Background

The Office of the Comptroller of the Currency Heightened Standards and the Federal Reserve Board Enhanced Prudential Standards are a direct result of the financial crisis of 2007-2008 and are more properly seen as complementary rather than conflicting requirements. The Office of the Comptroller of the Currency (OCC) Heightened Standards (HS)[1] primarily deal with the responsibilities of the Board of Directors (BOD) of nationally chartered large banks and their risk management duties. The Federal Reserve Board’s (FRB’s) Enhanced Prudential Standards (EPS)[2], while including the accountability and responsibilities of the BOD, do not qualify as many parameters; however, they include further requirements for the risk management function and other (liquidity and capital) obligations.

As a practical matter, all large banks and Foreign Banking Organizations (FBOs) are regulated by the FRB at either the Holding Company or the Intermediary Holding Company level. Many large banks’ holding companies have a national bank charter and are directly required to follow the OCC’s HS. The FRB already expects much of this at large holding companies; Accenture suggests this as a best practice for large FBOs’ new Intermediary Holding Companies (IHCs).

It is Accenture’s view that the FRB, when reviewing the various holding companies’ boards for Enhanced Prudential Standards (EPS) compliance, will expect adherence to the OCC’s HS. In effect, large FBOs and Banks will have to be compliant with both regulations. Proper planning at the start of a Dodd-Frank project implementation, including all elements of both proposals, may help institutions save a great deal of time and money in the longer run.

From a planning and practical perspective, any top-down approach should include the OCC’s HS when formulating the new organizational structure needed to comply with the FRB’s EPS. Committee charters and policies may wish to incorporate verbatim the wording from the legislation. Data aggregation, collation and distribution to serve the needs of management in its oversight function at each level (line of business (LOB) and legal vehicle) will be the crucial measure of success. Cross-LOB business and special purpose vehicles (SPVs) always were and remain the most problematic areas.

Overview

The remainder of this paper details the 5 HS expected by the OCC and an edited copy from the Federal Register on the FRB’s EPS. While large FBOs are not directly required to comply with the OCC directives, a best in class process would certainly follow the spirit of the missive.

OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches

Following the financial crisis, the OCC developed a set of 5 “heightened expectations” to enhance its supervision and strengthen the governance and risk management practices of large national banks. These expectations are now the standards for large banks, and many large regional banks will be encouraged to adopt these standards.

  1. The first expectation, often referred to as preserving the sanctity of the charter, maintains that one of the primary fiduciary duties of an institution’s board of directors is to ensure that the institution operates in a safe and sound manner.
    • Since large banks are often one of several legal entities under both a complex parent company structure and an inherent complex organizational structure, each bank’s board must ensure that the bank does not function simply as a booking entity for its parent and that parent company decisions do not jeopardize the safety and soundness of the bank. This often requires separate and focused governance and risk management practices.
  2. The second expectation generally requires large institutions to have a well-defined personnel management program that ensures appropriate staffing levels, provides for orderly succession, and provides for compensation tools to appropriately motivate and retain talent that does not encourage imprudent risk taking.
  3. The third expectation pertains to risk appetite (or tolerance) and involves institutions defining and communicating an acceptable risk appetite across the organization, including measures that address the amount of capital, earnings, or liquidity that may be at risk on a firm-wide basis, the amount of risk that may be taken in each line of business, and the amount of risk that may be taken in each key risk category monitored by the institution.
  4. The OCC also expects institutions to have reliable oversight programs, including the development and maintenance of strong audit and risk management functions. This expectation involves institutions comparing the performance of their audit and risk management functions to the OCC’s standards and leading industry practices and taking appropriate action to address material gaps.
  5. The fifth expectation focuses on the board of directors’ willingness to provide a credible challenge to bank management’s decision-making and thus requests independent directors to acquire a thorough understanding of an institution’s risk profile and to use this information to ask probing questions of management and to ensure that senior management prudently addresses risks.

Description of the OCC’s Guidelines Establishing Heightened Standards

The proposed Guidelines consist of three parts. Part I provides an introduction to the Guidelines, explains their scope, and defines key terms used throughout the Guidelines. Part II sets forth the minimum standards for the design and implementation of a Bank’s risk governance framework (Framework). Part III provides the minimum standards for the board of directors’ (Board) oversight of the Framework.

