[Federal Register Volume 85, Number 105 (Monday, June 1, 2020)]
[Notices]
[Pages 33278-33287]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-10292]
[[Page 33278]]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
[Docket ID OCC-2019-0018]
FEDERAL RESERVE SYSTEM
[Docket ID OP-1679]
FEDERAL DEPOSIT INSURANCE CORPORATION
RIN 3064-ZA09
NATIONAL CREDIT UNION ADMINISTRATION
RIN 3133-AF05
Interagency Guidance on Credit Risk Review Systems
AGENCY: Office of the Comptroller of the Currency (OCC), Treasury;
Board of Governors of the Federal Reserve System (Board); Federal
Deposit Insurance Corporation (FDIC); and National Credit Union
Administration (NCUA).
ACTION: Final guidance.
-----------------------------------------------------------------------
SUMMARY: The OCC, the Board, the FDIC, and the NCUA (collectively, the
agencies) are issuing final guidance for credit risk review (final
guidance). This guidance is relevant to all institutions supervised by
the agencies and replaces Attachment 1 of the 2006 Interagency Policy
Statement on the Allowance for Loan and Lease Losses. The final
guidance discusses sound management of credit risk, a system of
independent, ongoing credit review, and appropriate communication
regarding the performance of the institution's loan portfolio to its
management and board of directors.
DATES: The final guidance is available on June 1, 2020.
FOR FURTHER INFORMATION CONTACT:
OCC: Beth Nalyvayko, Bank Examiner, or Lou Ann Francis, Director,
Commercial Credit Risk, (202) 649-6670; or Kevin Korzeniewski, Counsel,
Chief Counsel's Office, (202) 649-5490. For persons who are hearing
impaired, TTY, (202) 649-5597.
Board: Constance Horsley, Deputy Associate Director, (202) 452-
5239; Kathryn Ballintine, Manager, (202) 452-2555; or Carmen Holly,
Lead Financial Institution Policy Analyst (202) 973-6122; or Alyssa
O'Connor, Attorney, Legal Division, (202) 452-3886, Board of Governors
of the Federal Reserve System, 20th and C Streets NW, Washington, DC
20551.
FDIC: Thomas F. Lyons, Chief, Policy & Program Development,
[email protected] (202) 898-6850); George J. Small, Senior Examination
Specialist, Risk Management Policy, [email protected] (917) 320-2750,
Risk Management Supervision; Ann M. Adams, Senior Examination
Specialist, Risk Management Policy, [email protected] (347) 751-2469,
Risk Management Supervision; or Andrew B. Williams II, Counsel,
[email protected]; (202) 898-3591), Supervision and Legislation
Branch, Legal Division, Federal Deposit Insurance Corporation; 550 17th
Street NW, Washington, DC 20429.
NCUA: Vincent H. Vieten, Senior Credit Specialist (703) 518-6618;
Uduak Essien, Director (703) 518-6399, Division of Credit Markets; or
Ian Marenna, Associate General Counsel (703) 518-6554, Office of
General Counsel.
SUPPLEMENTARY INFORMATION:
I. Background
In 2006, the OCC, the Board, the FDIC, and the NCUA (collectively
referred to as the agencies) issued the Interagency Policy Statement on
the Allowance for Loan and Lease Losses.\1\ Attachment 1 of that
statement, entitled ``Loan Review Systems,'' served as the agencies'
guidance on credit risk review (Attachment 1). Attachment 1
supplemented and aligned with other relevant agency issuances on credit
review, including the Interagency Guidelines Establishing Standards for
Safety and Soundness.\2\
---------------------------------------------------------------------------
\1\ See OCC Bulletin 2006-47; FDIC Financial Institution Letter
FIL-105-2006; Federal Reserve Supervision and Regulation (SR) letter
06-17; NCUA Accounting Bulletin No. 06-01.
\2\ 12 CFR part 30, appendix A (OCC); 12 CFR part 208, appendix
D-1 (Board); 12 CFR part 364 appendix A (FDIC). Also see 12 CFR part
723 (NCUA).
