Our Take: financial services regulatory update – May 10, 2024

Change remains a constant in financial services regulation. Read "our take" on the latest developments and what they mean.

Current topics – May 10, 2024

1. Regulators re-propose joint rule on incentive-based compensation

  • What happened? On May 6th, the FDIC, OCC, and FHFA re-proposed a rule on incentive-based compensation that was previously proposed in 2016 and 2011 to implement Section 956 of the Dodd-Frank Act (DFA), which requires federal financial regulators to issue regulations to prohibit incentive-based compensation that encourages inappropriate risks at any financial institution with consolidated assets of at least $1 billion.
  • What does the proposal say? The text of the new re-proposal is identical to the 2016 version, with questions on several potential changes:

 

Tiered approach

  • Proposal details (identical to 2016): Covered institutions are categorized into three tiers based on average total consolidated assets with thresholds of $1 billion, $50 billion and $250 billion in assets (Level 3, Level 2 and Level 1 covered institutions, respectively). More stringent rules apply to incentive-based compensation paid to “senior executive officers” and “significant risk-takers” at Level 1 and Level 2 institutions.
  • Key questions on potential changes: The re-proposal asks about modifying this to a two-tier approach with $50 billion as the primary threshold to trigger enhanced requirements and requiring institutions to identify significant risk-takers with disclosure of their identification methodology to their primary regulator.

Limits

  • Proposal details (identical to 2016): At Level 1 and Level 2 institutions, the maximum earned incentive for senior executive officers is limited to 125% of the target amount, and for significant risk-takers is limited to 150%. There are no fixed limits on the size of potential targets but there are prohibitions on basing performance measures solely on comparison to industry peer performance and basing incentive compensation solely on revenue or transaction volume.
  • Key questions on potential changes: The re-proposal asks whether the limits should be higher or lower as well as whether the relative performance restrictions should apply only to a more limited group of employees. It also asks about requiring performance measures and targets to be set before the beginning of the performance period.

Deferral

  • Proposal details (identical to 2016): Includes incentive compensation deferral periods up to four years after the end of the performance period with minimum deferral amounts between 40-60% depending on whether the covered institution is Level 1 or Level 2 and whether the individual is a senior executive officer or significant risk-taker.
  • Key questions on potential changes: The re-proposal asks whether Level 1 and Level 2 employees should be treated more similarly with regard to deferrals as well as whether longer performance periods can provide risk balancing benefits similar to those provided by deferral.

Downward adjustment, forfeiture and clawback

  • Proposal details (identical to 2016): Includes requirements to respond to various adverse outcomes by reducing incentive compensation that has not yet been awarded. It further requires a minimum seven-year period from the end of vesting to claw back incentive compensation in the event of misconduct, fraud or intentional misrepresentation.
  • Key questions on potential changes: The re-proposal asks about requiring specific events to trigger forfeiture, downward adjustment and/or clawback rather than leaving it to the institution’s discretion.

Governance and reporting

  • Proposal details (identical to 2016): Covered institutions would be required to have a compensation committee made up of members that are not senior executive officers and take input from the risk and audit committees, as well as annual assessments of the effectiveness of the institution’s executive compensation program. They would be subject to seven-year record retention requirements, with records disclosed to regulators on request.
  • Key questions on potential changes: The re-proposal asks whether assessments should be submitted more or less frequently to the committee.

  • What’s next? Section 956 of the DFA requires the Fed, FDIC, FHFA, NCUA, OCC and SEC to jointly propose and finalize an incentive-based compensation rule. Until all six agencies are in agreement, the proposal will not be published in the Federal Register. The SEC and NCUA are expected to issue their versions of the proposal soon, while Fed Chair Jerome Powell said in a recent hearing that he “would like to understand the problem we’re solving and then I would like to see a proposal that addresses that problem.”

Our Take

A false re-start? 13 years after it was first mandated by the DFA, this re-proposal comes after last year’s bank failures raised questions about senior executive compensation and consequences for significant risk management lapses. However, with even one holdout agency, it will not have an official comment period much less be on track for timely finalization - particularly with the looming election. Fed Vice Chair for Supervision Michael Barr will almost certainly be asked if the Board’s position has changed from Powell’s past skepticism when he appears before Congress next week.

Don’t write it off just yet. Unless Congress reverses or amends DFA Section 956, the requirement to implement incentive compensation rulemaking remains on the books and the 2016 proposal remains the most likely starting point for any future attempts. Accordingly, covered institutions should refresh their analyses of how their incentive compensation programs would need to change to comply with the re-proposal, including by determining their in-scope employee populations as well as the impact of any senior hiring or transitions. As part of this effort, they should broadly evaluate how their compensation programs account for risk management and compliance. Given the widespread public criticism of the failed banks’ executive compensation programs, institutions should consider reasons beyond regulatory requirements, such as potential reputational harm, to ensure that their compensation programs are effectively aligned with risk management outcomes.

