Risk governance: OCC codifies risk standards, paving the way for increased enforcement actions

February 2014

The Office of the Comptroller of the Currency (OCC) recently issued a Notice of Proposed Rulemaking to establish formal guidelines incorporating thirteen standards for a bank’s risk governance framework, and six standards for a bank’s board of directors (Guidelines). Public comments are due by March 28, 2014.

The Guidelines are consistent with the heightened expectations for strong risk management frameworks that the OCC has been communicating as part of its Large Bank Program post-financial crisis, and are also generally consistent with practices adopted by the G-SIBs under the Federal Reserve’s watch. However, the formalization of these standards will greatly enhance clarity around the OCC’s expectations and more importantly make these standards “rules,” thus significantly enhancing the OCC’s enforcement power and authority.

The following are the Guidelines’ key takeaways:

  • The Guidelines are proposed pursuant to Section 39 of the Federal Deposit Insurance Act, thereby giving the OCC the authority to issue formal, public enforcement actions in response to significant noncompliance. Due to the more discretionary nature of risk governance supervision vis-à-vis more rules-based supervision (e.g., AML), the prospect of such an enforcement action further increases the complexity for banks in their management of reputational risk. While the Guidelines make clear the OCC’s expectations, they also provide the OCC with sharper teeth in terms of enforceability.
  • The Guidelines apply not only to institutions that are part of the OCC’s Large Bank Program, but to all large insured national banks, insured federal savings associations, and insured federal branches of foreign banks with average total consolidated assets of $50 billion or more. We anticipate the group of banks in scope will include the 19 banks in the Large Bank Program and 8 additional midsized banks. The OCC has reserved authority to include institutions below the $50 billion threshold if the entity’s operations are highly complex or otherwise present a heightened risk. However, the Guidelines also allow the OCC to delay or modify application to certain banks – e.g., the OCC notes that it expects to tailor certain standards for the boards of federal branches of foreign banks.
  • Many covered midsized banks will need to enhance their risk management practices to meet the Guidelines, particularly around risk appetite, strategic planning, and risk data aggregation and reporting. Some midsized banks may benefit from the Guidelines’ provision that allows a bank whose risk profile is substantially the same as that of its parent company to use the parent’s risk governance framework to satisfy the Guidelines. To take advantage of this provision, the risk profiles of the two entities must be “substantially the same,” meaning the latest call report must show that the bank’s average assets, average assets under management, and total off-balance sheet exposures represent 95% or more of the parent’s in the three categories. In effect, a bank must be about the mirror image of its parent, including in size.
  • Certain institutions, particularly Foreign Banking Organizations (FBOs), will need to carefully navigate differences between the OCC’s Guidelines and other agencies’ standards. Although guidelines are typically issued on an interagency basis, neither the Federal Deposit Insurance Corporation (FDIC) nor the Federal Reserve Board (FRB) joined the OCC’s proposal. The Guidelines present potential conflicts with the FRB’s proposed Enhanced Prudential Standards (EPS) for systemically important financial institutions (SIFIs) applied at the holding company level, and with FRB/FDIC policies for resolving insured banks. Such differences will be particularly felt by FBOs that own an OCC-supervised institution and will be required to establish an Intermediate Holding Company (IHC) under the proposed EPS for FBOs. For instance, under the EPS, FBOs will need to establish a board risk committee at the IHC level; however, the Guidelines establish requirements for independent directors at the bank level who in theory would not be representing the interests of the IHC shareholders.

This Financial Services Regulatory Brief analyzes the Guidelines’ standards for risk governance and for the board of directors, assesses the current state of the industry against the standards, and suggests what banks should do next.
