Insight: U.S. OCC’s “heightened expectations” standards for bank governance, and how to meet them
By Abel Picardi, Compliance Complete
NEW YORK, Mar. 21 (Thomson Reuters Accelus) – Proposed risk standards for banks regulated by the Office of the Comptroller of the Currency (OCC) will expose top executives and directors of federally chartered insured institutions to greater accountability for any legal, risk or compliance shortcomings.
The OCC proposed the standards in January as a way to broaden and enforce the application of its “heightened expectations” for bank stability. The expectations were first issued in 2010, in response to the financial crisis. The proposed guidelines’ focus on top-level bank governance aims directly at limiting “accountability risk,” the risk that leaders who are not held to the consequences of their decisions can endanger an institution.
Under the proposed guidelines, the bank’s board of directors and executive management team will be accountable for raising the standards of the organization’s risk-management practices. The board and CEO must ensure that the organization has in place a suitable risk governance framework and a business culture that adequately addresses conduct risk.
Furthermore, at a personal level, members of the board must not only show they can understand and articulate the risks facing the organization, but they must also possess the appropriate qualifications and demonstrate decision-making abilities to question the direction the organization undertakes to manage its risks.
Implementing an effective risk governance framework is no longer described diffusely as the “organization’s responsibility.” Failure to comply with this requirement would have direct consequences for board members and the senior management team, and could lead to their removal from the positions in which they hold fiduciary duties.
Safety and soundness issues that examiners have often addressed through best-practices guidance and recommendations, cited as “matters requiring attention,” or MRAs, can under the new proposal trigger more serious enforcement actions, civil money penalties, and possible criminal referral to the Department of Justice. Once the risk standards are finalized and become effective, non-compliance with their provisions can be cited as a violation of law.
“Heightened expectations” for risk governance
The OCC’s proposal, issued on January 16, applies the post-financial-crisis “heightened expectations” for governance and risk management practices to large national banks, defined as institutions with consolidated assets of $50 billion or more. Smaller institutions should also take note of the proposed requirements, however, given that the OCC may eventually extend the same expectations to all organizations under its oversight.
The OCC’s legal team said in drafting the proposal, “it underscores the view that large, complex institutions can have a significant impact on capital markets and the economy and, therefore, need to be supervised and regulated more rigorously.”
The OCC’s proposal follows the lead established by the Financial Stability Board (FSB), which is composed of global regulators, including representatives from the Federal Reserve and the U.S. Treasury Department. The FSB has been promoting new procedures to encourage global adherence to international financial standards. It set out its standards, which are addressed in the OCC’s proposal, in a
Comments to the OCC’s proposal are due by March 28, 2014, but major participants have not yet submitted their views.
The text of the OCC proposal highlights five governance concepts, or “expectations,” for the framework and processes that financial institutions must implement and comply with.
The following will outline these expectations, along with a brief analysis and interpretation of the OCC’s perspective:
1. Often referred to as preserving the “sanctity of the charter,” the first expectation maintains that a primary fiduciary duty of an institution’s board of directors is to ensure that the institution operates in a safe and sound manner.
Since large banks are often one of several legal entities under a complex parent company, each bank’s board must ensure that the bank does not function simply as a booking entity for its parent and that parent company decisions do not jeopardize the safety and soundness of the bank. The OCC will allow the parent company and the bank subsidiary to share governance and risk management practices if that risk governance complies with the OCC’s proposed guidelines. Otherwise, the OCC-regulated entity must develop its own separate risk governance framework that adopts the proposed guidelines.
Interpretation and implementation
In addressing this expectation, the first challenge for the financial institution is knowing where to begin in developing a plan to assess its structure and framework.
First, the financial institution’s board members should designate and pass a resolution establishing a “special review subcommittee” to fully assess the organization’s current governance and risk framework, both from the standpoint of the parent company and bank subsidiary. A gap analysis should reveal disparities between the two entities, and more importantly, where the organization stands relative to the proposed guidelines and industry best practices.
The subcommittee should consist in the majority of independent directors, plus representatives from senior management including the chief executive, chief compliance executive, chief operating executive, the heads of human resources, audit, risk and legal, and business-unit heads. The subcommittee should be charged with the following tasks:
- Assessing the current organizational structure.
- Conducting a gap analysis to identify the deficiencies that must be remediated under the OCC’s proposed guidelines. The gap analysis should highlight differences between the current framework and the specific regulatory “expectations” outlined in the OCC’s proposal.
- Developing a strategic plan to address the deficiencies identified by the gap analysis.
