The OCC issued final guidelines (the “Final Guidelines”) that call for strengthened governance and risk management practices at the following categories of large financial institutions with $50 billion or more in average total consolidated assets, (collectively, “Large Banks”):
- insured national banks;
- insured federal savings associations; and
- insured federal branches of foreign banks.
The Final Guidelines also apply to an OCC-regulated financial institution with less than $50 billion in total assets if its parent company controls at least one other entity that is a covered entity, i.e., a Large Bank. Furthermore, the OCC has reserved the right to apply the Final Guidelines to banks that do not meet the $50 billion threshold if the OCC determines that the bank’s operations are highly complex or otherwise present a heightened risk. Large Banks and these smaller covered entities are collectively referred to as “Covered Banks”.
The Final Guidelines are being issued as a new Appendix D to the OCC’s safety and soundness standards that appear in part 30 of the OCC’s regulations. Covered Banks are required under the Final Guidelines to “establish and adhere to a written risk governance framework to manage and control its risk-taking activities.” The Final Guidelines also set forth minimum standards applicable to boards of Covered Banks regarding oversight of risk management. Comptroller of the Currency Thomas J. Curry stated, in conjunction with the issuance of the Final Guidelines, that in the aftermath of the 2008 financial crisis, the OCC concluded “that much higher standards for risk management, internal controls, and internal audit were needed.”
The Final Guidelines are, in most respects, similar to the proposed guidelines (the “Proposed Guidelines”) that were described in the January 28, 2014 Financial Services Alert. The OCC, however, accepted certain of the suggested changes requested in public comment letters regarding the Proposed Guidelines. Importantly, in response to industry comments, the OCC revised the section of the Final Guidelines regarding responsibilities of a board of directors to “avoid imposing managerial responsibilities” on board members, and thereby reduce potential legal liability for members of a Covered Bank’s board.
The Final Guidelines are being phased in with the largest Covered Banks, those with total assets of more than $750 million, being required to comply 60 days after the date the Final Guidelines are published in the Federal Register (the “Publication Date”). Covered Banks with total assets of between $100 billion and $750 billion will be required to comply beginning six months after the Publication Date, and those with total assets between $50 billion and $100 billion will be required to comply beginning 18 months after the Publication Date. Issuance of the Final Guidelines, as guidelines rather than as regulations, provides the OCC with supervisory flexibility. The OCC has the discretion to determine whether it will require a Covered Bank that has failed to meet the heightened standards in the Final Guidelines to file a plan of remedial action. In general, the Final Guidelines provide the OCC with an additional, significant and flexible supervisory tool with which to require enhanced risk management practices and governance at Covered Banks.
With respect to the responsibility of a Covered Bank’s board of directors to oversee risk management, certain of the important changes and clarifications in the Final Guidelines from the Proposed Guidelines include:
- A statement by the OCC that, as a general matter, it intends to avoid imposing an undue operational burden on boards of directors and recognizes a board’s key strategic and oversight role with respect to the design and implementation of a Covered Bank’s risk management framework;
- Modifications to various provisions of the Proposed Guidelines that replaced the word “ensure” with “require” to clarify that board members are not guaranteeing appropriate risk management practices, but rather that they are “actively overseeing” risk management and “requiring” the Covered Bank’s management to take steps to establish and implement appropriate risk management practices;
- Elimination of a requirement that a Covered Bank’s board or board risk committee approve all material policies related to the Covered Bank’s risk management framework and replacement of this requirement with a less burdensome oversight standard;
- Modification of a requirement that a Covered Bank’s audit committee review and approve all internal audit risk assessments to a requirement that the audit committee approve the internal audit charter and the audit plan and consider whether there are scope or resource limitations that may prevent the internal audit function from effectively carrying out its responsibilities;
- Modification of a requirement that a board (or a board committee) oversee the talent development, recruitment and succession planning processes for risk management, internal audit and individuals two levels down from the Chief Executive Officer to a requirement that the board or board committee review and approve a talent management program; and
- The board (or board committee) is required to approve significant changes to the Covered Bank’s risk management framework rather than to approve all changes to the framework.
It should be noted that, as in the Proposed Guidelines, the Final Guidelines state that the board of a Covered Bank should provide a “credible challenge” to management and “when necessary, oppose management’s recommendations and decisions “that could cause the [Covered Bank’s] risk profile to exceed its risk appetite or jeopardize the safety and soundness of the [Covered Bank].”