[Federal Register Volume 79, Number 176 (Thursday, September 11, 2014)]
[Rules and Regulations]
[Pages 54518-54549]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-21224]



[[Page 54517]]

Vol. 79

Thursday,

No. 176

September 11, 2014

Part VI





 Department of the Treasury





-----------------------------------------------------------------------





Office of the Comptroller of the Currency





-----------------------------------------------------------------------





12 CFR Parts 30, 168, and 170





OCC Guidelines Establishing Heightened Standards for Certain Large 
Insured National Banks, Insured Federal Savings Associations, and 
Insured Federal Branches; Integration of Regulations; Final Rule

  Federal Register / Vol. 79, No. 176 / Thursday, September 11, 2014 / 
Rules and Regulations  

[[Page 54518]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Parts 30, 168, and 170

[Docket ID OCC-2014-001]
RIN 1557-AD78


OCC Guidelines Establishing Heightened Standards for Certain 
Large Insured National Banks, Insured Federal Savings Associations, and 
Insured Federal Branches; Integration of Regulations

AGENCY: Office of the Comptroller of the Currency, Treasury.

ACTION: Final rules and guidelines.

-----------------------------------------------------------------------

SUMMARY: The Office of the Comptroller of the Currency (OCC) is 
adopting guidelines, issued as an appendix to its safety and soundness 
standards regulations, establishing minimum standards for the design 
and implementation of a risk governance framework (Framework) for large 
insured national banks, insured Federal savings associations, and 
insured Federal branches of foreign banks (banks) with average total 
consolidated assets of $50 billion or more and minimum standards for a 
board of directors in overseeing the Framework's design and 
implementation (final Guidelines). The standards contained in the final 
Guidelines will be enforceable by the terms of a Federal statute that 
authorizes the OCC to prescribe operational and managerial standards 
for national banks and Federal savings associations. In addition, as 
part of our ongoing efforts to integrate the regulations of the OCC and 
those of the Office of Thrift Supervision (OTS), the OCC is adopting 
final rules and guidelines that make its safety and soundness standards 
regulations and guidelines applicable to both national banks and 
Federal savings associations and that remove the comparable Federal 
savings association regulations and guidelines. The OCC is also 
adopting other technical changes to the safety and soundness standards 
regulations and guidelines.

DATES: The final rule is effective November 10, 2014. Compliance dates 
for the final Guidelines vary as specified.

FOR FURTHER INFORMATION CONTACT: Molly Scherf, Deputy Comptroller, 
Large Bank Supervision, (202) 649-6210, or Stuart Feldstein, Director, 
Andra Shuster, Senior Counsel, or Henry Barkhausen, Attorney, 
Legislative & Regulatory Activities Division, (202) 649-5490, for 
persons who are deaf or hard of hearing, TTY, (202) 649-5597, or Martin 
Chavez, Attorney, Securities and Corporate Practices Division, (202) 
649-5510, 400 7th Street SW., Washington, DC 20219.

SUPPLEMENTARY INFORMATION:

Background

    The recent financial crisis demonstrated the destabilizing effect 
that large, interconnected financial companies can have on the national 
economy, capital markets, and the overall financial stability of the 
banking system. The financial crisis and the accompanying legislative 
response underscore the importance of strong bank supervision and 
regulation of the financial system. Congress passed the Dodd-Frank Wall 
Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) \1\ 
to address, in part, weaknesses in the framework for the supervision 
and regulation of large U.S. financial companies.\2\ These legislative 
developments highlight the view that large, complex institutions can 
have a significant impact on capital markets and the economy and, 
therefore, need to be supervised and regulated more rigorously.
---------------------------------------------------------------------------

    \1\ Public Law 111-203, 124 Stat. 1376 (2010).
    \2\ See, e.g., 12 U.S.C. 5365 (requiring enhanced prudential 
standards for certain bank holding companies and nonbank financial 
companies).
---------------------------------------------------------------------------

    As a result of the financial crisis, the OCC developed a set of 
``heightened expectations'' to enhance our supervision and strengthen 
the governance and risk management practices of large national 
banks.\3\ These heightened expectations reflected the OCC's supervisory 
experience during the financial crisis and addressed weaknesses the OCC 
observed in large institutions' governance and risk management 
practices during this time. Through its work with the Financial 
Stability Board and Basel Committee on Banking Supervision, the OCC 
found that many supervisors are establishing, or are considering 
establishing, similar expectations for the financial institutions they 
regulate.\4\
---------------------------------------------------------------------------

    \3\ Further background information on the heightened 
expectations program is included in the notice of proposed 
rulemaking entitled OCC Guidelines Establishing Heightened Standards 
for Certain Large Insured National Banks, Insured Federal Savings 
Associations, and Insured Federal Branches; Integration of 
Regulations. 79 FR 4282, 4283 (Jan. 27, 2014).
    \4\ See Financial Stability Board, Thematic Review on Risk 
Governance Peer Review Report (Feb. 12, 2013); Principles for An 
Effective Risk Appetite Framework (Nov. 18, 2013). See also Basel 
Committee on Banking Supervision, Principles for effective risk data 
aggregation and risk reporting (Jan. 2013).
---------------------------------------------------------------------------

    In January 2014, the OCC invited public comment on proposed rules 
and guidelines addressing the following two topics: (i) Guidelines 
establishing minimum standards for the design and implementation of a 
Framework for large insured national banks, insured Federal savings 
associations, and insured Federal branches and minimum standards for 
boards of directors overseeing the Framework of these institutions 
(proposed Guidelines); and (ii) the integration of 12 CFR parts 30 and 
170 (proposed integration rules and integration guidelines).\5\
---------------------------------------------------------------------------

    \5\ 79 FR 4282 (Jan. 27, 2014).
---------------------------------------------------------------------------

    After carefully considering the comments we received on the 
proposed Guidelines, the OCC is adopting these final Guidelines as a 
new Appendix D to part 30 of our regulations. As described more fully 
below, the final Guidelines supersede the OCC's previous heightened 
expectations program with respect to covered banks.\6\ The OCC, as the 
primary financial regulatory agency for national banks and Federal 
savings associations, believes that the final Guidelines further the 
goal of the Dodd-Frank Act to strengthen the financial system by 
focusing management and boards of directors on strengthening risk 
management practices and governance, thereby minimizing the probability 
and impact of future crises. In addition, the final Guidelines will 
provide greater certainty to covered banks about the OCC's risk 
management expectations and improve examiners' ability to assess 
compliance with the standards contained in Appendix D. The OCC is also 
adopting the proposed integration rules and integration guidelines 
substantially as proposed, with minor technical changes.
---------------------------------------------------------------------------

    \6\ The OCC has adopted a definition of the term ``covered 
bank'' to clarify the scope of the final Guidelines. This definition 
is discussed in the definitions section of this preamble.
---------------------------------------------------------------------------

    We have set forth below a summary of the comments we received, and 
a detailed description of the proposed Guidelines, significant 
comments, and the standards contained in the final Guidelines.

Notice of Proposed Rulemaking: Summary of General Comments

    The OCC received 25 comment letters on the proposed Guidelines from 
financial institutions and trade associations, among others, and 
received no comment letters on the proposed integration rules and 
integration guidelines. The comments addressed all major sections of 
the proposed Guidelines. To improve understanding of the issues raised 
by

[[Page 54519]]

commenters, the OCC met with a number of these commenters to discuss 
issues relating to the proposed Guidelines, and summaries of these 
meetings are available on a public Web site.\7\
---------------------------------------------------------------------------

    \7\ See http://www.regulations.gov/index.jsp#!docketDetail;D=OCC-2014-0001.
---------------------------------------------------------------------------

    Many commenters expressed support for the broader goals of the 
proposed Guidelines. At the same time, other commenters raised concerns 
with various provisions in the proposed Guidelines. For example, 
commenters argued that the proposed Guidelines were too prescriptive 
and requested the OCC to revise the final Guidelines to be more 
principles-based and to provide additional flexibility in applying the 
Guidelines to different types of banks.
    Some commenters also interpreted the proposed Guidelines as 
prohibiting banks from utilizing their parent company's risk governance 
framework and resources. These commenters noted that this could result 
in conflicting standards, increased risk, and a duplication of systems 
and resources and urged the OCC to allow the bank to leverage existing 
holding company risk management processes.
    Commenters also generally opposed categorizing certain 
organizational units as front line units. These commenters noted that 
organizational units such as legal, human resources, finance, and 
information technology do not create the types of risk that should be 
subject to these Guidelines and thus the OCC should not classify them 
as front line units. Finally, some commenters argued that the proposed 
Guidelines inappropriately assigned managerial responsibilities to the 
board of directors that would distract the board from its strategic and 
oversight role.
    As discussed more fully below, the OCC has revised the final 
Guidelines in response to the issues and information provided by 
commenters, and has made technical changes to the final rule and 
guidelines integrating 12 CFR parts 30 and 170. These modifications to 
the final Guidelines and explanations that address comments are 
described in the section-by-section description of the final 
Guidelines.

Enforcement of the Guidelines

    The OCC is adopting the final Guidelines pursuant to section 39 of 
the Federal Deposit Insurance Act (FDIA).\8\ Section 39 authorizes the 
OCC to prescribe safety and soundness standards in the form of a 
regulation or guidelines. For national banks, these standards currently 
include three sets of guidelines issued as appendices to part 30 of our 
regulations. Appendix A contains operational and managerial standards 
that relate to internal controls, information systems, internal audit 
systems, loan documentation, credit underwriting, interest rate 
exposure, asset growth, asset quality, earnings, and compensation, fees 
and benefits. Appendix B contains standards on information security and 
Appendix C contains standards that address residential mortgage lending 
practices. The safety and soundness standards for Federal savings 
associations are found in Appendices A and B to 12 CFR part 170. Part 
30, part 170, and Appendices A and B were issued on an interagency 
basis and are comparable.\9\
---------------------------------------------------------------------------

    \8\ 12 U.S.C. 1831p-1. Section 39 was enacted as part of the 
Federal Deposit Insurance Corporation Improvement Act of 1991, 
Public Law 102-242, section 132(a), 105 Stat. 2236, 2267-70 (Dec. 
19, 1991).
    \9\ As discussed further below, the OCC is also adopting final 
rules and guidelines that make part 30 and its appendices applicable 
to Federal savings associations, and that remove part 170.
---------------------------------------------------------------------------

    Section 39 prescribes different consequences depending on whether 
the agency issues regulations or guidelines. Pursuant to section 39, if 
a national bank or Federal savings association \10\ fails to meet a 
standard prescribed by regulation, the OCC must require it to submit a 
plan specifying the steps it will take to comply with the standard. If 
a national bank or Federal savings association fails to meet a standard 
prescribed by guideline, the OCC has the discretion to require the 
submission of such a plan.\11\ The issuance of these heightened 
standards as guidelines rather than as a regulation provides the OCC 
with supervisory flexibility to pursue the course of action that is 
most appropriate given the specific circumstances of a covered bank's 
failure to meet one or more standards, and the covered bank's self-
corrective and remedial responses.
---------------------------------------------------------------------------

    \10\ Section 39 of the FDIA applies to ``insured depository 
institutions,'' which would include insured Federal branches of 
foreign banks. While we do not specifically refer to these entities 
in this discussion, it should be read to include them.
    \11\ See 12 U.S.C. 1831p-1(e)(1)(A)(i) and (ii). In either case, 
however, the statute authorizes the issuance of an order and the 
subsequent enforcement of that order in court, independent of any 
other enforcement action that may be available in a particular case.
---------------------------------------------------------------------------

    The OCC has procedural rules contained in part 30 that implement 
the enforcement remedies prescribed by section 39. Under these 
provisions, the OCC may initiate the enforcement process when it 
determines, by examination or otherwise, that a national bank or 
Federal savings association has failed to meet the standards set forth 
in the final Guidelines.\12\ Upon making that determination, the OCC 
may request, through letter or Report of Examination, that the national 
bank or Federal savings association submit a compliance plan to the OCC 
detailing the steps the institution will take to correct the 
deficiencies and the time within which it will take those steps. This 
request is termed a Notice of Deficiency. Upon receiving a Notice of 
Deficiency from the OCC, the national bank or Federal savings 
association must submit a compliance plan to the OCC for approval 
within 30 days.
---------------------------------------------------------------------------

    \12\ For national banks and Federal savings associations, the 
procedures governing the determination and notification of failure 
to satisfy a standard prescribed pursuant to section 39, the filing 
and review of compliance plans, and the issuance, if necessary, of 
orders are set forth in our regulations at 12 CFR 30.3, 30.4, and 
30.5.
---------------------------------------------------------------------------

    If a national bank or Federal savings association fails to submit 
an acceptable compliance plan, or fails materially to comply with a 
compliance plan approved by the OCC, the OCC may issue a Notice of 
Intent to Issue an Order pursuant to section 39 (Notice of Intent). The 
bank or savings association then has 14 days to respond to the Notice 
of Intent. After considering the bank's or savings association's 
response, the OCC may issue the order, decide not to issue the order, 
or seek additional information from the bank or savings association 
before making a final decision. Alternatively, the OCC may issue an 
order without providing the bank or savings association with a Notice 
of Intent. In this case, the bank or savings association may appeal 
after-the-fact to the OCC, and the OCC has 60 days to consider the 
appeal and render a final decision. Upon the issuance of an order, a 
bank or savings association will be deemed to be in noncompliance with 
part 30. Orders are formal, public documents, and they may be enforced 
in district court or through the assessment of civil money penalties 
under 12 U.S.C. 1818.

Description of the OCC's Guidelines Establishing Heightened Standards

    The final Guidelines consist of three sections. Section I provides 
an introduction to the Guidelines, explains the scope of the 
Guidelines, and defines key terms used throughout the Guidelines. 
Section II sets forth the minimum standards for the design and 
implementation of a covered bank's Framework. Section III provides the 
minimum standards for the board of directors' oversight of the 
Framework.

[[Page 54520]]

Section I: Introduction

    Under the proposed Guidelines, the OCC would expect a bank to 
establish and implement a Framework for managing and controlling the 
bank's risk taking. The proposed Guidelines established the minimum 
standards for the design and implementation of the Framework and the 
minimum standards for the board of directors in overseeing the 
Framework's design and implementation.
    The proposed Guidelines permitted a bank to use its parent 
company's risk governance framework if the bank has a risk profile that 
is substantially the same as its parent company's risk profile, the 
parent company's risk governance framework complies with the proposed 
Guidelines, and the bank demonstrates through a documented assessment 
that its risk profile and its parent company's risk profile are 
substantially the same. The proposed Guidelines provided that the bank 
should conduct this assessment at least annually or more often in 
conjunction with the review and update of the Framework performed by 
independent risk management as set forth in paragraph II.A. of the 
proposed Guidelines.
    Under the proposed Guidelines, a parent company's and bank's risk 
profiles would be considered substantially the same if, as of the most 
recent quarter-end Federal Financial Institutions Examination Council 
Consolidated Reports of Condition and Income (Call Report), the 
following conditions are met: (i) The bank's average total consolidated 
assets represent 95 percent or more of the parent company's average 
total consolidated assets; (ii) the bank's total assets under 
management represent 95 percent or more of the parent company's total 
assets under management; and (iii) the bank's total off-balance sheet 
exposures represent 95 percent or more of the parent company's total 
off-balance sheet exposures. As provided in the proposed Guidelines, a 
bank that did not satisfy this test could submit to the OCC for 
consideration an analysis that demonstrates that the risk profile of 
the parent company and the bank are substantially the same based on 
other factors.
    The proposed Guidelines provided that the bank would need to 
develop its own Framework if the parent company's and bank's risk 
profiles are not substantially the same. The bank's Framework should 
ensure that the bank's risk profile is easily distinguished and 
separate from its parent company's for risk management and supervisory 
reporting purposes and that the safety and soundness of the bank is not 
jeopardized by decisions made by the parent company's board of 
directors or management.
    Several commenters argued that it was inefficient and 
counterproductive to require a bank to create a second risk framework 
in addition to the parent company's framework. According to the 
commenters, a separate bank-specific risk framework would be isolated 
from the overall enterprise risk framework and undermine the goals of 
sound risk management. Other commenters indicated that banks should be 
allowed to use their parent company's risk governance framework because 
the Dodd-Frank Act requires bank holding companies to serve as a source 
of strength for their insured depository institution subsidiaries.
    Some commenters also interpreted the proposed Guidelines to 
prohibit the bank from using any components of the parent company's 
risk governance framework unless the risk profiles of the bank and its 
parent holding company are substantially the same. Commenters argued 
that the OCC should change the threshold for the substantially the same 
determination from 95 percent to 85 percent. They noted that in certain 
other regulatory contexts special treatment is granted when the total 
assets of an insured depository institution comprise 85 percent or more 
of the assets of its parent company.\13\ One commenter argued that the 
current Call Report and holding company reporting forms do not contain 
parallel line items for assets under management and off-balance sheet 
exposures, making it problematic to establish that a bank is above the 
95 percent threshold under those measures. Several commenters also 
suggested that the OCC should allow multiple subsidiary banks of a 
parent company to aggregate their asset sizes in order to meet the 95 
percent threshold. The commenters noted that some banking organizations 
conduct banking activities through multiple charters and that a 
prohibition on aggregation would result in unnecessary and duplicative 
risk management programs.
---------------------------------------------------------------------------

    \13\ See, e.g., 12 CFR 243.4(a)(3)(i)(B).
---------------------------------------------------------------------------

    The OCC is making a few modifications to the introductory section. 
The final Guidelines continue to establish minimum standards for the 
design and implementation of a covered bank's Framework and minimum 
standards for the covered bank's board of directors in providing 
oversight of the Framework's design and implementation. The OCC notes 
that these standards are not intended to be exclusive, and that they 
are in addition to any other applicable requirements in law or 
regulation. For example, the OCC expects covered banks to continue to 
comply with the operational and management standards articulated in 
Appendix A to part 30, including those related to internal controls, 
internal audit systems, risk management, and management information 
systems.
    Paragraph 3. of the final Guidelines clarifies that a covered bank 
may use its parent company's risk governance framework in its entirety, 
without modification, if the framework meets these minimum standards 
and the risk profiles of the parent company and the covered bank are 
substantially the same as demonstrated through a documented assessment. 
The covered bank should conduct this assessment at least annually in 
conjunction with the review and update of the Framework performed by 
independent risk management pursuant to paragraph II.A.
    Paragraph 4. of the final Guidelines continues to set forth the 
substantially the same test, but simplifies the test by removing the 
provisions relating to assets under management and off-balance sheet 
exposures. Under the final Guidelines, a parent company's and covered 
bank's risk profiles are substantially the same if, as reported on the 
covered bank's Call Report for the four most recent consecutive 
quarters, the covered bank's average total consolidated assets 
represent 95 percent or more of the parent company's average total 
consolidated assets.\14\ The final Guidelines also provide that a 
covered bank that does not satisfy this test may submit a written 
analysis to the OCC for consideration and approval that demonstrates 
that the risk profile of the parent company and the covered bank are 
substantially the same based upon other factors.
---------------------------------------------------------------------------

    \14\ The final Guidelines clarify that average total 
consolidated assets for a parent company means the average of the 
parent company's total consolidated assets, as reported on the 
parent company's Form FR Y-9C to the Board of Governors of the 
Federal Reserve System (Board), or equivalent regulatory report, for 
the four most recent consecutive quarters.
---------------------------------------------------------------------------

    The OCC has determined not to lower the 95 percent threshold, as 
suggested by some commenters. The 95 percent threshold in the final 
Guidelines functions as a safe harbor, above which a covered bank will 
not need to create its own Framework. If a covered bank and its parent 
company have substantially the same risk profile, the covered bank can 
use any and all components of the parent company's risk governance 
framework as its own, provided the parent company's framework complies 
with the final

[[Page 54521]]

Guidelines. A covered bank that does not meet the 95 percent threshold 
can use components of its parent company's framework, provided those 
components meet the criteria outlined in the Guidelines.
    The OCC believes a high threshold is necessary to ensure that a 
covered bank's Framework appropriately considers the sanctity of each 
national bank or Federal savings association charter within a parent 
company's legal entity structure. During the financial crisis, the OCC 
and some boards of directors were unable to accurately assess certain 
national banks' risk profiles because their respective parent company's 
risk management practices were assessing, managing, and reporting risks 
by line of business, rather than legal entity. In addition, decisions 
by some parent companies' boards of directors and management teams 
leading up to the crisis created unacceptable risk levels in their 
national bank subsidiaries. As a result, these parent companies were 
unable to provide financial or other support to their bank subsidiaries 
despite the fact that a parent company is expected to serve as a source 
of strength for its bank subsidiaries.
    The covered bank's Framework should ensure that the covered bank's 
risk profile is easily distinguished and separate from its parent 
company for risk management and supervisory reporting purposes and that 
the safety and soundness of the covered bank is not jeopardized by 
decisions made by the parent company's board of directors and 
management. This includes ensuring that assets and businesses are not 
transferred into the covered bank from nonbank entities without proper 
due diligence and ensuring that complex booking structures established 
by the parent company protect the safety and soundness of the covered 
bank.
    Although the final Guidelines continue to provide that a covered 
bank should establish its own Framework when the parent company's and 
covered bank's risk profiles are not substantially the same, the 
Guidelines also clarify that even in these cases a covered bank may, in 
consultation with the OCC, incorporate or rely on components of its 
parent company's risk governance framework when developing its own 
Framework to the extent those components are consistent with the 
objectives of these Guidelines. It is important to note that neither 
the proposed Guidelines nor the final Guidelines prohibit a covered 
bank from using those components of its parent company's risk 
governance framework that are appropriate for the covered bank. Indeed, 
the OCC encourages covered banks to leverage their parent company's 
risk governance framework to the extent appropriate, including using 
employees of the parent company. For example, it may be appropriate for 
the same individual to serve as Chief Risk Executive or Chief Audit 
Executive of a covered bank and its parent company.
    We note that the extent to which a covered bank may use its parent 
company's framework will vary depending on the circumstances. For 
example, it may be appropriate for a covered bank to use the parent 
company's framework without modification where there is significant 
similarity between the covered bank's and parent company's risk 
profiles, or where the parent company's framework provides for focused 
governance and risk management of the covered bank. Conversely, a 
covered bank may incorporate fewer components of the parent company's 
framework where the risk profiles of the covered bank and parent are 
less similar, or the parent company's risk governance framework is less 
focused on the covered bank. In these situations, it may be necessary 
to modify components of the parent company's risk governance framework 
that the covered bank incorporates or relies on to ensure the bank's 
risk profile is easily distinguished from that of its parent and that 
decisions made by the parent do not jeopardize the safety and soundness 
of the covered bank. It is expected that the covered bank will consult 
with OCC examiners to determine which components of a parent company's 
risk governance framework may be used to ensure that the covered bank's 
Framework complies with the Guidelines.
    The OCC recognizes that covered banks operate within their overall 
parent company's risk governance framework, and that covered banks may 
realize efficiencies when their parent company's risk governance 
framework is consistent with these Guidelines. However, modifications 
may be necessary when the parent company's risk management objectives 
are different than the covered bank's risk management objectives. For 
example, a parent company's board of directors and management will need 
to understand and manage aggregate risks that cross legal entities, 
while a covered bank's board and management will need to understand and 
manage only the covered bank's individual risk profile. The OCC 
believes these distinct goals and processes are complementary. The 
covered bank should work closely with its parent company to promote 
efficiencies and synergies between the two risk governance frameworks.

