[Federal Register Volume 83, Number 8 (Thursday, January 11, 2018)]
[Notices]
[Pages 1351-1362]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-00294]
=======================================================================
-----------------------------------------------------------------------
FEDERAL RESERVE SYSTEM
[Docket No. OP-1594]
Proposed Supervisory Guidance
AGENCY: Board of Governors of the Federal Reserve System (Board).
ACTION: Proposed supervisory guidance.
-----------------------------------------------------------------------
SUMMARY: The Board is seeking comment on proposed guidance describing
core principles of effective senior management, the management of
business lines, and independent risk management and controls for large
financial institutions. The proposal would apply to domestic bank
holding companies with total consolidated assets of $50 billion or
more; savings and loan holding companies with total consolidated assets
of $50 billion or more; the combined U.S. operations of foreign banking
organizations with combined U.S. assets of $50 billion or more; any
state member bank subsidiaries of the foregoing; and systemically
important nonbank financial companies designated by the Financial
Stability Oversight Council for supervision by the Board.
DATES: Comments must be received no later than March 15, 2018.
ADDRESSES: Interested parties are invited to submit written comments by
following the instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Email: [email protected]. Include the
docket number in the subject line of the message.
Fax: (202) 452-3819 or (202) 452-3102.
Mail: Address to Ann E. Misback, Secretary, Board of
Governors of the Federal Reserve System, 20th Street and Constitution
Avenue NW, Washington, DC 20551.
All public comments will be made available on the Board's website
at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as
submitted, unless modified for technical reasons. Accordingly, comments
will not be edited to remove any identifying or contact information.
Public comments may also be viewed electronically or in paper in Room
3515, 1801 K Street NW (between 18th and 19th Street NW), Washington,
DC 20006 between 9:00 a.m. and 5:00 p.m. on weekdays.
FOR FURTHER INFORMATION CONTACT: Michael Hsu, Associate Director, (202)
912-4330, Richard Naylor, Associate Director, (202) 728-5854, Vaishali
Sack, Manager, (202) 452-5221, April Snyder, Manager, (202) 452-3099,
David Palmer, Senior Supervisory Financial Analyst, (202) 452-2904,
Jennifer Su, Senior Supervisory Financial Analyst, (202) 475-6348,
Christine Graham, Senior Supervisory Financial Analyst, (202) 452-3005,
Division of Supervision and Regulation; Laurie Schaffer, Associate
General Counsel, (202) 452-2272, Benjamin W. McDonough, Assistant
General Counsel, (202) 452-2036, Scott Tkacz, Senior Counsel, (202)
452-2744, Keisha Patrick, Senior Counsel, (202) 452-3559, or
Christopher Callanan, Senior Attorney, (202) 452-3594, Legal Division,
Board of Governors of the Federal Reserve System, 20th and C Streets
NW, Washington, DC 20551. For the hearing impaired only,
Telecommunications Device for the Deaf (TDD) users may contact (202)
263-4869.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Background
II. LFI Rating System and Board Effectiveness Proposals
III. Implementation
IV. Objectives of the Proposed Guidance
V. Applicability
VI. Description of the Proposed Guidance
A. Core Principles of Effective Senior Management
B. Core Principles of the Management of Business Lines
C. Core Principles of Independent Risk Management and Controls
I. Background
The Board invites comment on proposed guidance setting forth core
principles of effective senior management, the management of business
lines, and independent risk management (``IRM'') and controls for large
financial institutions (``LFIs''). This proposal is part of a broader
initiative by the Federal Reserve to develop a supervisory rating
system and related supervisory guidance that would align with its
consolidated supervisory framework for LFIs. Drawing on lessons from
the 2007-2009 financial crisis, the Federal Reserve reevaluated its
approach to supervision of LFIs, including systemically important
firms. In 2010, the Federal Reserve established the Large Institution
Supervision Coordinating Committee (``LISCC'') to coordinate its
supervisory oversight for the systemically important firms that pose
the greatest risk to U.S. financial
[[Page 1352]]
stability.\1\ In 2012, the Federal Reserve implemented a new
consolidated supervisory program for LFIs (``LFI supervision
framework'') described in SR letter 12-17.\2\ The LFI supervision
framework is focused on four core areas--capital planning and
positions, liquidity risk management and positions, governance and
controls, and resolution planning.\3\
---------------------------------------------------------------------------
\1\ Presently, the LISCC portfolio consists of eight domestic
bank holding companies, four foreign banking organizations, and one
nonbank financial company designated by the Financial Stability
Oversight Council (``FSOC'') for supervision by the Federal Reserve.
The domestic bank holding companies are: (1) Bank of America
Corporation; (2) Bank of New York Mellon Corporation; (3) Citigroup
Inc.; (4) Goldman Sachs Group, Inc.; (5) JP Morgan Chase & Co.; (6)
Morgan Stanley; (7) State Street Corporation; and (8) Wells Fargo &
Company. The foreign banking organizations are: (1) Barclays PLC;
(2) Credit Suisse Group AG; (3) Deutsche Bank AG; and (4) UBS AG.
The nonbank financial company is Prudential Financial, Inc. The list
of firms included in the LISCC supervisory program is available at
https://www.federalreserve.gov/bankinforeg/large-institution-supervision.htm. Hereinafter in this preamble, these firms may be
referred to as ``LISCC firms.''
\2\ See SR letter 12-17/CA letter 12-14, ``Consolidated
Supervision Framework for Large Financial Institutions,'' (referred
to as ``SR letter 12-17'' in this preamble).
\3\ The Board previously set forth expectations for resolution
planning for domestic LISCC firms in SR letter 14-8, ``Consolidated
Recovery Planning for Certain Large Domestic Bank Holding
Companies.''
---------------------------------------------------------------------------
II. LFI Rating System and Board Effectiveness Proposals
In August 2017, the Board invited comment on two proposals that
relate to this guidance, a new rating system for LFIs (``proposed LFI
rating system'') \4\ and proposed guidance addressing supervisory
expectations for boards of directors (``BE proposal'').\5\ On November
17, 2017, the Board extended the public comment period for the proposed
LFI rating system and BE proposal until February 15, 2018, to give the
public an opportunity to understand and comment on the proposed LFI
rating system, the BE proposal, and this proposed guidance together.
---------------------------------------------------------------------------
\4\ 82 FR 39049 (August 17, 2017). The proposed LFI rating
system would apply to all bank holding companies with total
consolidated assets of $50 billion or more; all non-insurance, non-
commercial savings and loan holding companies with total
consolidated assets of $50 billion or more; and U.S. intermediate
holding companies of foreign banking organizations established
pursuant to the Federal Reserve's Regulation YY.
\5\ 82 FR 37219 (August 9, 2017).
---------------------------------------------------------------------------
The proposed LFI rating system would provide a supervisory
evaluation of whether a firm possesses sufficient financial and
operational strength and resilience to maintain safe and sound
operations through a range of conditions. Consistent with the LFI
supervision framework, the proposed LFI rating system would include
assessments of a firm's capital, liquidity, and governance and
controls. As discussed further below, the BE proposal and this proposal
set forth supervisory expectations relevant to the assessment of a
firm's governance and controls.
The governance and controls component would consist of three
elements: (i) Effectiveness of a firm's board of directors, (ii)
management of business lines and independent risk management and
controls, and (iii) recovery planning (for domestic LISCC firms only).
To facilitate comment on the proposed LFI rating system, the
preamble to the proposed LFI rating system included a summary which
previewed the proposed expectations included in this proposal. This
proposal is generally consistent with that summary, with two
exceptions. First, this proposal expands the scope of the guidance to
foreign banking organizations.\6\ Second, this proposal adopts slightly
different terminology than is used in the proposed LFI rating system to
describe expectations for the management of business lines. However,
the change does not change the substance of those expectations
described in the proposed LFI rating system.\7\ The Board would expect
to apply the terminology used in this guidance in any final LFI rating
system; however, this change would not impact the supervisory
assessment of a firm's management of business lines for purposes of the
governance and controls component rating.
---------------------------------------------------------------------------
\6\ The preamble to the proposed LFI rating system described the
management of business lines and IRM and controls for domestic LFIs,
and noted that adjustments to extend applicability of the guidance
to the U.S. operations of FBOs may be made prior to issuing this
guidance for public comment. This preamble highlights those
adjustments.
\7\ See discussion of this change in section VI.B of this
preamble.
---------------------------------------------------------------------------
The BE proposal sets forth attributes of an effective board of
directors. It is intended to better distinguish the supervisory
expectations for boards from those of senior management and encourage
boards to focus time and attention on their core responsibilities.\8\
The expectations in the BE proposal would inform the Board's evaluation
of the effectiveness of a firm's board of directors under the
governance and control component of the proposed LFI rating system.
