Insight: U.S. OCC’s “heightened expectations” standards for bank governance, and how to meet them
By Abel Picardi, Compliance Complete
NEW YORK, Mar. 21 (Thomson Reuters Accelus) – Proposed risk standards for banks regulated by the Office of the Comptroller of the Currency (OCC) will expose top executives and directors of federally chartered insured institutions to greater accountability for any legal, risk or compliance shortcomings.
The OCC proposed the standards in January as a way to broaden and enforce the application of its “heightened expectations” for bank stability. The expectations were issued in 2010, in response to the financial crisis. The proposed guidelines’ focus on top bank governance directly aims to limit “accountability risk,” or the risk that a leadership not held to the consequences of its decisions can endanger an institution.
Under the proposed guidelines, the bank’s board of directors and the executive management team will be accountable for raising the standards for the organization’s risk-management practices. The board and CEO must ensure that the organization has in place a suitable risk governance framework and a business culture that adequately addresses conduct risk.
Furthermore, at a personal level, members of the board must not only show they can understand and articulate the risks facing the organization, but they must also possess the appropriate qualifications and demonstrate decision-making abilities to question the direction the organization undertakes to manage its risks.
Implementing an effective risk governance framework is no longer described diffusely as the “organization’s responsibility.” Failure to comply with this requirement would have implications for board members and the senior management team, and could possibly lead to dismissal from their fiduciary duties.
Safety and soundness issues which examiners have often addressed through best-practices guidance and recommendations as “matters requiring attention,” or MRAs, can under the new proposal trigger more serious enforcement actions, civil money penalties, and possible criminal referral to the Department of Justice. Once these risk standards are finalized and become effective, non-compliance with the provisions can be cited as a violation of law.
“Heightened expectations” for risk governance
The OCC’s proposal, issued on January 16, applies the post-financial crisis “heightened expectations” for governance and risk management practices to large national banks, defined as institutions with consolidated assets of $50 billion or more. However, smaller institutions should also take note of these proposed requirements, given that the OCC may eventually roll out the same expectations for all organizations under its oversight.
The OCC’s legal team said in drafting the proposal, “it underscores the view that large, complex institutions can have a significant impact on capital markets and the economy and, therefore, need to be supervised and regulated more rigorously.”
The OCC’s proposal follows the lead established by the Financial Stability Board (FSB), which is composed of global regulators including representatives from the Federal Reserve Bank and the U.S. Treasury Department. The FSB has been promoting new procedures to encourage the global adherence to international financial standards. It set out its standards, which are addressed in the OCC’s proposal, in a
Comments to the OCC’s proposal are due by March 28, 2014, but major participants have not yet submitted their views.
The text of the OCC proposal highlights five governance concepts or “expectations” for the framework and processes financial institutions need to comply with and implement.
The following will outline these expectations, along with a brief analysis and interpretation of the OCC’s perspective:
1. Often referred to as preserving the “sanctity of the charter,” the first expectation maintains that a primary fiduciary duty of an institution’s board of directors is to ensure that the institution operates in a safe and sound manner.
Since large banks are often one of several legal entities under a complex parent company, each bank’s board must ensure that the bank does not function simply as a booking entity for its parent and that parent company decisions do not jeopardize the safety and soundness of the bank. The OCC will allow the parent company and bank subsidiary to share their focused governance and risk management practices if the risk governance complies with the OCC’s proposed guidelines. Otherwise, the OCC-regulated entity must develop a separate risk governance framework adopting the strict proposed guidelines.
Interpretation and implication
In addressing this “expectation,” the first challenge for the financial institution is in knowing where to begin in developing a plan to assess its structure and framework.
First, the financial institution’s board members should designate and pass a resolution establishing a “special review subcommittee” to fully assess the organization’s current governance and risk framework, both from the standpoint of the parent company and bank subsidiary. A gap analysis should reveal disparities between the two entities, and more importantly, where the organization stands relative to the proposed guidelines and industry best practices.
The subcommittee may consist of a majority of independent directors, plus representatives from senior management including: the chief executive, chief compliance executive, chief operating executive, the heads of human resources, auditing, risk, and legal departments, as well as business-unit heads. The subcommittee shall be charged with the following tasks:
- Assessing the current organizational structure.
- Conducting a gap analysis to determine deficiencies, which will need to be remediated as outlined by the OCC’s proposed guidelines. The gap analysis should highlight differences between the current framework and the specific regulatory “expectations” outlined within the OCC’s proposal.
- Developing a strategic plan to address the deficiencies identified by the gap analysis.