Scope and Compliance Date

    The proposed Guidelines applied to a bank with average total 
consolidated assets equal to or greater than $50 billion as of the 
effective date of the Guidelines (calculated by averaging the bank's 
total consolidated assets, as reported on the bank's Call Reports, for 
the four most recent consecutive quarters). For those banks with 
average total consolidated assets less than $50 billion as of the 
effective date of the Guidelines, but that subsequently have average 
total consolidated assets of $50 billion or greater, the proposed 
Guidelines applied to such banks on the as-of date of the most recent 
Call Report used in the calculation of the average.
    Several commenters objected to the $50 billion threshold. Some 
commenters suggested that the OCC increase the threshold to one more 
consistent with the complexity of the bank and the heightened risk the 
bank posed. One commenter suggested using the $250 billion threshold in 
the Basel III advanced approaches.\15\ Another commenter favored 
eliminating the $50 billion threshold and instead adopting a 
principles-based approach that applies the Guidelines to banks whose 
operations are highly complex or present a heightened risk.
---------------------------------------------------------------------------

    \15\ See 12 CFR 3.100(b)(1)(i).
---------------------------------------------------------------------------

    Some commenters requested that the OCC provide banks not previously 
subject to the OCC's heightened expectations program with a year or 
longer to comply with the final Guidelines. Other commenters argued 
that the OCC should permit an institution that becomes newly subject to 
the Guidelines a minimum of two years to achieve full compliance. 
Several commenters argued that the OCC should allow banks previously 
subject to the OCC's heightened expectations program a minimum of one 
year from the date of the final Guidelines because of the new and more 
detailed requirements contained in the Guidelines.
    The OCC believes that the final Guidelines should apply to any bank 
with average total consolidated assets equal to or greater than $50 
billion,\16\

[[Page 54522]]

but recognizes that covered banks with assets equal to or greater than 
$50 billion may differ in the degree of risk they present and, 
therefore, as described below, we are making several changes to this 
section to address the compliance date for covered banks based on size 
and experience with the heightened expectations program. In addition, 
we note that the $50 billion asset criteria is a well understood 
threshold that the OCC and other Federal banking regulatory agencies 
have used to demarcate larger, more complex banking organizations from 
smaller, less complex banking organizations.\17\ Accordingly, the final 
Guidelines retain the $50 billion threshold.
---------------------------------------------------------------------------

    \16\ The approach for calculating average total consolidated 
assets under the final Guidelines is the same as that in the 
proposed Guidelines. Specifically, the final Guidelines provide that 
average total consolidated assets for a covered bank means the 
average of the covered bank's total consolidated assets, as reported 
on the covered bank's Call Reports for the four most recent 
consecutive quarters.
    \17\ See 12 CFR 46.1 (stress testing); 12 CFR 252.30 (enhanced 
prudential standards for bank holding companies with total 
consolidated assets of $50 billion or more).
---------------------------------------------------------------------------

    The OCC is also clarifying that the final Guidelines will apply to 
any bank with average total consolidated assets less than $50 billion 
in the limited circumstances where that institution's parent company 
controls at least one covered bank.\18\ This would include both sister 
banks of the covered bank as well as covered bank subsidiaries and 
sister bank subsidiaries that are banks (e.g., insured credit card 
banks or insured trust banks). The meaning of the terms ``bank,'' 
``covered bank,'' and ``control'' is discussed in the Definitions 
section below.
---------------------------------------------------------------------------

    \18\ The OCC notes that many of the covered banks it regulates 
are part of a larger holding company structure that includes smaller 
OCC-supervised insured depository institutions. In some instances, 
the OCC has observed that a covered bank's parent company does not 
pay sufficient attention to the operations of these smaller 
entities. The OCC is expressly including these smaller entities in 
the definition of ``covered bank'' because the OCC believes that a 
covered bank's parent company should devote adequate attention to 
assessing and managing the risk associated with these entities' 
activities. The OCC notes that, as with covered banks with average 
total consolidated assets of $50 billion or more, these smaller 
banks may incorporate or rely on appropriate components of their 
parent company's risk governance framework.
---------------------------------------------------------------------------

    As noted above, the final Guidelines contain a schedule that 
phases-in the date for a covered bank to comply with the final 
Guidelines. A covered bank with average total consolidated assets equal 
to or greater than $750 billion should comply with the final Guidelines 
by the effective date, i.e., 60 days after these Guidelines are 
published in the Federal Register. A covered bank with average total 
consolidated assets equal to or greater than $100 billion but less than 
$750 billion as of the effective date should comply with the final 
Guidelines within six months from the effective date.
    A covered bank with average total consolidated assets equal to or 
greater than $50 billion but less than $100 billion as of the effective 
date should comply with these Guidelines within 18 months from the 
effective date. A covered bank with average total consolidated assets 
less than $50 billion that is a covered bank because that bank's parent 
company controls at least one other covered bank as of the effective 
date should comply with these Guidelines on the same date that such 
other covered bank should comply. Finally, a covered bank with less 
than $50 billion in average total consolidated assets on the effective 
date of the final Guidelines that subsequently becomes subject to the 
Guidelines because its average total consolidated assets are equal to 
or greater than $50 billion should comply with the Guidelines within 18 
months from the as-of date of the most recent Call Report used in the 
calculation of the average.\19\ The OCC notes that larger institutions 
have been subject to the OCC's heightened expectations program since 
2010 and should need less time to comply with the final Guidelines. 
Other covered banks have been subject to certain aspects of the 
heightened expectations program and therefore may require additional 
time to comply with all aspects of the final Guidelines.
---------------------------------------------------------------------------

    \19\ Once a covered bank becomes subject to the final Guidelines 
because its average total consolidated assets have reached or 
exceeded the $50 billion threshold, it is required to continue to 
comply with the Guidelines even if its average total consolidated 
assets subsequently drop below $50 billion, unless the OCC 
determines otherwise and exercises its reservation of authority as 
discussed below.
---------------------------------------------------------------------------

Reservation of Authority

    In order to maintain supervisory flexibility, the proposed 
Guidelines reserved the OCC's authority to apply the Guidelines to a 
bank whose average total consolidated assets are less than $50 billion 
if the OCC determines that such bank's operations are highly complex or 
otherwise present a heightened risk as to require compliance with the 
Guidelines. The proposed Guidelines provided that the OCC would 
consider the complexity of products and services, risk profile, and 
scope of operations to determine whether a bank's operations are highly 
complex or present a heightened risk.
    Conversely, the proposed Guidelines also reserved the OCC's 
authority to delay the application of the Guidelines to any bank, or 
modify the Guidelines as applicable to certain banks. Additionally, the 
proposed Guidelines provided that the OCC may determine that a bank is 
no longer required to comply with the Guidelines. The OCC would 
generally make this determination if a bank's operations are no longer 
highly complex or no longer present a heightened risk that would 
require continued compliance with the Guidelines. Finally, the proposal 
provided that the OCC would apply notice and response procedures, when 
appropriate, consistent with those set out in 12 CFR 3.404 when 
exercising any of these reservations of authority.
    Some commenters expressed concern about the OCC's use of 
reservation of authority to apply the Guidelines to banks below the $50 
billion threshold, particularly community banks. Other commenters 
asserted that the proposed Guidelines should apply to a bank below the 
$50 billion threshold only when the bank's risk profile is elevated and 
the bank has met a list of objective factors.
    After reviewing the comments, the OCC is finalizing the reservation 
of authority paragraph substantially as proposed with minor technical 
changes. The final Guidelines provide that the OCC reserves the 
authority to apply the Guidelines, in whole or in part, to a bank below 
the $50 billion threshold if the OCC determines that the bank's 
operations are highly complex or otherwise present a heightened risk. 
The OCC expects to utilize this authority only if a bank's operations 
are highly complex relative to its risk-management capabilities, and 
notes that ``[t]his is a high threshold that only will be crossed in 
extraordinary circumstances.'' \20\ The OCC does not intend to exercise 
this reservation of authority to apply the final Guidelines to 
community banks.\21\
---------------------------------------------------------------------------

    \20\ The Honorable Thomas J. Curry, Comptroller of the Currency, 
Address at the American Bankers Association Risk Management Forum 
(Apr. 10, 2014).
    \21\ See id. (``Some community bankers may be reading that 
language as a loophole that we will use to impose onerous new 
requirements on community banks. I want to assure you that this is 
not the case and not our intent.'').
---------------------------------------------------------------------------

    Consistent with the proposal, the final Guidelines reserve the 
OCC's authority to extend the time for compliance with the Guidelines, 
modify the Guidelines, or to determine that compliance with the 
Guidelines is no longer appropriate for a particular covered bank. The 
OCC would generally make this determination if a covered bank's 
operations are no longer highly complex or no longer present a 
heightened risk based on consideration of the factors articulated in 
the Guidelines. The final Guidelines continue to provide that the OCC 
will apply notice and response procedures, when appropriate, consistent 
with those set out in 12 CFR

[[Page 54523]]

3.404 when exercising any of these reservations of authority.

Insured Federal Branches

    As discussed above, the proposed Guidelines applied to an insured 
Federal branch of a foreign bank with average total consolidated assets 
of $50 billion or more. We noted in the preamble to the proposed 
Guidelines that, pursuant to the reservation of authority, the OCC may 
modify the Guidelines to tailor them for insured Federal branches due 
to their unique nature.
    Some commenters requested that the OCC delay any decision regarding 
application of the Guidelines to an insured Federal branch pending a 
more definite determination of what such tailoring contemplates. In 
particular, these commenters requested that the OCC clarify the 
treatment of independent risk management and internal audit, and the 
role for the foreign bank's governing body under the Guidelines. Some 
commenters also asserted that the proposed Guidelines did not 
adequately address that an insured Federal branch does not have a board 
of directors. Some commenters also argued that the final Guidelines 
should provide each insured Federal branch considerable flexibility to 
apply them in a manner best suited to its circumstances.
    After reviewing the comments, the OCC has determined that the final 
Guidelines will apply to insured Federal branches with $50 billion or 
more in average total consolidated assets. However, the OCC recognizes 
that insured Federal branches do not have a U.S. board of directors and 
that their risk governance frameworks will vary due to the variety of 
activities performed in the branch. As a result, the OCC intends to 
apply the final Guidelines in a flexible manner to insured Federal 
branches. For example, if an insured Federal branch were to become 
subject to these final Guidelines, the OCC would apply the Guidelines 
in a manner that takes into account the nature, scope, and risk of the 
branch's activities. This means that the OCC will consult with the 
insured Federal branch to adapt the final Guidelines in an appropriate 
manner to the branch's operations.
    In addition, the final Guidelines omit footnote one from the 
proposal which provided that, in the case of an insured Federal branch, 
the board of directors means the managing official in charge of the 
branch. In the event an insured Federal branch becomes subject to the 
final Guidelines, OCC examiners will consult with the branch to 
determine the appropriate person or committee to undertake the 
responsibilities assigned to the board of directors under the final 
Guidelines. The OCC continues to expect that all Federal branches have 
risk governance frameworks in place that are commensurate with the 
level of risk taken in or outside the U.S. impacting U.S. operations.

Preservation of Existing Authority

    As discussed above, the final Guidelines are enforceable pursuant 
to section 39 of the FDIA and part 30 of our rules. Section I of the 
Guidelines also provides that nothing in section 39 or the Guidelines 
in any way limits the authority of the OCC to address unsafe or unsound 
practices or conditions or other violations of law.

Definitions

    The proposed Guidelines defined several terms, including Chief 
Audit Executive, Chief Risk Executive, front line unit, independent 
risk management, internal audit, risk appetite, and risk profile. With 
the exception of the front line unit definition, the OCC is adopting 
these definitions substantially as proposed, with certain clarifying 
and technical changes. The final Guidelines also include definitions 
for the terms bank, control, and covered bank.
    Bank. The proposed Guidelines defined the term ``bank'' in the 
scope section of the proposed Guidelines \22\ to mean any insured 
national bank, insured Federal savings association, or insured Federal 
branch of a foreign bank with average total consolidated assets equal 
to or greater than $50 billion as of the effective date of the 
Guidelines. The OCC is moving this definition to paragraph I.E. 
Definitions to consolidate all of the definitions in one location. 
Under the final Guidelines, the term ``bank'' means any insured 
national bank, insured Federal savings association, or insured Federal 
branch of a foreign bank. As discussed below, the OCC is also 
introducing the term ``covered bank'' to more clearly indicate the 
types of institutions covered by these Guidelines.
---------------------------------------------------------------------------

    \22\ See proposed Guidelines I.A.
---------------------------------------------------------------------------

    Chief Audit Executive. The proposed Guidelines defined the term 
``Chief Audit Executive'' (CAE) as an individual who leads internal 
audit and is one level below the Chief Executive Officer (CEO) in the 
bank's organizational structure. The OCC received no comments and is 
adopting this definition as proposed with one technical change.
    Chief Risk Executive. The proposed Guidelines defined the term 
``Chief Risk Executive'' (CRE) as an individual who leads an 
independent risk management unit and is one level below the CEO in the 
bank's organizational structure. The proposal noted that some banks 
designate one CRE, while others designate risk-specific CREs.\23\ In 
the latter situation, the proposal provided that the bank should have a 
process for coordinating the activities of all independent risk 
management units so they can provide an aggregated view of risks to the 
CEO and the board of directors or the board's risk committee. The 
proposal solicited comment on the advantages and disadvantages of 
having a single CRE versus having multiple, risk-specific CREs.
---------------------------------------------------------------------------

    \23\ See 79 FR 4282, 4285 n.15 (Jan. 27, 2014).
---------------------------------------------------------------------------

    Commenters disagreed on this issue. Some commenters noted that it 
is advantageous for a single CRE to provide oversight to all 
independent risk management units, and argued that a single CRE is 
necessary to ensure a cohesive and coordinated approach to risk 
management. Other commenters asserted that requiring a single CRE would 
be too prescriptive for the varied risk profiles and organizational 
designs among banks, and noted that such a requirement may not be 
appropriate to the size, scale, and complexity of each institution. In 
addition, these commenters noted that having two or three executives 
performing CRE functions and having access to the board of directors 
can provide additional perspective to the board.
    After reviewing the comments received, the OCC is adopting the 
definition substantially as proposed with one clarifying change. The 
final Guidelines provide that Chief Risk Executive means an individual 
who leads an independent risk management unit and is one level below 
the CEO in a covered bank's organizational structure.\24\ The final 
definition expressly states that a covered bank may have more than one 
CRE. Because the OCC did not receive compelling information regarding 
the appointment of a single CRE, we are providing covered banks 
flexibility in determining the appropriate number of CREs. The OCC 
continues to believe, however, that a covered bank with multiple, risk-
specific CREs should have effective processes for coordinating the 
activities of all independent risk management units so that they can 
provide an aggregated view of all risks to the CEO

[[Page 54524]]

and the board of directors or the board's risk committee.
---------------------------------------------------------------------------

    \24\ See final Guidelines paragraph I.E.3.
---------------------------------------------------------------------------

    Control. As discussed below, the OCC is adopting a definition of 
the term ``covered bank'' to clarify the scope of the final Guidelines. 
The definition of the term ``covered bank'' turns, in part, on the 
definition of ``control.'' While the concept of control was discussed 
in the proposed Guidelines,\25\ the proposal did not include a 
definition of this term.
---------------------------------------------------------------------------

    \25\ See 79 FR 4285.
---------------------------------------------------------------------------

    The OCC is adopting a definition of the term ``control'' that is 
based on the definition provided in 12 CFR 3.2. Under the final 
Guidelines, a parent company controls a covered bank if it: (i) Owns, 
controls, or holds with power to vote 25 percent or more of a class of 
voting securities of the covered bank; or (ii) consolidates the covered 
bank for financial reporting purposes. The OCC believes that this 
definition will assist institutions in determining whether they are a 
``covered bank,'' and therefore subject to the final Guidelines.
    Covered Bank. In order to clarify the scope of the final 
Guidelines, the OCC is adopting a definition of the term covered bank. 
Under the final Guidelines, the term covered bank means any bank: (i) 
With average total consolidated assets equal to or greater than $50 
billion; (ii) with average total consolidated assets less than $50 
billion if that bank's parent company controls at least one covered 
bank; or (iii) with average total consolidated assets less than $50 
billion, if the OCC determines that the bank's operations are highly 
complex or otherwise present a heightened risk as to warrant the 
application of the final Guidelines. The OCC believes that this 
definition accurately reflects the scope of the proposed Guidelines, 
and has made changes throughout the text of the Guidelines to 
incorporate this term.
    Front line unit. The proposed Guidelines defined the term ``front 
line unit'' as any organizational unit within the bank that: (i) 
Engages in activities designed to generate revenue for the parent 
company or bank; (ii) provides services, such as administration, 
finance, treasury, legal, or human resources to the bank; or (iii) 
provides information technology, operations, servicing, processing, or 
other support to any organizational unit covered by the proposed 
Guidelines.\26\
---------------------------------------------------------------------------

    \26\ See proposed Guidelines I.C.3. The proposal clarified that 
servicing includes activities done in support of front line lending 
units, such as collecting monthly payments, forwarding principal and 
interest payments to the current lender in the event a loan has been 
sold, maintaining escrow accounts, paying taxes and insurance 
premiums, and taking steps to collect overdue payments. The proposal 
also provided that processing refers to activities such as item 
processing (e.g., sorting of checks), inputting loan, deposit, and 
other contractual information into information systems, and 
administering collateral tracking systems. See 79 FR 4286 n.17-18.
---------------------------------------------------------------------------

    Several commenters strongly opposed this definition claiming that 
it inappropriately includes organizational units that do not ``own'' or 
create risk, such as legal, compliance, finance, human resources, and 
information technology. These commenters suggested that these types of 
organizational units mainly perform risk mitigation or support 
functions and therefore should not be subject to the standards in the 
Guidelines. Other commenters expressed concern that the proposed 
definition would subordinate the views of these types of organizational 
units to independent risk management thus, for example, potentially 
subjecting legal decisions and advice to review by independent risk 
management and internal audit.
    Some commenters also noted that organizational units may have many 
different functions, only some of which involve accountability for risk 
that warrants treatment under these Guidelines. One commenter suggested 
that, in such cases, the OCC classify part of the unit as a front line 
unit. One commenter suggested that the front line unit definition 
should include revenue-generating business units and personnel who 
provide functional support to these units, such as legal advisory 
services or technology development, when those personnel are 
compensated by and report into the business unit. Finally, several 
commenters urged the OCC to provide flexibility to determine how 
service and support functions should fit into the bank's risk 
governance framework.
    After carefully considering the comments, the OCC is making several 
changes to this definition. Under the final Guidelines, a front line 
unit means, except as otherwise provided, any organizational unit or 
function thereof in a covered bank that is accountable for one of 
several enumerated risks \27\ and that either: (i) Engages in 
activities designed to generate revenue or reduce expenses for the 
parent company or covered bank; (ii) provides operational support or 
servicing to any organizational unit or function within the covered 
bank in the delivery of products or services to customers; or (iii) 
provides technology services to any organizational unit or function 
covered by these Guidelines. Thus, to meet the definition of a front 
line unit, an organizational unit or function would need to be 
accountable for a risk and also meet one of three additional criteria 
that capture the types of risk-taking activities these Guidelines are 
intended to address. The final Guidelines also provide that a front 
line unit does not ordinarily include an organizational unit or 
function thereof within a covered bank that provides legal services to 
the covered bank.
---------------------------------------------------------------------------

    \27\ These risks are credit risk, interest rate risk, liquidity 
risk, price risk, operational risk, compliance risk, strategic risk, 
or reputation risk, as described in the ``Large Bank Supervision'' 
booklet of the Comptroller's Handbook (Jan. 2010).
---------------------------------------------------------------------------

    The OCC believes that this revised definition provides greater 
flexibility to identify and classify organizational units or functions 
thereof that are responsible for risks covered by these Guidelines as 
front line units. Specifically, this definition makes it possible for 
part of an organizational unit to qualify as a front line unit without 
implicating the entire organizational unit. For example, in some 
institutions, the Chief Financial Officer's organizational unit may be 
responsible for setting goals and providing oversight to enterprise-
wide expense reduction initiatives. These initiatives have the 
potential to create one or more risks, if actions taken to achieve cost 
saving goals inappropriately weaken risk management practices or 
internal controls. With regard to this responsibility, the finance 
organizational unit would be a front line unit, subject to the 
oversight and challenge of independent risk management. However, the 
finance organizational unit would not be a front line unit with regard 
to its responsibility to establish, assess, or report on line of 
business compliance with other enterprise-wide policies and procedures, 
such as those associated with preparing the covered bank's financial 
statements.
    The final definition also clarifies that, if an organizational unit 
or function is accountable for a risk within a covered bank, it is 
considered a front line unit whether or not it created the risk. The 
purpose of this change is to make clear that a front line unit's 
responsibility for, or ownership of, a risk may arise by engaging in 
the activity that originally created the risk within the covered bank, 
or when the organizational unit is assigned accountability for a risk 
that was created by another organizational unit. For example, 
accountability for an individual loan or a portfolio of loans and its 
associated risks may transfer from one organizational unit or function 
to another within a covered bank. The organizational unit or function 
that assumes responsibility for the loan or loan portfolio becomes a 
front line unit

[[Page 54525]]

at the time accountability for the risk is transferred.
    Conversely, there may be circumstances where an organizational unit 
may have some accountability for one or more risks, but may not meet 
other provisions of the definition and thus would not be a front line 
unit for purposes of these Guidelines. For example, one of the primary 
responsibilities of human resources is to design and implement 
compensation programs, which, if not designed and implemented properly, 
could motivate inappropriate risk-taking behavior. However, human 
resources does not meet any of the three additional criteria, and 
therefore, is not a front line unit for purposes of these Guidelines. 
The OCC believes excluding human resources from the definition of front 
line unit is appropriate, given that the compensation programs it 
designs and implements are designed with input from other 
organizational units and subject to the review and approval of the 
board of directors, or a committee thereof. The board of directors may, 
at its discretion, request input from independent risk management on 
the design and implementation of the compensation program or individual 
compensation plans, regardless of whether human resources is a front 
line unit. Furthermore, the other activities in which human resources 
engages are not directly related to the types of risks covered by these 
Guidelines.
    The proposed Guidelines provided that an organizational unit that 
engages in activities designed to generate revenue for the parent 
company or the bank would be a front line unit. The final Guidelines 
modify this provision to provide that a front line unit could include 
an organizational unit or function that engages in activities designed 
to generate revenue or ``reduce expenses.'' The purpose of this change 
is to more effectively include within the front line unit definition 
certain functions within an organizational unit without including the 
entire unit.
    Under the proposal, a front line unit included an organizational 
unit that ``provides information technology, operations, servicing, 
processing, or other support to any organizational unit covered by 
these Guidelines.'' The OCC notes that, in the revised definition, an 
organizational unit or function accountable for risk may be a front 
line unit if it ``provides operational or servicing support to any 
organizational unit or function within the covered bank in the delivery 
of products or services to customers.'' The OCC revised this definition 
because the proposed definition was too broad and could create issues 
similar to those raised by commenters with regard to including all 
aspects of organizational units such a finance, human resources, etc., 
in the front line unit definition. The revised definition is more 
focused on the organizational units and functions that the OCC intended 
to include in the definition of front line unit.
    Finally, the OCC agreed with commenters that the definition of a 
front line unit should not ordinarily include an organizational unit or 
function thereof that provides legal services to the covered bank. The 
OCC notes, however, that there may be instances where the General 
Counsel is responsible for functions that extend beyond legal services. 
The OCC expects that examiners will determine whether these functions 
meet the definition of a front line unit, independent risk management, 
or internal audit and will discuss with covered banks whether any 
determinations made by the covered bank conflict with the final 
Guidelines.
    Independent risk management. The proposed Guidelines defined the 
term independent risk management as any organizational unit within the 
bank that has responsibility for identifying, measuring, monitoring, or 
controlling aggregate risks. The proposal noted that these units 
maintain independence from front line units by following the reporting 
structure specified in the proposed Guidelines. Under the proposal's 
reporting structure, the board of directors or the board's risk 
committee reviews and approves the Framework and any material policies 
established under the Framework. In addition, the board of directors or 
the board's risk committee approves all decisions regarding the 
appointment or removal of the CRE and approves the annual compensation 
and salary adjustment of the CRE. The proposal clarified that the board 
of directors or the board's risk committee should receive 
communications from the CRE on the results of independent risk 
management's risk assessments and activities, and other matters that 
the CRE determines are necessary.\28\ The proposal also provided that 
the board of directors or its risk committee should make appropriate 
inquiries of management or the CRE to determine whether there are scope 
or resource limitations that impede the ability of independent risk 
management to execute its responsibilities.\29\
---------------------------------------------------------------------------

    \28\ 79 FR 4287.
    \29\ Id.
---------------------------------------------------------------------------

    The proposed definition specified that the CEO oversees the CRE's 
day-to-day activities. The proposal clarified that this includes 
resolving disagreements between front line units and independent risk 
management that cannot be resolved by the CRE and front line unit(s) 
executive(s), and overseeing budgeting and management accounting, human 
resources administration, internal communications and information 
flows, and the administration of independent risk management's internal 
policies and procedures.\30\ Finally, the proposed definition provided 
that no front line unit executive oversees any independent risk 
management unit.
---------------------------------------------------------------------------

    \30\ Id.
---------------------------------------------------------------------------

    Some commenters noted that the proposed Guidelines suggest that 
cooperative or integrated relationships between independent risk 
management and front line units could undermine the independence of 
independent risk management. These commenters argued that independent 
risk management's effectiveness can be enhanced through active 
involvement with business units, and that the final Guidelines should 
recognize the benefits of, and not create impediments to, this 
engagement.
    Commenters also addressed the relationship between a parent 
company's and bank's independent risk management functions. Some 
commenters noted that the proposal conflicts with other regulatory 
authorities insofar as those authorities expect risk officers at the 
bank to report into the parent company's risk management function, 
whereas the proposal provided that the CRE of the bank should report to 
a bank's CEO. Other commenters expressed the view that the proposed 
Guidelines appear to require a bank to have a separate chief risk 
officer and separate risk management organization from its parent 
company. These commenters argued that requiring risk management 
activities at the bank separately from the same activities at the 
parent company would be duplicative and increase compliance costs.
    One commenter noted that the provision regarding the CEO's 
oversight of the CRE's day-to-day activities suggested too prescriptive 
a level of involvement. This commenter noted that while the CEO should 
be accountable for these activities, he or she should not be required 
to be personally involved in the day-to-day activities of other 
executives. This commenter requested the OCC to clarify that the CEO 
should not be expected to become significantly involved in the details 
of independent risk management.

