InfoBytes Blog

Financial Stability Board releases supplementary guidance on sound compensation practices

On March 9, the Financial Stability Board (FSB) announced the release of its Supplementary Guidance to the FSB Principles and Standards on Sound Compensation Practices (Supplementary Guidance) relating to FSB’s Principles and Standards published in 2009. The Supplementary Guidance arises out of a 2015 workplan implemented to address concerns about compensation practices that could create misaligned incentives within financial institutions. The Supplementary Guidance, which does not contain new or additional principles and standards, provides recommendations presented in three parts: (i) “governance of compensation and misconduct risk”; (ii) “effective alignment of compensation with misconduct risk”; and (iii) “supervision of compensation and misconduct risk.” The Supplementary Guidance notes that “inappropriately structured compensation arrangements can provide individuals with incentives to take imprudent risks,” which may lead to potential harm for financial institutions and their customers or stakeholders. The Supplementary Guidance suggests that financial institutions use compensation tools as part of an overall strategy to limit risks and address misconduct, and cautions that “compensation should be adjusted for all types of risk.” 

Federal Issues Financial Stability Board Risk Management Compensation

Federal Reserve blocks national bank’s growth, cites internal governance and risk management oversight failures

On February 2, the Federal Reserve Board (Fed) cited compliance breakdowns and widespread consumer abuses as the primary factors behind its decision to issue an order to cease and desist against a national bank. In addition to blocking the bank from growing beyond $1.95 trillion in assets until the Fed approves internal governance and risk management reforms, the order also requires the bank to take actions in the areas of board effectiveness, risk management program improvement, third party reviews of plans and improvements, and reports on progress. The bank must, among other things, (i) create “separate and independent reporting lines” to the chief risk officer and the board, and (ii) enhance risk management oversight and functions, which includes creating “an effective risk identification and escalation framework.” The bank concurrently agreed to replace four current board members in 2018, with three replaced by April. Notably, the order does not require the bank to cease current activities such as accepting customer deposits or making consumer loans.

The Fed also sent letters to the bank’s former lead independent director and former chair of the board of directors (see letters here and here) to address the “many pervasive and serious compliance and conduct failures” that occurred during their tenures. Citing ineffective oversight following awareness of alleged consumer abuses, the Fed stated that the former directors failed to initiate any serious inquiry or request that the board do so. Further, the Fed asserted that the former chair of the board continued to support the sales goals that were a major cause of the identified sales practice problems and failed to initiate a serious investigation or inquiry. A third letter sent to the current board of directors outlines steps the board must take to improve senior management reporting, maintain an effective risk management structure, and ensure compensation and other incentive programs are “consistent with sound risk management objectives and promote . . . compliance with laws and regulations.” (See here and here for previous InfoBytes coverage on the alleged improper sales practices.)

In response, the bank issued a press release stating it will commit to the Fed’s requirements and will provide a compliance plan for oversight, compliance, and operational risk management to the Fed within 60 days. The plan will also outline measures already completed by the bank, and if approved by the Fed, the bank will engage independent third parties to review its adoption and implementation of the plan.

Federal Issues Federal Reserve Bank Regulatory CFPB OCC Consumer Finance Risk Management

FHFA releases 2018-2022 strategic plan

On January 29, the Federal Housing Finance Agency (FHFA) released its strategic plan for 2018-2022, which sets three strategic goals and discusses multiple factors associated with achieving each goal. FHFA’s three strategic goals for 2018-2022 are:

• Ensure safe and sound regulated entities. FHFA intends to, among other things, use a risk based system to identify supervisory concerns and monitor entities for timely remediation. Additionally, FHFA intends to monitor industry trends and market conditions for emerging risks and issue supervisory guidance and policies related to expectations for safety and soundness.
• Ensure liquidity, stability, and access in housing finance. FHFA intends to, among other things, promote ongoing liquidity in the marketplace for new and refinanced mortgages. FHA will monitor access to mortgage credit and collaborate with other regulators to identify emerging issues. FHA will support multifamily housing needs of the underserved market and promote policies that support fair access to financial services for qualified borrowers.
• Manage Fannie Mae and Freddie Mac’s ongoing conservatorships. FHFA will continue, among other things, to oversee Fannie Mae and Freddie Mac staffing, will address outstanding claims involving Fannie Mae and Freddie Mac, and will oversee the implementation of the Uniform Mortgage Data Program.

The strategic plan also identifies critical factors that may affect achievement of the above goals, including (i) economic conditions and government policies of foreign markets; (ii) market developments and legislative reform affecting the U.S. housing market; (iii) financial performance of Fannie Mae and Freddie Mac; (iv) the status of the Fannie Mae and Freddie Mac conservatorship; and (v) management of FHFA resources.