---------------------------------------------------------------------------
In October 2019, the agencies invited public comment on proposed
guidance on credit risk review (proposed guidance or proposal).\3\ The
proposed guidance would update and clarify Attachment 1. It also would
adjust terminology to be consistent with the current expected credit
losses (CECL) methodology, a recent accounting standards change.\4\ The
agencies are adopting the proposed guidance in final form (final
guidance), with certain revisions as discussed below. The final
guidance replaces Attachment 1 as the agencies' guidance on credit risk
review systems for all supervised institutions and is being issued as a
standalone document. Attachment 1 is rescinded as of June 1, 2020.
---------------------------------------------------------------------------
\3\ Interagency Guidance on Credit Risk Review Systems, 84 FR
55679 (Oct. 17, 2019).
\4\ See Financial Accounting Standards Board's, Accounting
Standards Codification Topic 326, which revises the accounting for
the allowances for credit losses (ACLs) and introduces the CECL
methodology. [The agencies' final guidance on CECL is contained in a
separate document published elsewhere in this issue of the Federal
Register.]
---------------------------------------------------------------------------
II. Overview of Comments
The agencies collectively received 19 comments on the proposed
guidance. Commenters included trade associations, banks, credit unions,
and members of the public.
Most commenters expressed general support for the guidance.
Commenters noted that the proposed guidance reflected sound practices
and principles, incorporated the core elements of credit risk review,
and did not represent a fundamental shift from Attachment 1. Some
commenters raised concerns including that the guidance was too
prescriptive.
The comments addressed a wide range of topics, and in some
instances, commenters requested clarifications to certain aspects of
the proposed guidance. For example, commenters discussed the role of
credit risk review including its relation to other functions, such as
internal audit; the appropriate scope, depth and frequency of credit
risk review activities; internal responsibility for an institution's
risk rating framework; the process for adjudicating risk rating
disputes; the communication of credit risk review results and
qualifications of credit risk review personnel; credit risk review in
the context of retail portfolios; and the use of technology and data in
credit risk review.
A number of commenters expressed concern with what they viewed as
the one-size-fits-all approach of the proposed guidance and the
potential burden to smaller institutions. Commenters requested that the
agencies specifically tailor the guidance to emphasize flexibility
based on an institution's risk profile or even exempt small
institutions from the guidance.
Some commenters discussed independence of the credit risk review
function and acknowledged that credit risk review provides a critical
and independent assurance role but noted that role has expanded in
scope and may overlap with duties performed by other functions
resulting in a duplication of efforts.
Commenters also expressed concern generally with the implementation
of the CECL methodology; the relationship of the proposed guidance to
Allowances for Credit Losses (ACL); and whether CECL would make credit
risk review more burdensome, particularly for smaller institutions.
[[Page 33279]]
III. Discussion of Comments on the Proposed Guidance
The agencies are finalizing the guidance with targeted changes and
clarifications to address the concerns raised by commenters. The
comments, and any revisions to the final guidance, are discussed below
and grouped based on the three questions posed in the proposal and
other related topics raised by commenters. The agencies' three
questions asked whether the proposed guidance reflected sound
practices, whether the proposed guidance was appropriate for
institutions of differing sizes, and whether the agencies should
include additional factors in the proposed guidance to help credit risk
review achieve a sufficient degree of independence.\5\
---------------------------------------------------------------------------
\5\ Question 1: To what extent does the proposed credit review
guidance reflect current sound practices for an institution's credit
risk review activities? What elements should be added or removed,
and why? Question 2: To what extent is the proposed credit review
guidance appropriate for institutions of all asset sizes? What
elements should be added or removed for institutions of differing in
sizes, and why? Question 3: What, if any, additional factors should
the agencies consider incorporating into the guidance to help
achieve a sufficient degree of independence and why? To what extent
does the approach described for small or rural institutions with
fewer resources or employees provide for an appropriate degree of
independence in the credit review function? What if any
modifications should the agencies consider and why?
---------------------------------------------------------------------------
The agencies emphasize that credit risk review is a significant
risk management function separate from the determination of the
appropriate reserve for credit losses. While the results of the credit
risk review can help ensure that the ACLs or Allowance for Loan and
Lease Losses (ALLL) adequately reflects risk in the institution's loan
portfolio, the agencies are addressing the implementation of CECL
separately from the final guidance.