- Engaging a reputable law firm and a consulting firm familiar with the financial institution and with similar firms in the same industry. That familiarity helps ensure that the organization receives quality expert advice during the risk assessment review and in carrying out the deliverables outlined in the strategic plan.
In the strategic plan, the financial institution should:
- Designate independent board members to oversee the business who are capable of challenging management’s decision-making process.
- Develop and require an ongoing assessment process of all the business activities and entities housing these activities. Review the respective risk management framework for each entity.
- If necessary, restructure reporting lines within the organization at both the parent company and subsidiary level. This effort should be outlined and documented to demonstrate independence among the three lines of defense. The general auditor should report to the board’s audit committee, with a dotted line to the CEO. The reporting lines of the chief risk executive and chief compliance executive should be structured in the same manner.
- Determine the organization’s risk appetite and develop a risk statement describing the risk limits for each business function. Policies and procedures should be revised to address risk assessment, measurement, remediation, reporting, validation and stress testing, re-evaluation and monitoring, re-assessment, and auditing for compliance with the proposed guidelines. Scheduling periodic monitoring of events and tasks will be essential to sustaining these processes.
- Train on and communicate the changes outlined in the plan. Success in execution of the plan relies on employees understanding the revised framework and how it affects their daily responsibilities. The OCC expects financial institutions to develop a comprehensive training program covering all complex business activities and products transacted by the organization. The program is to encompass members of the board and executive suite, as well as employees from the front-line units.
- Once the strategic plan has been vetted by the hired experts, it may be shared with the OCC examiner-in-charge or with whichever regulator has oversight of the financial institution. Sharing the plan serves two purposes: first, to obtain feedback on any omissions, and second, to improve communications with the regulator by demonstrating that the institution will share information of significant impact ahead of the next scheduled examination. This also builds goodwill between the institution and the regulator and helps ensure there will be no “surprises” at the next examination.
- After obtaining the OCC’s feedback, a resolution should be introduced at the next board meeting and adopted by the board, together with a demonstration of the CEO’s commitment.
- Develop a written document signed by all affected stakeholders and set various deadlines to carry out the tasks highlighted in the plan.
2. The second expectation generally requires large institutions to have a well-defined personnel management program that ensures appropriate staffing levels, provides for orderly succession, and uses compensation tools that appropriately motivate and retain talent without encouraging imprudent risk-taking.
Interpretation and implementation
The strategic plan would have to confirm that employees possess the skills, expertise and capabilities needed to carry out the responsibilities outlined in the plan.
The top-down review would assess capabilities from board members and senior management, including the top officers, down to the employees in the front-line units. Succession plans would have to be realistic in determining whether the organization could fill a vacated position without disrupting the business.
Executive compensation has been at the forefront of the criticism leveled at U.S. financial institutions, mainly during periods when those institutions were incurring losses or, worse, receiving taxpayer help. The industry challenge remains to develop compensation strategies for top executives that help an organization attract and keep talented employees while avoiding public and regulatory opposition.
The OCC and other regulators want to be sure financial institutions can ensure organizational continuity during a crisis.
3. The third OCC expectation pertains to risk appetite (or tolerance) and involves institutions defining and communicating an acceptable risk appetite across the organization. This includes measures that address the amount of capital, earnings, or liquidity that may be at risk on a firm-wide basis, the amount of risk that may be taken in each line of business, and the amount of risk that may be taken in each key risk category monitored by the institution.
Interpretation and implementation
To determine an acceptable risk appetite across the organization, a well-defined risk assessment must be developed and implemented; without such an assessment, any stated risk tolerance would be an inadequate measurement of the organization’s actual tolerance for risk.
In determining its risk appetite, the firm should be able to demonstrate that it has considered all relevant risks, including counterparty risk; off-balance-sheet and contingent risk; reputational risk; and other risks arising from the firm’s relationships with its affiliates and subsidiaries.
In the past, financial institutions have embedded accepted risk limits within the business functions. However, the process and elements used were at best subjective and at times not meaningful. The OCC’s expectation is to raise the effectiveness of the process for setting the organization’s risk tolerance, and to establish best-practice processes for annual re-evaluation and adjustment, so that the risk appetite captures both the current and the potential risks within the organization.
4. The fourth OCC expectation refers to financial institutions developing robust and reliable oversight programs, including the development and maintenance of strong audit and risk management functions.