Federal Issues FHA Risk Management Fannie Mae Freddie Mac Mortgages

OCC highlights supervisory priorities in fall 2017 semiannual risk report

On January 18, the OCC announced the release of its Semiannual Risk Perspective for Fall 2017, identifying key risk areas for national banks and federal savings associations. Top supervisory priorities will focus on credit, operational, and compliance risk. As previously discussed in the spring 2017 semiannual report, compliance risk continues to be an ongoing concern, particularly as banks continue to adopt new technologies to help them comply with anti-money laundering rules and the Bank Secrecy Act (BSA), in addition to addressing increased cybersecurity challenges and new consumer protection laws. (See previous InfoBytes coverage here.) The OCC commented that these types of risks can be mitigated by banks with “appropriate due diligence and ongoing oversight.”

Specific areas of particular concern include the following:

• easing of commercial credit underwriting practices;
• increasing complexity and severity of cybersecurity threats, including phishing scams that are the primary method of breaching bank data systems;
• using limited third-party service providers for critical operations, which can create “concentrated points of failure resulting in systemic risk to the financial services sector”;
• compliance challenges under the BSA; and
• challenges in risk management involving consumer compliance regulations.

The report also raises concerns about new requirements under the Military Lending Act along with pending changes to data collection under the Home Mortgage Disclosure Act, which could pose compliance challenges. It further discusses a new standard taking effect in 2020 for measuring expected credit losses, which “may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”

The data relied on in the report was effective as of June 30, 2017.

Federal Issues Agency Rule-Making & Guidance OCC Risk Management Bank Regulatory Third-Party Bank Secrecy Act HMDA Military Lending Act Vendor Management Anti-Money Laundering Privacy/Cyber Risk & Data Security

FDIC releases winter 2017 Supervisory Insights

On January 10, the FDIC released its Winter 2017 Supervisory Insights (see FIL-5-2018), which contains articles discussing credit management information systems and underwriting trends. The first article, “Credit Management Information Systems: A Forward-Looking Approach,” discusses, among other things, how financial institutions can incorporate forward-looking metrics to assist in identifying future issues. The article also emphasizes the importance of effective risk management programs which contain policies and procedures that support strategic decision making by senior management and board members responsible for overseeing lending activities. The second article, “Underwriting Trends and Other Highlights from the FDIC’s Credit and Consumer Products/Services Survey,” shares the recent credit survey results from examinations of FDIC-supervised financial institutions. The survey indicates that risk may be increasing in the industry based on reports of credit concentrations, increases in potentially volatile funding sources, and more “out-of-area lending.” In addition, the winter issue includes an overview of recently released regulations and supervisory guidance in its Regulatory and Supervisory Roundup.

Federal Issues FDIC Banking Bank Supervision Risk Management

Buckley Sandler Insights: Fed's LFI Risk Management Principles Open for Comments

On January 4, the Federal Reserve (Fed) issued for public comment proposed guidance setting forth core principles of effective risk management for Large Financial Institutions (“LFI”s) (“Risk Management proposal”). Given that it is increasingly likely that Congress will release financial institutions with assets below $250 billion from “SIFI” designation, the Fed’s guidance yesterday is a further effort to ensure that risk at LFIs will continue to be managed well even after many of them are no longer subject to other SIFI obligations. The proposal would apply to domestic bank holding companies and savings and loan holding companies with total consolidated assets of $50 billion or more; the U.S. operations of foreign banking organizations (“FBOs”) with combined U.S. assets of $50 billion or more; and any state member bank subsidiary of these institutions. The proposal would also apply to any systemically important nonbank financial company designated by the Financial Stability Oversight Council (“FSOC”) for Fed supervision. The proposed guidance clarifies the Fed’s supervisory expectations of these institutions’ core principals with respect to effective senior management; the management of business lines; and independent risk management (“IRM”) and controls.

The Risk Management proposal is part of the Fed’s broader initiative to develop a supervisory rating system and related guidance that would align its consolidated supervisory framework for LFIs. Last August, the Fed issued for public comment two related proposals: a new rating system for LFIs (“proposed LFI rating system”) and guidance addressing supervisory expectations for board directors (“Board Expectations proposal”). (See previous InfoBytes coverage on the proposals.) The proposed LFI rating system is designed to evaluate LFIs on whether they possess sufficient financial and operational strength and resilience to maintain safe and sound operations through a range of conditions. With regard to the Board Expectations proposal, the January 4 proposal establishes supervisory expectations relevant to the assessment of a firm’s governance and controls, which consists of three chief components: (i) effectiveness of a firm’s board of directors, (ii) management of business lines, independent risk management and controls, and (iii) recovery planning. This guidance sets forth the Fed’s expectations for LFIs with respect to the second component—the management of business lines and IRM and controls, and builds on previous supervisory guidance. In general, the proposal “is intended to consolidate and clarify the [Fed’s] existing supervisory expectations regarding risk management.”