Part I: Introduction

Under the proposed Guidelines, the OCC would expect a Bank to establish and implement a Framework that manages and controls the Bank’s risk taking. The Guidelines establish the minimum standards for the design and implementation of the Framework and the minimum standards for the Board to use in overseeing the Framework’s design and implementation.

  • If a Bank has a risk profile that is substantially the same as its parent company, the parent company’s risk governance framework complies with these Guidelines, and the Bank has demonstrated through a documented assessment that its risk profile and its parent company’s risk profile are substantially the same, the Bank may use its parent company’s risk governance framework to satisfy the Guidelines.
    • This assessment should be conducted at least annually or more often in conjunction with the review and update of the Framework performed by an independent risk management unit.
  • The Bank would need to develop its own Framework if the parent company’s and Bank’s risk profiles are not substantially the same. While the Bank may use certain components of the parent company’s risk governance framework, the Bank’s Framework should ensure the Bank’s risk profile is easily distinguished and separate from its parent company’s for risk management and supervisory reporting purposes and that the safety and soundness of the Bank is not jeopardized by decisions made by the parent company’s board of directors or management.
    • This includes ensuring that assets and businesses are not transferred into the Bank from non-bank entities without proper due diligence and ensuring that complex booking structures established by the parent company protect the safety and soundness of the Bank.

Part II: Standards for the Risk Governance Framework

Part II of the proposed Guidelines sets out minimum standards for the design and implementation of a Bank’s Framework. Under paragraphs A. and B., a Bank should establish and adhere to a formal, written Framework that covers the following risk categories: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk.

The Framework must appropriately cover risks to the Bank’s earnings, capital, liquidity, and reputation that arise from all of its activities, including risks associated with third-party relationships. An independent risk management unit should be responsible for the design of the Framework, and for ensuring it comprehensively covers the Bank’s risks. The independent risk management unit should also review and update the Framework at least annually, and as often as needed to address changes in the Bank’s risk profile caused by internal or external factors or the evolution of industry risk management practices. The Board or its risk committee would be responsible under this proposal for approving the Framework.

Roles and responsibilities.

The Guidelines set out the proposed roles and responsibilities for the organizational units that are fundamental to the design and implementation of the Framework. These units are front line units, independent risk management, and internal audit. They are often referred to as the three lines of defense.

  • These units should also ensure that the Board has sufficient information on the Bank’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions.
  • To ensure the Board is adequately informed, the independent risk management and internal audit units must have unfettered access to the Board, or a committee thereof, with regard to their risk assessments, findings, and recommendations, independent from front line unit management and, when necessary, the CEO. This unfettered access to the Board is critical to ensuring the integrity of the Framework.
  • Within the Framework, front line units, independent risk management, and internal audit units may engage the services of external experts to assist them. Such expertise can be useful in supplementing internal expertise and providing perspective on industry practices.
  1. Role and responsibilities of front line units.
    • The Guidelines define front line units as any organizational unit within the Bank that: (i) Engages in activities designed to generate revenue for the parent company or Bank; (ii) Provides services, such as administration, finance, treasury, legal, or human resources, to the Bank; or (iii) Provides information technology, operations, servicing, processing, or other support to any organizational unit covered by these Guidelines.
      • The Guidelines provide that front line units should own the risks associated with their activities.
      • Front line units should be held accountable by the CEO and the Board.
        • Front line units should assess, on an ongoing basis, the material risks associated with their activities and use these risk assessments as the basis for determining if they need to take action to strengthen risk management or reduce risk given changes in the unit’s risk profile or other conditions.
        • The front line units should establish and adhere to a set of written policies that include front line unit risk limits.
        • Front line units should also establish and adhere to procedures and processes necessary to ensure compliance with the aforementioned written policies.
        • Front line units should use their ongoing risk assessments to determine if additional actions are necessary to strengthen risk management practices or reduce risk.

The design and implementation of the audit plan is an important element of internal audit’s role and responsibilities under the Framework. Internal audit should maintain a complete and current inventory of all of the Bank’s material businesses, product lines, services, and functions and assess the risks associated with each.

This inventory and assessment will form the basis of the audit plan. The audit plan should rate the risk presented by each front line unit, product line, service, and function. This includes activities that the Bank may outsource to a third party.