2. Fed publishes summary of climate scenario analysis exercise

  • What happened? On May 9th, the Fed published a summary of the results of its pilot climate scenario analysis (CSA) exercise, conducted last year with the six largest U.S. banks. The exercise consisted of (1) a physical risk module, comprising six scenarios to assess the potential damage from an increase in climate-related events, and (2) a transition risk module, including two scenarios to evaluate the impact of the transition to a lower carbon economy. The six participating banks analyzed the effect of the Fed’s scenarios on a subset of their loan portfolios - commercial real estate (CRE) for all scenarios as well as residential mortgages for physical risk and corporate loans for transition risk. The Fed also included a set of qualitative questions requesting information on the banks’ governance, risk management practices, measurement methodologies, and lessons learned.
  • What does the summary say? The Fed described the exercise scenarios and provided non-specific details on how the participating banks conducted their scenario analysis, including their governance, controls, internal audit and model risk management. Highlighted insights include:
    • Many of the banks had previously conducted climate scenario analysis to inform their climate risk management and strategic planning or respond to requirements in foreign jurisdictions.
    • Participants generally used climate-adjusted inputs in their existing credit risk models but acknowledged that historical relationships may not hold and the models could be enhanced to better capture climate transition channels.
    • Approaches varied across the participants and they reported a high degree of uncertainty about the timing and magnitude of climate-related risks. This resulted in considerable variation in estimates of expected impacts, particularly with regard to broader implications of various transition pathways, indirect impacts, and chronic risks.
    • Participants noted several challenges with obtaining the necessary data, for example on real estate exposures, insurance, and obligors’ transition risk management, which they addressed by using third-party vendors or proxies.
    • Use of third-party vendors was common, including for catastrophe models, property damage estimates, scenario variable customization, and data. There were varied plans to continue using third-party vendors or develop in-house modeling capabilities. More broadly, they indicated plans to also invest in more granular data and customized scenarios to enhance their risk management processes.
    • The exercise demonstrated the importance of insurance market dynamics related to physical risks, with participants noting the need to understand changes in insurance pricing and availability in order to manage climate-related impacts on property prices and obligors’ cashflows.
    • Some participants went beyond the requirements of the exercise, for example by attempting to estimate indirect impacts and more thoroughly assessing how obligors plan to manage transition risks to their strategies, profitability and capital needs.
  • What’s next? The summary reaffirms that climate scenario analysis “is exploratory in nature and does not have consequences for bank capital or supervisory implications.” The Fed did not indicate any plans to repeat the exercise or expand it to other banks.

Our Take

Limited comparability amidst uncertainty. As the pilot climate scenario analysis does not have any supervisory implications or indicate any plans for future exercises, the summary report largely serves as a closer look at the climate risk management capabilities and challenges of the largest U.S. banks. Further detail may come in these banks’ disclosures for the EU’s Corporate Sustainability Reporting Directive (CSRD), California’s SB261, or the recently finalized SEC climate risk disclosures (if they survive ongoing legal challenges) as all call for firms to describe their climate scenario analysis activities. From the Fed’s perspective, the summary report shows that there is considerable difficulty in comparing individual banks’ results due to their differing approaches to models, assumptions and data on top of their varied business models and risk profiles.

Interesting insights for other banks. The summary report demonstrates that even the largest U.S. banks continue to face challenges with data availability and substantial uncertainty around climate risk impacts. Banks that did not participate in the exercise should closely review the summary to get ahead of challenges they may face as they seek to enhance their climate risk management capabilities. In particular, banks with over $100 billion in assets seeking to align with the banking regulators’ climate risk management principles may find climate scenario analysis useful to inform their assessment of their climate risk exposures – as some of the participating banks did before doing this pilot. If they take a similar approach of utilizing vendors, they should take ownership of understanding and documenting the process and methodology. Even global banks that are required to conduct climate scenario analysis by their primary regulators may find the report’s discussion of insurance dynamics valuable as most foreign exercises do not include an expectation to consider insurance coverage. Ultimately, the report shows that these challenges will require further investment, innovation and collaboration.