The January 4 release delineates the roles and responsibilities for individuals and functions related to risk management. Accordingly, it is organized in three parts: (i) core principals of effective senior management; (ii) core principals of the management of business lines; and (iii) core principles of IRM and controls.

Senior Management

The Risk Management proposal defines senior management as “the core group of individuals directly accountable to the board of directors for the sound and prudent day-to-day management of the firm.” Two key responsibilities of senior management are overseeing the activities of the firm’s business lines and the firm’s IRM and system of internal control. The proposed guidance highlights the principle that: Senior management is responsible for managing the day-to-day operations of the firm and ensuring safety and soundness and compliance with internal policies and procedures, laws and regulations, including those related to consumer protection.

Management of Business Lines

The proposal refers to “business line management” as the core group of individuals responsible for prudent day-to-day management of a business line and accountable to senior management for that responsibility. For LFIs that are not subject to supervision by the Large Institution Supervision Coordinating Committee (“LISCC”) these expectations would apply to any business line where a significant control disruption, failure, or loss event could result in a material loss of revenue, profit, or franchise value, or result in significant consumer harm.

A firm’s business line management should:

• Execute business line activities consistent with the firm’s strategy and risk tolerance.
• Identify, measure, and manage the risks associated with the business activities under a broad range of conditions, incorporating input from IRM.
• Provide a business line with the resources and infrastructure sufficient to manage the business line’s activities in a safe and sound manner, and in compliance with applicable laws and regulations, including those related to consumer protection, as well as policies, procedures, and limits.
• Ensure that the internal control system is effective for the business line operations.
• Be held accountable, with business line staff, for operating within established policies and guidelines, and acting in accordance with applicable laws, regulations, and supervisory guidance, including those related to consumer protection.

Independent Risk Management and Controls

The Risk Management proposal describes core principles of a firm’s independent risk management function, system of internal control, and internal audit function. The guidance does not prescribe in detail the governance structure for a firm’s IRM and controls. While the guidance does not dictate specifics regarding governance structure, it does set forth requirements with respect to the roles of the Chief Risk Officer and Chief Audit Executive:

• The CRO should establish and maintain IRM that is appropriate for the size, complexity, and risk profile of the firm.
• The Chief Audit Executive should have clear roles and responsibilities to establish and maintain an internal audit function that is appropriate for the size, complexity and risk profile of the firm.

The proposal requires that a firm’s IRM function be sufficient to provide an objective, critical assessment of risks and evaluates whether a firm remains aligned with its stated risk tolerance. Specifically, a firm’s IRM function should:

• Evaluate whether the firm’s risk tolerance appropriately captures the firm’s material risks and confirm that the risk tolerance is consistent with the capacity of the risk management framework.
• Establish enterprise-wide risk limits consistent with the firm’s risk tolerance and monitor adherence to such limits.
• Identify and measure the firm’s risks.
• Aggregate risks and provide an independent assessment of the firm’s risk profile.
• Provide the board and senior management with risk reports that accurately and concisely convey relevant, material risk data and assessments in a timely manner.

With regard to internal controls, the proposed guidance builds upon the expectations described in the Fed’s Supervisory Letter 12-17. A firm should have a system of internal control to guide practices, provide appropriate checks and balances, and confirm quality of operations. In particular, the guidance states that a firm should:

• Identify its system of internal control and demonstrate that it is commensurate with the firm’s size, scope of operations, activities, risk profile, strategy, and risk tolerance, and consistent with all applicable laws and regulations, including those related to consumer protection.
• Regularly evaluate and test the effectiveness of internal controls, and monitor functioning of controls so that deficiencies are identified and communicated in a timely manner.

With respect to internal audit, the proposed guidance does not expand upon the Fed’s expectations; rather it references existing supervisory expectations. The proposed guidance highlights that a firm should adhere to the underlying principle that its internal audit function should examine, evaluate, and perform independent assessments of the firm’s risk management and internal control systems and report findings to senior management and the firm’s audit committee.

Comments on the Fed’s proposed guidance are due by March 15.