---------------------------------------------------------------------------
\8\ ``Board'' or ``board of directors'' also refers to
committees of the board of directors, as appropriate.
At this time, recovery planning expectations apply only to
domestic bank holding companies in the LISCC portfolio. See SR
letter 14-8, ``Consolidated Recovery Planning for Certain Large
Domestic Bank Holding Companies.'' Should the Federal Reserve expand
the scope of recovery planning expectations to encompass additional
firms, this rating will reflect such expectations for the broader
set of firms.
---------------------------------------------------------------------------
III. Implementation
The proposed LFI rating system would provide a supervisory
evaluation of whether a firm possesses sufficient financial and
operational strength and resilience to maintain safe and sound
operations through a range of conditions. This proposed guidance builds
upon the proposed LFI rating system framework by providing additional
detail regarding supervisory expectations for a firm's management of
business lines and independent risk management and controls. For firms
that would be subject to the proposed LFI rating system, these
expectations would help inform the Federal Reserve's overall
supervisory evaluation, for purposes of the proposed LFI rating system,
of each firm's governance and controls to support the firm's financial
and operational strength and resilience, which would be reflected by
the governance and controls component rating under the proposed LFI
rating system.\9\
---------------------------------------------------------------------------
\9\ The Federal Reserve expects to finalize the proposed
guidance for use in assigning initial ratings under the LFI rating
system beginning in 2018. If the proposed LFI rating system were
finalized before this proposed guidance, the Federal Reserve would
use existing supervisory guidance to help inform its evaluation of
each firm's governance and controls for purposes of the proposed LFI
rating system, until such time that this proposed guidance is
finalized.
For firms that would be subject to this proposed guidance but
not subject to the proposed LFI rating system, this proposed
guidance would help inform the Federal Reserve's evaluation of the
firm's overall safety and soundness and the effectiveness of its
risk management practices.
---------------------------------------------------------------------------
The Federal Reserve would not expect to examine all of a firm's
business lines which are subject to this proposed guidance during a
single year. Instead, consistent with its current supervisory practice,
the Federal Reserve would use a risk-based approach to determine which
business lines of a firm to examine or review during the year. In
conducting its supervisory planning for an upcoming exam cycle, the
Federal Reserve would consider factors related to the potential for
weaknesses in a firm's governance and controls.\10\ Such factors would
include the size and complexity of the business line, recent
supervisory experience, the relative growth and maturity of the
business line, and significant changes to strategy, structure, or
management since the last
[[Page 1353]]
exam cycle. In order to minimize unnecessary duplication for firms
subject to this guidance, the Federal Reserve would, to the extent
possible, evaluate a firm's governance and controls in coordination
with other relevant Federal and state agencies, particularly the
primary regulators of the firm's insured depository institution
subsidiaries.
---------------------------------------------------------------------------
\10\ For supervisory planning purposes, the Federal Reserve may
reevaluate at any time which areas of a firm to examine or review,
as circumstances warrant.
---------------------------------------------------------------------------
IV. Objectives of the Proposed Guidance
The proposed guidance is intended to consolidate and clarify the
Federal Reserve's existing supervisory expectations regarding risk
management.\11\ In addition, the proposed guidance is designed to
delineate the roles and responsibilities for individuals and functions
related to risk management. It would complement the BE proposal by
aligning the attributes of senior management with those of an effective
board of directors. For instance, the BE proposal provides that an
effective board of directors sets the firm's strategy and risk
tolerance, and this proposal contemplates that the firm's senior
management implements the strategy and risk tolerance approved by the
board. In this way, the proposed guidance would better distinguish the
supervisory expectations for boards from those of senior management.
The proposal also defines the roles and responsibilities for various
individuals and functions within an organization that are accountable
for risk management, including a firm's senior management, business
line management, and independent risk management and audit functions.
Delineating roles and responsibilities for risk management should
enable the Federal Reserve to provide firms with more specific and
consistent supervisory feedback.
---------------------------------------------------------------------------
\11\ For firms subject to this proposed guidance, the proposed
guidance would supersede SR letter 95-51, ``Rating the Adequacy of
Risk Management Processes and Internal Controls at State Member
Banks and Bank Holding Companies.'' SR letter 95-51 was superseded
by SR letter 16-11 for state member banks, bank holding companies,
and savings and loan holding companies (including insurance and
commercial savings and loan holding companies) with less than $50
billion in total consolidated assets, and FBOs with consolidated
U.S. assets of less than $50 billion. See SR letter 16-11,
``Supervisory Guidance for Assessing Risk Management at Supervised
Institutions with Total Consolidated Assets Less than $50 Billion.''
---------------------------------------------------------------------------
V. Applicability
The proposed guidance would apply to domestic bank holding
companies with total consolidated assets of $50 billion or more;
savings and loan holding companies with total consolidated assets of
$50 billion or more; the combined U.S. operations of foreign banking
organizations (``FBOs'') with combined U.S. assets of $50 billion or
more; any state member bank subsidiaries of the foregoing; and
systemically important nonbank financial companies designated by FSOC
for supervision by the Board.\12\
---------------------------------------------------------------------------
\12\ As described in the proposed guidance, references to
``firm'' refer to all entities subject to this guidance, including
the combined U.S. operations of an FBO, unless the context requires
otherwise.
---------------------------------------------------------------------------
For FBOs, the proposed guidance would apply to an FBO's combined
U.S. operations, including branch and subsidiary operations. This scope
would be consistent with certain requirements of the Board's Regulation
YY, which requires, among other things, FBOs to establish a risk
management framework that covers both the U.S. branch and U.S. non-
branch subsidiary operations, establish a U.S. risk committee to
oversee the risks of the combined U.S. operations, and employ a chief
risk officer (``CRO'') based in the United States.\13\
---------------------------------------------------------------------------
\13\ 12 CFR 252.155. For an FBO, references to CRO mean the U.S.
CRO. Unlike this proposal, the BE proposal would not apply to the
U.S. operations of a foreign banking organization, due to concerns
of extraterritoriality and differences in organizational structure
and legal requirements in other jurisdictions. In the preamble to
the BE proposal, the Board stated that it was considering applying
that guidance to the boards of directors of U.S. intermediate
holding companies, and sought comment on that proposed application.
---------------------------------------------------------------------------
Given that an FBO's combined U.S. operations are part of a larger
global organization, the proposed guidance notes that certain elements
of an FBO's governance framework may be located outside of the United
States. In this event, the proposed guidance provides that these
elements should enable effective governance and risk management by the
U.S. senior management, the U.S. risk committee, and the intermediate
holding company (``IHC'') board (as applicable), and should facilitate
U.S. supervisors' ability to assess the adequacy of governance and
controls in the combined U.S. operations.
The proposed guidance also applies to nonbank financial companies
supervised by the Board and insurance or commercial savings and loan
holding companies with total consolidated assets of $50 billion or
more. The concepts set forth in the proposed guidance relate to
fundamental risk management practices that are applicable to all LFIs.
VI. Description of the Proposed Guidance
The proposed guidance is organized in three parts: (1) Core
principles of effective senior management; (2) core principles of the
management of business lines; and (3) core principles of IRM and
controls.
A. Core Principles of Effective Senior Management
The proposed guidance sets forth core principles of effective
senior management. Senior management is defined as the core group of
individuals directly accountable to the board of directors for the
sound and prudent day-to-day management of the firm. Under the board's
oversight, a firm's senior management is responsible for managing the
day-to-day operations of the firm and ensuring safety and soundness and
compliance with laws and regulations, including those related to
consumer protection, and internal policies and procedures. Two key
responsibilities of senior management are overseeing the activities of
the firm's business lines (individually and collectively) and the
firm's IRM and system of internal control. In addition to the general
expectations regarding senior management, the IRM and controls section
of the proposed guidance sets forth specific expectations for the CRO
and chief audit executive (``CAE''), as these individuals have specific
responsibilities related to IRM and internal audit, respectively.
The proposed guidance tailors the application of these expectations
for an FBO, given that the combined U.S. operations are part of a
larger global organization. For instance, the proposed guidance notes
that the risk tolerance for the combined U.S. operations may be
developed separately for the IHC and branch operations, respectively,
and notes that the strategy for the combined U.S. operations may mean
the manner in which the U.S. operations support the global strategy.
The proposal also notes that for an FBO, ``senior management'' can
refer to individuals located inside or outside the United States who
are accountable to the IHC board, U.S. risk committee, or global board
of directors with respect to the U.S. operations.\14\
---------------------------------------------------------------------------
\14\ To facilitate a full understanding by the FBO of risks
presented by the U.S. operations, the proposed guidance states that
senior management should fully understand U.S.-based risks and
communicate information on those risks to global management so that
U.S.-based risks are included in the aggregate risk assessment.