There are numerous requirements listed in the Guidelines that an audit must follow.

Stature. For the Framework to be effective, it is our view that independent risk management and internal audit units have the stature needed to effectively carry out their respective roles and responsibilities. This stature is generally evidenced by the attitudes and level of support provided by the Board, CEO, and other key stakeholders within the Bank toward these units. The Board demonstrates support for these units by ensuring that they have the resources needed to carry out their responsibilities and by relying on the work of these units when carrying out the Board’s oversight responsibilities set forth in Part III of the proposed Guidelines.

Strategic plan. Paragraph D. of Part II of the proposed Guidelines provides that the CEO should develop a written strategic plan with input from front line units, including independent risk management, and internal audit. The Board should evaluate and approve the strategic plan and monitor management’s efforts to implement it at least annually.

  • At a minimum, the strategic plan should cover a three-year period and should contain a comprehensive assessment of risks that currently impact the Bank or that could impact the Bank during this period, articulate an overall mission statement and strategic objectives for the Bank, and include an explanation of how the Bank will achieve those objectives.
  • The strategic plan should also include an explanation of how the Bank will update, as necessary, the Framework to account for changes in the Bank’s risk profile projected under the strategic plan.
  • Finally, the strategic plan should be reviewed, updated, and approved, as necessary, due to changes in the Bank’s risk profile or operating environment that were not contemplated when the strategic plan was developed.

Risk appetite statement. Paragraph E. of Part II of the proposed Guidelines provides that the Bank should have a comprehensive written statement that articulates the Bank’s risk appetite and serves as a basis for the Framework (Statement).

The Statement should include both qualitative components and quantitative limits. The qualitative components of the Statement should describe a safe and sound “risk culture” and how the Bank will assess and accept risks, including those that are difficult to quantify, on a consistent basis throughout the Bank. Setting an appropriate tone at the top is important to establishing a sound risk culture, and the qualitative statements within the Statement should articulate the core values that the Board and CEO expect employees throughout the Bank to share when carrying out their respective roles and responsibilities within the Bank.

Quantitative limits should incorporate sound stress testing processes, as appropriate, and should address the Bank’s earnings, capital, and liquidity positions. The Bank may set quantitative limits on a gross or net basis that take into account appropriate capital and liquidity buffers; in either case, these limits should be set at levels that prompt management and the Board to manage risk proactively before the Bank’s risk profile jeopardizes the adequacy of its earnings, liquidity, and capital. Lagging indicators, such as delinquencies, problem asset levels, and losses generally will not capture the build-up of risk during healthy economic periods. As a result, these indicators are generally not useful in proactively managing risk.

  • The Federal banking agencies issued guidance on stress testing in May 2012. The guidance describes various stress testing approaches and applications, and Banks should consider the range of approaches and select the one(s) most suitable when establishing quantitative limits.

Concentration and front line unit risk limits. The Guidelines provide that the Framework should include concentration risk limits and, as applicable, front line unit risk limits for the relevant risks in each front line unit to ensure these units do not create excessive risks.

Risk appetite review, monitoring, and communication processes. The proposed Guidelines provide that the Framework should require: (i) Review and approval of the Statement by the Board or the Board’s risk committee at least annually or more frequently, as necessary, based on the size and volatility of risks and any material changes in the Bank’s business model, strategy, risk profile, or market conditions; (ii) Initial communication and ongoing reinforcement of the Bank’s Statement throughout the Bank to ensure that all employees align their risk-taking decisions with the Statement; (iii) Independent risk management units to monitor the Bank’s risk profile in relation to its risk appetite and compliance with concentration risk limits and to report such monitoring to the Board or the Board’s risk committee at least quarterly; (iv) Front line units and independent risk management unit to monitor their respective risk limits at least quarterly; and (v) When necessary due to the level and type of risk, the independent risk management unit to monitor front line units’ compliance with front line unit risk limits, ongoing communication with front line units regarding adherence to these risk limits, and to report any concerns to the CEO and the Board or the Board’s risk committee, at least quarterly.