Agency Rule-Making & Guidance Federal Reserve Risk Management LFI SIFIs Bank Regulatory Bank Supervision

OCC Issues Updates to Risk Management Principles

On October 20, the OCC released modifications to its risk management principles for new, modified, or expanded financial products and services (collectively, new activities). Bulletin 2017-43 rescinds OCC Bulletin 2004-20 and section 760 of the Office of Thrift Supervision Examination Handbook. The Bulletin provides guidance on risks in the following categories: strategic, reputational, credit, operational, compliance, and liquidity. The Bulletin also outlines the main components of an effective risk management system, such as the need for:

• “adequate due diligence and approvals before introducing a new activity”;
• “policies and procedures to properly identify, measure, monitor, report, and control risks”;
• “effective change management for new activities or affected processes and technologies”; and
• “ongoing performance monitoring and review systems.”

According to the OCC, the sophistication of a bank’s risk management system should be commensurate with the bank’s size, complexity, and risk profile. Further, “bank management and boards of directors should understand the impact of new activities on banks’ financial performance, strategic planning process, risk profiles, traditional banking models, and ability to remain competitive.”

Agency Rule-Making & Guidance OCC Bank Supervision Risk Management Third-Party

Treasury Report Calls for Extensive Regulatory Relief to Capital Markets

On October 6, the U.S. Treasury Department published a report that focuses on capital market oversight and outlines challenges and recommendations to reduce regulatory burdens. The report, “A Financial System That Creates Economic Opportunities: Capital Markets,” is the second in a series of four the Treasury plans to issue in response to President Trump’s Executive Order 13772, which mandated a review of financial regulations for inconsistencies with promoted “Core Principles.” (See Buckley Sandler Special Alert here.) The report notes that while certain capital market regulatory framework elements function well, there remain significant challenges. Specifically, the report recommends—among other things—reducing fragmentation, overlap, and duplication in the U.S. regulatory structure. This includes focusing on effecting changes to promote efficiency and more clearly defining regulatory mandates that would allow agencies to issue joint rulemaking and foster coordination. 

Treasury’s recommendations focus primarily on market regulations but also build upon themes identified in the first report published in June 2017, which primarily focused on solutions for providing relief to banks and credit unions. The second report identifies recommendations, actions, and associated “Core Principles” within the following categories:

• “promoting access to capital for all types of companies, including small and growing businesses, through reduction of regulatory burden and improved market access to investment opportunities”;
• “fostering robust secondary markets in equity and debt”;
• “appropriately tailoring regulations on securitized products to encourage lending and risk transfer”;
• “recalibrating derivatives regulations to promote market efficiency and effective risk mitigation”;
• “ensuring proper risk management for [central counterparties] and other financial market utilities because of the critical role they play in the financial system”;
• “rationalizing and modernizing the U.S. capital markets regulatory structure and process”; and
• “advancing U.S. interests by promoting a level playing field internationally.”

A fact sheet accompanying the report further highlights Treasury’s recommendations to streamline regulations.

Federal Issues Department of Treasury Securities Capital Requirements Risk Management

White House Releases Proclamation Announcing National Cybersecurity Awareness Month

On September 30, President Trump issued a Proclamation announcing October 2017 as National Cybersecurity Awareness Month. As part of the initiative, the Department of Homeland Security (DHS) issued tools and resources for both consumers and organizations to manage cybersecurity risk. As previously covered in InfoBytes, the President issued an Executive Order earlier this year entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” that requires agencies to submit risk management reports to DHS and develop recommendations for cybersecurity improvements affecting all critical infrastructure, including the financial services industry.

Privacy/Cyber Risk & Data Security Federal Issues Risk Management Trump Department of Homeland Security Executive Order

OCC Releases Bank Supervision Operating Plan for Fiscal Year 2018

On September 28, the OCC’s Committee on Bank Supervision released its  bank supervision operating plan (Plan) for fiscal year (FY) 2018. The Plan outlines the agency’s supervision priorities and specifically highlights the following supervisory focus areas: (i) cybersecurity and operational resiliency; (ii) commercial and retail credit loan underwriting, concentration risk management, and the allowance for loan and lease losses; (iii) business model sustainability and viability and strategy changes; (iv) Bank Secrecy Act/anti-money laundering compliance management; and (v) change management to address new regulatory requirements.

The annual Plan guides the development of supervisory strategies for individual national banks, federal savings associations, federal branches, and federal agencies, and service providers.

The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered.

Agency Rule-Making & Guidance OCC Risk Management Anti-Money Laundering Bank Secrecy Act Compliance Lending Privacy/Cyber Risk & Data Security