Skip to main content
Menu Icon Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events

Filter

Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.

  • Buckley Sandler Insights: Fed's LFI Risk Management Principles Open for Comments

    Agency Rule-Making & Guidance

    On January 4, the Federal Reserve (Fed) issued for public comment proposed guidance setting forth core principles of effective risk management for Large Financial Institutions (“LFI”s) (“Risk Management proposal”). Given that it is increasingly likely that Congress will release financial institutions with assets below $250 billion from “SIFI” designation, the Fed’s guidance yesterday is a further effort to ensure that risk at LFIs will continue to be managed well even after many of them are no longer subject to other SIFI obligations. The proposal would apply to domestic bank holding companies and savings and loan holding companies with total consolidated assets of $50 billion or more; the U.S. operations of foreign banking organizations (“FBOs”) with combined U.S. assets of $50 billion or more; and any state member bank subsidiary of these institutions. The proposal would also apply to any systemically important nonbank financial company designated by the Financial Stability Oversight Council (“FSOC”) for Fed supervision. The proposed guidance clarifies the Fed’s supervisory expectations of these institutions’ core principals with respect to effective senior management; the management of business lines; and independent risk management (“IRM”) and controls.

    The Risk Management proposal is part of the Fed’s broader initiative to develop a supervisory rating system and related guidance that would align its consolidated supervisory framework for LFIs. Last August, the Fed issued for public comment two related proposals: a new rating system for LFIs (“proposed LFI rating system”) and guidance addressing supervisory expectations for board directors (“Board Expectations proposal”). (See previous InfoBytes coverage on the proposals.) The proposed LFI rating system is designed to evaluate LFIs on whether they possess sufficient financial and operational strength and resilience to maintain safe and sound operations through a range of conditions. With regard to the Board Expectations proposal, the January 4 proposal establishes supervisory expectations relevant to the assessment of a firm’s governance and controls, which consists of three chief components: (i) effectiveness of a firm’s board of directors, (ii) management of business lines, independent risk management and controls, and (iii) recovery planning. This guidance sets forth the Fed’s expectations for LFIs with respect to the second component—the management of business lines and IRM and controls, and builds on previous supervisory guidance. In general, the proposal “is intended to consolidate and clarify the [Fed’s] existing supervisory expectations regarding risk management.”

    The January 4 release delineates the roles and responsibilities for individuals and functions related to risk management. Accordingly, it is organized in three parts: (i) core principals of effective senior management; (ii) core principals of the management of business lines; and (iii) core principles of IRM and controls.

    Senior Management

    The Risk Management proposal defines senior management as “the core group of individuals directly accountable to the board of directors for the sound and prudent day-to-day management of the firm.” Two key responsibilities of senior management are overseeing the activities of the firm’s business lines and the firm’s IRM and system of internal control. The proposed guidance highlights the principle that: Senior management is responsible for managing the day-to-day operations of the firm and ensuring safety and soundness and compliance with internal policies and procedures, laws and regulations, including those related to consumer protection.

    Management of Business Lines

    The proposal refers to “business line management” as the core group of individuals responsible for prudent day-to-day management of a business line and accountable to senior management for that responsibility. For LFIs that are not subject to supervision by the Large Institution Supervision Coordinating Committee (“LISCC”) these expectations would apply to any business line where a significant control disruption, failure, or loss event could result in a material loss of revenue, profit, or franchise value, or result in significant consumer harm.

    A firm’s business line management should:

    • Execute business line activities consistent with the firm’s strategy and risk tolerance.
    • Identify, measure, and manage the risks associated with the business activities under a broad range of conditions, incorporating input from IRM.
    • Provide a business line with the resources and infrastructure sufficient to manage the business line’s activities in a safe and sound manner, and in compliance with applicable laws and regulations, including those related to consumer protection, as well as policies, procedures, and limits.
    • Ensure that the internal control system is effective for the business line operations.
    • Be held accountable, with business line staff, for operating within established policies and guidelines, and acting in accordance with applicable laws, regulations, and supervisory guidance, including those related to consumer protection.