A. General Application of Guidance
Some commenters indicated the guidance was too prescriptive; in one
case, a commenter considered the guidance excessively detailed and not
aligned with current practices for credit unions in particular. Others
indicated that the proposed guidance reflected foundational principles
and outlined elements of a sound credit risk program without mandating
how credit risk review should operate. Commenters also raised concerns
that the proposed guidance would be enforced as a regulation.
An effective credit risk review function is integral to the safe
and sound operation of every insured depository institution. To assist
institutions in the creation and operation of such functions, the
agencies have developed the final guidance to describe a broad set of
practices and principles for developing and maintaining a credit risk
review function consistent with safe and sound credit risk management
practices and the Interagency Guidelines Establishing Standards for
Safety and Soundness.\6\ However, the final guidance does not establish
any requirements or rules, nor does it mandate implementation of a
specific system or prescribe specific actions with which institutions
must comply.
---------------------------------------------------------------------------
\6\ Supra note 2.
---------------------------------------------------------------------------
One commenter expressed general concern about guidance being
applicable to all institutions, including credit unions, because the
commenter considered credit union operational practices as distinct
from those of other institutions. Another commenter called for the
guidance to address how it intersects with the NCUA Examiner's Guide.
The NCUA notes that credit risk is related to the characteristics of
the loan, and not the type of institution providing the financing. This
guidance is an appropriate reference to assist in establishing a credit
risk review function for both credit union and other institutions' loan
portfolios. Furthermore, the final guidance aligns with the NCUA
Examiner's Guide for commercial loans \7\ and 12 CFR part 723 of the
NCUA's regulations, and the NCUA supports the recommendations in this
final guidance as it pertains to retail and consumer loan portfolios.
The NCUA Examiner's Guide will be updated to reflect this new guidance.
---------------------------------------------------------------------------
\7\ See the Commercial and Member Business Loans section of the
NCUA Examiner's Guide (Commercial and Member Business Loans >
Commercial Loan Administration>Independent Loan Review).
---------------------------------------------------------------------------
B. Elements of the Guidance
Commenters addressed the role of credit risk review; scope, depth,
and frequency of reviews; responsibility for and determination of risk
ratings; timely communication of results; qualifications of credit risk
review personnel; tailoring of the guidance to retail portfolios; and
use of technology in the credit risk review process.
1. Role of Credit Risk Review
Some commenters called for the guidance to better delineate between
the responsibilities of credit risk review and other functions. As
provided in footnote 5 \8\ of the final guidance, the role of credit
risk review is distinct from the roles of other groups within an
institution that are also responsible for monitoring, managing, and
reporting credit risk. The agencies reiterate that institutions have
flexibility to determine the specific roles, responsibilities, and
duties of these different groups. The core responsibilities of a credit
risk review system are discussed in the final guidance under the
objectives of an effective credit risk review system, and include the
prompt identification of loans with credit weaknesses and the
validation and adjustment of risk ratings.
---------------------------------------------------------------------------
\8\ Footnote 5 states that credit risk review may be referred to
as loan review, credit review, asset quality review, or another name
as chosen by an institution. The role of, expectations for, and
scope of credit risk review as discussed in this document are
distinct from the roles, expectations, and scope of work performed
by other groups within an institution that are also responsible for
monitoring, managing and reporting credit risk. Examples may be
those involved with lending functions, independent risk management,
loan work outs, and accounting. Each institution indicates in its
own policies and procedures the specific roles and responsibilities
of these different groups, including separation of duties. A credit
risk review unit, or individuals serving in that role, can rely on
information provided by other units in developing its own
independent assessment of credit risk in loan portfolios, but the
credit risk review unit critically evaluates such information to
maintain its own view, as opposed to relying exclusively on such
information.
---------------------------------------------------------------------------
One commenter disagreed that a primary objective of credit risk
review was to promptly identify all loans with actual and potential
credit weaknesses. The commenter believed that this responsibility
primarily lies with the credit administration function while credit
risk review would identify such loans using a sample-based approach.
The guidance does not singularly assign the process of risk
identification to credit risk review; effective ongoing credit
administration practices allow other credit risk functions to have a
role in the prompt detection of changes in loan quality and appropriate
adjustments to the risk rating. As part of its independent risk rating
validation process, credit risk review may identify loans with
significant weaknesses and identifiable losses and adjust the risk
rating accordingly. The emphasis for credit risk review or any party
identifying credit risk is on timely and accurate identification of
credit weaknesses so that action can be taken to strengthen credit
quality and minimize loss.