Interpretation and implementation
The OCC’s proposal highlights the need for financial institutions to give more attention to the second and third lines of defense, the independent risk management and internal audit functions that sit behind the front-line business units. This is not only a matter of funding; it also requires empowering these functions to bring about a “safer” and more consistent approach to managing the inherent and residual risks embedded within the business lines.
The OCC has outlined specific guidelines and “expectations” that the independent risk management and internal audit functions are required to address. The required tasks are basic in nature and in some cases have already been addressed by many financial institutions.
A common deficiency in the process described by the OCC has been that when the internal audit function takes on the tasks assigned to the third line of defense, it is steered away from providing valuable advice to the business lines. Its focus becomes mainly the identification and reporting of weaknesses, with recommendations that are inefficient and burdensome.
The OCC provides enhanced guidance on this mandate by requiring the internal audit function to revise its mission statement or charter so that its recommendations add value and it becomes proficient in the risks undertaken by the front-line units.
The OCC also introduces a few new roles for the internal audit function. One is establishing a quality assurance function to ensure that internal audit’s policies, procedures and processes 1) comply with applicable regulatory and industry guidance, 2) are appropriate for the size, complexity and risk profile of the firm, 3) are updated to reflect changes in internal and external risk factors, and 4) are applied consistently across all business functions.
The OCC is also contemplating whether internal audit’s assessment of the firm’s risk management framework should state whether the framework is consistent with leading industry practices. The challenge with this proposed mandate is that firms would have to find internal auditors who are reliably informed about current industry practices, and compensation strategies would have to be developed to hire proficient candidates.
The same expectations apply to the second-line functions. The OCC expects them to align with the business lines by developing tailored solutions and recommendations configured to the organization, rather than importing generic advice derived from external industry practices that proves ineffective for the firm. A “one-size-fits-all” approach will not work here.
The tools used in the industry to manage a firm’s risks are becoming outdated and out of sync with the current business environment. The OCC must address this deficiency by providing better guidance and directing regulated institutions to develop best-practice processes that work for the institution.
5. The fifth expectation focuses on the board of directors’ willingness to credibly challenge bank management’s decisions regarding the risks taken by the business lines. The OCC also expects independent directors to acquire a thorough understanding of the institution’s risk profile. The directors are to use this information to ask probing questions of management and to ensure that senior management prudently addresses risks and complies with the established framework.
Interpretation and implementation
The OCC is attempting to address one of the many deficiencies exhibited during the financial crisis, when board members of large financial institutions failed to understand the implications of the substantial derivatives exposures their firms were carrying on their books.
Board members and their organizations will be challenged to take on additional oversight and governance responsibilities regarding their firm’s business activities, especially relating to derivatives and securities products and activities conducted in multiple jurisdictions.
The strategic plan would have to outline the types of reports and the amount of information to be presented to board members so they can determine whether the firm is managing its risks appropriately and question management’s approach. A second challenge will be to develop a training program for the independent board members so that they understand the firm’s business activities, products and processes. The training should focus on the risk concepts and tools used to manage risk.
The requirement would also prompt the firm to conduct a self-assessment of board members’ capabilities, track records and business backgrounds to determine whether each director is able to carry out the duties and responsibilities outlined in the OCC’s requirement.
Financial institutions’ search for independent board members will be a difficult undertaking. Given the added demands and accountability that board members bear under the new regulatory regime, joining a financial institution’s board may become less attractive to capable and experienced individuals.
Compliance tips and next steps
Financial institutions, whether regulated by the OCC or another agency, must recognize that the OCC’s proposed risk standards will impose additional regulatory and accountability risk. The standards outlined in the proposal are not difficult to understand and assess. Certain elements are already industry standard practice, but the challenge for financial institutions will be to configure them to the organization’s culture, risk appetite and processes.
Engaging suitable and reputable external consultants and law firms will be an essential undertaking, and financial institutions must “get it right.” An external firm can provide an independent review of processes and strategies and give feedback from a “regulator’s eyes” point of view. Such firms are expected to help determine the appropriate level of resources and risk tolerance for the institution, and the information they provide should have been vetted with regulators and other industry experts. They must have in-depth knowledge of the institution’s business activities, functions, geographical exposures and risk culture.
The OCC’s risk standards proposal will bring added stress and pressure on financial institutions before, during and after regulatory examinations. The pressure will stem from ensuring that the risk standards implemented under the proposed guidelines are viewed favorably by the OCC. Once that acceptance is achieved, the next challenge is whether the financial institution can maintain and sustain the standards over the long term. The OCC will now have much bigger hammers in its “tool box,” such as fines, for cracking down on non-compliance.
(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)