[[Page 54526]]

    The OCC is adopting the definition substantially as proposed with 
certain modifications to address commenters' concerns. The final 
Guidelines provide that independent risk management means any 
organizational unit within a covered bank that that has responsibility 
for identifying, measuring, monitoring, or controlling aggregate 
risks.\31\
---------------------------------------------------------------------------

    \31\ Final Guidelines paragraph I.E.7.
---------------------------------------------------------------------------

    Consistent with the proposal, the final Guidelines articulate a 
reporting structure that enables independent risk management to 
maintain its independence from front line units.\32\ Under this 
reporting structure, the board of directors or the board's risk 
committee reviews and approves the Framework. In addition, the final 
Guidelines clarify that a CRE should have unrestricted access to the 
board of directors and its committees with regard to risks and issues 
identified through independent risk management's activities. The board 
of directors or its risk committee approves all decisions regarding the 
appointment or removal of the CREs and approves the annual compensation 
and salary adjustment of the CREs. The final definition removes the 
provision for the CEO to oversee the CRE's (or CREs') day-to-day 
activities. The term day-to-day activities was intended to convey that 
the CEO would oversee the CRE's (or CREs') activities in a manner 
similar to the oversight the CEO provides to other direct reports. 
Given the potential for misinterpretation of the term day-to-day, and 
the fact that this expectation is implied in the CRE's (or CREs') 
reporting structure defined in the Guidelines, the OCC determined that 
this additional requirement is not necessary. The final Guidelines 
continue to provide that no front line unit executive oversees any 
independent risk management unit. Conversely, the CRE should not 
oversee any front line unit.
---------------------------------------------------------------------------

    \32\ Id.
---------------------------------------------------------------------------

    The OCC has also removed from the final definition the provision 
that the board of directors or the board's risk committee review and 
approve any material policies established under the Framework. As 
discussed below, the OCC did not intend to assign managerial 
responsibilities to the board of directors or its risk committee. The 
OCC believes that board or risk committee approval of material policies 
under the Framework would be burdensome, and that these policies should 
be approved by management instead. Nevertheless, the OCC continues to 
believe that the board of directors or the board's risk committee 
should receive communications from the CRE on the results of 
independent risk management's risk assessments and activities, and 
other matters that the CRE determines are necessary. In addition, the 
board of directors or its risk committee should make appropriate 
inquiries of management or the CRE to determine whether there are scope 
or resource limitations that impede the ability of independent risk 
management to execute its responsibilities.
    The OCC did not intend the proposed Guidelines to limit interaction 
between independent risk management and front line units, nor did the 
OCC intend to imply that the relationship between front line units and 
independent risk management should be uncooperative or adversarial. 
Instead, the OCC expects independent risk management to coordinate and 
to actively engage with front line units. However, the OCC expects that 
independent risk management will apply its own judgment when assessing 
risks and the effectiveness of risk management practices within a front 
line unit. In addition, there may be situations where independent risk 
management and front line units disagree. As provided in the proposal, 
the OCC continues to believe that these disagreements should be 
resolved by the CEO when the CRE and front line unit(s) executive(s) 
are unable to resolve these issues.
    The Guidelines, as proposed and finalized, do not limit or prevent 
an employee of a covered bank, such as a CRE, from also serving as an 
officer with the covered bank's parent company and satisfying reporting 
requirements applicable to the covered bank's parent company. 
Accordingly, if a CRE is also an employee of a covered bank's parent 
company, the final Guidelines do not prohibit the CRE from reporting to 
an executive within the parent company provided that the executive does 
not impede the CRE's independence within the covered bank's Framework. 
Similarly, as discussed above, the OCC notes that the final Guidelines 
clarify that a covered bank may use elements of a parent company's risk 
governance framework, but only to the extent that this is appropriate 
for the covered bank.
    Internal audit. The proposed Guidelines defined the term internal 
audit as the organizational unit within the bank that is designated to 
fulfill the role and responsibilities outlined in 12 CFR part 30, 
Appendix A, II.B. Similar to the proposed definition of independent 
risk management, the proposal noted that internal audit maintains 
independence from front line units and independent risk management 
units by implementing the reporting structure specified in the proposed 
Guidelines. Under the proposal's reporting structure, the board's audit 
committee reviews and approves internal audit's overall charter, risk 
assessments, and audit plans. In addition, the proposal provided that 
the audit committee approves all decisions regarding the appointment or 
removal and annual compensation and salary adjustment of the CAE. The 
proposal clarified that the audit committee should receive 
communications from the CAE on the results of internal audit's 
activities or other matters that the CAE determines are necessary and 
make appropriate inquiries of management or the CAE to determine 
whether there are scope or resource limitations that impede the ability 
of internal audit to execute its responsibilities.\33\
---------------------------------------------------------------------------

    \33\ 79 FR 4287.
---------------------------------------------------------------------------

    The proposed definition also provided that the CEO oversees the 
CAE's day-to-day activities. The proposal clarified that the CEO's 
oversight responsibilities include, but are not limited to, budgeting 
and management accounting, human resources administration, internal 
communications and information flows, and the administration of the 
unit's internal policies and procedures.\34\ The proposed definition 
also noted that in some banks, the audit committee may assume the CEO's 
responsibilities to oversee the CAE's day-to-day activities, and that 
this would be acceptable under the proposed Guidelines.\35\ Finally, 
the proposed definition provided that no front line unit executive 
oversees internal audit.
---------------------------------------------------------------------------

    \34\ 79 FR 4288.
    \35\ See proposed Guidelines I.C.5 n.2.
---------------------------------------------------------------------------

    Similar to comments on the proposed definition of independent risk 
management, comments on the proposed definition of internal audit 
focused on the organizational unit's reporting structure. Some 
commenters argued that the reporting line for the CAE was too narrow 
and requested that the final Guidelines provide more flexibility to 
permit the CAE to report to another senior executive (e.g., general 
counsel) on day-to-day issues. These commenters noted that permitting 
more flexibility supports the goals of internal audit independence and 
unfettered access to the bank's board of directors. Other commenters 
noted that internal audit and the CAE are most effective and 
independent when they report functionally to the board of directors or 
the audit committee and administratively to a suitable executive, such 
as the CEO.

[[Page 54527]]

    Some commenters also expressed the view that the proposed 
Guidelines would require a banking organization to establish 
duplicative audit departments for its parent company and each of its 
banks. These commenters noted that a centralized audit function is more 
effective and efficient, ensures consistent audit coverage, and enables 
enterprise-wide functional reviews that help to identify systemic 
issues quickly. The OCC did not intend to suggest that a covered bank 
is prohibited from using its parent company's risk governance framework 
when their respective risk profiles are not substantially the same. As 
described more fully above, the final Guidelines generally provide that 
a covered bank may rely on components of its parent company's risk 
governance framework, including internal audit, to the extent those 
components are consistent with the objectives of the final Guidelines.
    One commenter noted that the provision regarding the audit 
committee's or CEO's oversight of the CAE's day-to-day activities 
suggested a level of involvement that was too prescriptive and, in the 
case of the audit committee, too management-oriented. This commenter 
requested that the OCC modify this provision to recognize that neither 
the CEO nor audit committee should be expected to become significantly 
involved in the details of internal audit. Finally, some commenters 
argued that the audit committee should only review and approve material 
risk assessments.
    After reviewing the comments received, the OCC is adopting the 
definition of internal audit substantially as proposed with certain 
modifications. As provided in the final Guidelines, the term internal 
audit means the organizational unit within a covered bank that is 
designated to fulfill the role and responsibilities outlined in 12 CFR 
part 30, Appendix A, II.B.
    Consistent with the proposal, the final Guidelines articulate a 
reporting structure that enables internal audit to maintain its 
independence from front line units and independent risk management. 
Under the reporting structure included in the final Guidelines, the CAE 
has unrestricted access to the audit committee with regard to risks and 
issues identified through internal audit's activities. In addition, the 
audit committee reviews and approves internal audit's overall charter 
and audit plans. Further, the audit committee approves all decisions 
regarding the appointment or removal and annual compensation and salary 
adjustment of the CAE. The final definition clarifies that the audit 
committee or the CEO oversees the CAE's administrative activities. 
Finally, the final definition continues to provide that no front line 
unit executive oversees internal audit.
    The OCC agrees with comments that neither the CEO nor the audit 
committee need to be involved in the details of the CAE's daily 
activities. The final definition preserves this dual reporting 
structure, and clarifies that the CEO or the audit committee oversees 
the CAE's administrative activities, rather than the CAE's day-to-day 
activities. This reflects the OCC's belief that either the CEO or the 
audit committee should have primary oversight responsibility over the 
CAE's administrative activities. These administrative activities 
include routine personnel matters such as leave and attendance 
reporting, expense account management, and other departmental matters 
such as furniture, equipment, and supplies. In addition, revisions made 
to the definition of front line unit provide internal audit more 
flexibility to consult with other organizational units, as necessary. 
For example, the final Guidelines do not prevent internal audit from 
consulting with a covered bank's legal unit on legal matters because 
the legal unit is generally not a front line unit.
    The OCC recognizes that the proposed definition could have been 
interpreted to mean that the audit committee should review and approve 
all internal audit risk assessments, and agrees with commenters that 
this could impose operational burdens on the audit committee and 
detract from their oversight role. Therefore, the final definition 
removes this provision and clarifies that the audit committee reviews 
and approves the overall charter and audit plan. When presenting the 
audit plan to the audit committee for approval, internal audit may 
include the risk assessments that support the audit plan to assist the 
committee in carrying out its responsibilities. Finally, the OCC 
continues to expect that the audit committee should receive 
communications from the CAE on the results of internal audit's 
activities or other matters that the CAE determines are necessary and 
make appropriate inquiries of management or the CAE to determine 
whether there are scope or resource limitations that impede the ability 
of internal audit to execute its responsibilities.
    Parent company. The term ``parent company'' was used throughout the 
proposed Guidelines. One commenter noted that this term can mean a 
variety of different entities within a multi-tiered holding company 
structure.
    The OCC is adopting a definition of the term ``parent company'' to 
clarify the final Guidelines. The term parent company means the top-
tier legal entity in a covered bank's ownership structure. Thus, the 
parent company of a covered bank that is an insured national bank or 
insured Federal savings association may be a domestic or foreign 
entity.
    Risk appetite. The proposed Guidelines defined the term ``risk 
appetite'' as the aggregate level and types of risk the board of 
directors and management are willing to assume to achieve the bank's 
strategic objectives and business plan, consistent with applicable 
capital, liquidity, and other regulatory requirements. The OCC received 
no comments on this definition and is adopting it as proposed with 
minor technical changes.
    Risk profile. The proposed Guidelines defined the term risk profile 
as a point-in-time assessment of the bank's risks, aggregated within 
and across each relevant risk category, using methodologies consistent 
with the risk appetite statement described in II.E. of the proposed 
Guidelines. The OCC received no comments on this definition and is 
adopting it as proposed with minor technical changes.

Section II: Standards for Risk Governance Framework

Risk Governance Framework
    Section II of the proposed Guidelines set minimum standards for the 
design and implementation of a bank's Framework. Under paragraphs A. 
and B., the proposal required a bank to establish and adhere to a 
formal, written Framework approved by the board of directors or its 
risk committee that is reviewed and updated at least annually (and as 
often as needed) by independent risk management to address changes in 
the bank's risk profile caused by internal or external factors or the 
evolution of industry risk management practices. We received no 
comments on this section, however we are making clarifying changes. We 
have added a provision stating that the Framework should include 
delegations of authority from the board of directors to management 
committees and executive officers as well as risk limits established 
for material activities. The Framework should also include processes 
for management's reports to the board of directors covering policy, 
limit compliance, and exceptions. In addition, we have added that the 
review of the Framework should include changes resulting from emerging 
risks and the covered bank's strategic plans.

[[Page 54528]]

Scope of Risk Governance Framework
    Under the proposed Guidelines, the Framework would cover certain 
specified risk categories that apply to the bank. These categories are 
credit risk, interest rate risk, liquidity risk, price risk, 
operational risk, compliance risk, strategic risk, and reputation risk.
    One commenter requested clarification regarding the meaning of 
reputation and strategic risk and argued that the OCC should provide 
additional clarification or remove these two risk types. The final 
Guidelines continue to include all eight categories of risk, which are 
described in existing OCC guidance.\36\ The OCC recognizes that 
industry practices for managing reputation and strategic risks are less 
developed than those associated with other risk categories. However, it 
is important for boards of directors and management teams to 
incorporate these risks into their decision-making processes. 
Therefore, for purposes of the final Guidelines, the OCC expects front 
line units, independent risk management, and internal audit to consider 
these risks when carrying out their responsibilities under the 
Guidelines.
---------------------------------------------------------------------------

    \36\ See ``Large Bank Supervision'' booklet of the Comptroller's 
Handbook (Jan. 2010) (describing these risks).
---------------------------------------------------------------------------

Roles and Responsibilities
    Paragraphs II.C.1. through 3. of the final Guidelines set forth the 
roles and responsibilities for front line units, independent risk 
management, and internal audit.\37\ These units are fundamental to the 
design and implementation of the Framework. As we noted in the preamble 
to the proposed Guidelines, they are often referred to as the ``three 
lines of defense'' and, together, should establish an appropriate 
system to control risk taking. These units should keep the board of 
directors informed of the covered bank's risk profile and risk 
management practices to allow the board of directors to provide 
credible challenges to management's recommendations and decisions. In 
addition, the independent risk management and internal audit units must 
have unrestricted access to the board, or a committee thereof, with 
regard to their risk assessments, findings, and recommendations, 
independent from front line unit management and, when necessary, the 
CEO. This unrestricted access to the board of directors is critical to 
the integrity of the Framework.
---------------------------------------------------------------------------

    \37\ These roles and responsibilities are in addition to any 
roles and responsibilities set forth in Appendices A, B, and C to 
Part 30. Many of the risk management practices established and 
maintained by a covered bank to meet these standards, including loan 
review and credit underwriting and administration practices, should 
be components of its Framework, within the construct of the three 
distinct units identified in the final Guidelines. In addition, 
existing OCC guidance sets forth standards for establishing risk 
management programs for certain risks, e.g., compliance risk 
management. These risk-specific programs should also be considered 
components of the Framework, within the context of the three units 
described in paragraph II.C. of the final Guidelines.
---------------------------------------------------------------------------

    In carrying out their responsibilities within the Framework, front 
line units, independent risk management, and internal audit may engage 
the services of external experts to assist them. This expertise can be 
useful in supplementing internal expertise and providing perspective on 
industry practices. However, no organizational unit in the covered bank 
may delegate its responsibilities under the Framework to an external 
party.
    Many of the commenters expressed support for the lines of defense 
risk governance structure contained in the proposed Guidelines. Some 
commenters, however, argued that classifying all of a bank's activities 
into one of three lines of defense draws artificial bright lines that 
ignore the mix of functions performed. Other commenters noted that 
placing all units other than independent risk management and internal 
audit in the front line could force banks to significantly modify their 
organizational structures, reporting lines, and risk control practices 
and that this could impair banks' ability to effectively manage risks. 
A few commenters asked for additional guidance on the reporting 
structures for compliance and loan review programs.
    As discussed earlier, the OCC has revised the definition of front 
line unit to provide covered banks more flexibility in identifying 
front line units. The OCC believes that these revisions respond to 
commenters' concerns and more closely align the final Guidelines with 
the traditional ``lines of defense'' approach. Below, we discuss the 
role and responsibilities of front line units, independent risk 
management, and internal audit.
Role and Responsibilities of Front Line Units
    Front line units are the first of a bank's three lines of defense. 
The proposed Guidelines provided that front line units should take 
responsibility and be held accountable by the CEO and the board of 
directors for appropriately assessing and effectively managing all of 
the risks associated with their activities. The proposed Guidelines 
provided that front line units should assess, on an ongoing basis, the 
material risks associated with their activities. The front line unit 
should use these risk assessments as the basis for fulfilling the 
responsibilities that were described in paragraphs (b) and (c) of 
paragraph II.C.1. of the proposed Guidelines and for determining if 
they need to take action to strengthen risk management or reduce risk 
given changes in the unit's risk profile or other conditions.
    Paragraph (b) provided that front line units should establish and 
adhere to a set of written policies that include front line unit risk 
limits, as discussed in paragraph II.F. of the proposed Guidelines. The 
proposed Guidelines provided that these policies should ensure that 
risks associated with the front line units' activities are effectively 
identified, measured, monitored, and controlled consistent with the 
bank's risk appetite statement, concentration risk limits, and the 
bank's policies established within the Framework pursuant to paragraphs 
II.C.2.(c) and II.G. through K. of the proposed Guidelines.
    Paragraph (c) provided that front line units should also establish 
and adhere to procedures and processes necessary to ensure compliance 
with the aforementioned written policies. Paragraph (d) provided that 
front line units should adhere to all applicable policies, procedures, 
and processes established by independent risk management.
    Finally, the proposed Guidelines provided that front line units 
should develop, attract, and retain talent and maintain appropriate 
staffing levels, and establish and adhere to talent management 
processes and compensation and performance management programs that 
comply with paragraphs II.L. and II.M., respectively, of the proposed 
Guidelines.
    Some commenters expressed concern that the proposed Guidelines 
prevent front line units from relying on other organizational units to 
perform their assigned responsibilities. For example, one commenter 
argued that the proposed Guidelines could be interpreted as suggesting 
that front line units have exclusive responsibility for establishing 
risk limits, a responsibility assigned to independent risk management 
in many banks. This commenter recommended that the final Guidelines 
clarify that front line units do not have exclusive responsibility for 
establishing front line unit risk limits, and that the front line unit 
may perform this responsibility by or in conjunction with independent 
risk management. Another commenter suggested that the final Guidelines 
recognize that a front

[[Page 54529]]

line unit may use policies, procedures, and controls established by 
other organizational units, and that the front line units' 
responsibility should be contributing their expertise to the 
development of those policies, procedures and controls. Some commenters 
also requested the OCC to clarify how the responsibilities assigned to 
front line units would apply to legal services or other functions that, 
in some banks, do not report directly to a business leader.
    After reviewing the comments, the OCC is adopting the role and 
responsibilities of front line units with minor clarifying changes. To 
allow covered banks some flexibility in designing their Framework, the 
final Guidelines provide that a front line unit may fulfill its 
responsibilities either alone or in conjunction with another 
organizational unit whose purpose is to assist a front line unit in 
fulfilling its responsibilities under the Framework. In such cases, the 
Framework should establish appropriate authority and accountability for 
each responsibility in the Framework, and the organizational unit 
assisting the front line unit cannot be independent risk management. As 
the OCC observed during the financial crisis, it can be challenging to 
instill a sense of ``risk ownership'' in a front line unit when 
multiple organizational units are responsible for the risks associated 
with the front line unit's activities. Banks whose business leaders 
viewed themselves as accountable for the risks created through their 
activities fared better in the crisis than banks where accountability 
for risks were shared among multiple organizational units. The OCC 
cautions covered banks that rely on such a structure to be diligent in 
reinforcing the front line unit's accountability for the risks it 
creates.
    With respect to paragraph (c) of the final Guidelines, a front line 
unit's processes for establishing its policies should provide for 
independent risk management's review and approval of these policies to 
ensure they are consistent with other policies established within the 
Framework. Within this process, independent risk management would 
review and approve the front line unit's risk limits. The final 
Guidelines do not prescribe the process through which independent risk 
management reviews and approves policies and risk limits. In some 
covered banks, independent risk management may be involved from the 
beginning of the process through the final approval and, in other 
covered banks, the front line unit may develop risk limits internally 
and submit them to independent risk management for review, challenge, 
and approval.
    The OCC notes that the standards articulated in paragraphs (b) and 
(c) of the final Guidelines should not be interpreted as an exclusive 
list of actions front line units should take to manage risk 
effectively. Front line units should use their ongoing risk assessments 
to determine if additional actions are necessary to strengthen risk 
management practices or reduce risk. For example, there may be 
instances where front line units should take action to manage risk 
effectively, even if the covered bank has not exceeded its risk limits.
    As described above, the OCC has made revisions to the definition of 
front line unit that the OCC believes address commenters' concerns 
regarding the application of front line unit responsibilities to legal. 
Several commenters requested clarification on how compliance fits into 
the risk governance framework and expressed varying views on whether 
compliance should be considered a front line unit, independent risk 
management, internal audit, or a different organizational unit. With 
regard to compliance, the OCC's guidance is currently outlined in the 
``Compliance Management System'' booklet of the Comptroller's Handbook 
and includes responsibilities for all three lines of defense.\38\
---------------------------------------------------------------------------

    \38\ ``Compliance Management System'' booklet of the 
Comptroller's Handbook (Aug. 1996).
---------------------------------------------------------------------------

    Per the Comptroller's Handbook, a compliance risk management system 
``includes the compliance program and the compliance audit function. . 
. . The compliance program consists of the policies and procedures 
which guide employees' adherence to laws and regulations.'' \39\ Within 
the Framework, these policies and procedures would generally be the 
responsibility of the front line unit if they address risks associated 
with the front line unit's activities or independent risk management if 
they address bank-wide or aggregate risks. The Comptroller's Handbook 
further states, ``[t]he compliance audit function is independent 
testing of an institution's transactions to determine its level of 
compliance with consumer protection laws, as well as the effectiveness 
of, and adherence with, policies and procedures.'' \40\ Within the 
Framework, the independent testing may be performed by independent risk 
management, internal audit, or both.
---------------------------------------------------------------------------

    \39\ Id. at 1.
    \40\ Id.
---------------------------------------------------------------------------

    As noted previously, a few commenters asked for additional guidance 
on the reporting structure for the loan review function.\41\ Within the 
Framework, the loan review function may report to either the second or 
third line of defense. The loan review function should not report to 
the executive officer who establishes and oversees front line unit 
credit policies and individual loan underwriting decisions.
---------------------------------------------------------------------------

    \41\ The expectation that banks establish a loan review program 
are set out in 12 CFR part 30, Appendix A.
---------------------------------------------------------------------------

Role and Responsibilities of Independent Risk Management
    Independent risk management is the second of a bank's three lines 
of defense. Paragraph II.C.2. of the proposed Guidelines provided that 
independent risk management should oversee the bank's risk-taking 
activities and assess risks and issues independent of the CEO and front 
line units. The proposed Guidelines provided that independent risk 
management should take primary responsibility and be held accountable 
by the CEO and board of directors for designing a Framework 
commensurate with the bank's size, complexity, and risk profile that 
meets the Guidelines. Paragraph (b) provided that independent risk 
management should identify and assess, on an ongoing basis, the bank's 
material aggregate risks and use such risk assessments as the basis for 
fulfilling its responsibilities under paragraphs (c) and (d) of 
paragraph II.C.2., and for determining if actions need to be taken to 
strengthen risk management or reduce risk given changes in the bank's 
risk profile or other conditions. Paragraph (c) provided that 
independent risk management should establish and adhere to enterprise 
policies that include concentration risk limits that ensure that 
aggregate risks within the bank are effectively identified, measured, 
monitored, and controlled, consistent with the bank's risk appetite 
statement and all policies and processes established under paragraphs 
II.G. through K. Paragraphs (d) and (e) provided that independent risk 
management should establish and adhere to procedures and processes 
necessary to ensure compliance with the aforementioned policies and to 
ensure that the front line units meet the standards discussed in 
paragraph II.C.1.
    Paragraph (f) provided that independent risk management should 
identify and communicate to the CEO and the board of directors or its 
risk committee material risks and significant instances where 
independent risk management's assessment of risk differs