    Independent Risk Management and Controls

    The Risk Management proposal describes core principles of a firm’s independent risk management function, system of internal control, and internal audit function. The guidance does not prescribe in detail the governance structure for a firm’s IRM and controls. While the guidance does not dictate specifics regarding governance structure, it does set forth requirements with respect to the roles of the Chief Risk Officer and Chief Audit Executive:

    • The CRO should establish and maintain IRM that is appropriate for the size, complexity, and risk profile of the firm.
    • The Chief Audit Executive should have clear roles and responsibilities to establish and maintain an internal audit function that is appropriate for the size, complexity and risk profile of the firm.

    The proposal requires that a firm’s IRM function be sufficient to provide an objective, critical assessment of risks and evaluates whether a firm remains aligned with its stated risk tolerance. Specifically, a firm’s IRM function should:

    • Evaluate whether the firm’s risk tolerance appropriately captures the firm’s material risks and confirm that the risk tolerance is consistent with the capacity of the risk management framework.
    • Establish enterprise-wide risk limits consistent with the firm’s risk tolerance and monitor adherence to such limits.
    • Identify and measure the firm’s risks.
    • Aggregate risks and provide an independent assessment of the firm’s risk profile.
    • Provide the board and senior management with risk reports that accurately and concisely convey relevant, material risk data and assessments in a timely manner.

    With regard to internal controls, the proposed guidance builds upon the expectations described in the Fed’s Supervisory Letter 12-17. A firm should have a system of internal control to guide practices, provide appropriate checks and balances, and confirm quality of operations. In particular, the guidance states that a firm should:

    • Identify its system of internal control and demonstrate that it is commensurate with the firm’s size, scope of operations, activities, risk profile, strategy, and risk tolerance, and consistent with all applicable laws and regulations, including those related to consumer protection.
    • Regularly evaluate and test the effectiveness of internal controls, and monitor functioning of controls so that deficiencies are identified and communicated in a timely manner.

    With respect to internal audit, the proposed guidance does not expand upon the Fed’s expectations; rather it references existing supervisory expectations. The proposed guidance highlights that a firm should adhere to the underlying principle that its internal audit function should examine, evaluate, and perform independent assessments of the firm’s risk management and internal control systems and report findings to senior management and the firm’s audit committee.

    Comments on the Fed’s proposed guidance are due by March 15.

    Agency Rule-Making & Guidance Federal Reserve Risk Management LFI SIFIs Bank Regulatory Bank Supervision

    Share page with AddThis
  • House Passes Legislation Modifying Systemic Risk Designation Requirements

    Federal Issues

    The House voted 288-130 on December 19 to pass legislation modifying Dodd-Frank Act asset requirements for systemic risk designations of bank holding companies. Under H.R. 3312, the Systemic Risk Designation Improvement Act of 2017, bank holding companies that are subject to increased capital requirements and heightened supervision by the Federal Reserve (Fed) will no longer be automatically designated as systemically important financial institutions (SIFIs) if their asset threshold is $50 billion or greater. Instead, the Fed will review a bank holding company’s size, interconnectedness, infrastructure, “global cross-jurisdictional activity,” and complexity to determine whether it should be designated as a SIFI. Relatedly, the Senate Banking Committee is currently considering a separate measure, S. 2155, which would, among other things, increase the SIFI asset threshold to $250 billion.

    Federal Issues Federal Legislation Dodd-Frank SIFIs Bank Regulatory

    Share page with AddThis
  • Continuing Resolution Extends National Flood Insurance Program Deadline to December 22

    Federal Issues

    As previously reported in InfoBytes, the House voted 237-189 on November 14 to pass legislation reforming and reauthorizing the National Flood Insurance Program (NFIP) for five years before it expired at the beginning of December. A continuing resolution (H.J. Res. 123), passed by both the Senate and House and signed into law by President Trump on December 8, amended the expiration date of Fiscal Year 2018 appropriations to December 22, and extended the NFIP another two weeks. The Senate Banking Committee is still waiting to act on a flood insurance bill. 

