On January 10, the FDIC released its Winter 2017 Supervisory Insights (see FIL-5-2018), which contains articles discussing credit management information systems and underwriting trends. The first article, “Credit Management Information Systems: A Forward-Looking Approach,” discusses, among other things, how financial institutions can incorporate forward-looking metrics to assist in identifying future issues. The article also emphasizes the importance of effective risk management programs which contain policies and procedures that support strategic decision making by senior management and board members responsible for overseeing lending activities. The second article, “Underwriting Trends and Other Highlights from the FDIC’s Credit and Consumer Products/Services Survey,” shares the recent credit survey results from examinations of FDIC-supervised financial institutions. The survey indicates that risk may be increasing in the industry based on reports of credit concentrations, increases in potentially volatile funding sources, and more “out-of-area lending.” In addition, the winter issue includes an overview of recently released regulations and supervisory guidance in its Regulatory and Supervisory Roundup.
On January 4, the Federal Reserve (Fed) issued for public comment proposed guidance setting forth core principles of effective risk management for Large Financial Institutions (“LFI”s) (“Risk Management proposal”). Given that it is increasingly likely that Congress will release financial institutions with assets below $250 billion from “SIFI” designation, the Fed’s guidance yesterday is a further effort to ensure that risk at LFIs will continue to be managed well even after many of them are no longer subject to other SIFI obligations. The proposal would apply to domestic bank holding companies and savings and loan holding companies with total consolidated assets of $50 billion or more; the U.S. operations of foreign banking organizations (“FBOs”) with combined U.S. assets of $50 billion or more; and any state member bank subsidiary of these institutions. The proposal would also apply to any systemically important nonbank financial company designated by the Financial Stability Oversight Council (“FSOC”) for Fed supervision. The proposed guidance clarifies the Fed’s supervisory expectations of these institutions’ core principles with respect to effective senior management; the management of business lines; and independent risk management (“IRM”) and controls.
The Risk Management proposal is part of the Fed’s broader initiative to develop a supervisory rating system and related guidance that would align its consolidated supervisory framework for LFIs. Last August, the Fed issued for public comment two related proposals: a new rating system for LFIs (“proposed LFI rating system”) and guidance addressing supervisory expectations for board directors (“Board Expectations proposal”). (See previous InfoBytes coverage on the proposals.) The proposed LFI rating system is designed to evaluate LFIs on whether they possess sufficient financial and operational strength and resilience to maintain safe and sound operations through a range of conditions. With regard to the Board Expectations proposal, the January 4 proposal establishes supervisory expectations relevant to the assessment of a firm’s governance and controls, which consists of three chief components: (i) effectiveness of a firm’s board of directors, (ii) management of business lines, independent risk management and controls, and (iii) recovery planning. This guidance sets forth the Fed’s expectations for LFIs with respect to the second component—the management of business lines and IRM and controls, and builds on previous supervisory guidance. In general, the proposal “is intended to consolidate and clarify the [Fed’s] existing supervisory expectations regarding risk management.”
The January 4 release delineates the roles and responsibilities for individuals and functions related to risk management. Accordingly, it is organized in three parts: (i) core principles of effective senior management; (ii) core principles of the management of business lines; and (iii) core principles of IRM and controls.
The Risk Management proposal defines senior management as “the core group of individuals directly accountable to the board of directors for the sound and prudent day-to-day management of the firm.” Two key responsibilities of senior management are overseeing the activities of the firm’s business lines and the firm’s IRM and system of internal control. The proposed guidance highlights the principle that: Senior management is responsible for managing the day-to-day operations of the firm and ensuring safety and soundness and compliance with internal policies and procedures, laws and regulations, including those related to consumer protection.
Management of Business Lines
The proposal refers to “business line management” as the core group of individuals responsible for prudent day-to-day management of a business line and accountable to senior management for that responsibility. For LFIs that are not subject to supervision by the Large Institution Supervision Coordinating Committee (“LISCC”), these expectations would apply to any business line where a significant control disruption, failure, or loss event could result in a material loss of revenue, profit, or franchise value, or result in significant consumer harm.
A firm’s business line management should:
- Execute business line activities consistent with the firm’s strategy and risk tolerance.