[[Page 54530]]

from a front line unit as well as significant instances where a front 
line unit is not complying with the Framework. Paragraph (g) provided 
that independent risk management should identify and communicate to the 
board of directors or its risk committee material risks and significant 
instances where independent risk management's assessment of risk 
differs from the CEO, and significant instances where the CEO is not 
adhering to, or holding front line units accountable for adhering to, 
the Framework. In addition, the proposed Guidelines provided that 
independent risk management should develop, attract and retain talent, 
maintain appropriate staffing levels, and establish and adhere to 
talent management processes and compensation and performance management 
programs that comply with paragraphs II.L. and II.M., respectively, of 
the Guidelines.
    Commenters proposed several revisions to this section of the 
proposed Guidelines. Some commenters requested that the OCC delete the 
provision discussing independent risk management's oversight of the 
bank's risk-taking activities and assessment of risks and issues 
independent of the CEO. These commenters expressed concern that this 
suggested that the CRE would not be subject to CEO oversight with 
respect to these activities.
    Some commenters also noted that including organizational units, 
such as compliance, legal, and human resources, in the front line unit 
would require independent risk management to duplicate the control and 
support functions performed by these other units. These commenters 
noted that this would detract from independent risk management's 
responsibilities for overseeing the risk management program. Other 
commenters requested that the OCC clarify how independent risk 
management would interact with organizational units performing control 
functions. For example, some commenters were concerned that independent 
risk management's oversight function would extend to independently 
assessing the risks imposed by litigation. As described in the section 
discussing the front line unit definition, the OCC has made revisions 
to the definition of front line unit that the OCC believes addresses 
these concerns.
    The OCC is finalizing the role and responsibilities of independent 
risk management substantially as proposed, with several clarifying 
changes. The OCC has revised the role and responsibilities of 
independent risk management to remove the provision that independent 
risk management should assess risks and issues independent of the CEO. 
The OCC did not intend to suggest that independent risk management 
should not be subject to CEO oversight with respect to the assessment 
of risks and issues. Notwithstanding the CEO's oversight of the CRE and 
independent risk management, the OCC emphasizes that paragraph (f) of 
the final Guidelines continues to provide that independent risk 
management should report to the board of directors or its risk 
committee material risks and significant instances where independent 
risk management's assessment of risk differs from the CEO, as well as 
significant instances where the CEO is not adhering to, or holding 
front line units accountable for adhering to, the Framework.
    The OCC also emphasizes that the standards articulated in 
paragraphs (c) \42\ and (d) of the final Guidelines should not be 
interpreted as an exclusive list of actions independent risk management 
should take to effectively manage risk. Independent risk management 
should use its risk assessments to determine if additional actions are 
necessary to strengthen risk management practices or reduce risk. For 
example, there may be instances where independent risk management 
should take action to effectively manage risk, even if the covered 
bank's risk appetite, applicable concentration risk limits, or a front 
line unit's risk limits have not been exceeded.
---------------------------------------------------------------------------

    \42\ Paragraph (c) provides, in part, that independent risk 
management should establish and adhere to enterprise policies that 
include concentration risk limits. Consistent with the proposed 
Guidelines, a concentration of risk refers to an exposure with the 
potential to produce losses large enough to threaten a covered 
bank's financial condition or its ability to maintain its core 
operations. Risk concentration can arise in a covered bank's assets, 
liabilities, or off-balance sheet items. An example of a 
concentration of credit risk limit would be commercial real estate 
balances as a percentage of capital.
---------------------------------------------------------------------------

    The OCC also has removed paragraph (e), and redesignated paragraph 
(f) as new paragraph (e). The OCC has revised new paragraph (e) to 
clarify that independent risk management should identify and 
communicate to the CEO and the board of directors, or the risk 
committee thereof, significant instances where a front line unit is not 
adhering to the Framework, including instances when front line units do 
not meet the standards set forth in paragraph II.C.1.
Role and Responsibilities of Internal Audit
    Internal audit is the third of a bank's three lines of defense. The 
proposed Guidelines provided that internal audit should ensure that a 
bank's Framework complies with the Guidelines and is appropriate for 
the bank's size, complexity, and risk profile. Paragraph (a) provided 
that internal audit should maintain a complete and current inventory of 
all of the bank's material businesses, product lines, services, and 
functions and assess the risks associated with each,\43\ which 
collectively provide a basis for the audit plan.
---------------------------------------------------------------------------

    \43\ The preamble discussion of this paragraph provided that 
``[i]nternal audit should derive the[] [risk] ratings from its Bank-
wide risk assessments, and should periodically adjust these ratings 
based on risk assessments conducted by front line units and changes 
in the Bank's strategy and the external environment.'' See 79 FR 
4288.
---------------------------------------------------------------------------

    Paragraph (b) provided that internal audit should establish and 
adhere to an audit plan updated at least quarterly that takes into 
account the bank's risk profile as well as emerging risks and issues. 
The proposal provided that the audit plan should require internal audit 
to evaluate the adequacy of and compliance with policies, procedures, 
and processes established by front line units and independent risk 
management under the Framework. The proposal provided that changes to 
the audit plan should be communicated to the audit committee of the 
board of directors.
    Paragraph (c) provided that internal audit should report in writing 
to the audit committee conclusions, issues, and recommendations 
resulting from the audit work carried out under the audit plan. These 
reports should identify the root cause of any issue and include a 
determination of whether the root cause creates an issue that has an 
impact on one organizational unit or multiple organizational units 
within the bank, as well as a determination of the effectiveness of 
front line units and independent risk management in identifying and 
resolving issues in a timely manner.
    Paragraph (d) provided that internal audit should establish and 
adhere to processes for independently assessing the design and 
effectiveness of the Framework. The assessment should be performed at 
least annually and may be conducted by internal audit, an external 
party, or a combination of both. The assessment should include a 
conclusion on the bank's compliance with the Guidelines and the degree 
to which the bank's Framework is consistent with leading industry 
practices.
    Paragraph (e) provided that internal audit should identify and 
communicate to the audit committee significant instances where front 
line units or independent risk management are not adhering to the 
Framework. Paragraph (f) provided that internal audit should establish 
a quality assurance department

[[Page 54531]]

that ensures internal audit's policies, procedures, and processes 
comply with applicable regulatory and industry guidance, are 
appropriate for the size, complexity, and risk profile of the bank, are 
updated to reflect changes to internal and external risk factors, and 
are consistently followed. Finally, the proposed Guidelines provided 
that internal audit should develop, attract, and retain talent and 
maintain appropriate staffing levels, and establish and adhere to 
talent management processes and compensation and performance management 
programs that comply with paragraphs II.L. and II.M., respectively, of 
the proposed Guidelines.
    The OCC invited comment as to whether the final Guidelines should 
provide that independent risk management maintain a complete and 
current inventory of all of a bank's material businesses, product 
lines, services, and functions to ensure that internal audit has 
developed an accurate inventory. The OCC also requested comment on 
whether internal audit's assessment of the bank's Framework should 
include a conclusion regarding whether the Framework is consistent with 
leading industry practices. The OCC inquired as to whether such an 
assessment would be possible given the wide range of industry 
practices, and whether there were any concerns related to this 
provision.
    Commenters generally stated that the role and responsibilities 
assigned to internal audit were too prescriptive. Some commenters 
requested that the final Guidelines provide that internal audit report 
to the audit committee only on material changes to the audit plan, 
material audit findings and conclusions, and root causes of material 
audit matters. Other commenters noted that internal audit may not need 
to assess the Framework's design annually since the design of the 
Framework is not likely to materially change on a frequent basis. These 
commenters also expressed concern that the proposed Guidelines could 
permit an external party to assess the Framework, and requested that 
the final Guidelines clarify that internal audit must oversee the 
external party. Some commenters also argued that it is not necessary 
for internal audit to establish a quality assurance department because 
this is already a function of internal audit.
    Commenters also requested clarification regarding a discussion in 
the preamble to the proposed Guidelines providing, in part, that the 
audit plan should rate the risk presented by each front line unit, 
product line, service, and function, and that internal audit should 
derive these ratings from bank-wide risk assessments. Some commenters 
requested clarification regarding whether the bank-wide risk 
assessments are prepared by internal audit independently, or whether 
these assessments are prepared by internal audit in conjunction with 
front line units and/or independent risk management. Other commenters 
suggested that permitting internal audit to periodically adjust these 
ratings based on risk assessments conducted by front line units may 
compromise internal audit's independence and objectivity. Some 
commenters suggested that internal audit should conduct an independent 
assessment, and provide challenges where appropriate, to the risk 
assessments conducted by front line units.
    Commenters disagreed whether both independent risk management and 
internal audit should maintain a complete and current inventory of all 
of a bank's material businesses, product lines, services, and 
functions. Some commenters argued that front line units should be 
responsible for this inventory, rather than internal audit. Other 
commenters asserted that independent risk management should maintain 
this inventory rather than internal audit. These commenters noted that 
internal audit should review and evaluate the inventory for accuracy 
and completeness if it is maintained by independent risk management. 
Other commenters expressed the view that banks should have flexibility 
in determining whether independent risk management or internal audit is 
responsible for maintaining the inventory. These commenters emphasized 
that banks should only be required to maintain one comprehensive 
inventory, and that front line units should play a significant role in 
the creation of the inventory.
    The majority of commenters also opposed the proposed Guidelines to 
the extent they provided that internal audit's assessment of the bank's 
Framework should include a conclusion regarding whether the Framework 
is consistent with leading industry practices. Some commenters noted 
that this would be a subjective determination as there is no basis for 
determining what constitutes leading industry practices, and argued 
that this may lead covered banks to make greater use of third-party 
consultants. Some commenters also argued that this would detract from 
internal audit's core functions. Other commenters argued that there are 
a range of acceptable practices and that it is not possible to 
establish a single set of leading industry practices. The majority of 
commenters recommended removing this provision from the final 
Guidelines.
    The OCC's final Guidelines contain revisions to address some of the 
concerns raised by commenters and to provide internal audit more 
flexibility in satisfying its role and responsibilities under the 
Framework. For example, the OCC agrees with commenter suggestions that 
internal audit should report conclusions and material issues and 
recommendations to the audit committee pursuant to paragraph (c), and 
that such reports should also identify the root cause of any material 
issues. The OCC believes that this modification avoids imposing undue 
operational burdens on the audit committee and enables the committee to 
fulfill its key oversight role.
    The OCC believes that the design and implementation of the audit 
plan is an important element of internal audit's role and 
responsibilities under the Framework. The inventory of material 
processes, product lines, services, and functions and the risk 
assessments conducted by internal audit pursuant to paragraph (a) of 
the final Guidelines is commonly referred to as the ``internal audit 
universe'' and forms the basis of the audit plan. The OCC expects 
internal audit to conduct these risk assessments independent of other 
organizational units in the covered bank. As explained in the preamble 
to the proposed Guidelines, the audit plan should rate the risk 
presented by each front line unit, product line, service, and function. 
This includes activities that the covered bank may outsource to a third 
party.
    Internal audit can leverage risk assessments conducted by front 
line units or independent risk management in deriving the risk 
assessments discussed in paragraph (a), but should apply independent 
judgment in doing so.\44\ Internal audit may periodically adjust its 
risk assessments based on changes in the covered bank's strategy and 
the external environment. The audit plan should include ongoing 
monitoring to identify emerging risks and ensure that units, product 
lines, services, and functions that receive a low risk rating are 
reevaluated with reasonable frequency.
---------------------------------------------------------------------------

    \44\ The OCC does not believe that permitting internal audit to 
leverage risk assessments conducted by front line units or 
independent risk management compromises internal audit's 
independence or objectivity. Specifically, the OCC expects internal 
audit to report discrepancies in internal audit's risk ratings and a 
front line unit's or independent risk management's risk ratings to 
the audit committee of the board of directors.

---------------------------------------------------------------------------

[[Page 54532]]

    The audit plan should require internal audit to evaluate the 
adequacy of and compliance with policies, procedures, and processes 
established by front line units and independent risk management under 
the Framework. The OCC notes that this provision is in addition to 
internal audit's traditional testing of internal controls and the 
accuracy of financial records, as required by other laws and 
regulations at an appropriate frequency based on risk. This testing 
should require the evaluation of reputation and strategic risk, along 
with evaluations of independent risk management and traditional risks. 
This testing should enable internal audit to assess the appropriateness 
of risk levels and trends across the covered bank.
    Consistent with the proposal, the OCC continues to believe that all 
significant changes to the audit plan should be communicated to the 
audit committee. As discussed earlier, the OCC believes that the audit 
plan is a critical element of internal audit's role and 
responsibilities under the Framework and that significant changes to 
the audit plan are material. The final Guidelines also clarify that 
internal audit should periodically review and update the audit plan, 
rather than performing this task on a quarterly basis as provided in 
the proposed Guidelines.
    Paragraph (c) provides, in part, that internal audit should report 
in writing, conclusions and material issues and recommendations 
resulting from audit work carried out under the audit plan. The OCC 
also notes that these reports should address potential and emerging 
concerns, the timeliness of corrective actions, and the status of 
outstanding issues. Finally, audit reports should include comments on 
the effectiveness of front line units and independent risk management 
in identifying and mitigating excessive risks and identifying and 
resolving issues in a timely manner. Audit reports should also reflect 
emerging risks and internal audit's assessment of the appropriateness 
of risk levels relative to both the quality of the internal controls 
and the risk appetite statement.
    The OCC has also clarified the role and responsibilities of 
internal audit under the final Guidelines. Specifically, the final 
Guidelines provide that internal audit should assess emerging risks and 
that the quality assurance program should ensure that internal audit's 
policies, procedures, and processes are updated to reflect emerging 
risks and improvements in industry internal audit practices. The 
addition of emerging risks is intended to emphasize that internal audit 
should consider both pre-existing and prospective risks with respect to 
the relevant provisions. The OCC also believes that those individuals 
carrying out the quality assurance program should remain apprised of 
evolving industry internal audit practices, and that internal audit's 
policies, procedures, and processes should be updated to reflect these 
improved practices, as appropriate. The OCC has not removed the 
provision regarding the establishment of a quality assurance program, 
as one commenter suggested, because the OCC's supervisory experience 
indicates that not all covered banks' internal audit units include a 
quality assurance function.
    The OCC has made important revisions to internal audit's role and 
responsibilities for assessing the design and ongoing effectiveness of 
the Framework. The final Guidelines continue to provide that this 
assessment should be conducted at least annually because there may be 
situations (e.g., expansion of business, change in strategy, emerging 
risks) that cause the covered bank's risk profile to change, thereby 
justifying a reassessment of the design and ongoing effectiveness of 
the covered bank's Framework. The final Guidelines also continue to 
provide that internal audit, an external party, or both may perform 
this assessment. The OCC has not revised the final Guidelines to 
provide that internal audit must oversee this external party. The OCC 
notes that there may be situations where a covered bank wants to engage 
a third party to review the entire Framework, including internal 
audit's role in the Framework. It would not be appropriate for internal 
audit to oversee the external party in this situation. In addition, 
based on the overwhelming majority of comments, the OCC is modifying 
this paragraph to remove the provision that internal audit's assessment 
of the Framework should include a conclusion regarding whether the 
Framework is consistent with leading industry practices. However, the 
OCC notes that most covered banks that experienced difficulties during 
the financial crisis had risk management practices that were not 
commensurate with the scope of the covered bank's business activities. 
As a result, the OCC expects independent risk management, in 
conjunction with internal audit, the CEO, and the board of directors to 
assess whether the covered bank's risk management practices are 
developing in an appropriate manner and consider benchmarking these 
practices against peers, where possible.
    The final Guidelines continue to provide that internal audit should 
maintain a complete and current inventory (``audit universe'') of all 
of the covered bank's material processes, product lines, services, and 
functions. The OCC agrees with commenter suggestions that a covered 
bank should only be required to maintain one inventory. The OCC 
believes that internal audit should maintain this inventory, because it 
is a key component in the creation of the audit plan. Front line units 
and independent risk management are expected to conduct risk 
assessments as part of their responsibilities within the Framework and 
internal audit may use these risk assessments when conducting its risk 
assessment against the inventory.
Stature
    As we noted in the preamble to the proposal, a critical part of an 
effective Framework is for independent risk management and internal 
audit to have the organizational stature needed to effectively carry 
out their respective roles and responsibilities. One of the primary 
reasons for assigning CRE and CAE responsibilities to individuals who 
report directly to the CEO is to establish organizational stature for 
these units. However, evidence of stature extends beyond the reporting 
structure. Appropriate stature is evidenced by the attitudes and level 
of support provided by the board of directors, CEO, and others within 
the covered bank toward these units. The board of directors 
demonstrates support for these units by ensuring that they have the 
resources needed to carry out their responsibilities and by relying on 
the work of these units when carrying out their oversight 
responsibilities set forth in section III of the final Guidelines. The 
CEO and front line units demonstrate support by welcoming credible 
challenges from independent risk management and internal audit and 
including these units in policy development, new product and service 
deployment, changes in strategy and tactical plans, and organizational 
and structural changes.
Strategic Plan
    Paragraph D. of section II of the proposed Guidelines provided that 
the CEO should develop a written strategic plan with input from front 
line units and independent risk management. The proposal also provided 
that the board of directors should evaluate and approve the strategic 
plan and monitor management's efforts to implement it at least 
annually. Under the proposed Guidelines the strategic plan would cover 
a three-year period and would contain a comprehensive assessment of 
risks that currently have an impact on the bank or that could have an 
impact

[[Page 54533]]

on the bank during this period, articulate an overall mission statement 
and strategic objectives for the bank, and include an explanation of 
how the bank will achieve those objectives.
    The proposal also provided that the strategic plan should include 
an explanation of how the bank will update the Framework and account 
for changes in the bank's risk profile projected under the strategic 
plan. Finally, the proposed Guidelines required the bank to review, 
update and approve the strategic plan due to changes in the bank's risk 
profile or operating environment that were not contemplated when the 
plan was developed.
    Some commenters suggested that the CEO should ``oversee'' rather 
than ``develop'' the strategic plan. Other commenters recommended that 
the OCC require ``material'' risks to be included in the comprehensive 
assessment of risks. One commenter suggested that the strategic plan 
incorporate a capital plan. Some commenters objected to the requirement 
that the plan include an explanation of how the bank will update the 
Framework to account for changes in the bank's risk profile. The 
commenters argued that annual review was sufficient. Another commenter 
argued that internal audit should not be included in the development of 
the strategic plan since its involvement could compromise the 
independence of internal audit.
    The OCC is adopting this paragraph substantially as proposed with 
one minor revision. We have changed the language in the final 
Guidelines so that a CEO should be ``responsible for the development 
of,'' rather than ``develop,'' a written strategic plan. This change 
clarifies that a CEO is not individually expected to prepare the 
strategic plan. The final Guidelines do not include a materiality 
threshold for what risks covered banks must assess. While the OCC 
understands that certain de minimis risks may be excluded from the risk 
assessment, the strategic plan should comprehensively assess all risks 
that could reasonably be expected to have an impact on the covered 
bank.
    The final Guidelines, like the proposed Guidelines, require a 
three-year plan. The OCC believes that a three-year plan is necessary 
for covered banks to predict changes that could affect the bank's 
financial position. If a covered bank experiences, or expects to 
experience, significant changes over a three-year time horizon, it must 
be able to predict and manage the risks associated with those changes. 
A strategic plan of less than three years would be insufficient to 
manage longer-term risks to the covered bank. The final Guidelines also 
do not include a requirement for a specific capital plan. While the OCC 
acknowledges the importance of capital planning, the final Guidelines 
are focused on risk management rather than on ensuring adequate capital 
ratios.
    The board of directors should evaluate and approve the strategic 
plan and monitor management's efforts to implement the strategic plan 
at least annually. While the OCC expects that for some covered banks an 
annual review of the Framework may be sufficient, other covered banks 
that have undergone major changes (for example, mergers) are expected 
to update their Frameworks to account for changed circumstances. The 
final Guidelines, like the proposal, provide that the strategic plan 
should be developed with input from internal audit. The OCC believes 
that internal audit can contribute to a strategic plan while 
maintaining the appropriate level of independence.
Risk Appetite Statement
    Paragraph E. of section II of the proposed Guidelines provided that 
the bank should have a comprehensive written statement that articulates 
a bank's risk appetite and serves as a basis for the Framework 
(Statement). The term risk appetite means the aggregate level and types 
of risk the board and management are willing to assume to achieve the 
bank's strategic objectives and business plan, consistent with 
applicable capital, liquidity, and other regulatory requirements.
    The proposal noted that the Statement should include: (i) 
Qualitative components that describe a safe and sound ``risk culture'' 
\45\ and how the bank would assess and accept risks, including those 
that are difficult to quantify; and (ii) quantitative limits that 
incorporate sound stress testing processes and, as appropriate, address 
the bank's earnings, capital and liquidity position. The proposed 
Guidelines also provided that the bank should set limits at levels that 
consider appropriate capital and liquidity buffers and prompt 
management and the board to reduce risk before the bank's risk profile 
jeopardizes the adequacy of its earnings, liquidity, and capital.\46\
---------------------------------------------------------------------------

    \45\ While there is no regulatory definition of risk culture, 
for purposes of these Guidelines, risk culture can be considered the 
shared values, attitudes, competencies, and behaviors present 
throughout the covered bank that shape and influence governance 
practices and risk decisions.
    \46\ The level and types of risk covered bank management and the 
board of directors are willing to assume to achieve the bank's 
strategic objectives and business plan should be consistent with its 
capital and liquidity needs and requirements, as well as other laws 
and regulatory requirements applicable to the covered bank. The 
board is not responsible for setting specific risk limits, but the 
board is required to review and approve the Statement.
---------------------------------------------------------------------------

    One commenter objected to the language in the preamble to the 
proposed Guidelines providing that when a bank's risk profile is 
substantially the same as its parent company, the bank's board may 
tailor the parent company's risk appetite statement to make it 
applicable to the bank. According to the commenter, a bank that meets 
the ``substantially the same'' test should be able to use the same risk 
appetite statement as its parent company. Another commenter requested 
clarification on the extent to which a board of directors is required 
to approve risk limits in connection with a Statement. The commenter 
argued that bank directors are not in a position to approve all of the 
limits necessary to manage risk.
    The OCC is adopting this paragraph as proposed with only technical 
changes. As with the proposed Guidelines, the final Guidelines do not 
include a specific regulatory definition of risk culture. However, 
setting an appropriate tone at the top is critical to establishing a 
sound risk culture, and the qualitative statements within the Statement 
should articulate the core values that the board and CEO expect 
employees throughout the covered bank to share when carrying out their 
respective roles and responsibilities within the covered bank. These 
values should serve as the basis for risk-taking decisions made 
throughout the covered bank and should be reinforced by the actions of 
the board, executive management, board committees, and individuals. As 
noted in the preamble to the proposed Guidelines, evidence of a sound 
risk culture includes, but is not limited to: (i) Open dialogue and 
transparent sharing of information between front line units, 
independent risk management, and internal audit; (ii) consideration of 
all relevant risks and the views of independent risk management and 
internal audit in risk-taking decisions; and (iii) compensation and 
performance management programs and decisions that reward compliance 
with the core values and quantitative limits established in the 
Statement, and hold accountable those who do not conduct themselves in 
a manner consistent with these articulated standards.
    As described in paragraph II.E. of the final Guidelines, 
quantitative limits in a covered bank's Statement should

[[Page 54534]]

incorporate sound stress testing processes, as appropriate, and should 
address the covered bank's earnings, capital, and liquidity. The 
covered bank may set quantitative limits on a gross or net basis. 
Lagging indicators, such as delinquencies, problem asset levels, and 
losses generally will not capture the build-up of risk during healthy 
economic periods. As a result, these indicators are generally not 
useful in proactively managing risk. However, setting quantitative 
limits based on performance under various adverse scenarios would 
enable the board and management to take actions that reduce risk before 
delinquencies, problem assets, and losses reach excessive levels.
    We expect examiners to apply judgment when determining which 
quantitative limits should be based on stress testing and to consider 
several factors, including, for example, the value in using such 
measures for the risk type, the covered bank's ability to produce such 
measures, the capabilities of similarly-situated institutions, and the 
degree to which the covered bank's board and management have invested 
in the resources needed to establish such capabilities. We note that 
the Federal banking agencies issued guidance on stress testing in May 
2012.\47\ The guidance describes various stress testing approaches and 
applications, and covered banks should consider the range of approaches 
and select the one(s) most suitable when establishing quantitative 
limits. Risk limits may be designed as thresholds, triggers, or hard 
limits, depending on how the board and management choose to manage 
risk. Thresholds or triggers that prompt discussion and action before a 
hard limit is reached or breached can be useful tools for reinforcing 
risk appetite and proactively responding to elevated risk indicators.
---------------------------------------------------------------------------

    \47\ 77 FR 29458 (May 17, 2012).
---------------------------------------------------------------------------