---------------------------------------------------------------------------
B. Core Principles of the Management of Business Lines
The proposed guidance sets forth core principles of the management
of business lines. Business line management is defined as the core
[[Page 1354]]
group of individuals responsible for the prudent day-to-day management
of the business line and who report directly to senior management.\15\
Business line management is expected to execute business line
activities consistent with the firm's strategy and risk tolerance,
identify and manage risk within the business line, provide sufficient
resources and infrastructure to the business line, ensure the business
line has the appropriate system of internal control, and ensure
accountability for operating within established policies and guidelines
and in accordance with laws and regulations, including those related to
consumer protection.
---------------------------------------------------------------------------
\15\ The proposed guidance defines a business line as a defined
unit or function of a financial institution, including associated
operations and support that provides related products or services to
meet the firm's business needs and those of its customers. This
definition would include units such as Corporate Treasury and IT
support. For an FBO, a business line would include all business
lines that are present in the United States.
---------------------------------------------------------------------------
For a LISCC firm, due to its size, risk profile, and systemic
importance of operations, the core principles of the management of
business lines would apply to all of the firm's business lines. For an
LFI that is not a LISCC firm, the core principles of the management of
business lines would apply to any business line where a significant
control disruption, failure, or loss event could result in a material
loss of revenue, profit, or franchise value, or result in significant
consumer harm.\16\ The proposed guidance uses slightly different
terminology than the proposed LFI rating system to describe the core
principles of the management of business lines. The proposed LFI rating
system referred to these principles as relating to the ``management of
core business lines.'' For a LISCC firm, ``core'' business lines were
defined to include all business lines, whereas for other LFIs, ``core''
business lines were defined to include any business line where a
significant control disruption, failure, or loss event could result in
a material loss of revenue, profit, or franchise value, or result in
significant consumer harm. Although this proposal uses the term
``management of business lines,'' the principles would apply to the
same business lines that were identified as ``core'' in the proposed
LFI rating system. The revised terminology is intended to simplify the
guidance.
---------------------------------------------------------------------------
\16\ Any business line of an LFI that is not a LISCC firm which
does not meet this definition (and thus would not be subject to the
core principles of the management of business lines included in Part
II of the proposed guidance) would be expected to maintain
appropriate risk management practices to ensure the firm's safety
and soundness. In addition, the supervisory expectations concerning
effective senior management oversight and IRM and controls described
in Parts I and III of the proposed guidance, respectively, would
apply across the entire firm. For example, supervisory expectations
regarding senior management's responsibility for maintaining and
implementing an effective risk management framework and ensuring
that the firm appropriately manages risk consistent with the firm's
strategy and risk tolerance extends to its management of the firm as
a whole, and not be limited to the individual business lines covered
by Part II of the proposed guidance.
---------------------------------------------------------------------------
The proposed guidance does not include specific expectations
regarding organizational structure at firms and states that business
line management may also serve as senior management. If business line
management is not part of senior management, business line management
is responsible for fully engaging senior management, so that senior
management can effectively carry out their responsibilities.
For an FBO, the proposed guidance acknowledges that a business line
in the United States may be part of a larger global business line and
clarifies that the guidance applies only to that portion of the
business conducted in the United States. The proposed guidance notes
that business line management should ensure that business line risks
are comprehensively captured, with consideration given to risks outside
of the United States that may impact the FBO's U.S. operations.\17\
---------------------------------------------------------------------------
\17\ Conversely, to ensure that risks of the U.S. operations are
appropriately communicated to global management, business line
management would be expected to provide sufficient information to
global management and escalate issues, as appropriate, to enable an
understanding of U.S. risk.
---------------------------------------------------------------------------
C. Core Principles of Independent Risk Management and Controls
The proposed guidance describes core principles of a firm's IRM and
controls, which refers to a firm's independent risk management
function, system of internal control, and internal audit function.\18\
The proposal sets forth responsibilities of the CRO and CAE, the
members of senior management responsible for IRM and internal audit,
respectively. As described in the proposed guidance, both the CRO and
CAE should have clear roles and responsibilities to establish and
maintain an IRM and internal audit function, respectively, that are
appropriate for the size, complexity, and risk profile of the firm.
---------------------------------------------------------------------------
\18\ The proposed guidance defines the term ``internal
controls'' as the policies, procedures, systems and processes
designed to provide reasonable assurance regarding: The
effectiveness and efficiency of operations; reliability of financial
reporting (including risk reporting); compliance with laws and
regulations (including those related to consumer protection); and
safeguarding of assets and information.
---------------------------------------------------------------------------
The proposed guidance describes expectations for a firm's IRM,
which include evaluating the firm's risk tolerance; establishing
enterprise-wide risk limits and monitoring adherence to those limits;
identifying, measuring, and aggregating risks; providing an independent
assessment of the firm's risk profile; and providing risk reports to
the board and senior management. The proposed guidance builds upon the
framework set forth in Regulation YY, which requires a firm to have an
independent risk management function.\19\
---------------------------------------------------------------------------
\19\ 12 CFR 252.33, 252.155. See also SR letter 12-17.
---------------------------------------------------------------------------
While IRM would be expected to evaluate the firm's risk tolerance,
the proposed guidance would not set the expectation that IRM would have
sole responsibility for the risk tolerance. Depending on a firm's
organizational structure, it may be appropriate for business line
management to provide input into the risk tolerance or drive its
development. The proposed guidance would assign responsibility for
enterprise-wide risk limits to IRM, but acknowledge that business line
management may develop its own limits for internal business line use
and may provide input to the risk limit-setting process defined by IRM.
However, the internal limits of a business line should not be less
stringent than the limits set by IRM because the IRM limits should be
the operative, formal, and binding limits across the firm.
For internal controls, the proposed guidance expands upon the
expectation for internal controls described in SR letter 12-17. As
described in the proposed guidance, a firm should identify its system
of internal control and demonstrate that that system is commensurate
with the firm's size, scope of operations, activities, risk profile,
strategy, and risk tolerance; demonstrate that it is consistent with
all applicable laws and regulations; regularly evaluate and test the
effectiveness of internal controls; and monitor the functioning of
controls so that deficiencies are identified and communicated in a
timely manner. The proposed guidance provides that developing and
maintaining effective internal controls is the responsibility of
several parties, including business line management.
The strength of a firm's internal audit practices are an important
consideration in the Federal Reserve's supervisory assessment of the
effectiveness of the firm's governance and controls. This proposed
guidance would not expand upon the Federal Reserve's expectations
[[Page 1355]]
for internal audit; instead the proposed guidance references existing
guidance.\20\
---------------------------------------------------------------------------
\20\ The Federal Reserve issued guidance outlining the key
components of an effective internal audit function in SR letter 03-
5, ``Amended Interagency Guidance on the Internal Audit Function and
its Outsourcing,'' and followed that with supplemental guidance in
SR letter 13-1/CA letter 13-1, ``Supplemental Policy Statement on
the Internal Audit Function and Its Outsourcing.''
---------------------------------------------------------------------------
VII. Request for Comments
The Board invites comments on all aspects of the proposed guidance,
including responses to the following questions:
(1) What considerations beyond those outlined in this proposal
should be considered in the Federal Reserve's assessment of whether an
LFI has sound governance and controls such that the firm has sufficient
financial and operational strength and resilience to maintain safe and
sound operations?
(2) How could the roles and responsibilities between the board of
directors set forth in the proposed board effectiveness guidance, and
between the senior management, business line management, and IRM be
clarified?
(3) What, if any, aspects of the structure and coverage of IRM and
controls should be addressed more specifically by the guidance?
(4) The proposal tailors expectations for FBOs, recognizing that
the U.S. operations are part of a larger organization. How could this
tailoring be improved?
(5) In what ways, if any, does the guidance diverge from industry
practice? How could the guidance better reflect industry practice while
facilitating effective risk management and controls? Are there any
existing standards for internal control frameworks to which the
guidance should follow more closely?
(6) Other supervisory communications have used the term ``risk
appetite'' instead of risk tolerance. Are the terms ``risk appetite''
and ``risk tolerance'' used interchangeably within the industry, and
what confusion, if any, is created by the terminology used in this
guidance?
(7) The proposal would adopt different terminology than is used in
the proposed LFI rating system, and the Board expects to align the
terminology so the element in the governance and controls component
would change from ``management of core business lines'' to ``management
of business lines.'' Does this proposal clearly explain this expected
change? Do commenters anticipate any impact from this change?
Paperwork Reduction Act
In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3501-3521) (``PRA''), the Board may not conduct or sponsor, and a
respondent is not required to respond to, an information collection
unless it displays a currently valid Office of Management and Budget
(``OMB'') control number. The Board reviewed the proposed supervisory
guidance under the authority delegated to the Board by OMB.
