Banking Brief: OCC Proposed Guidelines Establishing Heightened Standards for Risk Governance
April 16, 2014
In January 2014, the Office of the Comptroller of the Currency (OCC) issued proposed guidelines establishing minimum standards for a large bank’s risk governance framework and for a board of directors’ oversight of the framework’s design and implementation (the “Proposed Guidelines”). The Proposed Guidelines would apply to insured national banks and insured Federal branches of foreign banks with average total consolidated assets of $50 billion or more.
Executive Summary of the OCC’s Proposal
The OCC first began informally communicating its “Heightened Expectations” program in 2010 to enhance the OCC’s supervision and strengthen the governance and risk management practices of large national banks in the wake of the crisis, and by 2012 had started examining large banks for compliance with the program. Banks have already made significant improvements to their risk management frameworks in response to the Heightened Expectations program. The Proposed Guidelines would, for the first time, establish written and enforceable guidelines formally implementing the OCC’s Heightened Expectations.
As described in the Proposed Guidelines, the OCC’s Heightened Expectations have five components:
1) Preserving the “sanctity of the charter” by requiring each bank’s board to ensure that decisions of the parent company do not jeopardize the bank’s safety and soundness;
2) Maintaining a well-defined personnel management program that ensures appropriate staffing levels, provides for orderly succession, and provides appropriate compensation incentives;
3) Defining and communicating an appropriate risk appetite (or tolerance) for the bank;
4) Developing reliable oversight programs including strong audit and risk management functions; and
5) Enhancing the role of the board of directors such that it provides a credible challenge to bank management decision-making.
In reducing these key components to formal guidelines, the Proposed Guidelines would (among other things):
- Require a bank to establish its own separate risk governance framework – rather than leveraging its parent holding company’s framework – unless (i) the bank can verify that it satisfies a quantitative test (essentially, that the bank constitutes 95% of the business of the holding company) or (ii) the OCC otherwise determines that the bank’s risk profile is “substantially the same” as its parent company’s.
- Require bank risk governance frameworks to follow a “three lines of defense” model whereby: (i) the front-line business units have responsibility for assessing, managing, and controlling risks originating from their activities; (ii) second line of defense units or functions focus on measuring, managing, or controlling risks, including overseeing controls used by the first line of defense to mitigate and manage risks; and (iii) internal audit, as the third line of defense, engages in independent testing of and assurance on the entire governance, risk management, and control framework; and
- Require bank boards of directors to (i) “ensure” that the bank establishes an effective risk governance framework that meets the Proposed Guidelines, (ii) oversee the talent development, recruitment, and succession planning processes for independent risk management and internal audit, and (iii) establish succession plans for certain bank officials, including the Chief Risk Executive and the Chief Audit Executive.
The Clearing House View
The Clearing House Association strongly supports the OCC’s overall Heightened Expectations program for large banks and shares with the OCC its key objective – a robust, identifiable risk management framework that identifies bank-specific risks, manages those risks appropriately, and works closely with the enterprise-wide risk management framework of the holding company.
Notwithstanding this general support, however, The Clearing House is concerned that particular aspects of the Proposed Guidelines may require substantial changes to a bank’s risk management practices that would be unnecessary and potentially counterproductive to sound risk management practices. These concerns are particularly pronounced because the Proposed Guidelines are expressly intended to facilitate the OCC’s ability to take enforcement actions when standards under the Guidelines have been breached.
Relationship between Risk Management Frameworks of a Bank and its Parent Holding Company
As currently drafted, the Proposed Guidelines may not leave banks sufficient flexibility to harmonize bank-level and holding company-level risk management controls in a manner that is most effective and efficient given each bank’s structure and business. As long as a parent holding company’s risk management framework meets the OCC’s Proposed Guidelines, a bank should be able to leverage aspects of the framework that appropriately address distinct bank-specific risks, rather than requiring a bank to recreate and duplicate functions, personnel, and systems at the bank level. Failure to do so could unnecessarily limit the ability of a consolidated group to achieve a cohesive, enterprise-wide approach to risk management.
Lines of Defense
Although The Clearing House generally supports the “three lines of defense” model of risk management, the specific way the Proposed Guidelines would implement this model raises significant concerns. In particular, the Proposed Guidelines would assign to the “front line” not only revenue-generating units but also non-revenue-generating units (other than independent risk management and internal audit) that perform significant control functions, such as Legal, Finance, Treasury, IT, and HR. By failing to differentiate between the risks posed by, and the oversight necessary for, these units and those of the revenue-generating business units in the first line of defense, this approach may force banks to significantly modify their organizational structures, reporting lines, and risk control practices in a manner that could impair their ability to manage risks effectively.
Board of Directors
The Clearing House supports strong board oversight of banks and believes that the standards established in the Proposed Guidelines for directors are generally appropriate. However, the Proposed Guidelines are overly prescriptive in certain respects, with the potential effect of inappropriately assigning managerial and operational responsibilities to the board of directors. For example, the Proposed Guidelines would assign responsibility to the board of directors to establish succession plans for direct reports of the CEO and to oversee talent development, recruitment, and succession processes for individuals two levels down from the CEO, for independent risk management, and for internal audit. The Proposed Guidelines would also require a bank’s board of directors to “ensure” that the bank establishes and implements an effective risk governance framework that complies with the Proposed Guidelines, which connotes a guarantee of results. Accordingly, the use of the word “ensure” in this context could be understood to require the board to be deeply involved in the day-to-day activities of the bank, thereby transforming the board’s core oversight function into a management function. The OCC should clarify and revise the Guidelines so that strong board oversight does not blur the distinction between the board and management.