Several commenters asked for clarification of credit risk review's
role in relation to internal audit. As discussed in footnote 4 \9\ of
the final
[[Page 33280]]
guidance, the credit risk review function is not intended to be
performed by an institution's internal audit function. The March 2003
Interagency Statement on the Internal Audit Function and Its
Outsourcing (2003 policy statement) \10\ discusses the coordination of
the internal audit function with risk monitoring functions, such as the
credit risk review function. The 2003 policy statement provides that
coordination of credit risk review with the internal audit function can
facilitate the reporting of material risk and control issues to the
audit committee, increase the overall effectiveness of these monitoring
functions, better utilize available resources, and enhance the
institution's ability to comprehensively manage risk.
---------------------------------------------------------------------------
\9\ Footnote 4 states that the credit risk review function is
not intended to be performed by an institution's internal audit
function. However, as discussed in the agencies' March 2003
Interagency Policy Statement on the Internal Audit Function and its
Outsourcing (2003 policy statement), some institutions coordinate
the internal audit function with several risk monitoring functions,
such as the credit risk review function. The 2003 policy statement
states that coordination of credit risk review with the internal
audit function can facilitate the reporting of material risk and
control issues to the audit committee, increase the overall
effectiveness of these monitoring functions, better utilize
available resources, and enhance the institution's ability to
comprehensively manage risk. However, an effective internal audit
function maintains the ability to independently audit the credit
risk review function. (The NCUA was not an issuing agency of the
2003 policy statement.)
\10\ The 2003 policy statement was issued by the Board, OCC, and
FDIC on March 17, 2003. See SR Letter 03-5, OCC Bulletin 2003-12,
FDIC Financial Institution Letter FIL-21-2003. NCUA was not a party
to the issuance.
---------------------------------------------------------------------------
Commenters noted that credit risk review and other banking units
should coordinate their activities and requested clarification of
whether it would be appropriate for credit risk review or for other
internal functions within a credit risk review system to perform
activities that are compliance or operational in nature, such as
confirming proper lien perfection and collateral documentation.
Commenters also stated that credit risk review provides support to
financial and regulatory reporting functions but does not directly
deliver outputs to these functions, and requested that the proposed
guidance be clarified in this regard.
While duties such as assuring lien perfection and collateral
confirmation might not be directly undertaken by the credit risk review
function, evaluation and confirmation of such actions is within the
scope of the credit risk review function and a key aspect of an
assessment of the overall quality of the credit. The credit risk review
function may use information generated by other functions when
developing an independent assessment of credit risk, but footnote 5 of
the final guidance provides that such information is typically subject
to critical challenge and evaluation and a credit risk review function
typically does not rely exclusively on such information.
Some commenters indicated that credit risk review should not have a
role in evaluating workout plans, and requested that related language
be eliminated from the guidance. An effective workout plan is typically
designed to rehabilitate a troubled credit or to maximize the amount of
repayment ultimately collected and is therefore a loss mitigation
strategy. For this reason, Attachment 1 included similar language to
the proposed guidance on workout plans, as effective workout plans are
critical to managing risk in a loan portfolio. Since assessment of such
strategies is within the scope of the credit risk review's role, the
final guidance retains the reference to evaluating workout plans.
One commenter stated that one part of the proposed guidance allows
institutions to have a system concept for structuring credit risk
review whereas the latter part of the proposed guidance defined
specific roles for a credit review function. The commenter requested
clarification on the words ``system'' and ``function'' as used in the
guidance. The agencies have seen institutions use both terms when
referring to credit risk review, with the term used generally depending
on the size of the institution and composition of its risk review
framework. While the agencies incorporated both terms to provide
flexibility to institutions, the terms can be used interchangeably
depending on the institution's existing framework.
2. Scope
Commenters suggested that the agencies consider the nature of a
loan portfolio and the history and experience of an institution's
management team when determining the scope of credit risk review.
Commenters requested that the proposed guidance indicate that credit
review practices can be tailored when loans are seasoned and have a
history of performance and enhanced collateral positions. Some
commenters recommended that credit risk review focus on higher risk or
newer loans. The agencies reaffirm that, as stated in the proposal,
institutions may tailor their credit risk review practices based on a
number of factors, including the nature of the institution's loan
portfolio and overall risk profile.