The proposed supervisory guidance contains a collection of
information subject to the PRA. Recordkeeping requirements are found in
the proposed guidance. Among expectations for business line management,
the proposed guidance states that business line management should
establish specific business and risk objectives for business lines, and
establish policies and guidelines that delineate accountability within
the business line. In addition, the proposed guidance sets expectations
for a firm's IRM function, including related to the scope of a firm's
risk limits and an expectation for written risk assessment that would
be provided to the senior management and, as appropriate, the board.
The proposed guidance also sets expectations for internal audit,
including an expectation for an internal audit risk assessment and
audit reports.
Comments are invited on:
a. Whether the collections of information are necessary for the
proper performance of the Board's functions, including whether the
information has practical utility;
b. The accuracy or the estimate of the burden of the information
collections, including the validity of the methodology and assumptions
used;
c. Ways to enhance the quality, utility, and clarity of the
information to be collected;
d. Ways to minimize the burden of the information collections on
respondents, including through the use of automated collection
techniques or other forms of information technology; and
e. Estimates of capital or startup costs and costs of operation,
maintenance, and purchase of services to provide information.
All comments will become a matter of public record. Comments on
aspects of this notice that may affect reporting, recordkeeping, or
disclosure requirements and burden estimates should be sent to:
Secretary, Board of Governors of the Federal Reserve System, 20th and C
Streets NW, Washington, DC 20551. A copy of the comments may also be
submitted to the OMB desk officer by mail to U.S. Office of Management
and Budget, 725 17th Street NW, #10235, Washington, DC 20503; facsimile
to (202) 395-6974; or email to [email protected], Attention,
Federal Banking Agency Desk Officer.
Proposed Information Collection
Report title: Governance and Controls Guidance.
Agency form number: FR 4204.
OMB control number: 7100-NEW.
Frequency: Annual.
Respondents: Domestic bank and savings and loan holding companies
with total consolidated assets of $50 billion or more, systemically
important nonbank financial companies designated by FSOC for
supervision by the Board, the U.S. operations of FBOs with combined
U.S. assets of $50 billion or more, and state member bank subsidiaries
of the foregoing.
Legal authorization and confidentiality: This information
collection is voluntary. The Board has determined that the collection
of information is authorized by section 5(c) of the Bank Holding
Company Act (12 U.S.C. 1844(c)), section 10(b) of the Homeowners' Loan
Act (12 U.S.C. 1467a(b)(4), section 113 of the Dodd-Frank Act (12
U.S.C. 5323). The information contained would be considered
confidential pursuant to exemption 8 of the Freedom of Information Act
(5 U.S.C. 552(b)(8)).
Estimated number of respondents: 56.
Estimated average hours per response: 3,872 hours initial setup,
560 hours for ongoing.
Estimated annual burden hours: 216,832 hours initial setup, 31,360
hours for ongoing.
Regulatory Flexibility Analysis
The Federal Reserve is providing an initial regulatory flexibility
analysis with respect to this proposal. While the proposed guidance is
not being adopted as a rule, the Federal Reserve has considered the
potential impact of the proposal on small banking organizations using
considerations that would apply if the Regulatory Flexibility Act, 5
U.S.C. 601 et seq. (``RFA'') were applicable. Based on the Board's
analysis and for the reasons stated below, the Board believes that the
proposed guidance will not have a significant economic impact on a
substantial number of small entities.
Under regulations issued by the Small Business Administration, a
small entity includes a depository institution, bank holding company,
or savings and loan holding company with assets of $550 million or less
(``small banking
[[Page 1356]]
organizations''). As of June 1, 2017, there were approximately 3,539
small banking organizations. As described above, the proposed guidance
would apply only to all bank holding companies with total consolidated
assets of $50 billion or more; state member banks of such bank holding
companies; all savings and loan holding companies with total
consolidated assets of $50 billion or more; systemically important
nonbank financial companies designated by FSOC for supervision by the
Federal Reserve; and the U.S. operations of FBOs with combined U.S.
assets of $50 billion or more. Small banking organizations would
therefore not be subject to the proposed guidance. As a result, the
proposed guidance should have any impact on small banking
organizations. In light of the foregoing, the Board believes that the
proposed guidance will not have a significant economic impact on small
banking organizations supervised by the Board.
Text for the Proposed Supervisory Guidance on Management of Business
Lines and Independent Risk Management and Controls for Large Financial
Institutions
Introduction
Governance and controls involves (i) the oversight of a firm by its
board of directors, (ii) management of business lines and independent
risk management (IRM) and controls, and (iii) for domestic Large
Institution Supervision Coordinating Committee (LISCC) firms only,
recovery planning. This guidance sets forth the second part of the
Federal Reserve's expectations for large financial institutions (LFIs
or firms)--core principles of the management of business lines and IRM
and controls. This guidance also builds upon supervisory guidance
previously issued by the Federal Reserve.\21\
---------------------------------------------------------------------------
\21\ See SR letter 12-17/CA letter 12-14, ``Consolidated
Supervision Framework for Large Financial Institutions.'' Other laws
and regulations set forth requirements for corporate governance and
risk management, including the risk and liquidity risk management
requirements in Regulation YY (12 CFR part 252).
---------------------------------------------------------------------------
Guidance related to the first part of governance and controls, the
oversight of a firm by its board of directors (BE Guidance), was
released earlier.\22\ It describes attributes of an effective board of
directors and distinguishes a board's responsibilities from those of a
firm's senior management.
---------------------------------------------------------------------------
\22\ See 82 FR 37219 (August 9, 2017) for the proposed
Supervisory Guidance on Board of Directors' Effectiveness for
Domestic Bank and Savings and Loan Holding Companies With Total
Consolidated Assets of $50 Billion or More (Excluding Intermediate
Holding Companies of Foreign Banking Organizations Established
Pursuant to the Federal Reserve's Regulation YY), and Systemically
Important Nonbank Financial Companies Designated by the Financial
Stability Oversight Council for Supervision by the Federal Reserve.
---------------------------------------------------------------------------
Like the BE Guidance, the supervisory expectations described in
this guidance regarding the management of business lines and IRM and
controls would help inform the Federal Reserve's overall supervisory
evaluation of a firm's governance and controls to support the firm's
financial and operational strength and resilience. Among other factors,
this evaluation would be an input to the governance and controls
component rating under the proposed LFI rating system.\23\
---------------------------------------------------------------------------
\23\ See 82 FR 39049 (August 17, 2017) for the proposed large
financial institutions rating system (LFI rating system). For firms
that would be subject to this guidance but not subject to the
proposed LFI rating system, this guidance would help inform the
Federal Reserve's evaluation of the firm's overall safety and
soundness and the effectiveness of its risk management practices.
---------------------------------------------------------------------------
I. Applicability
The guidance applies to domestic bank holding companies (BHCs) and
domestic savings and loan holding companies with total consolidated
assets of $50 billion or more, the combined U.S. operations of foreign
banking organizations (FBOs) with combined U.S. assets of $50 billion
or more, and any state member bank subsidiaries of the foregoing. The
guidance also applies to systemically important nonbank financial
companies designated by the Financial Stability Oversight Council
(FSOC) for supervision by the Board.
Application to Foreign Banking Organizations
Regulation YY requires FBOs with combined U.S. assets of $50
billion or more to maintain a U.S. risk committee to oversee the risk
management framework of the combined U.S. operations.\24\ Regulation YY
also requires FBOs with U.S. non-branch assets of $50 billion or more
to establish an intermediate holding company (IHC), which is governed
by a board of directors or managers with equivalent rights, powers,
privileges, duties, and responsibilities to those of a board of
directors of a domestic corporation.\25\ The Federal Reserve's
expectations for governance of the combined U.S. operations of an FBO
are generally consistent with its expectations for governance of large
domestic firms and, in this guidance, a reference to ``firm'' should be
taken also as a reference to the combined U.S. operations of an FBO,
unless the context requires otherwise. Given that an FBO's combined
U.S. operations are part of a larger global organization, the Federal
Reserve anticipates that certain elements of an FBO's governance
framework may be located outside of the United States. In this event,
these elements should enable effective governance and risk management
by the U.S. senior management, the U.S. risk committee, and the IHC
board (as applicable), and should facilitate U.S. supervisors' ability
to assess the adequacy of governance and controls in the combined U.S.
operations.
---------------------------------------------------------------------------
\24\ 12 CFR 252.155(a).
\25\ 12 CFR 252.153(a)(2)(ii).