    When a covered bank's risk profile is substantially the same as 
that of its parent company, the covered bank's board may tailor the 
parent company's risk appetite statement to make it applicable to the 
covered bank. However, to ensure the sanctity of the national bank or 
Federal savings association charter, the board of any covered bank must 
approve the bank-level Statement and document any necessary adjustments 
or material differences between the covered bank's and parent company's 
risk profiles.
Concentration and Front Line Unit Risk Limits
    Paragraph F. of section II of the proposed Guidelines provided that 
the Framework should include concentration risk limits and, as 
applicable, front line unit risk limits for the relevant risks in each 
front line unit to ensure that these units do not create excessive 
risks. The proposal also provided that when aggregated across units, 
these risks do not exceed the limits established in the bank's risk 
appetite statement.
    One commenter suggested that the word ``ensure'' should not be used 
in this paragraph as it implies a guaranteed outcome. The commenter 
suggested a slightly different formulation of the language in this 
paragraph. The OCC is adopting this paragraph as proposed with the 
addition of the commenter's suggestion. The final Guidelines, state 
that concentration and front line unit risk limits should limit 
excessive risk taking.
Risk Appetite Review, Monitoring, and Communication Processes
    Paragraph G. of section II of the proposed Guidelines provided that 
the Framework should require: (i) Review and approval of the Statement 
by the board or the board's risk committee at least annually or more 
frequently, as necessary, based on the size and volatility of risks and 
any material changes in the bank's business model, strategy, risk 
profile, or market conditions; (ii) initial communication and ongoing 
reinforcement of the bank's Statement throughout the bank to ensure 
that all employees align their risk-taking decisions with the 
Statement; (iii) independent risk management to monitor the bank's risk 
profile in relation to its risk appetite and compliance with 
concentration risk limits and to report such monitoring to the board or 
the board's risk committee at least quarterly; (iv) front line units to 
monitor their respective risk limits and to report to independent risk 
management at least quarterly; and (v) when necessary due to the level 
and type of risk, independent risk management to monitor front line 
units' compliance with front line unit risk limits, ongoing 
communication with front line units regarding adherence to these risk 
limits, and to report any concerns to the CEO and the board or the 
board's risk committee, at least quarterly.
    We received only minor comments on this paragraph and, accordingly, 
we are adopting paragraph G. of the final Guidelines substantially as 
proposed, with a few technical changes. With regard to the monitoring 
and reporting set forth in paragraph G., we note that the frequency of 
such monitoring and reporting should be performed more often, as 
necessary, based on the size and volatility of the risks and any 
material change in the covered bank's business model, strategy, risk 
profile, or market conditions.
Processes Governing Risk Limit Breaches
    Paragraph H. of section II of the proposed Guidelines set out 
processes governing risk limit breaches. The proposal provided that the 
bank should establish and adhere to processes that require front line 
units and independent risk management, in conjunction with their 
respective responsibilities, to identify any breaches of the Statement, 
concentration risk limits, and front line unit risk limits, distinguish 
identified breaches based on the severity of their impact on the bank 
and establish protocols for when and how to inform the board, front 
line management, independent risk management, and the OCC of these 
breaches. The proposed Guidelines also provided that the bank should 
include in the protocols discussed above the requirement to provide a 
written description of how a breach will be, or has been, resolved and 
establish accountability for reporting and resolving breaches that 
include consequences for risk limit breaches that take into account the 
magnitude, frequency, and recurrence of breaches. Under the proposal, 
while both escalation and resolution processes are important elements 
of the Framework, it would be acceptable for banks to have different 
escalation and resolution processes for breaches of the Statement, 
concentration risk limits, and front line unit risk limits.
    The OCC did not receive any comments on this paragraph, and is 
adopting it as proposed with one change. We have included internal 
audit in the list of groups that will be informed of a risk limit 
breach.
Concentration Risk Management
    Paragraph I. of section II of the proposed Guidelines provided that 
the Framework should include policies and supporting processes that are 
appropriate for the bank's size, complexity, and risk profile that 
effectively identify, measure, monitor, and control the bank's 
concentration of risk. The OCC received no comments on this paragraph, 
and the final Guidelines are adopted as proposed with minor technical 
changes.
    Concentrations of risk can arise in any risk category, with the 
most common being identified with borrowers, funds providers, and 
counterparties. In addition, the OCC's eight categories of risk 
discussed earlier are not mutually

[[Page 54535]]

exclusive; any product or service may expose a covered bank to multiple 
risks and risks may also be interdependent.\48\ Furthermore, 
concentrations can exist on and off the balance sheet. Covered banks 
should continually enhance their concentration risk management 
processes to strengthen their ability to effectively identify, measure, 
monitor, and control concentrations that arise in all risk 
categories.\49\
---------------------------------------------------------------------------

    \48\ See ``Large Bank Supervision'' booklet of the Comptroller's 
Handbook (Jan. 2010).
    \49\ See ``Concentrations of Credit'' booklet of the 
Comptroller's Handbook (Dec. 2011); Interagency Supervisory Guidance 
on Counterparty Credit Risk Management at http://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-30.html.
---------------------------------------------------------------------------

Risk Data Aggregation and Reporting
    Paragraph J. of section II of the proposed Guidelines addressed 
risk data aggregation and reporting. This paragraph provided that the 
Framework should include a set of policies, supported by appropriate 
procedures and processes, designed so that the bank's risk data 
aggregation and reporting capabilities are appropriate for its size, 
complexity, and risk profile and support supervisory reporting 
requirements. The proposal provided that these policies, procedures, 
and processes should collectively provide for the design, 
implementation, and maintenance of data architecture and information 
technology infrastructure that support the bank's risk aggregation and 
reporting needs in times of normalcy and stress; the capturing and 
aggregating of risk data and reporting of material risks, 
concentrations, and emerging risks in a timely manner to the board and 
the OCC and the distribution of risk reports to all relevant parties at 
a frequency that meets the needs for decision-making purposes.
    The OCC is adopting the final Guidelines substantially as proposed 
with a few technical changes. The OCC expects covered banks to have 
risk aggregation and reporting capabilities that meet the board's and 
management's needs for proactively managing risk and ensuring the 
covered bank's risk profile remains consistent with its risk appetite.
Relationship of Risk Appetite Statement, Concentration Risk Limits, and 
Front Line Unit Risk Limits to Other Processes
    Paragraph K. of section II of the proposed Guidelines addressed the 
relationship between the Statement, concentration risk limits, and 
front line unit risk limits to other bank processes. The OCC received 
no comments on this paragraph and the OCC is adopting this section as 
proposed with minor technical changes. The covered bank's front line 
units and independent risk management should incorporate at a minimum 
the Statement, concentration risk limits, and front line unit risk 
limits into their strategic and annual operating plans, capital stress 
testing and planning processes, liquidity stress testing and planning 
processes, product and service risk management processes (including 
those for approving new and modified products and services), decisions 
regarding acquisitions and divestitures, and compensation performance 
management programs.
Talent Management Processes
    The proposed Guidelines provided that the bank should establish and 
adhere to processes for talent development, recruitment, and succession 
planning to ensure that management and employees who are responsible 
for or influence material risk decisions have the knowledge, skills, 
and abilities to effectively identify, measure, monitor, and control 
relevant risks. This paragraph also provided that a bank's talent 
management processes should ensure that the board of directors or a 
committee of the board: (i) Hires a CEO and approves the hiring of 
direct reports of the CEO with the skills and abilities to design and 
implement an effective Framework; (ii) establishes reliable succession 
plans for the CEO and his or her direct reports; and (iii) oversees the 
talent development, recruitment, and succession planning processes for 
individuals two levels down from the CEO. The proposal also provided 
that these processes should ensure that the board of directors or a 
committee of the board: (i) hires one or more CREs and a CAE that 
possess the skills and abilities to effectively implement the 
Framework; (ii) establishes reliable succession plans for the CRE and 
CAE; and (iii) oversees the talent development, recruitment, and 
succession planning processes for independent risk management and 
internal audit.
    Some commenters asserted that these provisions would impose 
administrative burdens on a bank's board of directors and 
inappropriately place operational management responsibilities on the 
board. Commenters noted that the establishment of succession plans for 
direct reports of the CEO and the oversight of talent development, 
recruitment, and succession processes for independent risk management, 
internal audit, and individuals two levels down from the CEO would be 
burdensome and are more appropriately assigned to bank management. 
These commenters argued that the OCC should remove these provisions 
from the final Guidelines.
    One commenter noted that it would be sufficient for the board of 
directors to oversee the talent development, recruitment, and 
succession planning for individuals one level down from the CEO. 
Another commenter argued that the OCC should expressly require 
succession planning for individuals two levels down from the CRE and 
CAE and require that succession plans identify one or more viable 
candidates for key positions. Another commenter construed this 
paragraph as imposing a general requirement that all banks hire 
dedicated CEOs, CREs, and CAEs, and argued that banks should be 
permitted to rely on ``dual-hatted'' employees. As previously 
discussed, the final Guidelines permit a covered bank to use components 
of its parent company's risk governance framework, including having 
employees serve in the same position at the covered bank and the parent 
company, to the extent this is appropriate for the covered bank. The 
OCC believes that this responds to this commenter's concerns.
    In light of the comments received, the OCC has revised this 
paragraph to reduce the operational burdens on the board of directors 
while maintaining appropriate board oversight of the talent management 
program for employees with significant responsibilities under the 
Framework. The final Guidelines provide that a covered bank's board of 
directors or an appropriate committee of the board should appoint a CEO 
and appoint or approve the appointment of a CAE and one or more CREs 
with the skills and abilities to carry out their roles and 
responsibilities within the Framework. This provision clarifies that 
the board of directors need not be involved in the hiring process for 
these individuals. This gives the board, or a committee thereof, the 
option to rely on management to appoint the CAE and CRE(s).\50\ 
Similarly, the final Guidelines provide that a covered bank's board of 
directors or an appropriate committee of the board should review and 
approve a written talent management program that provides for 
development, recruitment, and succession planning regarding the CEO, 
CAE, CRE(s), their direct reports, and other potential successors. The 
OCC

[[Page 54536]]

believes that this revision reduces the talent management 
responsibilities of the board of directors, or a committee thereof, 
because they are no longer expected to oversee the talent development, 
recruitment, and succession planning processes for independent risk 
management, internal audit, and individuals two levels down from the 
CEO, as provided in the proposed Guidelines. Instead, the board of 
directors, or a committee thereof, should review and approve a written 
talent management program for key employees in a covered bank's 
Framework. The OCC notes that it is very important that covered banks 
detail the development, recruitment, and succession planning for these 
individuals because they occupy critical positions in a covered bank's 
Framework.
---------------------------------------------------------------------------

    \50\ The OCC notes that the definition of ``independent risk 
management'' provides that the board of directors or its risk 
committee should approve all decisions regarding the appointment or 
removal of a CRE, while the definition of ``internal audit'' 
provides that the audit committee should approve all decisions 
regarding the appointment or removal of the CAE. See final 
Guidelines paragraphs I.E.7. and 8.
---------------------------------------------------------------------------

    Finally, the final Guidelines provide that a covered bank's board 
of directors or an appropriate committee of the board should require 
management to assign individuals specific responsibilities within the 
talent management program, and hold those individuals accountable for 
the program's effectiveness. This provision clarifies that the OCC 
expects the board of directors, or a committee thereof, to provide 
oversight to a covered bank's talent management program, and that 
responsibility for developing and implementing this program rests with 
covered bank management.
Compensation and Performance Management Programs
    The proposed Guidelines provided that a bank should establish and 
adhere to compensation and performance management programs that meet 
the requirements of any applicable statute or regulation. The proposal 
provided that these programs should be appropriate to ensure that the 
CEO, front line units, independent risk management, and internal audit 
implement and adhere to an effective Framework. The proposal also 
provided that programs should ensure that front line unit compensation 
plans and decisions appropriately consider the level and severity of 
issues and concerns identified by independent risk management and 
internal audit. The programs should be designed to attract and retain 
the talent needed to design, implement, and maintain an effective 
Framework. Finally, the proposed Guidelines provided that the programs 
should prohibit incentive-based payment arrangements, or any feature of 
any such arrangement, that encourages inappropriate risks by providing 
excessive compensation or that could lead to material financial loss.
    Some commenters supported this paragraph of the proposed 
Guidelines. One commenter argued that employee compensation should be 
linked to the entire organization's strategic goals and should 
incorporate organization-wide performance metrics. Another commenter 
requested that the OCC provide more specific standards for 
compensation. A commenter also objected to the proposed Guidelines to 
the extent they provided that the programs should ensure front line 
unit compensation plans and decisions appropriately consider the level 
and severity of issues, and instead suggested that the Guidelines 
should emphasize the timely correction of issues.
    Commenters also disagreed regarding the inclusion of the incentive 
compensation provision in the proposed Guidelines. Some commenters 
suggested that the proposed Guidelines should contain stronger language 
prohibiting incentive-based payment arrangements that encourage 
inappropriate risk. Other commenters argued that one could interpret 
this provision as creating standards beyond those established by 
existing interagency guidance as well as those set out in joint agency 
proposed rulemaking. These commenters recommended revising this 
provision to state that a bank's compensation and performance 
management programs should meet the requirements of applicable laws and 
regulations.
    After reviewing the comments received, the OCC is adopting the 
compensation and performance management program paragraph substantially 
as proposed with clarifying and technical changes. The OCC has revised 
this paragraph to provide that the compensation and performance 
management programs should ensure front line unit compensation plans 
and decisions appropriately consider the level and severity of issues 
and concerns identified by independent risk management and internal 
audit, as well as the timeliness of corrective action to resolve such 
issues and concerns. The OCC declines to remove the term ``severity,'' 
as suggested by one commenter because we believe this is an important 
factor in determining the materiality of issues and concerns.
    The OCC also has decided not to modify the remaining provisions of 
this paragraph, including the incentive compensation standard. As 
previously discussed, the final Guidelines establish minimum standards 
for the design and implementation of a covered bank's Framework and 
minimum standards for the covered bank's board of directors in 
providing oversight to the Framework's design and implementation. While 
compensation practices are an important part of a covered bank's 
Framework, the OCC notes that other authorities address this issue in 
more detail.\51\ The OCC reminds covered banks that employee 
compensation arrangements should comply with all applicable rules and 
guidance. The OCC also notes that section 956 of the Dodd-Frank Act 
\52\ requires the OCC, the Board, the FDIC, the National Credit Union 
Administration, the Securities and Exchange Commission, and the Federal 
Housing Finance Agency to jointly prescribe incentive-based regulations 
or guidelines applicable to covered institutions.\53\ The OCC notes 
that the incentive compensation standard included in the final 
Guidelines was adapted from the standard set out in section 956 of the 
Dodd-Frank Act, and that a covered bank's compensation and performance 
management programs should comply with the final regulations or 
guidelines implementing section 956 when they are issued.
---------------------------------------------------------------------------

    \51\ See 12 U.S.C. 1831p-1(c); 12 CFR part 30, Appendix A 
(requiring institutions to maintain safeguards to prevent the 
payment of compensation, fees, and benefits that are excessive or 
that could lead to material financial loss to an institution, and 
prohibiting excessive compensation as an unsafe and unsound 
practice). As provided in the Guidelines, covered banks subject to 
the final Guidelines should ensure that practices established within 
their Frameworks also meet the standards set forth in appendices A, 
B, and C to part 30. See final Guidelines II.C. note 2. We also note 
that the OCC, Board, the Federal Deposit Insurance Corporation 
(FDIC), and the OTS issued interagency guidance that addresses 
incentive-based compensation. See Guidance on Sound Incentive 
Compensation Policies, 75 FR 36395 (June 25, 2010).
    \52\ 12 U.S.C. 5641.
    \53\ See 76 FR 21170 (Apr. 14, 2011).
---------------------------------------------------------------------------

Section III: Standards for Board of Directors

    Section III of the final Guidelines sets forth the minimum 
standards for a covered bank's board of directors in providing 
oversight to the Framework's design and implementation.
    Some commenters expressed concern regarding the standards contained 
in section III of the proposed Guidelines. For example, some commenters 
argued that the proposed Guidelines would distract the board of 
directors from its strategic and oversight role. Other commenters 
asserted that the proposed Guidelines would place an undue burden on 
the board of directors by assigning managerial responsibilities to the 
board that are more properly the role

[[Page 54537]]

of bank management. Some commenters also argued that the oversight 
mandated by the proposed Guidelines would increase a board of 
directors' exposure to liability and discourage qualified individuals 
from agreeing to serve on the board.
    The OCC has revised the standards to recognize the board of 
directors' key strategic and oversight role with respect to the design 
and implementation of the Framework. The OCC believes that these 
revisions respond to commenters' concerns and avoid imposing an undue 
operational burden on the board of directors. Set forth below is a 
discussion of the minimum standards for a covered bank's board of 
directors in providing oversight to the Framework's design and 
implementation under the final Guidelines.
Require an Effective Risk Governance Framework
    Paragraph A. of section III of the proposed Guidelines provided 
that each member of the bank's board of directors has a duty to oversee 
the bank's compliance with safe and sound banking practices. The 
proposed Guidelines also provided that the board of directors should 
ensure that the bank establishes and implements an effective Framework 
that complies with the Guidelines. Finally, the proposed Guidelines 
provided that the board of directors or its risk committee should 
approve any changes to the Framework.
    Many commenters strongly opposed the use of the word ``ensure'' in 
the proposed Guidelines. Some commenters noted that the term ``ensure'' 
could be read as a guarantee of results and understood to imply that 
the board of directors is required to be involved in the day-to-day 
activities of the bank. These commenters asserted that it may make it 
more difficult for banks to attract qualified candidates for a bank's 
board of directors and may imply that the board could be held liable 
for management actions even when director oversight has been 
reasonable. Other commenters suggested that the final Guidelines should 
provide that a board of directors fulfills its oversight function by 
reviewing, evaluating, and approving a Framework that is designed, 
recommended, and implemented by management and by receiving reports on 
material compliance matters.
    Many commenters recommended that the OCC remove the word ``ensure'' 
from the final Guidelines, and provided a number of alternatives to 
address their concerns. Commenters suggested that the OCC replace 
``ensure'' with: ``Require,'' ``oversee,'' ``actively oversee,'' and 
``oversee and confirm.'' Commenters generally argued that these 
alternatives more accurately reflect the board of directors' oversight 
function.
    After reviewing the comments, the OCC is revising this paragraph of 
the final Guidelines to remove the terms ``duty'' and ``ensure.'' The 
OCC did not intend to impose managerial responsibilities on the board 
of directors, or suggest that the board must guarantee results under 
the Framework. Accordingly, consistent with commenter suggestions, the 
final Guidelines provide that the board of directors should require 
management to establish and implement an effective Framework that meets 
the minimum standards described in the Guidelines. The OCC believes 
that this revision aligns the board of directors' responsibilities 
under this paragraph with their traditional strategic and oversight 
role.
    The OCC has also modified this paragraph to reduce the operational 
burdens placed on the board of directors while maintaining their 
involvement in overseeing the Framework's design and implementation. 
The final Guidelines clarify that the board of directors or its risk 
committee should approve significant changes to the Framework and 
monitor compliance with the Framework. This revision clarifies that the 
board or risk committee should only approve significant changes to the 
Framework, rather than all changes, as provided in the proposed 
Guidelines. This change also clarifies that the board of directors or 
the risk committee should monitor compliance with the Framework. The 
board of directors or the risk committee monitors compliance with the 
Framework by overseeing management's implementation of the Framework 
and holding management accountable for fulfilling their 
responsibilities under the Framework.
Provide Active Oversight of Management
    Paragraph B. of section III of the proposed Guidelines provided 
that the board of directors should actively oversee the bank's risk-
taking activities and hold management accountable for adhering to the 
Framework. The proposed Guidelines also provided that the board of 
directors should question, challenge, and, when necessary, oppose 
management's proposed actions that could cause the bank's risk profile 
to exceed its risk appetite or threaten the bank's safety and 
soundness.
    Commenters expressed concern that these provisions would promote 
confrontation between the board of directors and bank management at 
board meetings. Some commenters argued that this would deter open and 
candid dialogue between the board of directors and bank management, and 
that emphasizing board opposition will detract from determining how 
active the board is in overseeing management actions.
    Some commenters also argued that the board of directors' oversight 
of management should not be characterized as ``active'' because it 
implies that board members are implementing and assuming management 
functions.
    The final Guidelines continue to provide that a covered bank's 
board of directors should actively oversee the covered bank's risk-
taking activities and hold management accountable for adhering to the 
Framework. The OCC believes that it is important for the board of 
directors to understand a covered bank's risk-taking activities and to 
be engaged in providing oversight to these activities. The final 
Guidelines clarify that the board of directors provides active 
oversight by relying on risk assessments and reports prepared by 
independent risk management and internal audit. Therefore, the final 
Guidelines do not contemplate that the board of directors will assume 
managerial responsibilities in providing active oversight of 
management--instead, the board is permitted to rely on independent risk 
management and internal audit to meet its responsibilities under this 
paragraph. Some boards of directors periodically engage third-party 
experts to assist them in understanding risks and issues and to make 
recommendations to strengthen board and bank practices. While the 
Guidelines focus on independent risk management and internal audit, 
they do not prohibit boards of directors from engaging third-party 
experts to also assist them in carrying out their duties.
    The final Guidelines continue to articulate the OCC's expectation 
that the board of directors should provide a credible challenge to 
management. The OCC believes that a board of directors will be able to 
provide this challenge if its members have a comprehensive 
understanding of the covered bank's risk-taking activities. During the 
financial crisis, the OCC observed that some members of the board of 
directors at certain institutions had an incomplete understanding of 
their institution's risk exposures. The OCC believes that this 
evidences both a failure to exercise adequate oversight of management 
and critically evaluate management's recommendations and decisions 
during the years preceding the financial crisis.
    The OCC believes that the capacity to dedicate sufficient time and 
energy in

[[Page 54538]]

reviewing information and developing an understanding of the key issues 
related to a covered bank's risk-taking activities is a critical 
prerequisite to being an effective director. Informed directors are 
well-positioned to engage in substantive discussions with management 
wherein the board of directors provides approval to management, 
requests guidance to clarify areas of uncertainty, and prudently 
questions the propriety of strategic initiatives. Therefore, the final 
Guidelines continue to provide that the board of directors, in reliance 
on information it receives from independent risk management and 
internal audit, should question, challenge, and when necessary, oppose 
recommendations and decisions made by management that could cause the 
covered bank's risk profile to exceed its risk appetite or jeopardize 
the safety and soundness of the covered bank. In addition to resulting 
in a more informed board of directors, the OCC expects that this 
provision will enable the board to make a determination as to whether 
management is adhering to, and understands, the Framework. For example, 
recurring breaches of risk limits or actions that cause the covered 
bank's risk profile to materially exceed its risk appetite may 
demonstrate that management does not understand or is not adhering to 
the Framework. In these situations, the board of directors should take 
action to hold the appropriate party, or parties, accountable.
    The OCC does not intend this standard to become a compliance 
exercise for the covered bank, or lead to scripted meetings between the 
board of directors and management. Instead, the OCC intends to assess 
compliance with this standard primarily by engaging OCC examiners in 
frequent conversations with directors. Likewise, the OCC does not 
expect the board of directors to evidence opposition to management 
during each board meeting. Instead, the OCC emphasizes that the board 
of directors should oppose management's recommendations and decisions 
only when necessary. The OCC believes that an environment in which 
examiners, board members, and management openly and honestly 
communicate benefits a covered bank, and expects these types of 
interactions to continue.
Exercise Independent Judgment
    The proposed Guidelines provided that in carrying out his or her 
duty to provide active oversight of bank management, a director should 
exercise sound, independent judgment. We received no comments on this 
paragraph and adopt it in the final Guidelines substantially as 
proposed. In determining whether a board member is adequately objective 
and independent, the OCC will consider the degree to which the member's 
other responsibilities conflict with his or her ability to act in the 
covered bank's interest.
Include Independent Directors
    Paragraph D. of section III of the proposed Guidelines provided 
that at least two members of a bank's board of directors should be 
independent, i.e., they should not be members of the bank's or the 
parent company's management. In the preamble to the proposal, we noted 
that this would enable the bank's board to provide effective, 
independent oversight of bank management and, to the extent the bank's 
independent directors are also members of the parent company's board, 
the OCC would expect that such directors would consider the safety and 
soundness of the bank in decisions made by the parent company that 
impact the bank's risk profile. The proposal also provided that this 
standard would not supersede other applicable regulatory requirements 
concerning the composition of a Federal savings association's board 
\54\ and that these associations must continue to comply with such 
requirements.
---------------------------------------------------------------------------

    \54\ See 12 CFR 163.33.
---------------------------------------------------------------------------