    Federal Issues OCC Bank Regulatory National Flood Insurance Program Trump

    Share page with AddThis
  • Otting Sworn in as Comptroller of the Currency; Pushes for Regulation Review

    Federal Issues

    On November 27, Joseph M. Otting was sworn in as the next Comptroller of the Currency following Senate confirmation on November 16. Otting commented in a statement prepared for his swearing-in that he understands “as a career banker” the value and importance of “effective supervision” as well as “the challenges bankers face as they work to meet customer needs while coping with unnecessary regulatory burden that makes it more difficult and complicated than necessary.” Otting asserted that in order for regulations to be effective, modifications must be made as the nation’s needs change. Otting’s stated priorities include “enhancing the value of national bank and federal savings association charters, reducing unnecessary burden, and promoting economic opportunity while maintaining the safety and soundness of the federal banking system.”

    Federal Issues OCC Bank Regulatory

    Share page with AddThis
  • OCC Presents First National Bank Charter Since the Financial Crisis

    Agency Rule-Making & Guidance

    On October 27, Acting Comptroller of Currency, Keith A. Noreika, issued the first full-service national bank charter since the financial crisis to a banking institution in Florida. The institution is also the first de novo national bank and de novo approved for federal deposit insurance in Florida since the financial crisis. While presenting the charter, Noreika commented on the rarity of de novo banks and encouraged better efficiency in the process for their establishment in order to, “create more economic opportunity for consumers, businesses, and communities across the nation.”

    As previously covered by InfoBytes, the House Financial Services Committee held a hearing in March related to the “de novo drought” and to examine the impact the Dodd-Frank Act has had on the creation of new financial institutions.

    Agency Rule-Making & Guidance Lending OCC Bank Regulatory Federal Issues

    Share page with AddThis
  • Federal Banking Regulatory Agencies Issue Proposed Rulemaking to Simplify Regulatory Capital Rule

    Agency Rule-Making & Guidance

    On September 27, the Federal Reserve Board, the FDIC, and the OCC (agencies) issued a joint notice of proposed rulemaking to simplify capital rule compliance requirements and reduce the regulatory burden in accordance with the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA). Among other things, the proposed rule will “apply a simpler regulatory capital treatment” for mortgage servicing assets, certain deferred tax assets, investments in unconsolidated financial institutions, and capital issued by a consolidated subsidiary of a banking organization and held by third parties, or minority interest. To assist banks in evaluating the potential impact of the proposal, the agencies provided an estimation tool template and summary of the proposal. As previously discussed in InfoBytes, the agencies—all members of the Federal Financial Institutions Examination Council (FFIEC)—issued a report in March following an EGRPRA review, in which the agencies outlined initiatives designed to reduce regulatory burdens, particularly on community banks and savings associations. In a statement issued by FDIC Chairman Martin J. Gruenberg, commenters are encouraged to also consider methods for simplifying existing regulatory capital rules impacting community banks. Comments on the joint proposed rule are due 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Bank Regulatory Capital Requirements Federal Reserve FDIC OCC EGRPRA FFIEC Federal Register

    Share page with AddThis
  • NYDFS Issues Reminder on Cybersecurity Regulation Compliance Effective August 28

    State Issues

    On August 28, the New York Department of Financial Services (NYDFS) issued an announcement reminding all NYDFS-regulated banks, insurance companies, and other financial services institutions that they must now begin complying with the state’s “first-in-nation cybersecurity regulation.” As previously covered in Infobytes, the regulation took effect March 1, 2017, but August 28 was the first compliance date. Covered entities are now required to implement the following: (i) a cybersecurity program designed to protect consumers’ private data; (ii) board/senior officer-approved written policy or policies; (iii) a designated Chief Information Security Officer to help protect an entity’s data and systems; and (iv) “controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.” Furthermore, covered entities must begin reporting cybersecurity events through NYDFS’ online cybersecurity portal. (See previous InfoBytes coverage here.) Notices of exemption may be filed within “30 days of the determination that the covered entity is exempt,” and covered entities must file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018. NYDFS also released a series of frequently asked questions to provide assistance to institutions when complying with the regulation’s requirements.

