Risk management continues to be at the top of regulatory agendas, and the OCC has taken the opportunity to offer its heightened risk guidelines for large financial institutions of more than $50 million in average consolidated assets (including national banks, federal savings associations, and federal branches of foreign banks supervised by the OCC). Initially proposed last January, the Guidelines address risk management and board governance weaknesses the OCC observed during the financial crisis and are issued pursuant to the OCC’s authority in Section 39 of the Federal Deposit Insurance Act to set safety and soundness standards.

The Guidelines follow and must be reconciled by national bank holding companies with the enterprise-wide risk management approach in the Federal Reserve’s post-Dodd-Frank “heightened prudential standards.” The Guidelines were not issued as interagency guidelines, and the FDIC likely will have its own approach for state nonmember banks to follow as will the state bank regulators.

While the OCC states that it does not intend to impose the Guidelines on community banks, it expressly reserves the right to apply the Guidelines to any national bank whose operations are “highly complex” or otherwise present a “heightened risk.” Neither term is defined in the Guidelines but derivatives activities and auto lending are mentioned in the discussion of comments received on the proposed rule.

The Guidelines mandate that a written risk governance framework be established encompassing “minimum” standards for a risk governance, including the role and responsibilities of both frontline management and internal control mechanisms. Key to this framework is the adoption by the board of a risk appetite statement for the institution, although the Guidelines provide no menu of risks which are or are not acceptable in a risk appetite statement. Instead, the board is called upon to establish and maintain “minimum” levels of oversight of this process.

The OCC identified “three lines of defense” that should together establish an appropriate system to control risk taking: frontline units, independent risk management and internal audit. Frontline management includes those departments involved in generating revenue for the bank, products or services to customers, or technology services – generally excluding back-office groups such as legal and human resources.

The Guidelines also permit a covered bank to use its parent company’s risk governance framework and internal audit function without modification if the risk profiles of the parent company and the covered bank are “substantially the same” as demonstrated through a documented assessment. Substantially, the same is defined to require that the bank’s total assets must be 95% of the parent holding company’s consolidated assets, thereby requiring bank holding companies to carefully consider conducting any significant activities outside of the subsidiary national bank if they want to avoid the costs of having a separate and independent risk governance framework at the bank.

The Guidelines make it clear that the board of the institution must play a major role in this process contemplated by the Guidelines. To that end, the board is expected to “ensure” an effective risk governance framework, provide “active oversight of management,” exercise independent judgment and make certain that independent directors are provided with ongoing formal training of the products, services and lines of businesses in addition to applicable laws and regulations.

While these concepts are not necessarily new to the world of board governance, they nevertheless highlight the increased participation expected of directors of the covered banks. Specifically, directors are encouraged to “question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the bank.” Clearly, merely following the leader (usually the bank CEO) is not an acceptable course of conduct for a director.

To read the OCC Guidelines, click here.

Why it matters: The Guidelines are important to all OCC regulated institutions – and indeed to all banks – because they express an expectation that banks will need to do a better job than in the past of minimizing risk across the entire spectrum of the bank’s activities. As has been the case in the past in other situations, the framework embodied in the Guidelines will have a way of trickling down to smaller institutions, and regardless of their state or national charters, either through subsequent rules or through the safety and soundness examination process. To that end, all banks and their boards should play close attention to the specifics of the Guidelines and adopt the best-practices approach embodied within them, tailoring their specific practices to the bank’s own risk profile. Where deficiencies in meeting “minimum” standards and best practices are identified by examiners, enforcement actions focused at the board now inevitably follow.