Commenters requested clarification about whether the proposed
guidance covered non-lending activities. One commenter indicated that
these activities should not be within the scope of credit risk review,
while other commenters disagreed. Some commenters suggested that all
references to ``loans'' in the proposed guidance be changed to a
broader term that incorporates assets other than loans, such as
securities.
In response, the agencies recognize that credit risk may arise from
activities that are not specific to lending and encourage institutions
to consider whether such activities should be included in the scope of
the credit risk review function. For example, institutions that hold
investment securities or engage in capital markets, treasury, or
automated clearinghouse activities may elect to include the credit risk
related to these activities in the scope of a review. While the
examples of non-lending credit activities cited here are not
exhaustive, and may not apply to all institutions, they illustrate
other areas that management and the board of directors may consider in
the development of a review plan that reflects the risk profile of the
institution.
Further, some commenters expressed the view that smaller banks and
credit unions may have difficulty in identifying concentrations of
credit risk and other loans affected by common repayment factors.
Commenters stated that the phrase ``common repayment factors'' could
lead to a much larger scope of review. The OCC, Board, and FDIC note
that, under the Interagency Guidelines Establishing Standards for
Safety and Soundness,\11\ insured depository institutions should
establish and maintain a system that is commensurate with the
institution's size and the nature and scope of its operations to
identify problem assets and prevent deterioration in those assets,
which includes considering the size and potential risks of material
asset concentrations. The reference to ``common repayment factors'' is
meant to provide flexibility to institutions to consider a variety of
factors that are applicable to the institution's circumstances and
which may lead to a concentration of credit risk.
---------------------------------------------------------------------------
\11\ Supra note 2.
---------------------------------------------------------------------------
Commenters suggested that credit risk review focus on loans that
contain major, significant, or critical exceptions to policy, rather
than ``approved'' exceptions or loans with minor or administrative
policy exceptions. Commenters also suggested that there may be
``major'' exceptions to policy with strong mitigating factors that
suggest these exceptions may not warrant a focus in the review process.
The final guidance is not prescriptive and allows for institutions to
set their own parameters for determining the materiality of policy
exceptions that
[[Page 33281]]
should fall into the scope of a credit review.
Further, commenters suggested that credit risk review focus on
loans with high-risk indicators and asked the agencies to clarify that
institutions can define ``segments of the loan portfolio experiencing
rapid growth.'' Commenters suggested that it is appropriate for banks
and credit unions to define their own ``rapid growth'' targets for
credit review and to have independent loan review verify those targets.
This final guidance emphasizes that an effective scope is risk-based
and includes loans or portfolios that have high-risk indicators,
exceptions to policy, are experiencing rapid growth, or have other risk
attributes. The final guidance provides examples of high-risk
indicators and other characteristics of loans that may warrant
additional review, but does not prescribe specific targets or
thresholds. Institutions can select their own high-risk indicators,
keeping in mind how the indicators fit the characteristics of the
overall portfolio and how the indicators help to reinforce safe and
sound practices.
3. Depth
Commenters noted that the language in the proposed guidance stating
that loans selected for credit risk review are evaluated for
``sufficiency of credit and collateral documentation'' was too broad.
The final guidance does not recommend that credit risk review perform
or oversee the loan documentation process. However, because inadequate
loan documentation and lien perfection may adversely impact the risk
rating and could result in losses for a financial institution,
effective credit risk review often includes the evaluation of loan
documentation as part of the overall assessment of the credit risk of a
particular transaction. In doing so, effective credit risk review
assesses and evaluates information from departments responsible for
loan documentation and highlights identified concerns in the reports to
management, including recommendations for their resolution.
One commenter recommended removing language in the proposed
guidance stating that loans selected for credit risk review are
evaluated for ``quality of the information used in the credit loss
estimation process, including the reasonableness of assumptions used
and the timeliness of charge-offs.'' The commenter suggested that
credit review should not validate the translation of loss numbers;
rather, internal audit and external auditors should review accuracy,
timeliness, and consistency of charge-offs.
