The OCC issued proposed guidelines (the “Proposed Guidelines”) that would establish minimum standards for the design and implementation of a risk governance framework (the “Risk Framework”) by national banks, federal savings associations and federal branches of foreign banks with total consolidated assets of $50 billion or more (“Large Banks”). The Proposed Guidelines also would establish minimum standards for a board of directors in overseeing the Risk Framework’s design and implementation at Large Banks. The Proposed Guidelines would be issued as a new Appendix D to the OCC’s safety and soundness regulations at 12 C.F.R. Part 30, promulgated under the authority of section 39 of the Federal Deposit Insurance Act. In addition to Large Banks, the OCC said that the Proposed Guidelines could also be applied to smaller banks that are deemed to be highly complex or to present a heightened risk. The OCC stated that it decided to issue these minimum standards as “guidelines” rather than as “regulations” so that it retains the discretion to determine whether, in a particular case, it will require a Large Bank to submit a written remediation plan.
The Risk Framework
Under the Proposed Guidelines, a Large Bank is expected to establish and implement a Risk Framework “that manages and controls” the Large Bank’s risk taking. The Risk Framework is to be designed by an independent risk management unit and be approved annually by the Large Bank’s board of directors or risk committee. The Risk Framework is expected to be formal and in writing and cover the following categories of risk, if applicable to the Large Bank: (1) credit risk; (2) interest rate risk; (3) liquidity risk; (4) price risk; (5) operational risk; (6) compliance risk; (7) strategic risk; and (8) reputation risk.
In the Proposed Guidelines, the OCC also describes the roles and responsibilities of what it characterizes as the three lines of defense to control risk taking: (i) the front-line units; (ii) independent risk management; and (iii) internal audit. The OCC stresses that risk management and internal audit must have “unfettered access to the Board, or a committee thereof” concerning their risk assessments, findings and recommendations. For the Risk Framework to be effective, it is also crucial that the risk management and internal audit functions have sufficient stature within the Large Bank to carry out their respective responsibilities effectively.
Strategic Plan and Risk Appetite Statement
Under the Proposed Guidelines, a Large Bank is also expected to develop a three-year strategic plan that reflects the current and expected risks facing the depository institution. In addition, the Large Bank should have a comprehensive written risk appetite statement that describes its risk appetite and ties it to the Large Bank’s strategic objectives and business plan. The strategic objectives and business plan, as well as the risk appetite statement, must be consistent with capital, liquidity and other regulatory requirements.
Standards for Board of Directors
The Proposed Guidelines also provide minimum standards that the Large Bank’s board of directors must meet in overseeing the Risk Framework design and implementation. The standards set for boards of directors by the Proposed Guidelines are high. For example, they speak of a board of directors’ duty to “enforce” an effective Risk Framework and require the board of directors to provide “active oversight,” which requires directors to “question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the bank.”
The Proposed Guidelines provide that at least two members of the board of directors should not be members of the Large Bank’s (or its parent company’s) management. Moreover, the Proposed Guidelines call for a formal, ongoing training program for independent directors that includes training concerning complex bank products, services, lines of business and “risks that have a significant impact on the bank,” laws, regulations and supervisory requirements, and other topics identified by the board of directors. Furthermore, the Proposed Guidelines require a Large Bank’s board of directors to conduct an annual self-assessment regarding its risk governance effectiveness.
Comments on the Proposed Guidelines are due within 60 days of the date they are published in the Federal Register.