---------------------------------------------------------------------------
Core Principles of Effective Senior Management, Management of Business
Lines, and Independent Risk Management (IRM) and Controls
This guidance sets forth core principles of effective senior
management, the management of a firm's business lines \26\ and IRM and
controls.\27\
---------------------------------------------------------------------------
\26\ For a LISCC firm, due to its size, risk profile, and
systemic importance, the guidance would apply to all of the firm's
business lines. For an LFI that is not a LISCC firm, the
expectations for management of business lines would apply only to
business lines where a significant control disruption, failure, or
loss event would result in a material loss of revenue, profit, or
franchise value, or result in significant consumer harm. Other
business lines of these firms which do not meet that definition
would be expected to maintain appropriate risk management practices
to ensure the firm's safety and soundness. The expectations included
in this guidance relating to effective senior management oversight
and IRM and controls would apply across the entire firm, and are not
limited to the individual business lines that are subject to the
expectations concerning the management of business lines.
\27\ IRM and controls refers to a firm's independent risk
management function, system of internal control, and internal audit
function.
---------------------------------------------------------------------------
I. Core Principles of Effective Senior Management
Principle: Senior management is responsible for managing the day-to-day
operations of the firm and ensuring safety and soundness and compliance
with internal policies and procedures, laws, and regulations, including
those related to consumer protection.
Under the board's oversight, a firm's senior management is
responsible for managing the day-to-day operations of the firm, and for
ensuring safety and soundness and compliance with internal policies and
procedures, laws, and regulations, including those related to consumer
protection.\28\ Two key
[[Page 1357]]
responsibilities of senior management are overseeing the activities of
the firm's business lines (individually and collectively) and the
firm's IRM and controls.
---------------------------------------------------------------------------
\28\ The term ``senior management'' refers to the core group of
individuals directly accountable to the board of directors for the
sound and prudent day-to-day management of the firm. For an FBO,
``senior management'' can refer to individuals located inside or
outside the United States who are accountable to the IHC board, U.S.
risk committee, or global board of directors with respect to the
U.S. operations.
``Board'' or ``board of directors'' also refers to committees of
the board of directors, as appropriate.
---------------------------------------------------------------------------
Senior management is responsible for implementing the firm's
strategy and risk tolerance approved by the board.\29\ Senior
management should implement the strategic and risk objectives across
the firm to support the firm's long-term resiliency and safety and
soundness, including the firm's ability to withstand the impact of a
range of stressed conditions.\30\ Senior management should ensure the
firm's infrastructure, staffing, and resources are sufficient to carry
out the firm's strategy and manage the firm's activities in a safe and
sound manner, and in compliance with applicable laws and regulations,
including those related to consumer protection, as well as policies,
procedures, and limits. Senior management should also identify when
there is a risk that the firm's activities collectively may deviate
from the firm's strategy and risk tolerance and escalate such instances
to the board of directors.
---------------------------------------------------------------------------
\29\ See 82 FR 37219 (August 9, 2017). ``Risk tolerance'' is
defined as the aggregate level and types of risk the board and
senior management are willing to assume to achieve the firm's
strategic business objectives, consistent with applicable capital,
liquidity, and other requirements and constraints.
For an FBO, the U.S. risk committee should approve the risk
tolerance for the combined U.S. operations (which may be developed
separately for the IHC and branch operations, respectively). The
strategy for the combined U.S. operations may mean the manner in
which the U.S. operations support the global strategy.
\30\ Risk objectives are the level and type of risks a business
line plans to assume in its activities relative to the level and
type specified in the firmwide risk tolerance. For example, a
residential mortgage business unit should specify the level and type
of credit risk, interest-rate risk, or other risks it plans to
assume in its activities relative to the level and type specified in
the risk tolerance.
---------------------------------------------------------------------------
Senior management is responsible for maintaining and implementing
an effective risk management framework and ensuring the firm
appropriately manages risk consistent with its strategy and risk
tolerance.\31\ This includes establishing clear responsibilities and
accountability for the identification, measurement, management, and
control of risk. Senior management is responsible for promoting and
enforcing prudent risk-taking behaviors and business practices,
including through the firm's compensation and performance management
programs. Senior management is responsible for developing and
maintaining the firm's policies and procedures and system of internal
control, commensurate with the firm's size, scope of operations,
activities, and risk profile, to ensure compliance with laws and
regulations, including those related to consumer protection, and
consistency with supervisory expectations.\32\ Senior management should
also periodically assess the risk management framework as a whole to
ensure that the framework remains comprehensive and appropriate and has
kept pace with changes in the business line's products, services, and
activities as well as changes in economic conditions and the broader
market environment.
---------------------------------------------------------------------------
\31\ For FBOs, regardless of whether a firm's senior management
resides in the United States, senior management should fully
understand the risks of U.S operations and communicate information
on the risks of combined U.S. operations to global management so
that these risks are included in the aggregate risk assessment of
the global organization. Further, senior management with authority
over budgeting or strategy for the combined U.S. operations should
allocate appropriate resources and expertise to meet the
expectations of this guidance.
\32\ The term ``internal controls'' refers to the policies,
procedures, systems and processes designed to provide reasonable
assurance regarding: The effectiveness and efficiency of operations;
reliability of financial reporting (including risk reporting);
compliance with laws and regulations (including those related to
consumer protection); and safeguarding of assets and information.
---------------------------------------------------------------------------
Senior management should ensure effective communication and
information sharing across the entire firm. Senior management should
also address any impediments to the effective flow of information,
including those that could result in decisions being made or actions
being taken in isolation.
In overseeing the firm's day-to-day operations, senior management
should base its decisions and actions, as well as its communications
with the board, on a full understanding of the firm's risks and
activities. Therefore, senior management should have in place robust
mechanisms for:
Keeping apprised of drivers and trends related to current
and emerging risks, material limit breaches, and other material issues;
Maintaining and assessing the firm's system of internal
control;
Staying informed about material deficiencies and
limitations in risk management and control practices, and ensuring that
such deficiencies are remediated in a timely fashion;
Assessing the potential impact of the firm's activities
and risk positions on the firm's capital,\33\ liquidity, and overall
risk profile;
---------------------------------------------------------------------------
\33\ References to ``capital'' in this section are not
applicable to branches or agencies of an FBO.
---------------------------------------------------------------------------
Assessing the firm's financial and nonfinancial
performance relative to the firm's strategy and risk objectives;
Maintaining robust management information systems to
support oversight of the firm's activities and risk positions, and to
provide information to the board; and
Maintaining current succession and contingency staffing
plans for key positions.
Senior management is responsible for providing timely, useful, and
accurate information to the board. Senior management should also be
responsive to direction from the board and to the board's informational
needs. Further, senior management is responsible for ensuring
resolution of risk management issues (including those identified by the
firm and outstanding supervisory matters), escalating issues to the
board, and communicating issues internally when appropriate. Senior
management should regularly report to the board on responses to, and
remediation of, material audit and supervisory findings, risk
management and control deficiencies, material compliance issues
(including those related to consumer protection), and the outcomes of
risk reviews which may result in remedial actions.
II. Core Principles of the Management of Business Lines
This section sets forth core principles of the management of
business lines, including critical operations.\34\ As used in this
guidance, business line management refers to the core group of
individuals responsible for prudent day-to-day management of a business
line and accountable to senior management for that responsibility.\35\
---------------------------------------------------------------------------
\34\ A business line is a defined unit or function of a
financial institution, including associated operations and support
that provides related products or services to meet the firm's
business needs and those of its customers. Under certain
organizational structures, a business line may cross legal entities
or geographic jurisdictions.
``Critical operations'' are those operations, including
associated services, functions and support, the failure or
discontinuance of which, in the view of the firm or the Federal
Reserve, would pose a threat to the financial stability of the
United States. All of the expectations for the management of
business lines apply to critical operations.
\35\ Depending on a firm's organizational structure, business
line management may or may not be members of senior management. If
management of a business line is not a member of senior management,
business line management is responsible for fully engaging senior
management, so that senior management can effectively carry out its
responsibilities.
---------------------------------------------------------------------------
For a LISCC firm, due to its size, risk profile, and systemic
importance, these principles apply to all of the firm's business lines.
For an LFI that is not a LISCC firm, these principles apply to
[[Page 1358]]
any business line in which a significant control disruption, failure,
or loss event could result in a material loss of revenue, profit, or
franchise value, or result in significant consumer harm.
A business line may cross legal entities or geographic
jurisdictions. In instances where a business line of an FBO is part of
a larger business conducted outside of the United States, expectations
apply only to the portion of that business conducted in the United
States.\36\
---------------------------------------------------------------------------
\36\ Business line management of the U.S. operations should
ensure that business line risks are captured comprehensively with
consideration given to risks outside the United States that may
impact the FBO's combined U.S. operations. Moreover, business line
management should provide sufficient information to global
management and escalate issues, as appropriate, to enable an
understanding of the risks from the combined U.S. operations.
