The OCC issued proposed guidelines (the “Proposed Guidelines”) that would establish minimum standards for the design and implementation of a risk governance framework (the “Risk Framework”) by national banks, federal savings associations and federal branches of foreign banks with total consolidated assets of $50 billion or more (“Large Banks”). The Proposed Guidelines also would establish minimum standards for a board of directors in overseeing the Framework’s design and implementation for Large Banks. The Proposed Guidelines would be issued as a new Appendix D to the OCC’s safety and soundness regulations that appear at 12 C.F.R. Part 30 promulgated under the authority of section 39 of the Federal Deposit Insurance Act. In addition to Large Banks, the OCC said that the Proposed Guidelines could also be applied to banks smaller than Large Banks that are deemed to be highly complex or to present a heightened risk. The OCC stated that it decided to issue these minimum standards as “guidelines” rather than as “regulations” so that the OCC can retain its discretion to determine whether, in a particular case, it will require a Large Bank to submit a written remediation plan.
The Risk Framework
Under the Proposed Guidelines, a Large Bank is expected to establish and implement a Risk Framework “that manages and controls” the Large Bank’s risk taking. The Risk Framework is to be designed by an independent risk management unit and be approved annually by the Large Bank’s board of directors or risk committee. The Risk Framework is expected to be formal and in writing and cover the following categories of risk, if applicable to the Large Bank: (1) credit risk; (2) interest rate risk; (3) liquidity risk; (4) price risk; (5) operational risk; (6) compliance risk; (7) strategic risk; and (8) reputation risk.
In the Proposed Guidelines, the OCC also describes the roles and responsibilities of what the OCC characterizes as the three lines of defense to control risk taking: (i) the front-line units; (ii) independent risk management; and (iii) internal audit. The OCC stresses that risk management and internal audit must have “unfettered access to the Board, or a committee thereof” concerning their risk assessments, findings and recommendations. For the Risk Framework to be effective, it is also crucial that the risk management and internal audit functions have a sufficiently high stature within the Large Bank to allow the risk management and internal audit units to carry out their respective responsibilities effectively.
Strategic Plan and Risk Appetite Statement
Moreover, under the Proposed Guidelines, a Large Bank is expected to develop a three-year strategic plan that reflects the current and expected risks facing the depository institution. Further, the Large Bank should have a comprehensive written risk appetite statement that describes its risk appetite and ties its risk appetite to the Large Bank’s strategic objectives and business plan. Furthermore, the objectives and business plan as well as the risk appetite statement must be consistent with capital, liquidity and other regulatory requirements.
Standards for Board of Directors
The Proposed Guidelines also provide minimum standards that the Large Bank’s board of directors must meet in overseeing the Risk Framework design and implementation. The standards set for boards of directors by the Proposed Guidelines are high. For example, they speak of a board of directors’ duty to “enforce” an effective Risk Framework and require the board of directors to provide “active oversight,” which requires directors to “question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the bank.”
The Proposed Guidelines provide that at least two members of the board of directors should not be members of the Large Bank’s (or its parent company’s) management. Moreover, the Proposed Guidelines call for a formal, ongoing training program for independent directors that includes training concerning complex bank products, services, lines of business and “risks that have a significant impact on the bank,” laws, regulations and supervisory requirements, and other topics identified by the board of directors. Furthermore, the Proposed Guidelines require a Large Bank’s board of directors to conduct an annual self-assessment regarding its risk governance effectiveness.
Comments on the Proposed Guidelines are due within 60 days of the date they are published in the Federal Register.
For more information about the contents of this alert, please contact:
Elizabeth Shea Fries
+1 617 570 1559
Consumer Financial Services
© 2016 Goodwin Procter LLP. All rights reserved. This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP, Goodwin Procter (UK) LLP or their attorneys. Prior results do not guarantee similar outcome.
Goodwin Procter LLP is a limited liability partnership which operates in the United States and has a principal law office located at 53 State Street, Boston, MA 02109. Goodwin Procter (UK) LLP is a separate limited liability partnership registered in England and Wales with registered number OC362294. Its registered office is at Tower 42, 25 Old Broad Street, London EC2N 1HQ. A list of the names of the members of Goodwin Procter (UK) LLP is available for inspection at the registered office. Goodwin Procter (UK) LLP is authorized and regulated by the Solicitors Regulation Authority.