Processes governing risk limit breaches. Paragraph H. of Part II of the proposed Guidelines sets out processes governing risk limit breaches. The Bank should establish and adhere to processes that require front line units and independent risk management, in conjunction with their respective responsibilities, to identify any breaches of the Statement, concentration risk limits, and front line unit risk limits, distinguish identified breaches based on the severity of their impact on the Bank and establish protocols for when and how to inform the Board, front line management, independent risk management unit, and the OCC of these breaches. The Bank should also include in the protocols discussed above the requirement to provide a written description of how a breach will be, or has been, resolved and establish accountability for reporting and resolving breaches that include consequences for risk limit breaches that take into account the magnitude, frequency, and recurrence of breaches.

Concentration risk management. Paragraph I. of Part II of the proposed Guidelines provides that the Framework should include policies and supporting processes that are appropriate for the Bank’s size, complexity, and risk profile and that effectively identify, measure, monitor, and control the Bank’s concentration of risk. Concentrations of risk can arise in any risk category, with the most common being identified with borrowers, funds providers, and counterparties.

Risk data aggregation and reporting. Paragraph J. of Part II of the proposed Guidelines addresses risk data aggregation and reporting. This paragraph provides that the Framework should include a set of policies, supported by appropriate procedures and processes, designed to ensure that the Bank’s risk data aggregation and reporting capabilities are appropriate for its size, complexity, and risk profile and support supervisory reporting requirements. These policies, procedures, and processes should provide for an information technology (IT) infrastructure that supports the Bank’s risk aggregation and reporting needs in both normal times and times of stress.

Relationship of risk appetite statement, concentration risk limits, and front line unit risk limits to other processes. Paragraph K. of Part II of the proposed Guidelines addresses the relationship between the Statement, concentration risk limits, and front line unit risk limits to other Bank processes. The Bank’s front line units and independent risk management should incorporate these elements into their strategic and annual operating plans, capital stress testing and planning processes, liquidity stress testing and planning processes, product and service risk management processes (including those for approving new and modified products and services), decisions regarding acquisitions and divestitures, and compensation performance management programs.

Talent management processes; compensation and performance management programs. Paragraphs L. and M. of Part II of the proposed Guidelines address the Bank’s talent management processes and compensation and performance management programs, respectively. With regard to talent management, the guidelines provide that the Bank should conduct talent development, recruitment, and succession planning to help ensure that employees who are responsible for or influence material risk decisions have the knowledge, skills, and abilities to effectively identify, measure, monitor, and control relevant risks.

Part III: Standards for Boards of Directors

Part III of the proposed Guidelines sets out the minimum standards for the Bank’s Board in providing oversight to the Framework’s design and implementation.

Ensure an effective risk governance framework. Paragraph A. of Part III of the proposed Guidelines provides that each member of the Board has a duty to oversee the Bank’s compliance with safe and sound banking practices. Consistent with this duty, the Board should ensure that the Bank establishes and implements an effective Framework that complies with the Guidelines. The Board or its risk committee should also approve any changes to the Framework.

Provide active oversight of management. Paragraph B. of Part III of the proposed Guidelines addresses Board oversight of Bank management, and generally provides that the Board should provide a credible challenge to management. Specifically, the Board should actively oversee the Bank’s risk-taking activities and hold management accountable for adhering to the Framework. The Board should also critically evaluate management’s recommendations and decisions by questioning, challenging, and, when necessary, opposing, management’s proposed actions that could cause the Bank’s risk profile to exceed its risk appetite or threaten the Bank’s safety and soundness.

Exercise independent judgment. Paragraph C. of Part III of the proposed Guidelines provides that each Board member should exercise sound, independent judgment.

Include independent directors. Paragraph D. of Part III of the proposed Guidelines provides that at least two members of a Bank’s Board should be independent, i.e., they should not be members of the Bank’s or the parent company’s management.

Provide ongoing training to independent directors. Paragraph E. of Part III provides that in order to ensure that each member of the Board has the knowledge, skills, and abilities needed to meet the standards set forth in the Guidelines, the Board should establish and adhere to a formal, ongoing training program for independent directors.

  • The training program for independent directors should include training on: (i) Complex products, services, lines of business, and risks that have a significant impact on the Bank; (ii) Laws, regulations, and supervisory requirements applicable to the Bank; and (iii) Other topics identified by the Board.

Self-assessments. Paragraph F. of Part III of the proposed Guidelines provides that the Bank’s Board should conduct an annual self-assessment that includes an evaluation of the Board’s effectiveness in meeting the standards provided in Part III of the Guidelines.