---------------------------------------------------------------------------
This section is organized as follows:
A. Implementation and Execution of Strategy and Risk Tolerance
B. Risk Identification and Risk Management
C. Resources and Infrastructure
D. Business Controls
E. Accountability
A. Implementation and Execution of Strategy and Risk Tolerance
Principle: Business line management should execute business line
activities consistent with the firm's strategy and risk tolerance.
Business line management should establish specific business and
risk objectives for each business line that align with the firmwide
strategy and risk tolerance. Business line management should inform
senior management when the business line's risk management capabilities
are insufficient to achieve those business and risk objectives. In
addition, during the strategic planning process with senior management,
business line management should clearly present the risks emanating
from the business line's activities. Business line management should
explain how those risks are managed and align with the firm's risk
tolerance.
Business line management should provide information to senior
management regarding the business line's current and potential risk
profile and its alignment with the firm's risk tolerance. Information
reported should enable senior management to make critical decisions
about the business line's strategic direction and risks.
B. Risk Identification and Risk Management
Principle: Business line management should identify, measure, and
manage the risks associated with the business activities under a broad
range of conditions, incorporating input from IRM.\37\
---------------------------------------------------------------------------
\37\ As noted in the Independent Risk Management and Controls
section below, IRM is responsible for conducting a separate,
objective, critical assessment of risks and risk-taking across the
entire firm, separate from the business line's risk management
activities.
Business line management should identify, measure, and manage
current and emerging risks that stem from the business line's
activities and changes to external conditions.\38\ Where it is
difficult to assess risks quantitatively, business line management
should still assess the impact of those risks, such as through
qualitative means. These risks should include significant exposures and
activities, both on-balance and off-balance sheet, and any other
potential sources of risk related to the business line's activities.
Business line management should incorporate appropriate feedback from
IRM on business line risk positions, implementation of the risk
tolerance, and risk management practices, including risk mitigation.
---------------------------------------------------------------------------
\38\ Emerging risks include those that have yet to create a
material impact or would only arise during stressful or unlikely
circumstances. The risk assessment should include all relevant
risks, both financial and non-financial, including compliance risk.
---------------------------------------------------------------------------
In measuring risks, business line management should consider the
size and risk characteristics of the business line's exposures and
business activities. Business line management should aggregate risks,
including by business activities or products. For instance, management
of a large commercial lending business line should understand risks
affecting the business line as a whole, and also within segments of the
business line, such as large corporate exposures, commercial real
estate loans, and small business lending.
The activities of a business line should remain within risk limits
established by IRM.\39\ Business line management should consult with
senior management before allowing any exceptions to risk limits.\40\
This consultation should culminate in a well-supported decision by
management to accept the risk or reduce its risk exposure. Business
line management should subject any exceptions to risk limits to the
firm's formal approval process. A business line may need to employ risk
mitigation strategies to remain aligned with the firmwide strategy and
risk tolerance.
---------------------------------------------------------------------------
\39\ Business line management may develop its own limits for
internal business line use and may provide input to the risk limit-
setting process defined by IRM. However, the internal limits of a
business line should not be less stringent than the limits set by
IRM because the limits set by IRM should be the operative, formal,
and binding across the firm.
\40\ Business line management should evaluate breaches of risk
limits to determine whether a breach represents a weakness in the
monitoring or limits framework for the business lines, and take
appropriate remedial action.
---------------------------------------------------------------------------
A firm should have policies and procedures for vetting new business
products and initiatives. Risks from new businesses should be
identified and captured in risk management governance, infrastructure,
compliance, and processes before commencing the new business. Business
line management should escalate to senior management any required
changes or modifications to risk management systems or internal control
policies and procedures arising from the adoption of a new business or
initiative. Additionally, growth in the new business should be
consistent with the firm's risk management capabilities.
C. Resources and Infrastructure
Principle: Business line management should provide a business line with
the resources and infrastructure sufficient to manage the business
line's activities in a safe and sound manner, and in compliance with
applicable laws and regulations, including those related to consumer
protection, as well as policies, procedures, and limits.
Business line management should provide a business line with
sufficient resources and infrastructure to meet strategic objectives
while maintaining financial and operational strength and resilience
over a range of operating conditions, including stressful ones.\41\
Sufficient resources and infrastructure include personnel with
appropriate training and expertise and management information systems.
Business line management should inform senior management if the
business line's resources and infrastructure are insufficient to meet
its business objectives.
---------------------------------------------------------------------------
\41\ ``Financial strength and resilience'' is defined as
maintaining effective capital and liquidity governance and planning
processes, and sufficiency of related positions, to provide for
continuity of the consolidated organization and its core business
lines, critical operations, and banking offices through a range of
conditions.
``Operational strength and resilience'' is defined as
maintaining effective governance and controls to provide for
continuity of the consolidated organization and its core business
lines, critical operations, and banking offices, and promote
compliance with laws and regulations, including those related to
consumer protection, through a range of conditions.
---------------------------------------------------------------------------
Business line management should ensure that the business line's
[[Page 1359]]
infrastructure is sound and appropriate for the intended specific
business activities and that management information systems are
sufficiently flexible to produce ad hoc and more frequent reporting
when necessary. Business line management should address any gaps or
weaknesses identified in the existing infrastructure and escalate to
senior management if appropriate.
Business line management should ensure that the business line has:
Clearly defined staff roles and responsibilities for key
positions, as well as management reporting lines;
Appropriate separation of duties and internal controls for
effectively managing risk associated with its business strategy;
Staff with skills and experience commensurate with the
business line's activities and risks; and
Succession and contingency plans for key positions.
Business line management should provide training and development to
its staff to ensure sufficient knowledge of business line activities;
compliance, operations and risk management processes; controls; and
business continuity. Business line management should reinforce balanced
risk-taking and provide incentives for appropriate behaviors through
talent management processes, compensation arrangements, and other
performance management processes.
D. Business Controls
Principle: Business line management should ensure that the internal
control system is effective for the business line operations.
Business line management should develop and maintain an effective
system of internal control for its business line that helps to ensure
compliance with laws and regulations, including those related to
consumer protection, and supports effective risk management.\42\ For
example, a business line's system of internal control should include
access controls, change controls, and data integrity controls,
including data reconciliations, variance analysis, and data quality
logic checks. The system of internal control for a business line should
be commensurate with the business line's size, scope of operations,
activities, and risk profile. A comprehensive system of internal
control includes policies, procedures, systems, and processes specific
to the business line.
---------------------------------------------------------------------------
\42\ In developing and maintaining its system of internal
control, a business line may use the internal controls that are in
place across the firm.
---------------------------------------------------------------------------
Business line management should regularly test to ensure the
controls within its business line are functioning as expected and are
effective in managing risks. More frequent testing is appropriate for
key controls, or controls that have undergone a material change.
Business line management should ensure that deficiencies in control
design and operating effectiveness are remediated. Business line
management should provide periodic reports on the operation of controls
to senior management and escalate to senior management material
internal control deficiencies and any systematic control violations.
Finally, business line management should reassess all key controls
periodically to ensure relevancy and alignment with current approved
policies.
E. Accountability
Principle: Business line management and staff are accountable for
operating within established policies and guidelines, and acting in
accordance with applicable laws, regulations, and supervisory guidance,
including those related to consumer protection.
Business line management should establish policies and guidelines
that specify accountability, set forth clear lines of management
authority within the business line, and clearly align desired behavior
with the firm's performance management incentives. Business line
management should hold their staff accountable to the extent behavior
that is inconsistent with the board and senior management directives
and inform senior management as appropriate. Business line management
should ensure that training for new and existing employees explicitly
addresses and emphasizes the importance of professional conduct and
compliance with laws and regulations, including those related to
consumer protection.
Business line management should have ongoing and effective means to
prevent, detect, and remediate risk management and compliance failures
of business line policies and procedures, as well as policies and
limits established by the firm's senior management. Business line
management should develop processes with indicators and early warning
mechanisms to facilitate timely detection of existent and potential
issues. Business line management should actively supervise employees in
light of the firm's policies and guidelines.
III. Core Principles of Independent Risk Management and Controls
There are three key areas covered in this section: (1) IRM, which
provides an objective, critical assessment of risks and evaluates
whether a firm remains aligned with its stated risk tolerance; (2) a
system of internal control to guide practices, provide appropriate
checks and balances, and confirm quality of operations; and (3)
internal audit, which provides independent assessments of the
effectiveness of the risk management framework and the system of
internal control.
This section is organized as follows:
A. Governance, Independence, and Stature
1. Chief Risk Officer (CRO)
2. Chief Audit Executive (CAE)
B. Independent Risk Management
1. Risk Tolerance and Limits
2. Risk Identification, Measurement, and Assessment
3. Risk Reporting
C. Internal Controls
D. Internal Audit
Except for the roles of the CRO and the CAE, this guidance does not
purport to prescribe in detail the governance structure for a firm's
IRM and controls. Senior management should establish and maintain clear
lines of responsibility and accountability so that activities are
conducted in a manner that satisfies supervisory expectations.