3. Agencies release TPRM guide for community banks

  • What happened? On May 3rd, the Fed, FDIC and OCC released a third-party risk management (TPRM) guide for community banks. The guide is in line with the TPRM guidance issued by the agencies in June 2023.
  • What does the guide say? It provides detailed information tailored for community banks’ TPRM programs throughout the “lifecycle stages” (provided below) of third-party relationships. Specifically, it contains over 60 questions that community banks should be asking, over 50 potential sources of information to review (both internally and from the third party), and illustrative use cases. Examples throughout each lifecycle stage include:
    • Planning prior to entering a third-party relationship. Banks should consider the risk management, governance practices and potential technology issues related to the potential use of the third party.
    • Due diligence. Banks should determine whether the third party has sufficient policies, processes and controls to manage risk and comply with applicable laws. They should also make sure that the third party can adequately protect sensitive data and can promptly recover from disruptions, especially for critical services. Any reliance on subcontractors by the third party should be evaluated for potential risks.
    • Contract negotiation. Banks should consider whether proposed contracts allow them timely access to information necessary for ongoing monitoring and compliance obligations. Other considerations include the third party’s data access and retention rights, notification of disruptions and liabilities in case of contract breach or consumer harm. The guide notes that community banks may have limited negotiating power and stresses the importance of bank management understanding any resulting risks.
    • Ongoing monitoring. Banks should on an ongoing basis examine whether the third party is adequately performing its obligations or has experienced any change in financial condition or management. They should also determine whether the nature of their relationship with the third party has changed and whether new metrics are needed.
    • Termination. If a bank were to terminate its relationship with a third party, it should consider how both the bank and third party will handle intellectual property, how access to systems and data will be removed, whether the bank will have continued access to certain data to meet compliance obligations and whether the transition will impact customers.

Our Take

The regulators have provided community banks with a helpful resource - now they expect them to use it. Banks have long sought greater insight into regulatory expectations around TPRM, and the agencies have now provided ample information. The detailed information provided by the guide significantly expands upon the broad principles from the earlier June guidance, and while it is intended to assist community banks, banks of all sizes can benefit from the guide’s considerations and suggestions. Accordingly, all banks should:

  • Review upfront risk identification and assessment processes, including inherent risk questionnaires, to determine whether they capture the guide’s considerations in areas such as financial and operational capability, business continuity capabilities during disruptions and subcontractor dependencies.
  • Assess contract templates, including terms and conditions, to determine whether they should be updated to reflect considerations outlined in the guide such as those around escalation protocols and information sharing.
  • Determine whether current monitoring capabilities are sufficient to capture areas outlined in the guide such as contract obligations, business continuity plans, and audit/test results. Firms should also confirm that their monitoring programs incorporate sources of information including system and organization controls reports, internal reporting from TPRM programs, training materials, public filings and news alerts.

While the guide suggests a degree of flexibility for community banks by acknowledging that their programs should be designed commensurate with their size, complexity and risks, it ultimately reminds them that they remain responsible for any compliance failures or consumer harm. Considering that community banks’ TPRM programs continue to face obstacles related to uneven bargaining power, limited technology capabilities and resource constraints, banks are now on notice that they should prioritize enhancing their programs to close gaps quickly and effectively in anticipation of increasing scrutiny.

4. On our radar

These notable developments hit our radar recently:

  • FSOC releases report on Nonbank Mortgage Servicing. On May 10th, the Financial Stability Oversight Council (FSOC) released a report on the financial stability risks posed by non-bank mortgage servicing. The report documents the growth of the nonbank mortgage servicing sector and the critical roles that nonbank mortgage servicers play in the mortgage market. It identifies certain key vulnerabilities and makes recommendations including encouraging Congress to act to address the identified risk.
  • Fed issues Supervision and Regulation Report. On May 10th, the Fed issued its semi-annual Supervision and Regulation report summarizing the financial condition of the banking sector, recent regulatory developments and highlighting current supervisory programs and priorities. The report highlighted last week’s TPRM guidance for community banks (as outlined above) and noted that given increased delinquencies in certain loan sectors, credit risk continues to be a supervisory priority. It also highlighted cybersecurity as another supervisory priority and noted that the Fed’s Novel Activities Supervision Program is working with existing Fed supervisory teams to strengthen the oversight of banking organizations engaged in novel activities.
  • Barr, Gruenberg and Hsu to testify next week. On May 15th and 16th, the Fed’s Vice Chair for Supervision, Michael Barr, FDIC Chair Martin Gruenberg and Acting Comptroller Michael Hsu will testify in front of the House Financial Services Committee and Senate Banking Committee respectively.
  • OFR publishes final rule on data collection. On May 6th, the Office of Financial Research (OFR) published a final rule to improve transparency within the U.S. repurchase agreement (repo) market by establishing a data collection for non-centrally cleared bilateral transactions. The rule is effective on July 5th, 2024.
  • FDIC releases third-party report. On May 7th, the Special Review Committee of the FDIC Board of Directors released a report from the independent third-party review regarding the allegations of sexual harassment and other interpersonal misconduct at the FDIC. The report noted that the FDIC has failed to provide a workplace safe from sexual harassment, discrimination, and other interpersonal misconduct. It further found that management’s responses to allegations of misconduct, as well as the culture and conditions that gave rise to them, have been insufficient and ineffective.