Newsletter Author: Craig Unterseher

Newsletter Contact Person: Hamish Wynn, Janki A. Shah

DISCLAIMER: This blog is intended for general informational purposes only, does not take into account the reader’s specific circumstances, may not reflect the most current developments, and is not intended to provide advice on specific circumstances. Accenture disclaims, to the fullest extent permitted by applicable law, all liability for the accuracy and completeness of the information in this blog and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professional.

About Accenture

Accenture is a global management consulting, technology services and outsourcing company, with approximately 323,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world’s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US$30.0 billion for the fiscal year ended Aug. 31, 2014. Its home page is www.accenture.com.

Copyright © 2015 Accenture. All rights reserved.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

If you require advice or further details on any matters referred to, please contact your Accenture representative.

Appendix[ii]
Size requirement: Total consolidated assets of more than $10 billion but less than $50 billion
  • FRB requirements: Company-run stress tests
  • OCC: 1. The primary fiduciary duties of an institution’s board of directors are to ensure that the institution operates in a safe and sound manner.
  • Implementation plan: Statement of responsibility in Charter

Size requirement: Total consolidated assets equal to or greater than $10 billion but less than $50 billion (if publicly-traded)
  • FRB requirements: Risk committee
  • OCC: 1. The primary fiduciary duties of an institution’s board of directors are to ensure that the institution operates in a safe and sound manner.
  • Implementation plan: Statement of responsibility in Charter

Size requirement: Total consolidated assets of $50 billion or more, but combined US assets of less than $50 billion
  • FRB requirements:
    • Risk-based and leverage capital
    • Risk management
    • Risk committee
    • Liquidity
    • Capital stress testing
    • Debt to equity limits (upon grave threat determination)
  • OCC:
    • 1. The primary fiduciary duties of an institution’s board of directors are to ensure that the institution operates in a safe and sound manner.
    • 2. To have a well-defined personnel management program that ensures appropriate staffing levels, provides for orderly succession
    • 3. Involves institutions defining and communicating an acceptable risk appetite across the organization
    • 4. The development and maintenance of strong audit and risk management functions
    • 5. The board of directors’ willingness to provide a credible challenge to bank management’s decision-making.
  • Implementation plan:
    • Statement of responsibility in Charter
    • Statement in Board HR committee, completion target near end plan
    • Board and Risk committee, completion early in plan
    • Board Risk and Audit Committee, early in plan
    • Board HR committee

Size requirement: Total consolidated assets of $50 billion or more, and combined US assets of $50 billion or more
  • FRB requirements:
    • Risk-based and leverage capital
    • Risk management
    • Risk committee
    • Liquidity risk management, liquidity stress testing, and buffer
    • Capital stress testing
  • OCC:
    • 1. The primary fiduciary duties of an institution’s board of directors is to ensure the institution operates in a safe and sound manner.
    • 2. To have a well-defined personnel management program that helps ensure appropriate staffing levels and provides for orderly succession
    • 3. Involves institutions defining and communicating an acceptable risk appetite across the organization
    • 4. The development and maintenance of strong audit and risk management functions
    • 5. The board of directors’ willingness to provide a credible challenge to bank management’s decision-making.
  • Implementation plan:
    • Statement of responsibility in Charter
    • Statement in Board HR committee
    • Board and Risk committee, completion early in plan
    • Board Risk and Audit Committee, early in plan
    • Board HR committee

Size requirement: US intermediate holding company requirement (if the foreign banking organization has US non-branch assets of $50 billion or more)
  • FRB requirements:
    • Risk-based and leverage capital
    • Risk management
    • Risk committee
    • Liquidity
    • Capital stress testing
  • OCC: None per statute

[1] “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations,” Office of the Comptroller of the Currency, 12 CFR Parts 30 and 170, Final rules and guidelines. Access at: http://www.occ.gov/news-issuances/news-releases/2014/nr-occ-2014-117a.pdf

[2] Board of Governors of the Federal Reserve System, press release, February 18, 2014. Access at: http://www.federalreserve.gov/newsevents/press/bcreg/20140218a.htm

Regulatory Compliance Team

Accenture Regulatory Compliance Team, Finance & Risk Practice