    State Issues Privacy/Cyber Risk & Data Security NYDFS Compliance Bank Regulatory

    Share page with AddThis
  • Federal Banking Regulators Issue Proposal to Simplify Capital Requirements to Provide Regulatory Relief to Community Banks

    Agency Rule-Making & Guidance

    On August 22, the Federal Reserve, FDIC and OCC issued a proposed rule that capital requirements set to take effect in January 2018 would be suspended under a proposed rule for banking organizations not subject to the advanced approaches capital rules, such as community and midsized banks— generally those with less than $250 billion in total assets and fewer than $10 billion in foreign exposure. The federal banking regulators proposed the suspension as they develop a proposal that would simplify capital requirements to reduce regulatory burden. Banks subject to the advance approaches capital rules will still be required to comply with the capital rule requirements taking effect January 1, 2018. The proposal would pause the fully phased-in Basel III requirements regarding the treatment of mortgage servicing assets, certain deferred tax assets, investments in the capital instruments of unconsolidated financial institutions, and minority interests (see FDIC Financial Institution Letter FIL-34-2017). According to a press release issued by the FDIC, “the transitional treatment for those items is scheduled to be replaced with a different treatment on January 1, 2018.” FDIC Vice Chairman Thomas M. Hoenig issued a statement supporting the proposal but pushed for the need to provide additional relief for community banks such as predicating relief based on banking activities and tangible equity rather than asset size.

    Comments on the proposed rule are due 30 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Basel Federal Reserve FDIC OCC Mortgages Community Banks Bank Regulatory

    Share page with AddThis
  • FDIC Releases August List of CRA Compliance Examinations

    Federal Issues

    On August 4, the FDIC published its monthly list of state nonmember banks recently evaluated for compliance with the Community Reinvestment Act (CRA). The list reports CRA evaluation ratings assigned to institutions in May 2017 as required by the Financial Institutions Reform, Recovery, and Enforcement Act of 1989. Monthly lists of all state nonmember banks and their evaluations that have been made publically available can be accessed through the FDIC’s website. Of the 68 banks evaluated, four were rated “Outstanding,” 62 received a “Satisfactory” rating, and two were rated “Needs to Improve.”

    Federal Issues FDIC CRA Banking Bank Regulatory FIRREA

    Share page with AddThis
  • Federal Reserve Issues Guidance Regarding Roles of Bank Boards, Requests Comments on New SIFI Rating System

    Agency Rule-Making & Guidance

    Guidance Regarding Roles of Bank Boards.

    On August 3, the Federal Reserve (Fed) took an important step towards easing the heavy regulatory burden placed on the boards of directors at the largest U.S. banking organizations, when it issued for public comment a corporate governance proposal intended to “enhance the effectiveness of boards of directors” and “refocus the Federal Reserve supervisory expectations for the largest firms’ boards of directors on their core responsibilities, which will promote the safety and soundness of the firms.”

    The proposal is a result of a multi-year review conducted by the Fed of practices of boards of directors, particularly at the largest banking institutions. The Fed focused on the challenges boards face, the factors that make boards effective, and the ways in which boards influence the safety and soundness of their firms and promote compliance within. The key takeaways of this review included:

    • supervisory expectations for boards of directors and senior management have become increasingly difficult to distinguish;
    • boards devote a significant amount of time satisfying supervisory expectations that do not directly relate to board’s core responsibilities; and
    • boards of large financial institutions face significant information flow challenges, which can result in boards being overwhelmed by the complexity and quantity of information received. 