- Engaging a reputable law firm and a consultancy firm familiar with the financial institution and other similar firms in the same industry. These characteristics ensure that the organization will receive quality expert advice during the development of the risk assessment review and in carrying out the deliverables outlined in the strategic plan.
In the strategic plan, the financial institution should:
- Designate independent board members to oversee the business who are capable of challenging management’s decision-making process.
- Develop and require an ongoing assessment process of all the business activities and entities housing these activities. Review the respective risk management framework for each entity.
- If necessary, restructure reporting lines within the organization to include parent company and subsidiary level. This effort should be outlined and documented to demonstrate independence among the three lines of defense. The general auditor should be reporting to the board’s audit committee, with a dotted line to the CEO. The chief risk executive and chief compliance executive should be delineated in the same manner.
- Determine the organization’s risk appetite and develop a risk statement describing the risk limits for each business function. Policies and procedures should be revised to address risk assessments, measurements, remediation, reporting, validation/stress testing, re-evaluation/monitoring, re-assessments, and auditing for compliance to the proposed guidelines. Scheduling periodic monitoring of events and tasks will be essential in providing sustainability of these processes.
- Train on and communicate the changes outlined in the plan. Success in execution of the plan relies on employees understanding the revised framework and how it affects their daily responsibilities. The OCC expects financial institutions to develop a comprehensive training program covering all complex business activities and products transacted by the organization. The program is to encompass members of the board and executive suite, as well as employees from the front-line units.
- Once the strategic plan has been vetted by the hired experts, the plan may be shared with the examining manager of the OCC or the respective regulator having oversight over the financial institution. The sharing is intended, first, to obtain feedback on any omissions, and second, to enhance communications with the regulator and demonstrate that the financial institution will share critical, high-impact information during the next scheduled examination. This will also create goodwill between the financial institution and the regulator in ensuring that there will be no “surprises” at the next examination event.
- After obtaining the OCC’s feedback, a resolution should be introduced during the next board meeting and adopted by the board, along with a demonstration of the CEO’s commitment.
- Develop a written document signed by all affected stakeholders and set various deadlines to carry out the tasks highlighted in the plan.
2. The second expectation generally requires large institutions to have a well-defined personnel management program that ensures appropriate staffing levels, provides for orderly succession, recommends compensation tools to appropriately motivate and retain talent, and does not encourage imprudent risk-taking.
Interpretation and implementation
The strategic plans would have to consider the employees possessing skills, expertise and capabilities suitable to undertake responsibilities outlined in the plan.
The top-down review would assess capabilities from board members and senior management, including the top officers, down to the employees on the front-line units. Succession plans would have to be realistic in determining whether the organization could fill a vacated position without disrupting business.
Executive compensation has been in the forefront of the criticisms bestowed on U.S. financial institutions, mainly during periods when the financial institutions were incurring losses, or worse yet, receiving taxpayer help. The industry challenge remains to develop compensation strategies for top executives that help an organization keep and attract talented employees, while avoiding public and regulatory opposition.
The OCC and other regulators want to be sure financial institutions can ensure organizational continuity during a crisis.
3. The third OCC expectation pertains to risk appetite (or tolerance) and involves institutions defining and communicating an acceptable risk appetite across the organization. This includes measures that address the amount of capital, earnings, or liquidity that may be at risk on a firm-wide basis, the amount of risk that may be taken in each line of business, and the amount of risk that may be taken in each key risk category monitored by the institution.
Interpretation and implementation
To determine an acceptable risk appetite across the organization, a well-defined risk assessment must be developed and implemented; without such an assessment, the results would be an inadequate measurement of the organization’s risk tolerance level.
In determining its risk appetite, the firm should be able to demonstrate consideration of all relevant risks, including counterparty risks; off-balance sheet and contingent risks; reputational risks; and other risks arising from the firm’s relationship with affiliates and subsidiary entities.
Financial institutions, in the past, have embedded accepted risk limits within the business functions. However, the process and elements that were utilized were, at best, subjective and at times not meaningful. The OCC’s expectation is to raise the level of effectiveness in developing the appropriate risk tolerance for the organization, and to provide best-practice processes with a re-evaluation and adjustment undertaking in order to annually re-balance and capture the current and potential risks within the organization.
4. The fourth OCC expectation refers to financial institutions developing robust and reliable oversight programs, including the development and maintenance of strong audit and risk management functions.
Interpretation and implication
The OCC’s proposal highlights the need for financial institutions to give more attention to the second and third lines of defense — after the line managers and risk staff — by specifically addressing the independent risk management and internal audit functions. This does not mean focusing on funding alone, but also the empowerment of these functions to bring about a “safer” and consistent approach in managing the inherent and residual risks embedded within the business lines.