- Identify, measure, and manage the risks associated with the business activities under a broad range of conditions, incorporating input from IRM.
- Provide a business line with the resources and infrastructure sufficient to manage the business line’s activities in a safe and sound manner, and in compliance with applicable laws and regulations, including those related to consumer protection, as well as policies, procedures, and limits.
- Ensure that the internal control system is effective for the business line operations.
- Be held accountable, with business line staff, for operating within established policies and guidelines, and acting in accordance with applicable laws, regulations, and supervisory guidance, including those related to consumer protection.
Independent Risk Management and Controls
The Risk Management proposal describes core principles of a firm’s independent risk management function, system of internal control, and internal audit function. Although the guidance does not prescribe in detail the governance structure for a firm’s IRM and controls, it does set forth requirements with respect to the roles of the Chief Risk Officer (“CRO”) and Chief Audit Executive:
- The CRO should establish and maintain IRM that is appropriate for the size, complexity, and risk profile of the firm.
- The Chief Audit Executive should have clear roles and responsibilities to establish and maintain an internal audit function that is appropriate for the size, complexity and risk profile of the firm.
The proposal requires that a firm’s IRM function be sufficient to provide an objective, critical assessment of risks and to evaluate whether a firm remains aligned with its stated risk tolerance. Specifically, a firm’s IRM function should:
- Evaluate whether the firm’s risk tolerance appropriately captures the firm’s material risks and confirm that the risk tolerance is consistent with the capacity of the risk management framework.
- Establish enterprise-wide risk limits consistent with the firm’s risk tolerance and monitor adherence to such limits.
- Identify and measure the firm’s risks.
- Aggregate risks and provide an independent assessment of the firm’s risk profile.
- Provide the board and senior management with risk reports that accurately and concisely convey relevant, material risk data and assessments in a timely manner.
With regard to internal controls, the proposed guidance builds upon the expectations described in the Fed’s Supervisory Letter 12-17. A firm should have a system of internal control to guide practices, provide appropriate checks and balances, and confirm quality of operations. In particular, the guidance states that a firm should:
- Identify its system of internal control and demonstrate that it is commensurate with the firm’s size, scope of operations, activities, risk profile, strategy, and risk tolerance, and consistent with all applicable laws and regulations, including those related to consumer protection.
- Regularly evaluate and test the effectiveness of internal controls, and monitor functioning of controls so that deficiencies are identified and communicated in a timely manner.
With respect to internal audit, the proposed guidance does not expand upon the Fed’s expectations; rather it references existing supervisory expectations. The proposed guidance highlights that a firm should adhere to the underlying principle that its internal audit function should examine, evaluate, and perform independent assessments of the firm’s risk management and internal control systems and report findings to senior management and the firm’s audit committee.
Comments on the Fed’s proposed guidance are due by March 15.
On October 27, the OCC issued Bulletin 2017-46, updating guidance related to federal bank branch supervision and licensing. The OCC issued a revised version of its “Federal Branches and Agencies” booklet, which clarifies the process for reviewing and evaluating license conversion applications by a state-licensed branch or agency operated by a foreign bank to a federal branch or agency. Bulletin 2017-46 also replaced the 2014 agency paper entitled, The OCC’s Approach to Federal Branch and Agency Supervision. The paper outlines the OCC’s framework and considerations related to (i) the regulatory approach and supervision process for large and complex federal branches and agencies (not community banks), and (ii) the general overview of the filing requirements for applications, notices, and licenses, as well as the review and decision process.
On October 31, the OCC issued Bulletin 2017-48 to update its policies and procedures regarding bank enforcement actions. The updates are designed to provide more clarity and consistency in the implementation, communication and monitoring of enforcement actions. In particular, the updates are intended to, among other things, better describe the relationship between violations, concerns identified in matters requiring attention, and enforcement actions, emphasize communication with bank management and personnel and OCC supervisors, and enhance standard processes for tracking and resolving corrective actions. The updates are effective December 1, and are reflected in its “Bank Supervision Process,” “Community Bank Supervision,” “Federal Branches and Agencies Supervision,” and “Large Bank Supervision” booklets of the Comptroller’s Handbook.