    We received a number of comments on this paragraph. Some commenters 
opposed the requirement for two independent directors. These commenters 
believe that the bank should have the flexibility to decide the 
structure of their own board based on their individual business 
requirements as long as the board appropriately controls risk. One 
commenter suggested that the requirement for two independent directors 
not apply to banks with boards with seven or fewer total directors or 
if the bank can demonstrate that it would be an undue hardship to find 
two independent directors. A few commenters noted that it would be 
better to require a percentage of independent directors rather than 
requiring a specific number. Other commenters supported this 
requirement.
    One commenter noted that our independence standard differed from 
the Board's standard in their Dodd-Frank Act section 165 rules and 
suggested that the OCC adopt the Board's standard of independence to be 
consistent.
    The OCC is retaining the requirement for covered banks to have at 
least two independent board members. However, as suggested by one 
commenter, we have revised this provision to be consistent with the 
Board's independence standard in its Dodd-Frank Act section 165 
rules.\55\ The final Guidelines provide that at least two members of 
the board of each covered bank should not be an officer or employee of 
the parent company or covered bank and has not been an officer or 
employee of the parent company or covered bank during the previous 
three years; should not be a member of the immediate family, as defined 
in the Board's Regulation Y,\56\ of a person who is, or has been within 
the last three years, an executive officer of the parent company or 
covered bank, as defined in the Board's Regulation O; \57\ and should 
qualify as an independent director under the listing standards of a 
national securities exchange, as demonstrated to the satisfaction of 
the OCC.
---------------------------------------------------------------------------

    \55\ Several commenters also suggested that the OCC coordinate 
with the Board to ensure that these Guidelines are consistent with 
the Board's enhanced prudential standards relating to risk 
management that were issued under section 165 of the Dodd-Frank Act. 
See 12 U.S.C. 5365. The Board's enhanced prudential standards apply 
to a covered bank's holding company and commenters raised concerns 
that inconsistencies could create unnecessary burden. We note that 
OCC staff met with Board staff to discuss the relationship between 
these Guidelines and the Board's section 165 rules. The independence 
standard for directors in the final Guidelines is an example of the 
OCC's efforts to address potential inconsistencies.
    \56\ 12 CFR 225.41(b)(3).
    \57\ 12 CFR 215.2(e)(1).
---------------------------------------------------------------------------

Provide Ongoing Training to Directors
    Paragraph E. of section III of the proposed Guidelines provided 
that in order to ensure that each member of the board of directors has 
the knowledge, skills, and abilities needed to meet the standards set 
forth in the Guidelines, the board should establish and adhere to a 
formal, ongoing training program for directors. The proposed Guidelines 
provided that the training program apply only to independent directors 
and should include training on: (i) Complex products, services, lines 
of business, and risks that have a significant impact on the bank; (ii) 
laws, regulations, and supervisory requirements applicable to the bank; 
and (iii) other topics identified by the board of directors.
    Some commenters requested that the OCC reconsider this paragraph, 
and suggested that it may discourage qualified individuals from serving 
as bank directors. Other commenters recommended that the board of 
directors should retain discretion in directing the frequency, scope, 
and selecting the provider of training to

[[Page 54539]]

board members. These commenters also suggested that the training 
program should only include training on material laws, regulations, and 
supervisory requirements, and that the final Guidelines should permit 
banks to choose training suited to their business model, risk profile, 
and the background of board members. Another commenter suggested that 
the OCC revise this paragraph to enable a bank's independent risk 
management and/or internal audit units to recommend training to the 
board of directors.
    After considering the comments, the OCC has revised this paragraph 
in the final Guidelines to apply to all directors \58\ but to provide 
more flexibility to the board of directors in structuring a formal, 
ongoing training program for directors. Specifically, the final 
Guidelines incorporate commenters' suggestions and provide that the 
training program should consider the directors' knowledge and 
experience and the covered bank's risk profile. This revision reflects 
the OCC's belief that the training program should be tailored to the 
director's needs, experience, and education. Similarly, the final 
Guidelines provide more flexibility to covered banks to focus the 
training program on material topics because the final Guidelines 
emphasize that the program should include training on ``appropriate'' 
areas. The OCC also notes that covered banks retain discretion in 
directing the frequency, scope, and selecting the provider of training 
under the final Guidelines.
---------------------------------------------------------------------------

    \58\ This provision applies to all directors because directors 
that are members of management may not have expertise in all matters 
for which the board of directors may be providing oversight.
---------------------------------------------------------------------------

    The OCC continues to believe that the board of directors should be 
financially knowledgeable and committed to conducting diligent reviews 
of the covered bank's management team, financial status, and business 
plans. OCC examiners will evaluate each director's knowledge and 
experience, as demonstrated in their written biography and discussions 
with examiners.
Self-Assessments
    Paragraph F. of section III of the proposed Guidelines provided 
that the bank's board of directors should conduct an annual self-
assessment that includes an evaluation of the board's effectiveness in 
meeting the standards provided in section III of the Guidelines.
    The OCC received no comments and is adopting this paragraph as 
proposed. The OCC notes that the self-assessment discussed in this 
paragraph can be part of a broader self-assessment process conducted by 
the board of directors, and should result in a constructive dialogue 
among board members that identifies opportunities for improvement and 
leads to specific changes that are capable of being tracked, measured, 
and evaluated. For example, these may include broad changes that range 
from changing the board of directors' composition and structure, 
meeting frequency and agenda items, board report design or content, 
ongoing training program design or content, and other process and 
procedure topics.

Relationship Between the Guidelines and OCC's Heightened Expectations 
Program

    As discussed above, the final Guidelines will supersede the current 
heightened expectations program. The informal guidance communicated in 
a Deputy Comptroller memo and ``one page'' documents will no longer be 
used to evaluate covered banks. Examiners will assess covered bank 
governance and risk management practices using these final Guidelines 
and other existing OCC policy guidance such as handbooks and bulletins 
to identify appropriate practices and weaknesses and communicate areas 
needing improvement to the board of directors and management of covered 
banks according to existing supervisory processes as described in the 
``Bank Supervision Processes'' booklet of the Comptroller's Handbook.

Integration of Federal Savings Associations Into Part 30

    As noted above, 12 CFR parts 30 and 170 establish safety and 
soundness rules and guidelines for national banks and Federal savings 
associations, respectively. The OCC proposed to make part 30 and its 
respective appendices applicable to both national banks and Federal 
savings associations. The OCC also proposed to remove part 170, as it 
would no longer be necessary, and to make other minor changes to part 
30, including the deletion of references to rescinded OTS guidance. We 
received no comments on these amendments and therefore adopt them as 
proposed, with minor technical drafting corrections. These amendments 
are described below.
    Safety and Soundness Rules. On July 10, 1995, the Federal banking 
agencies adopted a final rule establishing deadlines for submission and 
review of safety and soundness compliance plans.\59\ The final rule 
provides that the agencies may require compliance plans to be filed by 
an insured depository institution for failure to meet the safety and 
soundness standards prescribed by guideline pursuant to section 39 of 
the FDIA. The safety and soundness rules for national banks and Federal 
savings associations are set forth at 12 CFR parts 30 and 170, 
respectively, and, with one exception discussed below, they are 
substantively the same.
---------------------------------------------------------------------------

    \59\ See 60 FR 35674.
---------------------------------------------------------------------------

    Twelve CFR part 30 establishes the procedures a national bank must 
follow if the OCC determines that the bank has failed to satisfy a 
safety and soundness standard or if the OCC requests the bank to file a 
compliance plan. Section 30.4(d) provides that if a bank fails to 
submit an acceptable compliance plan within the time specified by the 
OCC or fails in any material respect to implement a compliance plan, 
then the OCC shall require the bank to take certain actions to correct 
the deficiency. However, if a bank has experienced ``extraordinary 
growth'' during the previous 18-month period, then the rule provides 
that the OCC may be required to take certain action to correct the 
deficiency. Section 30.4(d)(2) defines ``extraordinary growth'' as ``an 
increase in assets of more than 7.5 percent during any quarter within 
the 18-month period preceding the issuance of a request for submission 
of a compliance plan.''
    Twelve CFR part 170 sets forth nearly identical safety and 
soundness rules for Federal savings associations to those applicable in 
part 30. However, in contrast to part 30, part 170 does not define 
``extraordinary growth.'' Instead, the OCC determines whether a savings 
association has undergone extraordinary growth on a case-by-case basis 
by considering various factors such as the association's management, 
asset quality, capital adequacy, interest rate risk profile, and 
operating controls and procedures.\60\
---------------------------------------------------------------------------

    \60\ See Thrift Regulatory Bulletin 3b, ``Policy Statement on 
Growth for Savings Associations'' (Nov. 26, 1996).
---------------------------------------------------------------------------

    In order to streamline and consolidate the safety and soundness 
rules applicable to national banks and Federal savings associations, 
the OCC is applying part 30 to Federal savings associations. This 
change will not subject Federal savings associations to any new 
requirements but will subject them to the section 30.4(d)(2) definition 
of ``extraordinary growth.'' This definition incorporates an objective 
standard for determining ``extraordinary growth'' that is based on an 
increase in assets over a period of time and will provide greater 
clarity and guidance to Federal savings associations on when

[[Page 54540]]

the OCC would be required to take action to correct a deficiency.
    Guidelines Establishing Standards for Safety and Soundness. In 
conjunction with the final rule establishing deadlines for compliance 
plans, the agencies jointly adopted Interagency Guidelines Establishing 
Standards for Safety and Soundness (Safety and Soundness Guidelines) as 
Appendix A to each of the agencies' respective safety and soundness 
rules. The Safety and Soundness Guidelines are set forth in Appendix A 
to parts 30 and 170 for national banks and savings associations, 
respectively. The texts of Appendix A for national banks and savings 
associations are substantively identical. Pursuant to section 39 of the 
FDIA, by adopting the safety and soundness standards as guidelines, the 
OCC may pursue the course of action that it determines to be most 
appropriate, taking into consideration the circumstances of a national 
bank's noncompliance with one or more standards, as well as the bank's 
self-corrective and remedial responses.
    In order to streamline and consolidate all safety and soundness 
guidelines in one place, this final rule amends Appendix A to part 30 
so that it also applies to Federal savings associations. This change 
will not result in any new requirements for Federal savings 
associations.
    Guidelines Establishing Information Security Standards. Section 501 
of the Gramm-Leach-Bliley Act requires the Federal banking agencies, 
the National Credit Union Administration, the Securities and Exchange 
Commission, and the Federal Trade Commission to establish appropriate 
standards relating to administrative, technical, and physical 
safeguards for customer records and information for the financial 
institutions subject to their respective jurisdictions. Section 505(b) 
requires the agencies to implement these standards in the same manner, 
to the extent practicable, as the standards prescribed pursuant to 
section 39(a) of the FDIA. Guidelines implementing the requirements of 
section 501, Interagency Guidelines Establishing Information Security 
Standards, are set forth in Appendix B to parts 30 and 170 for national 
banks and Federal savings associations, respectively.\61\ The texts of 
Appendix B for national banks and savings associations are 
substantively identical.
---------------------------------------------------------------------------

    \61\ Appendix B to part 30 currently applies to national banks, 
Federal branches and agencies of foreign banks, and any subsidiaries 
of such entities (except brokers, dealers, persons providing 
insurance, investment companies, and investment advisers).
---------------------------------------------------------------------------

    In order to streamline and consolidate all safety and soundness 
guidelines in one place, the OCC is amending Appendix B to part 30 so 
that it also applies to Federal savings associations. This change will 
not result in any new requirements for Federal savings associations.
    Guidelines Establishing Standards for Residential Mortgage Lending 
Practices. On February 7, 2005, the OCC adopted guidelines establishing 
standards for residential mortgage lending practices for national banks 
and their operating subsidiaries as Appendix C to part 30.\62\ These 
guidelines address certain residential mortgage lending practices that 
are contrary to safe and sound banking practices, may be conducive to 
predatory, abusive, unfair or deceptive lending practices, and may 
warrant a heightened degree of care by lenders.
---------------------------------------------------------------------------

    \62\ See 70 FR 6329. Appendix C currently applies to national 
banks, Federal branches and agencies of foreign banks, and any 
operating subsidiaries of such entities (except brokers, dealers, 
persons providing insurance, investment companies, and investment 
advisers).
---------------------------------------------------------------------------

    While there is no equivalent to Appendix C in part 170, Federal 
savings associations are subject to guidance on residential mortgage 
lending.\63\ For many of the same reasons that the OCC decided to 
incorporate its residential mortgage lending guidance into a single set 
of guidelines adopted pursuant to section 39, the OCC is now applying 
Appendix C to Federal savings associations. As a result, Federal 
savings associations will be subject to the same guidance on 
residential mortgage lending as national banks, thereby harmonizing 
residential mortgage lending standards for both types of institutions. 
Moreover, the application of Appendix C to Federal savings associations 
clarifies the residential mortgage lending standards applicable to 
these institutions and enhances the overall safety and soundness of 
Federal savings associations, because the Appendix C guidelines are 
enforceable pursuant to the FDIA section 39 process as implemented by 
part 30. It should be noted, however, that although the guidelines in 
Appendix C incorporate and implement some of the principles set forth 
in current Federal savings association guidance on residential real 
estate lending, they do not replace such guidance.
---------------------------------------------------------------------------

    \63\ See Examination Handbook Section 212, ``One- to Four-Family 
Residential Real Estate Lending'' (Feb. 10, 2011) (incorporating 
Regulatory Bulletin 37-18 (Mar. 31, 2007)) and OCC Bulletin 1999-38, 
``Treatment of High LTV Residential Real Estate Loans'' (Oct. 13, 
1999).
---------------------------------------------------------------------------

Description of Technical Amendments to Part 30

    We also are including in this final rule technical and conforming 
amendments to the part 30 regulations to add references to new Appendix 
D, which contains the Guidelines, where appropriate.
    The Guidelines are enforceable, pursuant to section 39 of the FDIA 
and part 30, as we have described. That enforcement mechanism is not 
necessarily exclusive, however. Nothing in the Guidelines in any way 
limits the authority of the OCC to address unsafe or unsound practices 
or conditions or other violations of law. Thus, for example, a bank's 
failure to comply with the standards set forth in these Guidelines may 
also be actionable under section 8 of the FDIA if the failure 
constitutes an unsafe or unsound practice.
    In addition, we are replacing the cross-references to 12 CFR 40.3, 
the OCC's former privacy rule, with the appropriate cite to the 
Consumer Financial Protection Bureau's (CFPB) privacy rule, 12 CFR 
1016.3, in the definitions of ``customer'' and ``customer information'' 
in Appendix B to part 30. The Dodd-Frank Act transferred to the CFPB 
Federal rulemaking authority to issue privacy rules applicable to 
national banks, as well as Federal savings associations. As a result, 
12 CFR part 40 is no longer operative and national banks now must 
comply with these rules as reissued by the CFPB.\64\
---------------------------------------------------------------------------

    \64\ The OCC removed 12 CFR part 40 from the Code of Federal 
Regulations earlier this year. 79 FR 15639 (Mar. 21, 2014).
---------------------------------------------------------------------------

    Lastly, in 12 CFR 168.5, we have replaced the reference to part 170 
with part 30 to reflect the fact that this final rule removes part 170 
and applies part 30 and its appendices to Federal savings associations.

Regulatory Analysis

Paperwork Reduction Act

    The OCC has determined that the final Guidelines involve 
information collection requirements pursuant to the provisions of the 
Paperwork Reduction Act of 1995 (the PRA) (44 U.S.C. 3501 et seq.).
    The OCC may not conduct or sponsor, and an organization is not 
required to respond to, these information collection requirements 
unless the information collection displays a currently valid Office of 
Management and Budget (OMB) control number. The OCC has submitted this 
collection to OMB pursuant to section 3507(d) of the PRA

[[Page 54541]]

and section 1320.11 of OMB's implementing regulations (5 CFR part 
1320).
    The OCC submitted this collection to OMB at the proposed rule stage 
as well. OMB filed comments instructing the OCC to examine public 
comment in response to the proposed rule and describe in the supporting 
statement of its next collection any public comments received regarding 
the collection as well as why (or why it did not) incorporate the 
commenter's recommendation. The OCC received no comments regarding the 
collection.
Abstract
    The information collection requirements are found in 12 CFR part 
30, Appendix D, which establishes minimum standards for the design and 
implementation of a risk governance framework for insured national 
banks, insured Federal savings associations, and insured Federal 
branches of a foreign bank with average total consolidated assets equal 
to or greater than $50 billion. Insured national banks and insured 
Federal savings associations with average total consolidated assets of 
less than $50 billion will also be subject to the Guidelines if that 
institution's parent company controls at least one insured national 
bank or insured Federal savings association with average total 
consolidated assets equal to or greater than $50 billion. The OCC 
reserves the authority to apply these requirements to an insured 
national bank, insured Federal savings association, or insured Federal 
branch of a foreign bank that has average total consolidated assets of 
less than $50 billion if the OCC determines that its operations are 
highly complex or otherwise present a heightened risk.
Standards for Risk Governance Framework
    Covered banks should establish and adhere to a formal, written risk 
governance framework designed by independent risk management. It should 
include delegations of authority from the board of directors to 
management committees and executive officers as well as risk limits 
established for material activities. It should be approved by the board 
of directors or the board's risk committee and reviewed and updated at 
least annually by independent risk management.
Front Line Units
    Front line units should take responsibility and be held accountable 
by the CEO and the board of directors for appropriately assessing and 
effectively managing all of the risks associated with their activities. 
In fulfilling this responsibility, each front line unit should, either 
alone or in conjunction with another organizational unit that has the 
purpose of assisting a front line unit: (i) Assess, on an ongoing 
basis, the material risks associated with its activities and use such 
risk assessments as the basis for fulfilling its responsibilities and 
for determining if actions need to be taken to strengthen risk 
management or reduce risk given changes in the unit's risk profile or 
other conditions; (ii) establish and adhere to a set of written 
policies that include front line unit risk limits. Such policies should 
ensure risks associated with the front line unit's activities are 
effectively identified, measured, monitored, and controlled, consistent 
with the covered bank's risk appetite statement, concentration risk 
limits, and all policies established within the risk governance 
framework; (iii) establish and adhere to procedures and processes, as 
necessary to maintain compliance with the policies described in (ii); 
(iv) adhere to all applicable policies, procedures, and processes 
established by independent risk management; (v) develop, attract, and 
retain talent and maintain staffing levels required to carry out the 
unit's role and responsibilities effectively; (vi) establish and adhere 
to talent management processes; and (vii) establish and adhere to 
compensation and performance management programs.
Independent Risk Management
    Independent risk management should oversee the covered bank's risk-
taking activities and assess risks and issues independent of the front 
line units by: (i) Designing a comprehensive written risk governance 
framework commensurate with the size, complexity, and risk profile of 
the covered bank; (ii) identifying and assessing, on an ongoing basis, 
the covered bank's material aggregate risks; (iii) establishing and 
adhering to enterprise policies that include concentration risk limits; 
(iv) establishing and adhering to procedures and processes, to ensure 
compliance with policies in (iii); (v) identifying and communicating to 
the CEO and board of directors or board's risk committee material risks 
and significant instances where independent risk management's 
assessment of risk differs from that of a front line unit, and 
significant instances where a front line unit is not adhering to the 
risk governance framework; (vi) identifying and communicating to the 
board of directors or the board's risk committee material risks and 
significant instances where independent risk management's assessment of 
risk differs from the CEO, and significant instances where the CEO is 
not adhering to, or holding front line units accountable for adhering 
to, the risk governance framework; and (vii) developing, attracting, 
and retaining talent and maintaining staffing levels required to carry 
out the unit's role and responsibilities effectively while establishing 
and adhering to talent management processes and compensation and 
performance management programs.
Internal Audit
    Internal audit should ensure that the covered bank's risk 
management framework complies with the Guidelines and is appropriate 
for the size, complexity, and risk profile of the covered bank. It 
should maintain a complete and current inventory of all of the covered 
bank's material processes, product lines, services, and functions, and 
assess the risks, including emerging risks, associated with each, which 
collectively provide a basis for the audit plan. It should establish 
and adhere to an audit plan, which is periodically reviewed and 
updated, that takes into account the covered bank's risk profile, 
emerging risks, issues, and establishes the frequency with which 
activities should be audited. The audit plan should require internal 
audit to evaluate the adequacy of and compliance with policies, 
procedures, and processes established by front line units and 
independent risk management under the risk governance framework. 
Significant changes to the audit plan should be communicated to the 
board's audit committee. Internal audit should report in writing, 
conclusions and material issues and recommendations from audit work 
carried out under the audit plan to the board's audit committee. 
Reports should identify the root cause of any material issue and 
include: (i) A determination of whether the root cause creates an issue 
that has an impact on one organizational unit or multiple 
organizational units within the covered bank; and (ii) a determination 
of the effectiveness of front line units and independent risk 
management in identifying and resolving issues in a timely manner. 
Internal audit should establish and adhere to processes for 
independently assessing the design and ongoing effectiveness of the 
risk governance framework on at least an annual basis. The independent 
assessment should include a conclusion on the covered bank's compliance 
with the standards set forth in the Guidelines. Internal audit should

[[Page 54542]]

identify and communicate to the board of directors or board's audit 
committee significant instances where front line units or independent 
risk management are not adhering to the risk governance framework. 
Internal audit should establish a quality assurance program that 
ensures internal audit's policies, procedures, and processes comply 
with applicable regulatory and industry guidance, are appropriate for 
the size, complexity, and risk profile of the covered bank, are updated 
to reflect changes to internal and external risk factors, emerging 
risks, and improvements in industry internal audit practices, and are 
consistently followed. Internal audit should develop, attract, and 
retain talent and maintain staffing levels required to effectively 
carry out its role and responsibilities. Internal audit should 
establish and adhere to talent management processes. Internal audit 
should establish and adhere to compensation and performance management 
programs.
Strategic Plan
    The CEO, with input from front line units, independent risk 
management, and internal audit, should be responsible for the 
development of a written strategic plan that should cover, at a 
minimum, a three-year period. The board of directors should evaluate 
and approve the plan and monitor management's efforts to implement the 
strategic plan at least annually. The plan should include a 
comprehensive assessment of risks of the covered bank, an overall 
mission statement and strategic objectives, an explanation of how the 
covered bank will update the risk governance framework to account for 
projected changes to its risk profile, and be reviewed, updated, and 
approved pursuant to changes in the covered bank's risk profile or 
operating environment that were not contemplated when the plan was 
developed.
Risk Appetite Statement
    A covered bank should have a comprehensive written statement 
outlining its risk appetite that serves as the basis for the risk 
governance framework. It should contain qualitative components that 
define a safe and sound risk culture and how the covered bank will 
assess and accept risks and quantitative limits that include sound 
stress testing processes and address earnings, capital, and liquidity.
Risk Limit Breaches
    A covered bank should establish and adhere to processes that 
require front line units and independent risk management to: (i) 
Identify breaches of the risk appetite statement, concentration risk 
limits, and front line unit risk limits; (ii) distinguish breaches 
based on the severity of their impact; (iii) establish protocols for 
disseminating information regarding a breach; (iv) provide a written 
description of the breach resolution; and (v) establish accountability 
for reporting and resolving breaches.
Concentration Risk Management
    The risk management framework should include policies and 
supporting processes appropriate for the covered bank's size, 
complexity, and risk profile for effectively identifying, measuring, 
monitoring, and controlling the covered bank's concentrations of risk.
Risk Data Aggregation and Reporting
    This risk governance framework should include a set of policies, 
supported by appropriate procedures and processes, designed to provide 
risk data aggregation and reporting capabilities appropriate for the 
covered bank's size, complexity, and risk profile and support 
supervisory reporting requirements. Collectively, these policies, 
procedures, and processes should provide for: (i) The design, 
implementation, and maintenance of a data architecture and information 
technology infrastructure that supports the covered bank's risk 
aggregation and reporting needs during normal times and during times of 
stress; (ii) the capturing and aggregating of risk data and reporting 
of material risks, concentrations, and emerging risks in a timely 
manner to the board of directors and the OCC; and (iii) the 
distribution of risk reports to all relevant parties at a frequency 
that meets their needs for decision-making purposes.
Talent Management and Compensation
    A covered bank should establish and adhere to processes for talent 
development, recruitment, and succession planning. The board of 
directors or appropriate committee should review and approve a written 
talent management program. A covered bank should also establish and 
adhere to compensation and performance management programs that comply 
with any applicable statute or regulation.
Board of Directors Training and Evaluation
    The board of directors of a covered bank should establish and 
adhere to a formal, ongoing training program for all directors. The 
board of directors should also conduct an annual self-assessment.
    Title: OCC Guidelines Establishing Heightened Standards for Certain 
Large Insured National Banks, Insured Federal Savings Associations, and 
Insured Federal Branches; Integration of Regulations.
    Burden Estimates:
    Total Number of Respondents: 31.
    Total Burden per Respondent: 3,776.
    Total Burden for Collection: 117,056.
    Comments are invited on: (1) Whether the proposed collection of 
information is necessary for the proper performance of the OCC's 
functions; including whether the information has practical utility; (2) 
the accuracy of the OCC's estimate of the burden of the proposed 
information collection, including the cost of compliance; (3) ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and (4) ways to minimize the burden of information 
collection on respondents, including through the use of automated 
collection techniques or other forms of information technology.
    Comments on the collection of information should be sent to:
    Because paper mail in the Washington, DC area and at the OCC is 
subject to delay, commenters are encouraged to submit comments by email 
if possible. Comments may be sent to: Legislative and Regulatory 
Activities Division, Office of the Comptroller of the Currency, 
Attention: 1557-0321, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-
11, Washington, DC 20219. In addition, comments may be sent by fax to 
(571) 465-4326 or by electronic mail to [email protected]. 
You may personally inspect and photocopy comments at the OCC, 400 7th 
Street SW., Washington, DC 20219. For security reasons, the OCC 
requires that visitors make an appointment to inspect comments. You may 
do so by calling (202) 649-6700. Upon arrival, visitors will be 
required to present valid government-issued photo identification and to 
submit to security screening in order to inspect and photocopy 
comments.
    All comments received, including attachments and other supporting 
materials, are part of the public record and subject to public 
disclosure. Do not enclose any information in your comment or 
supporting materials that you consider confidential or inappropriate 
for public disclosure.
    You may request additional information on the collection from 
Johnny Vilela, OCC Clearance Officer, (202) 649-7265, for persons who 
are deaf or hard of hearing, TTY, (202) 649-5597, Legislative and 
Regulatory Activities Division, Office of the Comptroller of the 
Currency, 400 7th

[[Page 54543]]

Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219.
    Additionally, commenters should send a copy of their comments to 
the OMB desk officer for the agencies by mail to the Office of 
Information and Regulatory Affairs, U.S. Office of Management and 
Budget, New Executive Office Building, Room 10235, 725 17th Street NW., 
Washington, DC 20503; by fax to (202) 395-6974; or by email to 
[email protected].