    The Fed expects that these issues can be remediated by allowing banks to refocus on their core responsibilities, including: (i) developing the firm’s strategy and risk tolerance; (ii) overseeing senior management and holding them accountable for effective risk management and compliance; (iii) supporting the independence of the firm’s independent risk management and internal audit functions; and (iv) adopting effective governance practices.

    In April, Fed Governor Jerome Powell indicated that the financial crisis led to a “broad increase in supervisory expectations” for these boards of directors, but cautioned that the Fed needs to “ensure that directors are not distracted from conducting their key functions by overly detailed checklist of supervisory process requirements.” Explaining that the Fed was reassessing its supervisory expectations for boards, Powell stated “it is important to acknowledge that the board’s role is one of oversight, not management.”

    The proposed guidance better distinguishes the supervisory expectations for boards from those of senior management, and includes new criteria by which the Fed will assess bank boards. The Fed describes effective boards as those which:

    • set clear, aligned, and consistent direction regarding the firm’s strategy and risk tolerance;
    • actively manage information flow and board discussions;
    • hold senior management accountable;
    • support the independence and stature of independent risk management and internal audit; and
    • maintain a capable board composition and governance structure. 

    The proposal also clarifies expectations regarding internal communications within firms for communicating supervisory findings internally, stating that for all supervised firms, most supervisory findings should be communicated to the firm's senior management for corrective action, rather than to its board of directors. Such findings would only be directed to the board for corrective action when the board needs to address its corporate governance responsibilities or when senior management fails to take appropriate remedial action. 

    While the proposal does not address all of the post-crisis challenges faced by bank boards, it is a welcome message to the industry that the Fed recognized the need to recalibrate their expectations. The proposal also identifies existing supervisory expectations for boards of directors that could be eliminated or revised and notes that the Fed intends to continue assessing whether its expectations of bank boards require further changes.

    New SIFI Rating System.

    On August 3, the Fed also issued for public comment a new risk rating system for Large Financial Institutions (“LFI”s) that would replace the RFI rating system for bank holding companies with total consolidated assets of $50 billion or more; non-insurance, non-commercial savings and loan holding companies with total consolidated assets of $50 billion or more; and U.S. intermediate holding companies of foreign banking organizations established pursuant to the Fed’s Regulation YY. (The Fed will continue to use the same RFI rating system that has been in place since 2004 to evaluate community and regional bank holding companies.) 

    The LFI rating system is designed to evaluate LFIs on whether they possess sufficient financial and operational strength and resilience to maintain safe and sound operations through a range of conditions. The system would consist of three chief components:

    • Governance and Controls
      • board of directors
      • management of core business lines and independent risk management and controls and
      • recovery planning (for domestic bank holding companies subject to LISCC);
    • Capital Planning and Positions; and
    • Liquidity Risk Management and Positions.

    The Governance and Control component would evaluate a LFI’s effectiveness in ensuring that the firm’s strategic business objectives are safely within the firm’s risk tolerance and ability to manage the accordant risk. The component will focus on LFIs’ effectiveness in maintaining strong, effective and independent risk management and control functions, including internal audit and compliance, and providing for ongoing resiliency.

    The second and third components are intended to incorporate LFI supervision activities, including CCAR and CLAR, which will be directly reflected within the respective component ratings–resulting in a more comprehensive supervisory approach than the RFI rating system which did not incorporate the results of those supervisory activities.

    Each LFI would receive a component rating using a multi-level scale (Satisfactory/Satisfactory Watch, Deficient-1 and Deficient-2). “Satisfactory Watch” would indicate that a firm is generally considered safe and sound, however certain issues require timely resolution. Any Deficiency rating would result in that LFI being considered less than “well managed.”

    Agency Rule-Making & Guidance Federal Reserve Bank Regulatory Bank Supervision Federal Register SIFIs LFI Regulation YY

    Share page with AddThis

Pages