OCC to Host Workshop for Bank Directors in December; FDIC, CFPB Announce Webinar to Discuss Financial Education Resources
On October 23, the OCC announced it will host a workshop December 4-6 in Albuquerque, New Mexico, for directors, senior management team members, and other key executives of OCC-supervised national community banks and federal savings associations. The “Building Blocks for Directors” workshop will (i) focus on the duties and core responsibilities of directors and management; (ii) discuss major laws and regulations; and (iii) provide insight on the examination process.
Also on October 23, the FDIC and CFPB announced they will co-host a webinar on November 15 to discuss financial education resources designed to help people with disabilities make informed financial decisions. Topics of discussion will include recent enhancements to the FDIC’s Money Smart curriculum and the CFPB’s Your Money, Your Goals toolkit.
On October 20, the OCC released modifications to its risk management principles for new, modified, or expanded financial products and services (collectively, new activities). Bulletin 2017-43 rescinds OCC Bulletin 2004-20 and section 760 of the Office of Thrift Supervision Examination Handbook. The Bulletin provides guidance on risks in the following categories: strategic, reputational, credit, operational, compliance, and liquidity. The Bulletin also outlines the main components of an effective risk management system, such as the need for:
- “adequate due diligence and approvals before introducing a new activity”;
- “policies and procedures to properly identify, measure, monitor, report, and control risks”;
- “effective change management for new activities or affected processes and technologies”; and
- “ongoing performance monitoring and review systems.”
According to the OCC, the sophistication of a bank’s risk management system should be commensurate with the bank’s size, complexity, and risk profile. Further, “bank management and boards of directors should understand the impact of new activities on banks’ financial performance, strategic planning process, risk profiles, traditional banking models, and ability to remain competitive.”
On October 13, the OCC issued an update to its list of permissible activities for national banks, federal savings associations, and operating subsidiaries that are engaged in “the business of banking.” Activities Permissible for National Banks and Federal Savings Associations, Cumulative updates the list of permissible activities for banks, reflects precedent not previously included or issued since the last edition, streamlines certain entries for readability, and includes certain OCC interpretive letters and corporate decisions issued after the Dodd-Frank Act transferred responsibility from the Office of Thrift Supervision to the OCC. While the update consolidates existing guidance, the OCC stated that “OCC precedent remains applicable until rescinded, superseded, or revised,” and banks should not rely solely on the update for guidance but “should review the authorities cited and other relevant precedent before engaging in an activity.” Furthermore, according to an OCC-issued press release, “[i]ndividual OCC-regulated institutions may be precluded from engaging in otherwise permissible activities based on safety and soundness or other supervisory reasons.”
Basel Committee on Banking Supervision Issues Consultative Document on Implications of Fintech for the Banking Industry
As waves of innovative financial technology (fintech) continue to reshape the financial services landscape, banking institutions and their supervisors have invested significant effort in analyzing its impact and developing an appropriate response. On August 31, the Basel Committee on Banking Supervision (BCBS), the primary global standard setter for the prudential regulation of banks, weighed in. Through the release of a consultative document, Sound Practices: Implications of fintech developments for banks and bank supervisors, the BCBS identified 10 key observations, accompanied by 10 recommendations, for banks and bank supervisors to address the challenges posed by advances in fintech.
The report summarizes the main findings of a BCBS task force established to analyze developments in fintech and their impact on the banking industry. Quantifying the size and growth of fintech is difficult; among other reasons, most jurisdictions have not formally defined “fintech” (notably, the report includes a glossary of terms and acronyms related to the delivery of fintech products and services, and is the first attempt by the BCBS to provide a common definition in this space). Yet the significant number of financial products and services derived from fintech innovations and the trend of rising investment in fintech companies globally warrants attention. As the BCBS acknowledges, while the impact of fintech on banking remains uncertain, “that change could be fast-paced and significant.”
In its report, the BCBS observes that the rise of fintech innovation has resulted in “a battle for the customer relationship and customer data,” the result of which “will be crucial in determining the future role of banks.” To assess the impact of the evolution of fintech products and services, the BCBS identified five stylized scenarios describing the potential impact of fintech on banks. In addition, the BCBS assessed six case studies focused on specific innovations (e.g., big data, cloud computing, innovative payment services, and neo-banks), in order to understand the individual risks and opportunities of a specific fintech development through the different scenarios. The extent to which banks or new fintech entrants will own the customer relationship varied across each scenario. However, in almost every scenario, the position of the incumbent banks will be challenged. The BCBS finds that “a common theme across the various scenarios is that banks will find it increasingly difficult to maintain their current operating models, given technological change and customer expectations.”