Regulatory Flexibility Analysis

    The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., 
requires generally that, in connection with a rulemaking, an agency 
prepare and make available for public comment a regulatory flexibility 
analysis that describes the impact of a rule on small entities. 
However, the regulatory flexibility analysis otherwise required under 
the RFA is not required if an agency certifies that the rule will not 
have a significant economic impact on a substantial number of small 
entities (defined in regulations promulgated by the Small Business 
Administration (SBA) to include banking organizations with total assets 
of less than or equal to $550 million) and publishes its certification 
and a brief explanatory statement in the Federal Register together with 
the rule.
    As of December 31, 2013, the OCC supervised 1,231 small entities 
based on the SBA's definition of small entities for RFA purposes. As 
discussed in the SUPPLEMENTARY INFORMATION above, the final Guidelines 
will generally be applicable only to OCC-supervised institutions that 
have average total consolidated assets of $50 billion or greater; 
therefore no small entities will be affected by the final Guidelines. 
Although the application of part 30 to Federal savings associations 
will affect a substantial number of small Federal savings associations, 
we do not associate any cost to this change. As such, pursuant to 
section 605(b) of the RFA, the OCC certifies that these final rules and 
guidelines will not have a significant economic impact on a substantial 
number of small entities.

Unfunded Mandates Reform Act Analysis

    The OCC has analyzed the final rules and guidelines under the 
factors in the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 
1532). Under this analysis, the OCC considered whether the final rules 
and guidelines include a Federal mandate that may result in the 
expenditure by State, local, and tribal governments, in the aggregate, 
or by the private sector, of $100 million or more in any one year 
(adjusted annually for inflation). The OCC has determined that the 
final rules and guidelines will not result in expenditures by State, 
local, and tribal governments, or the private sector, of $100 million 
or more in any one year. Accordingly, the final rules and guidelines 
are not subject to section 202 of the UMRA.

List of Subjects

12 CFR Part 30

    Banks, Banking, Consumer protection, National banks, Privacy, 
Safety and soundness, Reporting and recordkeeping requirements.

12 CFR Part 168

    Consumer protection, Privacy, Reporting and recordkeeping 
requirements, Savings associations, Security measures.

12 CFR Part 170

    Accounting, Administrative practice and procedure, Bank deposit 
insurance, Reporting and recordkeeping requirements, Safety and 
soundness, Savings associations.

    For the reasons set forth in the preamble, and under the authority 
of 12 U.S.C. 93a, chapter I of title 12 of the Code of Federal 
Regulations is amended as follows:

PART 30--SAFETY AND SOUNDNESS STANDARDS

    1. The authority citation for part 30 is revised to read as 
follows:

    Authority: 12 U.S.C. 1, 93a, 371, 1462a, 1463, 1464, 1467a, 
1818, 1828, 1831p-1, 1881-1884, 3102(b) and 5412(b)(2)(B); 15 U.S.C. 
1681s, 1681w, 6801, and 6805(b)(1).


Sec.  30.1  [Amended]

0
2. Section 30.1 is amended by:
0
a. In paragraph (a):
0
i. Removing ``appendices A, B, and C'' and adding in its place 
``appendices A, B, C, and D'';
0
ii. Removing the phrase ``and federal branches of foreign banks,'' and 
adding in its place the phrase ``, Federal savings associations, and 
Federal branches of foreign banks''; and
0
b. In paragraph (b):
0
i. Removing the word ``federal'' wherever it appears and adding 
``Federal'' in its place;
0
ii. Adding the phrase ``Federal savings association, and'' after the 
phrase ``national bank,'';
0
iii. Removing the phrase ``branch or'' and adding in its place the word 
``branch and''; and
0
iv. Adding a comma after the word ``companies''.

0
3. Section 30.2 is amended by:
0
a. Removing in the second and third sentence the word ``bank'' and 
adding in its place the phrase ``national bank or Federal savings 
association''; and
0
b. Adding a final sentence to read as follows:


Sec.  30.2  Purpose.

    * * * The OCC Guidelines Establishing Heightened Standards for 
Certain Large Insured National Banks, Insured Federal Savings 
Associations, and Insured Federal Branches are set forth in appendix D 
to this part.

0
4. Section 30.3 is amended by:
0
a. Revising the section heading;
0
b. Removing the phrase ``a bank'', wherever it appears, and adding in 
its place the phrase ``a national bank or Federal savings 
association'';
0
c. In paragraph (a), removing ``the Interagency Guidelines Establishing 
Standards for Safeguarding Customer Information set forth in appendix B 
to this part, or the OCC Guidelines Establishing Standards for 
Residential Mortgage Lending Practices set forth in appendix C to this 
part'' and adding in its place ``the Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information set forth 
in appendix B to this part, the OCC Guidelines Establishing Standards 
for Residential Mortgage Lending Practices set forth in appendix C to 
this part, or the OCC Guidelines Establishing Heightened Standards for 
Certain Large Insured National Banks, Insured Federal Savings 
Associations, and Insured Federal Branches set forth in appendix D to 
this part'';
0
d. In paragraph (b), adding the phrase ``to satisfy'' after the word 
``failed''; and
0
e. In paragraph (b), removing the phrase ``the bank'' and adding in its 
place the phrase ``the bank or savings association''.
    The revision reads as follows:


Sec.  30.3  Determination and notification of failure to meet safety 
and soundness standards and request for compliance plan.

* * * * *


Sec.  30.4  [Amended]

0
5. Section 30.4 is amended by:
0
a. In paragraphs (a), (d), and (e), removing the phrases ``A bank'' and 
``a bank'', wherever they appear, and adding in their place the phrases 
``A national bank or Federal savings association'' and ``a national 
bank or Federal savings association'', respectively;
0
b. In paragraph (a), the first sentence of paragraph (d)(1), and in 
paragraph (e), adding after the phrase ``the bank'', the phrase ``or 
savings association'';
0
c. In paragraph (b), removing the word ``bank'', and adding in its 
place the

[[Page 54544]]

phrase ``national bank or Federal savings association;
0
d. In paragraph (c), removing the phrase ``bank of whether the plan has 
been approved or seek additional information from the bank'', and 
adding in its place the phrase ``national bank or Federal savings 
association of whether the plan has been approved or seek additional 
information from the bank or savings association''; and
0
e. In paragraph (d)(1), removing the phrase ``bank commenced operations 
or experienced a change in control within the previous 24-month period, 
or the bank'', and adding in its place the phrase ``national bank or 
Federal savings association commenced operations or experienced a 
change in control within the previous 24-month period, or the bank or 
savings association''.


Sec.  30.5  [Amended]

0
6. Section 30.5 is amended by:
0
a. Removing the word '' bank'', wherever it appears, except in the 
first sentence of paragraph (a)(1), and adding in its place the phrase 
``national bank or Federal savings association'';
0
b. In paragraph (a)(1), removing the phrase ``bank prior written notice 
of the OCC's intention to issue an order requiring the bank'', and 
adding in its place the phrase ``national bank or Federal savings 
association prior written notice of the OCC's intention to issue an 
order requiring the bank or savings association''; and
0
c. In the fourth sentence of paragraph (a)(2), removing the word 
``matter'' and adding in its place the word ``manner''.


Sec.  30.6  [Amended]

0
7. Section 30.6 is amended by:
0
a. Removing the word ``bank'', wherever it appears, and adding in its 
place the phrase ``national bank or Federal savings association'';
0
b. Adding the phrase ``, 12 U.S.C. 1818(i)(1)'' after the word ``Act'' 
in paragraph (a); and
0
c. Adding the phrase ``12 U.S.C. 1818(i)(2)(A),'' after the word 
``Act,'' in paragraph (b).

0
8. Appendix A to Part 30 is amended by:
0
a. Revising footnote 2; and
0
b. In Section I.B.2. removing the word ``federal'' and adding in its 
place the word ``Federal''.
    The revision reads as follows:

Appendix A to Part 30--Interagency Guidelines Establishing Standards 
for Safety and Soundness

* * * * *
    \2\ For the Office of the Comptroller of the Currency, these 
regulations appear at 12 CFR Part 30; for the Board of Governors of 
the Federal Reserve System, these regulations appear at 12 CFR part 
263; and for the Federal Deposit Insurance Corporation, these 
regulations appear at 12 CFR part 308, subpart R and 12 CFR part 
391, subpart B.
* * * * *

0
9. Appendix B to part 30 is amended by:
0
a. Removing the words ``bank'' and ``bank's'', wherever they appear, 
except in Sections I.A. and I.C.2.a., and adding in their place the 
phrases ``national bank or Federal savings association'' and ``national 
bank's or Federal savings association's'', respectively; and
0
b. In Section I.A., removing the phrase ``referred to as ``the bank,'' 
are national banks, federal branches and federal agencies of foreign 
banks,'' and adding in its place the phrase ``referred to as ``the 
national bank or Federal savings association,'' are national banks, 
Federal savings associations, Federal branches and Federal agencies of 
foreign banks,'';
0
c. In Section I.C.2.d., removing the phrase ``Sec.  40.3(h) of this 
chapter'' and adding in its place the phrase ``12 CFR 1016.3(i)'';
0
d. In Section I.C.2.e., removing the phrase ``Sec.  40.3(n) of this 
chapter'' and adding in its place the phrase ``12 CFR 1016.3(p)''; and
0
e. In Supplement A to Appendix B to part 30, by revising footnotes 1, 
2, 9, 11, and 12.
    The revisions read as follows:

Appendix B to Part 30--Interagency Guidelines Establishing Information 
Security Standards

* * * * *

Supplement A to Appendix B to Part 30--Interagency Guidance on Response 
Programs for Unauthorized Access to Customer Information and Customer 
Notice

* * * * *
    \1\ This Guidance was jointly issued by the Board of Governors 
of the Federal Reserve System (Board), the Federal Deposit Insurance 
Corporation (FDIC), the Office of the Comptroller of the Currency 
(OCC), and the Office of Thrift Supervision (OTS). Pursuant to 12 
U.S.C. 5412, the OTS is no longer a party to this Guidance.
    \2\ 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D-2 and 
part 225, app. F (Board); and 12 CFR part 364, app. B and 12 CFR 
391.5 (FDIC). The ``Interagency Guidelines Establishing Information 
Security Standards'' were formerly known as ``The Interagency 
Guidelines Establishing Standards for Safeguarding Customer 
Information.''
* * * * *
    \9\ Under the Guidelines, an institution's customer information 
systems consist of all of the methods used to access, collect, 
store, use, transmit, protect, or dispose of customer information, 
including the systems maintained by its service providers. See 
Security Guidelines, I.C.2.d.
* * * * *
    \11\ See Federal Reserve SR Ltr. 13-19, Guidance on Managing 
Outsourcing Risk, Dec. 5, 2013; OCC Bulletin 2013-29, ``Third-Party 
Relationships--Risk Management Guidance,'' Oct. 30, 2013; and FDIC 
FIL 68-99, Risk Assessment Tools and Practices for Information 
System Security, July 7, 1999.
    \12\ An institution's obligation to file a SAR is set out in the 
Agencies' SAR regulations and Agency guidance. See 12 CFR 21.11 
(national banks, Federal branches and agencies); 12 CFR 163.180 
(Federal savings associations); 12 CFR 208.62 (State member banks); 
12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR 211.24(f) 
(uninsured State branches and agencies of foreign banks); 12 CFR 
225.4(f) (bank holding companies and their nonbank subsidiaries); 12 
CFR part 353 (State non-member banks); and 12 CFR 390.355 (state 
savings associations). National banks and Federal savings 
associations must file SARs in connection with computer intrusions 
and other computer crimes. See OCC Bulletin 2000-14, 
``Infrastructure Threats--Intrusion Risks'' (May 15, 2000); see also 
Federal Reserve SR 01-11, Identity Theft and Pretext Calling, Apr. 
26, 2001.
* * * * *

0
10. Appendix C to part 30 is amended by:
0
a. In sections I.iv., II.B.1., II.B.2., III.A. introductory text, 
III.B. introductory text, III.B.6., III.C., III.E.4., and III.E.6., 
removing the word ``bank'' wherever it appears, and adding in its place 
the phrase ``national bank or Federal savings association'';
0
b. In section II.B. introductory text and III.D., removing the word 
``bank's'' and adding in its place the phrase ``national bank's or 
Federal savings association's'';
0
c. In sections II.B.1. and III.B.6., removing the word ``bank's'' and 
adding in its place the phrase ``bank's or savings association's''; and
0
d. Revising the second sentence of section I.i., first two sentences of 
section I.iii., section I.vi., sections I.A., I.C., I.D.2.b., II.A., 
III.E. introductory text, III.E.5., and III.F.
    The revisions read as follows:

Appendix C to Part 30--OCC Guidelines Establishing Standards for 
Residential Mortgage Lending Practices

* * * * *
    I. * * *
    i. * * * The Guidelines are designed to protect against 
involvement by national banks, Federal savings associations, Federal 
branches and Federal agencies of foreign banks, and their respective 
operating subsidiaries (together, ``national banks and Federal 
savings associations''), either directly or through loans that they 
purchase or make through intermediaries, in predatory or abusive 
residential mortgage lending

[[Page 54545]]

practices that are injurious to their respective customers and that 
expose the national bank or Federal savings association to credit, 
legal, compliance, reputation, and other risks.
* * * * *
* * * * *
    iii. In addition, national banks, Federal savings associations, 
and their respective operating subsidiaries must comply with the 
requirements and Guidelines affecting appraisals of residential 
mortgage loans and appraiser independence. 12 CFR part 34, subpart 
C, and the Interagency Appraisal and Evaluation Guidelines (OCC 
Bulletin 2010-42 (December 10, 2010). * * *
* * * * *
    vi. Finally, OCC regulations and supervisory guidance on 
fiduciary activities and asset management address the need for 
national banks and Federal savings associations to perform due 
diligence and exercise appropriate control with regard to trustee 
activities. See 12 CFR 9.6 (a), in the case of national banks, and 
12 CFR 150.200, in the case of Federal savings associations, and the 
Comptroller's Handbook on Asset Management. For example, national 
banks and Federal savings associations should exercise appropriate 
diligence to minimize potential reputation risks when they undertake 
to act as trustees in mortgage securitizations.
    A. Scope. These Guidelines apply to the residential mortgage 
lending activities of national banks, Federal savings associations, 
Federal branches and Federal agencies of foreign banks, and 
operating subsidiaries of such entities (except brokers, dealers, 
persons providing insurance, investment companies, and investment 
advisers).
* * * * *
    C. Relationship to Other Legal Requirements. Actions by a 
national bank or Federal savings association in connection with 
residential mortgage lending that are inconsistent with these 
Guidelines or Appendix A to this part 30 may also constitute unsafe 
or unsound practices for purposes of section 8 of the Federal 
Deposit Insurance Act, 12 U.S.C. 1818, unfair or deceptive practices 
for purposes of section 5 of the FTC Act, 15 U.S.C. 45, and the 
OCC's Lending Rules, 12 CFR 34.3 (Lending Rules) and Real Estate 
Lending Standards, 12 CFR part 34, subpart D, in the case of 
national banks, and 12 CFR 160.100 and 160.101, in the case of 
Federal savings associations, or violations of the ECOA and FHA.
    D. * * *
    2. * * *
    b. National bank or Federal savings association means any 
national bank, Federal savings association, Federal branch or 
Federal agency of a foreign bank, and any operating subsidiary 
thereof that is subject to these Guidelines.
    II. * * *
    A. General. A national bank's or Federal savings association's 
residential mortgage lending activities should reflect standards and 
practices consistent with and appropriate to the size and complexity 
of the bank or savings association and the nature and scope of its 
lending activities.
* * * * *
    III. * * *
    E. Purchased and Brokered Loans. With respect to consumer 
residential mortgage loans that the national bank or Federal savings 
association purchases, or makes through a mortgage broker or other 
intermediary, the national bank or Federal savings association's 
residential mortgage lending activities should reflect standards and 
practices consistent with those applied by the bank or savings 
association in its direct lending activities and include appropriate 
measures to mitigate risks, such as the following:
* * * * *
    5. Loan documentation procedures, management information 
systems, quality control reviews, and other methods through which 
the national bank or Federal savings association will verify 
compliance with agreements, bank or savings association policies, 
and applicable laws, and otherwise retain appropriate oversight of 
mortgage origination functions, including loan sourcing, 
underwriting, and loan closings.
* * * * *
    F. Monitoring and Corrective Action. A national bank's or 
Federal savings association's consumer residential mortgage lending 
activities should include appropriate monitoring of compliance with 
applicable law and the bank's or savings association's lending 
standards and practices, periodic monitoring and evaluation of the 
nature, quantity and resolution of customer complaints, and 
appropriate evaluation of the effectiveness of the bank's or savings 
association's standards and practices in accomplishing the 
objectives set forth in these Guidelines. The bank's or savings 
association's activities also should include appropriate steps for 
taking corrective action in response to failures to comply with 
applicable law and the bank's or savings association's lending 
standards, and for making adjustments to the bank's or savings 
association's activities as may be appropriate to enhance their 
effectiveness or to reflect changes in business practices, market 
conditions, or the bank's or savings association's lines of 
business, residential mortgage loan programs, or customer base.



0
11. A new Appendix D is added to part 30 to read as follows:

Appendix D to Part 30--OCC Guidelines Establishing Heightened Standards 
for Certain Large Insured National Banks, Insured Federal Savings 
Associations, and Insured Federal Branches

Table of Contents

I. Introduction
    A. Scope
    B. Compliance Date
    C. Reservation of Authority
    D. Preservation of Existing Authority
    E. Definitions
II. Standards For Risk Governance Framework
    A. Risk Governance Framework
    B. Scope of Rrisk Governance Framework
    C. Roles and Responsibilities
    1. Role and Responsibilities of Front Line Units
    2. Role and Responsibilities of Independent Risk Management
    3. Role and Responsibilities of Internal Audit
    D. Strategic Plan
    E. Risk Appetite Statement
    F. Concentration and Front Line Unit Risk Limits
    G. Risk Appetite Review, Monitoring, and Communication Processes
    H. Processes Governing Risk Limit Breaches
    I. Concentration Risk Management
    J. Risk Data Aggregation and Reporting
    K. Relationship of Risk Appetite Statement, Concentration Risk 
Limits, and Front Line Unit Risk Limits to Other Processes
    L. Talent Management Processes
    M. Compensation and Performance Management Programs
III. Standards for Board of Directors
    A. Require an Effective Risk Governance Framework
    B. Provide Active Oversight of Management
    C. Exercise Independent Judgment
    D. Include Independent Directors
    E. Provide Ongoing Training to All Directors
    F. Self-Assessments

I. Introduction

    1. The OCC expects a covered bank, as that term is defined in 
paragraph I.E. to establish and implement a risk governance 
framework to manage and control the covered bank's risk-taking 
activities.
    2. This appendix establishes minimum standards for the design 
and implementation of a covered bank's risk governance framework and 
minimum standards for the covered bank's board of directors in 
providing oversight to the framework's design and implementation 
(Guidelines). These standards are in addition to any other 
applicable requirements in law or regulation.
    3. A covered bank may use its parent company's risk governance 
framework in its entirety, without modification, if the framework 
meets these minimum standards, the risk profiles of the parent 
company and the covered bank are substantially the same as set forth 
in paragraph I.4. of these Guidelines, and the covered bank has 
demonstrated through a documented assessment that its risk profile 
and its parent company's risk profile are substantially the same. 
The assessment should be conducted at least annually, in conjunction 
with the review and update of the risk governance framework 
performed by independent risk management, as set forth in paragraph 
II.A. of these Guidelines.
    4. A parent company's and covered bank's risk profiles are 
substantially the same if, as reported on the covered bank's Federal 
Financial Institutions Examination Council Consolidated Reports of 
Condition and Income (Call Reports) for the four most recent 
consecutive quarters, the covered bank's average total consolidated 
assets, as

[[Page 54546]]

calculated according to paragraph I.A. of these Guidelines, 
represent 95 percent or more of the parent company's average total 
consolidated assets.\1\ A covered bank that does not satisfy this 
test may submit a written analysis to the OCC for consideration and 
approval that demonstrates that the risk profile of the parent 
company and the covered bank are substantially the same based upon 
other factors not specified in this paragraph.
---------------------------------------------------------------------------

    \1\ For a parent company, average total consolidated assets 
means the average of the parent company's total consolidated assets, 
as reported on the parent company's Form FR Y-9C to the Board of 
Governors of the Federal Reserve System, or equivalent regulatory 
report, for the four most recent consecutive quarters.
---------------------------------------------------------------------------

    5. Subject to paragraph I.6. of these Guidelines, a covered bank 
should establish its own risk governance framework when the parent 
company's and covered bank's risk profiles are not substantially the 
same. The covered bank's framework should ensure that the covered 
bank's risk profile is easily distinguished and separate from that 
of its parent for risk management and supervisory reporting purposes 
and that the safety and soundness of the covered bank is not 
jeopardized by decisions made by the parent company's board of 
directors and management.
    6. When the parent company's and covered bank's risk profiles 
are not substantially the same, a covered bank may, in consultation 
with the OCC, incorporate or rely on components of its parent 
company's risk governance framework when developing its own risk 
governance framework to the extent those components are consistent 
with the objectives of these Guidelines.

A. Scope

    These Guidelines apply to any bank, as that term is defined in 
paragraph I.E. of these Guidelines, with average total consolidated 
assets equal to or greater than $50 billion. In addition, these 
Guidelines apply to any bank with average total consolidated assets 
less than $50 billion if that institution's parent company controls 
at least one covered bank. For a covered bank, average total 
consolidated assets means the average of the covered bank's total 
consolidated assets, as reported on the covered bank's Call Reports, 
for the four most recent consecutive quarters.

B. Compliance Date

    1. Initial compliance. The date on which a covered bank should 
comply with the Guidelines is set forth below:
    (a) A covered bank with average total consolidated assets, as 
calculated according to paragraph I.A. of these Guidelines, equal to 
or greater than $750 billion as of November 10, 2014 should comply 
with these Guidelines on November 10, 2014;
    (b) A covered bank with average total consolidated assets, as 
calculated according to paragraph I.A. of these Guidelines, equal to 
or greater than $100 billion but less than $750 billion as of 
November 10, 2014 should comply with these Guidelines within six 
months from November 10, 2014;
    (c) A covered bank with average total consolidated assets, as 
calculated according to paragraph I.A. of these Guidelines, equal to 
or greater than $50 billion but less than $100 billion as of 
November 10, 2014 should comply with these Guidelines within 18 
months from November 10, 2014;
    (d) A covered bank with average total consolidated assets, as 
calculated according to paragraph I.A. of these Guidelines, less 
than $50 billion that is a covered bank because that bank's parent 
company controls at least one other covered bank as of November 10, 
2014 should comply with these Guidelines on the date that such other 
covered bank should comply; and
    (e) A covered bank that does not come within the scope of these 
Guidelines on November 10, 2014, but subsequently becomes subject to 
the Guidelines because average total consolidated assets, as 
calculated according to paragraph I.A. of these Guidelines, are 
equal to or greater than $50 billion after November 10, 2014, should 
comply with these Guidelines within 18 months from the as-of date of 
the most recent Call Report used in the calculation of the average.

