According to the final rule recently issued by the Office of the Comptroller of the Currency (OCC) formalizing the agency’s “heightened expectations” supervisory regime, the largest U.S. federally chartered depository institutions must implement a framework (Framework) to improve risk management and ensure their boards can challenge decisions made by top executives. “Heightened expectations” requires the banks affected to have independent board members, define their “risk appetite,” and put in place across different business lines officers with authority over audit and managing risk.

As we noted when the proposed rule was issued, the minimum standards being prescribed by the OCC are being issued in the form of guidelines in an appendix 12 C.F.R. Part 30, rather than as formal regulations. The OCC’s intent in doing so is to give itself more flexibility in determining whether to require a non-compliant institution to submit a formal remediation plan or to tailor a different remedy, taking into account the institution’s particular circumstances and its self-corrective or remedial efforts. 

This flexible approach is consistent with Section 39 of the Federal Deposit Insurance Act, which authorizes the appropriate Federal banking agency to prescribe safety and soundness standards in the form of either regulations or guidelines. The regulations or guidelines are enforceable under existing provisions in the Part 30 regulations. In either event, however, the statute authorizes the issuance of an order and the subsequent enforcement of that order in court, independent of any other enforcement action that may be available to the OCC in a particular case. 

The guidelines apply to any national bank, federal savings association, or insured Federal branch of a foreign bank (all of them referred to here for convenience as a “bank”), so long as it has average total consolidated assets of $50 billion or more measured on the basis of average total consolidated assets for the previous four calendar quarters (a “covered institution”). Unlike some other regulatory regimes predicated on asset size, once that threshold is crossed, there is no turning back even if the institution has four quarters with less than $50 billion in total consolidated assets (unless the OCC determines otherwise).

In addition, the OCC recognizes that insured Federal branches do not have a U.S. board of directors and that their risk governance frameworks will vary due to the variety of activities performed in the branch. Consequently, the OCC intends to apply the final guidelines to insured Federal branches in a flexible manner.

For the most part, the final rule is substantially the same as the OCC’s proposed rule, but somewhat less prescriptive in certain respects. Perhaps the most significant change made in response to criticisms of the proposed rule is the elimination of certain requirements that would have made directors responsible for the bank’s day-to-day management. The OCC apparently did not intend to impose managerial responsibilities on directors or suggest that the board must guarantee results under the Framework. Accordingly, in response to suggestions made in certain comment letters, the final guidelines provide that each board of directors, consistent with its traditional strategic and oversight role, should require management to establish and implement an effective Framework that meets the minimum standards described in the guidelines.

The OCC still expects covered institutions to have at least two independent directors who are not part of the bank’s or the parent company’s management. These directors should be given ongoing training on the panoply of the bank’s products, services, business lines, and risks, as well as on laws, regulations, and supervisory requirements applicable to the bank. The OCC did, however, modify the independent directors provision slightly to be consistent with standards set forth by the Federal Reserve Board in its enhanced prudential standards rule issued under Section 165 of the Dodd-Frank legislation.

The final guidelines continue to provide that a bank’s board of directors should actively oversee the bank’s risk-taking activities and hold management accountable for adhering to the Framework. The OCC deems it vital that directors of covered institutions understand risk-taking activities and oversee those activities and are in a position to provide a “credible challenge” to management. In doing so, the board is permitted to rely on input from independent risk management and internal audit. In reliance on that information, directors should question, challenge, and, when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or potentially endanger safety and soundness.

Another slight liberalization from the original proposal is somewhat greater flexibility in permitting banks to use their parent company’s risk Framework. As originally proposed, the guidelines permitted a bank to use such a Framework if the bank, through a documented assessment to be conducted annually, demonstrated that its risk profile and that of its parent company were substantially the same and the parent company’s risk governance Framework complied with the proposed guidelines.

To be considered “substantially the same,” the following conditions had to be met:  

• The bank’s average total consolidated assets would represent 95 percent or more of the parent company’s average total consolidated assets.
• The bank’s total assets under management would represent 95 percent or more of the parent company’s total assets under management.
• The bank’s total off-balance sheet exposures would represent 95 percent or more of the parent company’s total off-balance sheet exposures.

The final guidelines, among other things, simplify the test by removing the provisions relating to assets under management and off-balance sheet exposures. In addition, the guidelines have now clarified that, even if the two Frameworks do not qualify as “substantially the same,” the bank may, in consultation with the OCC, incorporate or rely upon certain components of the parent’s Framework when developing its own Framework.

The proposed guidelines reserved the OCC’s authority to apply “heightened expectations” to a bank whose average total consolidated assets are less than $50 billion upon a determination that such bank’s operations are highly complex or otherwise present a heightened risk. The final guidelines have clarified that the OCC expects to use this authority only if a bank’s operations are highly complex relative to its risk-management capabilities but does not intend to do so regarding community banks. Elsewhere in the release, the OCC states that such authority “applies only in the limited circumstances where that institution’s parent company also controls at least one covered institution.”

Notwithstanding the disclaimer, we have some lingering concern that, over time, examiners will impose on community banks various elements of the “heightened expectations” guidelines under the label “best practices.” 

This discussion merely highlights certain aspects of the final guidelines and does not constitute a complete summary. Interested readers should pay special attention to other aspects of the guidelines, including the definition and responsibilities of front line units and the role and responsibilities of the internal audit function.

The final guidelines were published in the Federal Register on September 11, 2014. By their terms, the guideline will become effective on or about November 10 for covered institutions with over $750 billion in average total consolidated assets. Covered institutions between $100 billion and $750 billion in asset size must be in compliance within six months of the Federal Register publication (i.e., by March 11, 2015), while those between $50 billion and $100 billion in asset size must be in compliance within 18 months of publication (i.e., by March 11, 2016). Institutions with less than $50 billion in average total consolidated assets but that subsequently grow beyond this threshold must come into compliance within 18 months from the as-of date of the most recent Call Report used in the calculation of the average.