Supervisory expectations related to independent risk management
apply to the U.S. CRO and the U.S. risk committee of an FBO for the
combined U.S. operations in the same manner as these expectations apply
to the CRO and risk committee of a domestic holding company. For an
FBO, the internal audit function for the combined U.S. operations
should have appropriate independent oversight of those.
A. Governance, Independence, and Stature \43\
---------------------------------------------------------------------------
\43\ ``Stature'' refers to the ability and authority to
influence decisions and effect change throughout the organization,
procure resources necessary to carry out responsibilities, escalate
issues as needed to senior management and the board, and observe or
participate on relevant management committees.
---------------------------------------------------------------------------
1. Chief Risk Officer
Principle: The CRO should establish and maintain IRM that is
appropriate for the size, complexity, and risk profile of the firm.
The Board's Regulation YY requires certain firms to have a CRO with
sufficient capability and experience in identifying, assessing, and
managing risk exposures of large, complex
[[Page 1360]]
financial institutions.\44\ To promote the stature and independence of
IRM, the CRO must report directly to the board's risk committee as well
as to the CEO.\45\ The CRO also must provide reports to the board's
risk committee at least quarterly.\46\
---------------------------------------------------------------------------
\44\ 12 CFR 252.33(b); 12 CFR 252.155(b). For an FBO, references
to CRO and risk committee mean the U.S. CRO and U.S. risk committee
required under 12 CFR 252.155.
\45\ 12 CFR 252.33(b)(3)(ii). For an FBO, the U.S. CRO must
report to the U.S. risk committee and the global CRO or equivalent
management official(s) who is responsible for overseeing the
implementation of and compliance with policies and procedures
relating to risk management governance, practices, and risk controls
of the FBO (unless the Federal Reserve approves an alternate
reporting structure). 12 CFR 252.155(b)(3).
\46\ 12 CFR 252.33(a)(3)(v). This requirement does not apply to
the U.S. CRO of an FBO.
---------------------------------------------------------------------------
As part of overseeing IRM, the CRO should guide IRM to establish
and monitor compliance with enterprise-wide risk limits, identify and
aggregate the firm's risks, assess the firm's risk positions relative
to the parameters of the firm's risk tolerance, and provide relevant
risk information to senior management and the board. The CRO should
also oversee communication of the firm's risk limits to the board and
relevant firm management and staff.
The CRO should inform the board if his or her stature,
independence, or authority is not sufficient to provide objective and
independent assessments of the firm's risks, risk management
activities, and system of internal control.\47\ Further, the CRO should
be included in discussions with other senior management and the board
related to key decisions such as strategic planning and capital and
liquidity planning. The CRO should also provide input to the board on
incentive compensation plan design and effectiveness.
---------------------------------------------------------------------------
\47\ Other officers of the firm may oversee portions of
functions involved in risk management and control activities.
---------------------------------------------------------------------------
The CRO should escalate issues to senior management and the board
when activities or practices at the firmwide, risk-specific, and
business-line level do not align with the firm's overall risk
tolerance. For example, the CRO should report concerns to the board's
risk committee if the firm does not have sufficient risk management
capacity to enter into a proposed merger or new product line and
promote the taking of appropriate actions, as warranted. The CRO should
recommend constraints on risk-taking and enhancements to risk
management practices to senior management and the board. The CRO or IRM
should be involved in any proposal to waive or make exceptions to
established risk limits, including on a temporary basis, should provide
an assessment of any such proposal, and should escalate the proposal to
the board of directors as appropriate. The necessary level of approval
within IRM and escalation should be clearly articulated in policies and
procedures and commensurate with the nature of the risk limit.
The CRO should support the independence of IRM from the business
lines by establishing clearly defined roles and responsibilities, and
reporting lines. The CRO should periodically assess whether IRM has
appropriate staffing and systems; sufficient understanding of the risks
and business activities being evaluated; and sufficient authority to
identify and escalate material or persistent risk management and
control deficiencies and to challenge senior management and business
line management when warranted.
2. Chief Audit Executive
Principle: The CAE should have clear roles and responsibilities to
establish and maintain an internal audit function that is appropriate
for the size, complexity and risk profile of the firm.
A firm should have a CAE, appointed by the board, with sufficient
capability, experience, independence and stature to manage the internal
audit function's responsibilities appropriate to the size and
complexity of the firm.\48\ The CAE should effectively manage all
aspects of internal audit work on an ongoing basis, including any
internal audit work that is outsourced. The CAE should have the
authority to oversee all internal audit activities and to hire internal
audit staff with sufficient capability and stature. Under the direction
of the CAE, the internal audit function performs independent
assessments of the effectiveness of the firm's system of internal
control and the risk management framework. The CAE should report
findings, issues, and concerns to the board's audit committee and
senior management.
---------------------------------------------------------------------------
\48\ See SR letter 13-1/CA letter 13-1, ``Supplemental Policy
Statement on the Internal Audit Function and Its Outsourcing.''
---------------------------------------------------------------------------
B. Independent Risk Management \49\
---------------------------------------------------------------------------
\49\ Independent risk management is comprised of a range of risk
management functions. For example, firms should have an independent
compliance risk management function that establishes a firmwide
compliance risk management program and delineates responsibilities
for managing compliance risk. See SR letter 08-08/CA letter 08-11,
``Compliance Risk Management Programs and Oversight at Large Banking
Organizations with Complex Compliance.'' The structure and reporting
lines for such an independent compliance risk management function
may vary across firms.
---------------------------------------------------------------------------
1. Risk Tolerance and Limits
Principle: IRM should evaluate whether the firm's risk tolerance
appropriately captures the firm's material risks and confirm that the
risk tolerance is consistent with the capacity of the risk management
framework.
IRM should provide input into and evaluate the firm's risk
tolerance to ensure that it appropriately captures the firm's material
risks and aligns with the firm's strategy and the corresponding
business activities.\50\ In addition, IRM should evaluate whether the
risk tolerance:
---------------------------------------------------------------------------
\50\ The development and ongoing update of a firm's risk
tolerance is an iterative process, meaning that several parties
provide input on a continual basis. IRM's input into and evaluation
of the risk tolerance should fit into this overall process and may
occur at several different stages.
---------------------------------------------------------------------------
Addresses risks under normal and stressed conditions and
considers changes in the risk environment;
Includes risks associated with the firm's revenue
generating activities, as well as other aspects of risks inherent to
the business, such as compliance, information technology, and
cybersecurity;
Incorporates realistic risk and reward assumptions that,
for example, do not overestimate expected returns from business
activities or underestimate risks associated with business activities;
and
Guides the firm's risk-taking and risk mitigation
activities.
IRM should determine whether the firm's risk profile is consistent
with the firm's risk tolerance and assess whether the firm's risk
management framework has the capacity to manage the risks outlined in
the risk tolerance. Specifically, IRM should determine whether there
are sufficient resources and infrastructure in the relevant areas of
the firm to properly identify, manage, and report the risks associated
with the business strategies outlined in the risk tolerance, including
during stressful or unanticipated conditions.
Principle: IRM should establish enterprise-wide risk limits consistent
with the firm's risk tolerance and monitor adherence to such limits.
Under direction of the CRO, IRM should establish enterprise-wide
risk limits that are consistent with the firm's risk tolerance for the
firm's full set of risks, including risks associated with revenue
generating activities and those inherent to the business. Risk limits
should be assigned to specific risk types, business lines, legal
entities, jurisdictions, geographic areas, concentrations, products or
activities,
[[Page 1361]]
commensurate with the firm's risk profile. For example, risk limits can
cover single counterparty credit exposures, funding concentrations,
country exposures, or subprime lending activities. Risk limits should
be clear, relevant, and current. IRM should create lower-level risk
limits, such as for an individual business line, based on the
enterprise-wide risk limits.
Risk limits should be quantitative and qualitative. For instance,
quantitative limits can be set relative to earnings, assets,
liabilities, capital, liquidity, or other relevant benchmarks. IRM
should set qualitative limits--such as an expert assessment to
constrain business in a given country--as a proxy for risks or aspects
of risks that are more difficult to quantify. Risk limits should
include explicit thresholds that, if crossed, strictly prohibit the
activity generating the risk.
To the extent possible, risk limits should:
Consider the range of possible external conditions facing
the firm over a period of time;
Consider the aggregation and interaction of risks across
the firm;
Be consistent with the firm's financial resources, such as
available capital and liquidity, as well as with non-financial aspects,
such as managerial, technological, and operational resources; and
Reinforce compliance with laws and regulations, including
those related to consumer protection, and consistency with supervisory
expectations.