In analyzing fintech’s potential impact, the BCBS analyzes previous waves of innovation in banking, such as ATMs, electronic payments, and the Internet. While each of these has changed the face of banking, the BCBS highlights two key differences as it concerns fintech’s potential impact: the current pace of innovation is faster than in previous decades and the pace of adoption has also increased. As a result, the Committee warns, “the effects of innovation and disruption can happen more quickly than before, implying that incumbents may need to adjust faster.”
The BCBS stated that banking standards and supervisory expectations “should be adaptive to new innovations, while maintaining appropriate prudential standards.” Against this backdrop, the Committee concluded its report with 10 key observations and recommendations for consideration by banks and bank supervisors.
- The overarching need to ensure safety and soundness and high compliance standards without inhibiting beneficial innovation in the banking sector;
- Key risks for banks related to fintech developments, including strategic/profitability risks, operational, cyber and compliance risks;
- Implications for banks of the use of innovative enabling technologies;
- Implications for banks of the growing use of third parties, via outsourcing and/or partnerships;
- Cross-sectoral cooperation between supervisors and other relevant authorities;
- International cooperation between banking supervisors;
- Adaptation of the supervisory skillset;
- Potential opportunities for supervisors to use innovative technologies ("suptech");
- Relevance of existing regulatory frameworks for new innovative business models; and
- Key features of regulatory initiatives set up to facilitate fintech innovation.
By issuing this guidance, BCBS is prompting global regulators to address technological advancements and novel business models with the same sense of urgency that the banking and fintech industries are employing. It will be incumbent on the financial services industry – traditional and novel business models alike – to work together to inform and shape what those supervisory guidelines will look like.
Comments on BCBS’s consultative document will be accepted through October 31, 2017.
On August 30, the FDIC released its Summer 2017 Supervisory Insights (see FIL-39-2017), which contains articles discussing community bank liquidity risks and developments and changes to the Bank Secrecy Act. The first article, “Community Bank Liquidity Risk: Trends and Observations from Recent Examinations,” discusses, among other things, (i) an overview of trends in liquidity risk; (ii) the importance of liquidity risk management and contingency funding plans as bank management navigate funding, mitigate liquidity stress, and plan for the future; and (iii) “principles outlined in existing supervisory guidance.” The first article is “intended as a resource for bankers who wish to heighten awareness of prudent liquidity and funds management.” The second article, “The Bank Secrecy Act: A Supervisory Update,” emphasizes the role information collected through Bank Secrecy Act/Anti-Money Laundering (BSA/AML) programs plays in the U.S. government’s counter terrorist financing initiatives and other financial system protection measures. The article also provides an overview of the financial regulatory agency examination process, compliance program monitoring, recent trends in BSA/AML examination findings, and examples of significant deficiencies in BSA/AML compliance programs that necessitated formal remediation. In addition, the summer issue includes an overview of recently released regulations and supervisory guidance in its Regulatory and Supervisory Roundup.
Federal Reserve Issues Guidance Regarding Roles of Bank Boards, Requests Comments on New SIFI Rating System
Guidance Regarding Roles of Bank Boards.
On August 3, the Federal Reserve (Fed) took an important step towards easing the heavy regulatory burden placed on the boards of directors at the largest U.S. banking organizations, when it issued for public comment a corporate governance proposal intended to “enhance the effectiveness of boards of directors” and “refocus the Federal Reserve supervisory expectations for the largest firms’ boards of directors on their core responsibilities, which will promote the safety and soundness of the firms.”
The proposal is a result of a multi-year review conducted by the Fed of practices of boards of directors, particularly at the largest banking institutions. The Fed focused on the challenges boards face, the factors that make boards effective, and the ways in which boards influence the safety and soundness of their firms and promote compliance within. The key takeaways of this review included:
- supervisory expectations for boards of directors and senior management have become increasingly difficult to distinguish;
- boards devote a significant amount of time to satisfying supervisory expectations that do not directly relate to the board’s core responsibilities; and
- boards of large financial institutions face significant information flow challenges, which can result in boards being overwhelmed by the complexity and quantity of information received.