The OCC has outlined specific guidelines and “expectations” that the independent risk management and internal audit functions are required to address. The required tasks are basic in nature and in some cases have been previously addressed by many financial institutions.
A common deficiency in the process described by the OCC has been that when the internal audit function adopts the tasks assigned as the third line of defense, it is steered away from providing valuable advice to the business lines.
The focus becomes mainly in identifying and reporting weaknesses, and providing recommendations that are inefficient and burdensome.
The OCC provides enhanced guidance regarding this mandate, by requiring the internal audit function to transform its mission statement or charter into one that provides recommendations to add value and become proficient with the risks undertaken by the front-line units.
The OCC also introduces a few new roles for the internal audit function. It involves establishing a quality assurance department to ensure that internal audit’s 1) policies, procedures, and processes comply with applicable regulatory and industry guidance, 2) are appropriate for the size, complexity, and risk profile of the firm, 3) are updated to reflect changes to internal and external risk factors, and 4) are consistently applied across all business functions.
The OCC is also contemplating whether internal audit’s assessment of the firm’s risk management framework should say whether the framework is consistent with leading industry practices. The challenge with this proposed mandate is that firms will now have to find internal auditors reliably informed about current industry practices. Compensation strategies will have to be developed in hiring proficient candidates.
The same expectations exist for the second-line defense functions. The OCC expects that these functions should align themselves along the business lines by developing tailored solutions and recommendations that are configured to the organization, rather than implementing subjective advice derived from external industry practices but ineffective for the firm. The “one-size-fits-all” premise will not work in this case.
The tools utilized in the industry to manage the firm’s risks are becoming outdated and out of sync with the current business environment. The OCC must address this deficiency by providing better guidance and directing the regulated institution to develop best-practice processes that will work for the institution.
5. The fifth expectation focuses on the board of directors’ willingness to credibly challenge bank management’s decisions regarding risks taken by the business lines. The OCC also expects independent directors to acquire a thorough understanding of the institution’s risk profile. The directors are to use this information to ask probing questions of management and to ensure that senior management prudently addresses risks and complies with the established framework.
Interpretation and implementation
The OCC is attempting to address one of many deficiencies exhibited during the financial crisis, where board members of large financial institutions failed to understand the implications of substantial exposures in derivatives products their firms were carrying on the books.
Board members and their organizations will be challenged to take on additional oversight and governance responsibilities regarding their firm’s business activities, especially relating to derivatives and securities products and activities conducted in multiple jurisdictions.
The strategic plan would have to outline the types of reports and quantity of information that will be presented to the board members to determine whether the firm has been managing its risks appropriately and to question management’s approach. The second challenge will be to develop a training program for the independent board members, in order to understand the firm’s business activities, products and processes. The focus of the training should highlight the risk concepts and tools utilized to manage risks.
The requirement would also trigger the firm to conduct a self-assessment of the board members’ capabilities, track record of accomplishments and business background to determine whether each director is able to carry out their duties and responsibilities as outlined in the OCC’s requirement.
The financial institutions’ search for independent board members will be a difficult undertaking. Given the added demands and accountabilities board members are responsible for under the new regulatory regime, it may be less attractive for capable and experienced individuals to join the financial institutions’ boardrooms.
Compliance tips and next steps
Financial institutions, whether regulated by the OCC or another agency, must recognize that the OCC’s proposed guidelines for establishing risk standards will impose additional regulatory and accountability risks. The risk standards outlined in the proposal are not difficult to understand and assess. Certain elements are already industry standards and practices, but the challenge for financial institutions would be to configure them to the organization’s culture, risk appetite and processes.
Engaging suitable and reputable external consultants and legal firms will be an essential undertaking, and financial institutions must “get it right.” An external firm can provide an independent review of processes and strategies, and give feedback from a “regulators’ eyes” point of view. Such external firms are expected to help determine the appropriate level of resources and risk tolerance for the financial institution. Information provided by the external firms would be expected to have been vetted with regulators and other industry experts. These firms must have in-depth knowledge of the financial institution’s business activities, functions, geographical exposures and the organization’s risk culture.
The OCC’s risk standard proposal will bring about added stress and pressure to the financial institutions before, during, and after regulatory examinations. The pressure will stem from ensuring that the implemented risk standards, derived from the proposed guidelines, will be favorably viewed by the OCC. Once that acceptance is achieved, the next challenge is: can the financial institution maintain and sustain the standards over the long term? The OCC will now have in its “tool box” much bigger hammers, such as fines, for cracking down on non-compliance.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)