IRM should monitor and update risk limits as appropriate,
especially as the firm's risk tolerance is updated, the firm's risk
profile changes, or external conditions change. IRM should also
identify significant trends in risk levels to evaluate whether risk-
taking and risk management practices are consistent with the firm's
strategic objectives. IRM should escalate to senior management any
material breaches of the firm's enterprise-wide risk limits and risk
tolerance, as well as instances where IRM's conclusions differ from the
conclusions of a business line.
2. Risk Identification, Measurement, and Assessment
Principle: IRM should identify and measure the firm's risks.
IRM's activities are conducted in addition to business line risk
management activities described above and should provide an objective,
critical perspective of a firm's risks. IRM should identify and measure
current and emerging risks within and across business lines and risk
types, as well as any other relevant perspectives, such as by legal
entity or jurisdiction. Where it is difficult to assess risks
quantitatively, IRM should still assess the impact of those risks, such
as through qualitative means. IRM should conduct its risk
identification and measurement work on an ongoing basis to reflect any
changes in exposures, business activities, and the broader operating
environment, including changes in law and supervisory expectations.
IRM should identify risk types, including credit, market,
operational, liquidity, interest rate, legal, compliance and related
risks (such as consumer protection and Bank Secrecy Act/anti-money
laundering). IRM should establish minimum internal standards for all of
its risk identification and measurement practices to ensure consistent
quality across different risks. IRM's standards should include both
quantitative and qualitative elements, with the latter especially
important for risks or aspects of risks that are more difficult to
quantify. The standards at a firm should be dynamic, inclusive, and
comprehensive.
To conduct effective risk identification and measurement, IRM
should have access to timely, reliable, and comprehensive information
about all risk-related exposures and activities in the firm. This
should include emerging or potential sources of risk. IRM should seek
input across the firm in identifying risks. IRM may utilize information
collected or used from business lines; however, IRM should not rely on
business line information exclusively. IRM staff should also draw upon
external information, such as peer data or market information, to
supplement their assessments.
IRM should regularly measure identified risks under both normal and
stressful operating conditions. In measuring risks, IRM should consider
the size and risk characteristics of the firm's exposures and business
activities. Within each risk type, IRM should rely on a range of
metrics and use measures appropriate to different risk types.
Principle: IRM should aggregate risks and provide an independent
assessment of the firm's risk profile.
IRM should aggregate risks across the entire firm and assess those
risks relative to the firm's risk tolerance.\51\ IRM should identify
material or critical concentrations of risks and assess the likelihood
and potential impact of those risks on the firm. Further, IRM should
identify activities or exposures that have related risk factors and
assess the combined impact of those risk factors on the firm. IRM
should assess risk information along different meaningful dimensions at
a more granular level than firmwide, such as by business line,
geographic regions, obligors, counterparties, and products, to
determine how those impact the firm's risk profile.
---------------------------------------------------------------------------
\51\ For example, IRM should be able to aggregate all retail
credit risk across the firm's different consumer business lines
(such as credit cards, residential mortgages, and auto lending).
---------------------------------------------------------------------------
IRM should conduct risk assessments using information from risk
identification, measurement, and aggregation to determine the impact of
risks on the firm and to inform senior management and the board about
the suitability of risk positions relative to risk limits and the risk
tolerance. IRM should assess risks and risk drivers within and across
business lines and risk types, as well as any other material
perspectives, such as by legal entity or jurisdiction. Further, IRM
should analyze any assumptions related to risk diversification. IRM
also should assess risk mitigation strategies, including the
effectiveness of such mitigation in a range of circumstances, and
recommend alternatives if concerns arise.
IRM should identify information gaps, uncertainties, and
limitations in risk assessments for senior management, and as
appropriate, for the board. For instance, in analyzing a new product
area or business line, IRM should acknowledge areas of insufficient
information that limit a complete assessment of the risks and provide a
measured implementation plan to obtain the necessary information.
3. Risk Reporting
Principle: IRM should provide the board and senior management with risk
reports that accurately and concisely convey relevant, material risk
data and assessments in a timely manner.
Risk reporting should be comprehensive, useful, accurate, and
timely. Risk reporting should cover current and emerging risk and
adherence to risk limits and risk concentrations as well as the firm's
ongoing strategic, capital, and liquidity planning processes. Risk
reporting should enable prompt escalation and remediation of material
problems; enhance appropriate and timely responses to identified
problems; provide current and forward-looking perspectives; and support
or influence strategic decision-making. Risk reporting should provide
information on aggregate risks within and across business lines and
risk types, as well as by legal entity or jurisdiction and significant
concentrations.
Risk reporting should be tailored to meet the differing information
needs of
[[Page 1362]]
the board, senior management, and others within the firm. The frequency
of reporting should depend on needs of the firm and the materiality of
the issues. Risk reporting should adapt to market downturns or stress
events.
C. Internal Controls
Principle: A firm should identify its system of internal control and
demonstrate that it is commensurate with the firm's size, scope of
operations, activities, risk profile, strategy, and risk tolerance, and
consistent with all applicable laws and regulations, including those
related to consumer protection.
Internal controls cover a wide range of activities and processes,
and could include the following: \52\
---------------------------------------------------------------------------
\52\ See SR letter 03-5, ``Amended Interagency Guidance on the
Internal Audit Function and its Outsourcing.''
---------------------------------------------------------------------------
Policies and procedures that set expectations for and
govern the firm's business activities and support functions; establish
appropriate levels of authority, responsibility, and accountability for
overseeing and executing the firm's activities; and establish standards
for prudent risk-taking behaviors.
Clear assignment of roles and responsibilities and
appropriate separation of duties.
Physical controls for restricting access to tangible
assets.
Approvals and appropriate dual authorizations for key
decisions, transactions, and execution of processes.
Verifications of transaction details and periodic
reconciliations, such as those comparing cash flows to account records
and statements.
Access controls, change management controls, data entry
and related controls.
Escalation procedures with a system of checks and balances
in situations that allow for managerial or employee discretion.
Internal controls instill confidence in financial reporting and are
important to ensure the integrity of the process and information relied
upon by the firm to manage itself. Developing and maintaining an
effective system of internal control is the responsibility of several
parties, including business line management.\53\ Accordingly, a firm
should assign management responsibilities for the establishment and
maintenance of internal controls. To foster an appropriate control
culture within the firm, adequate control activities should be
integrated into the daily functions of all relevant personnel. All
personnel should fully understand and adhere to policies and procedures
affecting their duties and responsibilities.
---------------------------------------------------------------------------
\53\ As described below, the internal audit function should
examine, evaluate, and perform an independent assessment of the
firm's internal control system.
Principle: A firm should regularly evaluate and test the effectiveness
of internal controls, and monitor functioning of controls so that
---------------------------------------------------------------------------
deficiencies are identified and communicated in a timely manner.
A firm should have mechanisms to test its system of internal
control and to identify and escalate issues that appear to compromise
its effectiveness. A firm should regularly evaluate and test the
quality, reliability and effectiveness of internal controls, and
monitor any potential deterioration. Generally, testing activities are
conducted at specific points in time, whereas monitoring activities are
continuous processes. The scope, frequency, and depth of testing should
consider the complexity of the firm, the results of the firm's risk
assessments, and the number and significance of the deficiencies
identified during prior testing. A firm should test and monitor
internal controls using a risk-based approach, prioritizing efforts on
controls in areas of highest risk and less effective controls.
A firm should evaluate and communicate internal control
deficiencies in a timely manner to those parties responsible for taking
corrective action, including senior management. Firms should establish
management information systems that track internal control weaknesses
and escalate serious matters to the board, senior management, and
responsible business line management, as appropriate.
D. Internal Audit
Principle: The internal audit function should examine, evaluate, and
perform independent assessments of the firm's risk management and
internal control systems and report findings to senior management and
the firm's audit committee.
An effective internal audit function provides independent assurance
to the board and senior management concerning the effectiveness of risk
management and internal control systems. The Federal Reserve issued
guidance outlining the key components of an effective internal audit
function in SR letter 03-5, and followed that with supplemental
guidance in SR letter 13-1/CA letter 13-1, ``Supplemental Policy
Statement on the Internal Audit Function and Its Outsourcing.'' The
supplemental guidance builds upon the 2003 interagency guidance of SR
letter 03-5 and further addresses the characteristics, governance, and
operational effectiveness of a firm's internal audit function. That
existing audit guidance remains in place and is not superseded by this
guidance.
By order of the Board of Governors of the Federal Reserve
System, January 5, 2018.
Ann E. Misback,
Secretary of the Board.
[FR Doc. 2018-00294 Filed 1-10-18; 8:45 am]
BILLING CODE P