C. Reservation of Authority

    1. The OCC reserves the authority to apply these Guidelines, in 
whole or in part, to a bank that has average total consolidated 
assets less than $50 billion, if the OCC determines such bank's 
operations are highly complex or otherwise present a heightened risk 
as to warrant the application of these Guidelines;
    2. The OCC reserves the authority, for each covered bank, to 
extend the time for compliance with these Guidelines or modify these 
Guidelines; or
    3. The OCC reserves the authority to determine that compliance 
with these Guidelines should no longer be required for a covered 
bank. The OCC would generally make the determination under this 
paragraph I.C.3. if a covered bank's operations are no longer highly 
complex or no longer present a heightened risk. In determining 
whether a covered bank's operations are highly complex or present a 
heightened risk, the OCC will consider the following factors: 
Complexity of products and services, risk profile, and scope of 
operations.
    4. When exercising the authority in this paragraph I.C., the OCC 
will apply notice and response procedures, when appropriate, in the 
same manner and to the same extent as the notice and response 
procedures in 12 CFR 3.404.

D. Preservation of Existing Authority

    Neither section 39 of the Federal Deposit Insurance Act (12 
U.S.C. 1831p-1) nor these Guidelines in any way limits the authority 
of the OCC to address unsafe or unsound practices or conditions or 
other violations of law. The OCC may take action under section 39 
and these Guidelines independently of, in conjunction with, or in 
addition to any other enforcement action available to the OCC.

E. Definitions

    1. Bank means any insured national bank, insured Federal savings 
association, or insured Federal branch of a foreign bank.
    2. Chief Audit Executive means an individual who leads internal 
audit and is one level below the Chief Executive Officer in a 
covered bank's organizational structure.
    3. Chief Risk Executive means an individual who leads an 
independent risk management unit and is one level below the Chief 
Executive Officer in a covered bank's organizational structure. A 
covered bank may have more than one Chief Risk Executive.
    4. Control. A parent company controls a covered bank if it:
    (a) Owns, controls, or holds with power to vote 25 percent or 
more of a class of voting securities of the covered bank; or
    (b) Consolidates the covered bank for financial reporting 
purposes.
    5. Covered bank means any bank:
    (a) With average total consolidated assets, as calculated 
according to paragraph I.A. of these Guidelines, equal to or greater 
than $50 billion;
    (b) With average total consolidated assets less than $50 billion 
if that bank's parent company controls at least one covered bank; or
    (c) With average total consolidated assets less than $50 
billion, if the OCC determines such bank's operations are highly 
complex or otherwise present a heightened risk as to warrant the 
application of these Guidelines pursuant to paragraph I.C. of these 
Guidelines.
    6. Front Line Unit. (a) Except as provided in paragraph (b) of 
this definition, front line unit means any organizational unit or 
function thereof in a covered bank that is accountable for a risk in 
paragraph II.B. of these Guidelines that:
    (i) Engages in activities designed to generate revenue or reduce 
expenses for the parent company or covered bank;
    (ii) Provides operational support or servicing to any 
organizational unit or function within the covered bank for the 
delivery of products or services to customers; or
    (iii) Provides technology services to any organizational unit or 
function covered by these Guidelines.
    (b) Front line unit does not ordinarily include an 
organizational unit or function thereof within a covered bank that 
provides legal services to the covered bank.
    7. Independent risk management means any organizational unit 
within a covered bank that has responsibility for identifying, 
measuring, monitoring, or controlling aggregate risks. Such units 
maintain independence from front line units through the following 
reporting structure:
    (a) The board of directors or the board's risk committee reviews 
and approves the risk governance framework;
    (b) Each Chief Risk Executive has unrestricted access to the 
board of directors and its committees to address risks and issues 
identified through independent risk management's activities;
    (c) The board of directors or its risk committee approves all 
decisions regarding the appointment or removal of the Chief Risk 
Executive(s) and approves the annual compensation and salary 
adjustment of the Chief Risk Executive(s); and
    (d) No front line unit executive oversees any independent risk 
management unit.
    8. Internal audit means the organizational unit within a covered 
bank that is designated

[[Page 54547]]

to fulfill the role and responsibilities outlined in 12 CFR part 30, 
Appendix A, II.B. Internal audit maintains independence from front 
line units and independent risk management through the following 
reporting structure:
    (a) The Chief Audit Executive has unrestricted access to the 
board's audit committee to address risks and issues identified 
through internal audit's activities;
    (b) The audit committee reviews and approves internal audit's 
overall charter and audit plans;
    (c) The audit committee approves all decisions regarding the 
appointment or removal and annual compensation and salary adjustment 
of the Chief Audit Executive;
    (d) The audit committee or the Chief Executive Officer oversees 
the Chief Audit Executive's administrative activities; and
    (e) No front line unit executive oversees internal audit.
    9. Parent company means the top-tier legal entity in a covered 
bank's ownership structure.
    10. Risk appetite means the aggregate level and types of risk 
the board of directors and management are willing to assume to 
achieve a covered bank's strategic objectives and business plan, 
consistent with applicable capital, liquidity, and other regulatory 
requirements.
    11. Risk profile means a point-in-time assessment of a covered 
bank's risks, aggregated within and across each relevant risk 
category, using methodologies consistent with the risk appetite 
statement described in paragraph II.E. of these Guidelines.

II. Standards for Risk Governance Framework

    A. Risk governance framework. A covered bank should establish 
and adhere to a formal, written risk governance framework that is 
designed by independent risk management and approved by the board of 
directors or the board's risk committee. The risk governance 
framework should include delegations of authority from the board of 
directors to management committees and executive officers as well as 
the risk limits established for material activities. Independent 
risk management should review and update the risk governance 
framework at least annually, and as often as needed to address 
improvements in industry risk management practices and changes in 
the covered bank's risk profile caused by emerging risks, its 
strategic plans, or other internal and external factors.
    B. Scope of risk governance framework. The risk governance 
framework should cover the following risk categories that apply to 
the covered bank: Credit risk, interest rate risk, liquidity risk, 
price risk, operational risk, compliance risk, strategic risk, and 
reputation risk.
    C. Roles and responsibilities. The risk governance framework 
should include well-defined risk management roles and 
responsibilities for front line units, independent risk management, 
and internal audit.\2\ The roles and responsibilities for each of 
these organizational units should be:
---------------------------------------------------------------------------

    \2\ These roles and responsibilities are in addition to any 
roles and responsibilities set forth in Appendices A, B, and C to 
Part 30. Many of the risk management practices established and 
maintained by a covered bank to meet these standards, including loan 
review and credit underwriting and administration practices, should 
be components of its risk governance framework, within the construct 
of the three distinct units identified herein. In addition, existing 
OCC guidance sets forth standards for establishing risk management 
programs for certain risks, e.g., compliance risk management. These 
risk-specific programs should also be considered components of the 
risk governance framework, within the context of the three units 
described in paragraph II.C. of these Guidelines.
---------------------------------------------------------------------------

    1. Role and responsibilities of front line units. Front line 
units should take responsibility and be held accountable by the 
Chief Executive Officer and the board of directors for appropriately 
assessing and effectively managing all of the risks associated with 
their activities. In fulfilling this responsibility, each front line 
unit should, either alone or in conjunction with another 
organizational unit that has the purpose of assisting a front line 
unit:
    (a) Assess, on an ongoing basis, the material risks associated 
with its activities and use such risk assessments as the basis for 
fulfilling its responsibilities under paragraphs II.C.1.(b) and (c) 
of these Guidelines and for determining if actions need to be taken 
to strengthen risk management or reduce risk given changes in the 
unit's risk profile or other conditions;
    (b) Establish and adhere to a set of written policies that 
include front line unit risk limits as discussed in paragraph II.F. 
of these Guidelines. Such policies should ensure risks associated 
with the front line unit's activities are effectively identified, 
measured, monitored, and controlled, consistent with the covered 
bank's risk appetite statement, concentration risk limits, and all 
policies established within the risk governance framework under 
paragraphs II.C.2.(c) and II.G. through K. of these Guidelines;
    (c) Establish and adhere to procedures and processes, as 
necessary, to maintain compliance with the policies described in 
paragraph II.C.1.(b) of these Guidelines;
    (d) Adhere to all applicable policies, procedures, and processes 
established by independent risk management;
    (e) Develop, attract, and retain talent and maintain staffing 
levels required to carry out the unit's role and responsibilities 
effectively, as set forth in paragraphs II.C.1.(a) through (d) of 
these Guidelines;
    (f) Establish and adhere to talent management processes that 
comply with paragraph II.L. of these Guidelines; and
    (g) Establish and adhere to compensation and performance 
management programs that comply with paragraph II.M. of these 
Guidelines.
    2. Role and responsibilities of independent risk management. 
Independent risk management should oversee the covered bank's risk-
taking activities and assess risks and issues independent of front 
line units. In fulfilling these responsibilities, independent risk 
management should:
    (a) Take primary responsibility and be held accountable by the 
Chief Executive Officer and the board of directors for designing a 
comprehensive written risk governance framework that meets these 
Guidelines and is commensurate with the size, complexity, and risk 
profile of the covered bank;
    (b) Identify and assess, on an ongoing basis, the covered bank's 
material aggregate risks and use such risk assessments as the basis 
for fulfilling its responsibilities under paragraphs II.C.2.(c) and 
(d) of these Guidelines and for determining if actions need to be 
taken to strengthen risk management or reduce risk given changes in 
the covered bank's risk profile or other conditions;
    (c) Establish and adhere to enterprise policies that include 
concentration risk limits. Such policies should state how aggregate 
risks within the covered bank are effectively identified, measured, 
monitored, and controlled, consistent with the covered bank's risk 
appetite statement and all policies and processes established within 
the risk governance framework under paragraphs II.G. through K. of 
these Guidelines;
    (d) Establish and adhere to procedures and processes, as 
necessary, to ensure compliance with the policies described in 
paragraph II.C.2.(c) of these Guidelines;
    (e) Identify and communicate to the Chief Executive Officer and 
the board of directors or the board's risk committee:
    (i) Material risks and significant instances where independent 
risk management's assessment of risk differs from that of a front 
line unit; and
    (ii) Significant instances where a front line unit is not 
adhering to the risk governance framework, including instances when 
front line units do not meet the standards set forth in paragraph 
II.C.1. of these Guidelines;
    (f) Identify and communicate to the board of directors or the 
board's risk committee:
    (i) Material risks and significant instances where independent 
risk management's assessment of risk differs from the Chief 
Executive Officer; and
    (ii) Significant instances where the Chief Executive Officer is 
not adhering to, or holding front line units accountable for 
adhering to, the risk governance framework;
    (g) Develop, attract, and retain talent and maintain staffing 
levels required to carry out its role and responsibilities 
effectively, as set forth in paragraphs II.C.2.(a) through (f) of 
these Guidelines;
    (h) Establish and adhere to talent management processes that 
comply with paragraph II.L. of these Guidelines; and
    (i) Establish and adhere to compensation and performance 
management programs that comply with paragraph II.M. of these 
Guidelines.
    3. Role and responsibilities of internal audit. In addition to 
meeting the standards set forth in appendix A of part 30, internal 
audit should ensure that the covered bank's risk governance 
framework complies with these Guidelines and is appropriate for the 
size, complexity, and risk profile of the covered bank. In carrying 
out its responsibilities, internal audit should:
    (a) Maintain a complete and current inventory of all of the 
covered bank's material processes, product lines, services, and 
functions, and assess the risks, including emerging risks, 
associated with each, which collectively provide a basis for the 
audit plan

[[Page 54548]]

described in paragraph II.C.3.(b) of these Guidelines;
    (b) Establish and adhere to an audit plan that is periodically 
reviewed and updated that takes into account the covered bank's risk 
profile, emerging risks, and issues, and establishes the frequency 
with which activities should be audited. The audit plan should 
require internal audit to evaluate the adequacy of and compliance 
with policies, procedures, and processes established by front line 
units and independent risk management under the risk governance 
framework. Significant changes to the audit plan should be 
communicated to the board's audit committee;
    (c) Report in writing, conclusions and material issues and 
recommendations from audit work carried out under the audit plan 
described in paragraph II.C.3.(b) of these Guidelines to the board's 
audit committee. Internal audit's reports to the audit committee 
should also identify the root cause of any material issues and 
include:
    (i) A determination of whether the root cause creates an issue 
that has an impact on one organizational unit or multiple 
organizational units within the covered bank; and
    (ii) A determination of the effectiveness of front line units 
and independent risk management in identifying and resolving issues 
in a timely manner;
    (d) Establish and adhere to processes for independently 
assessing the design and ongoing effectiveness of the risk 
governance framework on at least an annual basis. The independent 
assessment should include a conclusion on the covered bank's 
compliance with the standards set forth in these Guidelines; \3\
---------------------------------------------------------------------------

    \3\ The annual independent assessment of the risk governance 
framework may be conducted by internal audit, an external party, or 
internal audit in conjunction with an external party.
---------------------------------------------------------------------------

    (e) Identify and communicate to the board's audit committee 
significant instances where front line units or independent risk 
management are not adhering to the risk governance framework;
    (f) Establish a quality assurance program that ensures internal 
audit's policies, procedures, and processes comply with applicable 
regulatory and industry guidance, are appropriate for the size, 
complexity, and risk profile of the covered bank, are updated to 
reflect changes to internal and external risk factors, emerging 
risks, and improvements in industry internal audit practices, and 
are consistently followed;
    (g) Develop, attract, and retain talent and maintain staffing 
levels required to effectively carry out its role and 
responsibilities, as set forth in paragraphs II.C.3.(a) through (f) 
of these Guidelines;
    (h) Establish and adhere to talent management processes that 
comply with paragraph II.L. of these Guidelines; and
    (i) Establish and adhere to compensation and performance 
management programs that comply with paragraph II.M. of these 
Guidelines.
    D. Strategic plan. The Chief Executive Officer should be 
responsible for the development of a written strategic plan with 
input from front line units, independent risk management, and 
internal audit. The board of directors should evaluate and approve 
the strategic plan and monitor management's efforts to implement the 
strategic plan at least annually. The strategic plan should cover, 
at a minimum, a three-year period and:
    1. Contain a comprehensive assessment of risks that currently 
have an impact on the covered bank or that could have an impact on 
the covered bank during the period covered by the strategic plan;
    2. Articulate an overall mission statement and strategic 
objectives for the covered bank, and include an explanation of how 
the covered bank will achieve those objectives;
    3. Include an explanation of how the covered bank will update, 
as necessary, the risk governance framework to account for changes 
in the covered bank's risk profile projected under the strategic 
plan; and
    4. Be reviewed, updated, and approved, as necessary, due to 
changes in the covered bank's risk profile or operating environment 
that were not contemplated when the strategic plan was developed.
    E. Risk appetite statement. A covered bank should have a 
comprehensive written statement that articulates the covered bank's 
risk appetite and serves as the basis for the risk governance 
framework. The risk appetite statement should include both 
qualitative components and quantitative limits. The qualitative 
components should describe a safe and sound risk culture and how the 
covered bank will assess and accept risks, including those that are 
difficult to quantify. Quantitative limits should incorporate sound 
stress testing processes, as appropriate, and address the covered 
bank's earnings, capital, and liquidity. The covered bank should set 
limits at levels that take into account appropriate capital and 
liquidity buffers and prompt management and the board of directors 
to reduce risk before the covered bank's risk profile jeopardizes 
the adequacy of its earnings, liquidity, and capital.\4\
---------------------------------------------------------------------------

    \4\ Where possible, covered banks should establish aggregate 
risk appetite limits that can be disaggregated and applied at the 
front line unit level. However, where this is not possible, covered 
banks should establish limits that reasonably reflect the aggregate 
level of risk that the board of directors and executive management 
are willing to accept.
---------------------------------------------------------------------------

    F. Concentration and front line unit risk limits. The risk 
governance framework should include concentration risk limits and, 
as applicable, front line unit risk limits, for the relevant risks. 
Concentration and front line unit risk limits should limit excessive 
risk taking and, when aggregated across such units, provide that 
these risks do not exceed the limits established in the covered 
bank's risk appetite statement.
    G. Risk appetite review, monitoring, and communication 
processes. The risk governance framework should require: \5\
---------------------------------------------------------------------------

    \5\ With regard to paragraphs 3., 4., and 5. in this paragraph 
II.G., the frequency of monitoring and reporting should be performed 
more often, as necessary, based on the size and volatility of risks 
and any material change in the covered bank's business model, 
strategy, risk profile, or market conditions.
---------------------------------------------------------------------------

    1. Review and approval of the risk appetite statement by the 
board of directors or the board's risk committee at least annually 
or more frequently, as necessary, based on the size and volatility 
of risks and any material changes in the covered bank's business 
model, strategy, risk profile, or market conditions;
    2. Initial communication and ongoing reinforcement of the 
covered bank's risk appetite statement throughout the covered bank 
in a manner that causes all employees to align their risk-taking 
decisions with applicable aspects of the risk appetite statement;
    3. Monitoring by independent risk management of the covered 
bank's risk profile relative to its risk appetite and compliance 
with concentration risk limits and reporting on such monitoring to 
the board of directors or the board's risk committee at least 
quarterly;
    4. Monitoring by front line units of compliance with their 
respective risk limits and reporting to independent risk management 
at least quarterly; and
    5. When necessary due to the level and type of risk, monitoring 
by independent risk management of front line units' compliance with 
front line unit risk limits, ongoing communication with front line 
units regarding adherence to these limits, and reporting of any 
concerns to the Chief Executive Officer and the board of directors 
or the board's risk committee, as set forth in paragraphs II.C.2.(e) 
and (f) of these Guidelines, all at least quarterly.
    H. Processes governing risk limit breaches. A covered bank 
should establish and adhere to processes that require front line 
units and independent risk management, in conjunction with their 
respective responsibilities, to:
    1. Identify breaches of the risk appetite statement, 
concentration risk limits, and front line unit risk limits;
    2. Distinguish breaches based on the severity of their impact on 
the covered bank;
    3. Establish protocols for when and how to inform the board of 
directors, front line unit management, independent risk management, 
internal audit, and the OCC of a risk limit breach that takes into 
account the severity of the breach and its impact on the covered 
bank;
    4. Include in the protocols established in paragraph II.H.3. of 
these Guidelines the requirement to provide a written description of 
how a breach will be, or has been, resolved; and
    5. Establish accountability for reporting and resolving breaches 
that include consequences for risk limit breaches that take into 
account the magnitude, frequency, and recurrence of breaches.
    I. Concentration risk management. The risk governance framework 
should include policies and supporting processes appropriate for the 
covered bank's size, complexity, and risk profile for effectively 
identifying, measuring, monitoring, and controlling the covered 
bank's concentrations of risk.
    J. Risk data aggregation and reporting. The risk governance 
framework should include a set of policies, supported by appropriate 
procedures and processes, designed to provide risk data aggregation 
and reporting

[[Page 54549]]

capabilities appropriate for the size, complexity, and risk profile 
of the covered bank, and to support supervisory reporting 
requirements. Collectively, these policies, procedures, and 
processes should provide for:
    1. The design, implementation, and maintenance of a data 
architecture and information technology infrastructure that support 
the covered bank's risk aggregation and reporting needs during 
normal times and during times of stress;
    2. The capturing and aggregating of risk data and reporting of 
material risks, concentrations, and emerging risks in a timely 
manner to the board of directors and the OCC; and
    3. The distribution of risk reports to all relevant parties at a 
frequency that meets their needs for decision-making purposes.
    K. Relationship of risk appetite statement, concentration risk 
limits, and front line unit risk limits to other processes. A 
covered bank's front line units and independent risk management 
should incorporate at a minimum the risk appetite statement, 
concentration risk limits, and front line unit risk limits into the 
following:
    1. Strategic and annual operating plans;
    2. Capital stress testing and planning processes;
    3. Liquidity stress testing and planning processes;
    4. Product and service risk management processes, including 
those for approving new and modified products and services;
    5. Decisions regarding acquisitions and divestitures; and
    6. Compensation and performance management programs.
    L. Talent management processes. A covered bank should establish 
and adhere to processes for talent development, recruitment, and 
succession planning to ensure that management and employees who are 
responsible for or influence material risk decisions have the 
knowledge, skills, and abilities to effectively identify, measure, 
monitor, and control relevant risks. The board of directors or an 
appropriate committee of the board should:
    1. Appoint a Chief Executive Officer and appoint or approve the 
appointment of a Chief Audit Executive and one or more Chief Risk 
Executives with the skills and abilities to carry out their roles 
and responsibilities within the risk governance framework;
    2. Review and approve a written talent management program that 
provides for development, recruitment, and succession planning 
regarding the individuals described in paragraph II.L.1. of these 
Guidelines, their direct reports, and other potential successors; 
and
    3. Require management to assign individuals specific 
responsibilities within the talent management program, and hold 
those individuals accountable for the program's effectiveness.
    M. Compensation and performance management programs. A covered 
bank should establish and adhere to compensation and performance 
management programs that comply with any applicable statute or 
regulation and are appropriate to:
    1. Ensure the Chief Executive Officer, front line units, 
independent risk management, and internal audit implement and adhere 
to an effective risk governance framework;
    2. Ensure front line unit compensation plans and decisions 
appropriately consider the level and severity of issues and concerns 
identified by independent risk management and internal audit, as 
well as the timeliness of corrective action to resolve such issues 
and concerns;
    3. Attract and retain the talent needed to design, implement, 
and maintain an effective risk governance framework; and
    4. Prohibit any incentive-based payment arrangement, or any 
feature of any such arrangement, that encourages inappropriate risks 
by providing excessive compensation or that could lead to material 
financial loss.

III. Standards for Board of Directors

    A. Require an effective risk governance framework. Each member 
of a covered bank's board of directors should oversee the covered 
bank's compliance with safe and sound banking practices. The board 
of directors should also require management to establish and 
implement an effective risk governance framework that meets the 
minimum standards described in these Guidelines. The board of 
directors or the board's risk committee should approve any 
significant changes to the risk governance framework and monitor 
compliance with such framework.
    B. Provide active oversight of management. A covered bank's 
board of directors should actively oversee the covered bank's risk-
taking activities and hold management accountable for adhering to 
the risk governance framework. In providing active oversight, the 
board of directors may rely on risk assessments and reports prepared 
by independent risk management and internal audit to support the 
board's ability to question, challenge, and when necessary, oppose 
recommendations and decisions made by management that could cause 
the covered bank's risk profile to exceed its risk appetite or 
jeopardize the safety and soundness of the covered bank.
    C. Exercise independent judgment. When providing active 
oversight under paragraph III.B. of these Guidelines, each member of 
the board of directors should exercise sound, independent judgment.
    D. Include independent directors. To promote effective, 
independent oversight of the covered bank's management, at least two 
members of the board of directors: \6\
---------------------------------------------------------------------------

    \6\ This provision does not supersede other regulatory 
requirements regarding the composition of the Board that apply to 
Federal savings associations. These institutions must continue to 
comply with such other requirements.
---------------------------------------------------------------------------

    1. Should not be an officer or employee of the parent company or 
covered bank and has not been an officer or employee of the parent 
company or covered bank during the previous three years;
    2. Should not be a member of the immediate family, as defined in 
Sec.  225.41(b)(3) of the Board of Governors of the Federal Reserve 
System's Regulation Y (12 CFR 225.41(b)(3)), of a person who is, or 
has been within the last three years, an executive officer of the 
parent company or covered bank, as defined in Sec.  215.2(e)(1) of 
Regulation O (12 CFR 215.2(e)(1)); and
    3. Should qualify as an independent director under the listing 
standards of a national securities exchange, as demonstrated to the 
satisfaction of the OCC.
    E. Provide ongoing training to all directors. The board of 
directors should establish and adhere to a formal, ongoing training 
program for all directors. This program should consider the 
directors' knowledge and experience and the covered bank's risk 
profile. The program should include, as appropriate, training on:
    1. Complex products, services, lines of business, and risks that 
have a significant impact on the covered bank;
    2. Laws, regulations, and supervisory requirements applicable to 
the covered bank; and
    3. Other topics identified by the board of directors.
    F. Self-assessments. A covered bank's board of directors should 
conduct an annual self-assessment that includes an evaluation of its 
effectiveness in meeting the standards in section III of these 
Guidelines.

PART 168--SECURITY PROCEDURES

0
12. The authority citation for part 168 continues to read as follows:

    Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, 
1881-1884, 5412(b)(2)(B); 15 U.S.C. 1681s, 1681w, 6801, and 
6805(b)(1).


Sec.  168.5  [Amended]

0
13. Section 168.5 is amended by removing the phrase ``part 170'' 
wherever it appears and adding in its place the phrase ``part 30''.

PART 170 [REMOVED]

0
14. Remove Part 170.

    Dated: September 2, 2014.
Thomas J. Curry,
Comptroller of the Currency.
[FR Doc. 2014-21224 Filed 9-10-14; 8:45 am]
BILLING CODE 4810-33-P