The Fed expects that these issues can be remediated by allowing banks to refocus on their core responsibilities, including: (i) developing the firm’s strategy and risk tolerance; (ii) overseeing senior management and holding them accountable for effective risk management and compliance; (iii) supporting the independence of the firm’s independent risk management and internal audit functions; and (iv) adopting effective governance practices.
In April, Fed Governor Jerome Powell indicated that the financial crisis led to a “broad increase in supervisory expectations” for these boards of directors, but cautioned that the Fed needs to “ensure that directors are not distracted from conducting their key functions by overly detailed checklist of supervisory process requirements.” Explaining that the Fed was reassessing its supervisory expectations for boards, Powell stated “it is important to acknowledge that the board’s role is one of oversight, not management.”
The proposed guidance better distinguishes the supervisory expectations for boards from those of senior management, and includes new criteria by which the Fed will assess bank boards. The Fed describes effective boards as those which:
- set clear, aligned, and consistent direction regarding the firm’s strategy and risk tolerance;
- actively manage information flow and board discussions;
- hold senior management accountable;
- support the independence and stature of independent risk management and internal audit; and
- maintain a capable board composition and governance structure.
The proposal also clarifies expectations for communicating supervisory findings within firms, stating that for all supervised firms, most supervisory findings should be communicated to the firm's senior management for corrective action, rather than to its board of directors. Such findings would only be directed to the board for corrective action when the board needs to address its corporate governance responsibilities or when senior management fails to take appropriate remedial action.
While the proposal does not address all of the post-crisis challenges faced by bank boards, it is a welcome message to the industry that the Fed recognized the need to recalibrate its expectations. The proposal also identifies existing supervisory expectations for boards of directors that could be eliminated or revised and notes that the Fed intends to continue assessing whether its expectations of bank boards require further changes.
New SIFI Rating System.
On August 3, the Fed also issued for public comment a new risk rating system for Large Financial Institutions (“LFI”s) that would replace the RFI rating system for bank holding companies with total consolidated assets of $50 billion or more; non-insurance, non-commercial savings and loan holding companies with total consolidated assets of $50 billion or more; and U.S. intermediate holding companies of foreign banking organizations established pursuant to the Fed’s Regulation YY. (The Fed will continue to use the same RFI rating system that has been in place since 2004 to evaluate community and regional bank holding companies.)
The LFI rating system is designed to evaluate LFIs on whether they possess sufficient financial and operational strength and resilience to maintain safe and sound operations through a range of conditions. The system would consist of three chief components:
- Governance and Controls
  - board of directors,
  - management of core business lines and independent risk management and controls, and
  - recovery planning (for domestic bank holding companies subject to LISCC);
- Capital Planning and Positions; and
- Liquidity Risk Management and Positions.
The Governance and Control component would evaluate an LFI’s effectiveness in ensuring that the firm’s strategic business objectives are safely within the firm’s risk tolerance and ability to manage the accordant risk. The component will focus on LFIs’ effectiveness in maintaining strong, effective and independent risk management and control functions, including internal audit and compliance, and providing for ongoing resiliency.
The second and third components are intended to incorporate LFI supervision activities, including CCAR and CLAR, which will be directly reflected within the respective component ratings–resulting in a more comprehensive supervisory approach than the RFI rating system which did not incorporate the results of those supervisory activities.
Each LFI would receive a component rating using a multi-level scale (Satisfactory/Satisfactory Watch, Deficient-1 and Deficient-2). “Satisfactory Watch” would indicate that a firm is generally considered safe and sound; however, certain issues require timely resolution. Any Deficiency rating would result in that LFI being considered less than “well managed.”
On July 26, the FDIC issued Financial Institution Letter FIL-31-2017 to announce updates to its Risk Management Manual of Examination Policies. The revisions, which incorporated guidance from the FDIC’s Board of Directors, updated the Report of Examination Instructions regarding matters requiring board attention and “deviations from the safety and soundness principles underlying statements of policy.” The revision also included updated instructions for examiners to use when complying with examination schedules. The letter applies to all FDIC-supervised financial institutions.