing the bank’s risk-taking activities. These responsibilities supplement, and do not replace, those responsibilities that these functions already may have under other federal banking regulations, such as operational and management standards provided in other OCC guidelines.
The board of directors also has its role to play in this framework. Aside from adopting and reviewing the basic risk management framework, the board, which should include at least two independent directors (as defined in the Guidelines), must oversee the bank’s compliance with safe and sound banking practices (including handling its risk-taking activities) and hold management accountable for adhering to the risk governance framework. Each director also must exercise “sound, independent judgment,” undergo regular training and conduct annual self-assessments. The final rule clarified the board of directors’ oversight role over the bank, revising language in the proposal that had caused commenters to argue that the OCC was requiring board members to undertake day-to-day managerial responsibilities over the bank’s activities.
Use of parent framework
A bank subject to the Guidelines may use its parent holding company’s risk governance framework if that framework meets the standards of these Guidelines, the risk profiles of the two organizations are substantially the same and the bank has documented its assessment, conducted at least annually, that the two risk profiles are indeed substantially the same.
Finally, readers should note that these are guidelines, not formal regulations. The OCC explains that if these Guidelines had been promulgated as formal regulations, then the OCC would be obligated to require a bank that failed to meet the standards to submit a formal plan on how the failure would be rectified. Because these are guidelines, the OCC has the discretion to require a bank that failed one or more standards to submit a compliance plan when it decides it is necessary to do so.