The bullet in the proposed guidance mentioning quality of the
information used in the credit loss estimation process was not intended
to expand the review of such information beyond that of the original
Attachment 1. The focus of Attachment 1 was on assessing the adequacy
of the identification and related impairment calculation of
individually impaired loans under the ALLL methodology, a process which
will no longer be applicable to loans evaluated under CECL. In order to
direct the focus and applicability of the review under both allowance
methodologies, the agencies have revised the language in the final
guidance to read as follows: ``The appropriateness of credit loss
estimation for those credits with significant weaknesses including the
reasonableness of assumptions used, and the timeliness of charge-
offs.'' Additionally, the agencies acknowledge that the calculation of
estimated ACL or ALLL is not the role of credit risk review. However,
effective credit risk review results help ensure that the ACL or ALLL
adequately reflects risk in the credit portfolio. In performing its
assessment of reasonableness, credit risk review can leverage work
performed in this area by other functions, such as internal audit.
Several commenters suggested that evaluating the validity of
underwriting assumptions was too broad of an activity for credit risk
review, and could imply that credit risk review is responsible for back
testing assumptions. Commenters suggested that the agencies should
instead refer to evaluating the ``reasonableness'' of assumptions, such
as borrower cash flow forecasts. In response, the final guidance has
been revised to provide that such loans, and segments of portfolios,
selected for review are generally reviewed for the reasonableness of
assumptions. Back testing the validity of assumptions is often a part
of the underwriting and monitoring processes. Credit risk review can
use this information, if available, when making their assessments.
Commenters indicated that institutions should receive credit during
a review if back testing of initial loan risk ratings shows a high
level of accuracy. Similarly, commenters suggested that the agencies'
guidance should focus less on risk evaluation, but instead focus on the
front-end loan evaluation by bank staff. The focus of the credit risk
review system is on the assessment of credit quality in the credit
portfolios, which is an important input into the determination of the
ACL and ALLL. An effective credit risk review system considers any
information available that can impact or provide insight into the
quality of the portfolio. To the extent that back testing results are
available, they can be considered by credit risk review staff in their
assessment of credit quality.
4. Frequency
Several commenters raised questions about the frequency of credit
risk reviews and requested clarification as to when it is appropriate
for reviews to be conducted less frequently than annually. Commenters
suggested there are instances in which less frequent reviews are
appropriate, such as for well-managed institutions with lower risk
portfolios. Commenters also requested that the proposed guidance
respect the authority of a board of directors to approve when audits
and loan reviews are completed, and how frequently reports are
reviewed. With respect to the credit risk review policy, one commenter
suggested that frequency of review should be determined by a firm's
board of directors.
Consistent with the principles in the final guidance, each
institution has the flexibility to set the scope of coverage and
frequency of reviews based on the institution's specific circumstances
while continuing to operate in a safe and sound manner. Accordingly,
the agencies have clarified in the final guidance that effective credit
risk reviews are typically performed annually. However, in certain
circumstances more frequent reviews may be necessary. Reviews that are
less frequent are typically well supported and reflective of low risk
portfolios, are conducted consistent with safe and sound practices, and
are approved by the institution's board of directors or board committee
thereof. The agencies have clarified in the final guidance that an
effective credit risk review system starts with a written credit risk
review policy that is typically reviewed and approved at least
annually.
5. Risk rating responsibility and adjudication
Several commenters observed that the proposed guidance provided an
opportunity to establish which area or department at the institution
will have responsibility over risk rating dispositions within the
credit review function. Commenters asked if credit risk review should
always be the final arbiter of a risk rating, even if credit risk
review's rating is less conservative than that determined by the
business line. Commenters requested that the proposed guidance clarify
that an institution's board of directors retains
[[Page 33282]]
the responsibility for maintaining a bank's credit risk rating and
establishing relevant policies. Some commenters questioned whether the
proposed guidance would require institutions to employ an arbitration
process.
The agencies believe that the language as proposed describes a
clear disposition process for adjudicating risk ratings that is
flexible for institutions of all sizes. In particular, the final
guidance addresses risk rating differences between the credit risk
review and areas responsible for loan approval. Typically, the lower
credit quality classification or risk rating assigned by credit risk
review prevails unless there is additional information that would
support a higher credit quality classification or risk rating. The
final guidance also discusses a risk rating framework that is
consistent with safe and sound practices and the agencies' guidelines
for supervisory classifications.\12\
---------------------------------------------------------------------------
\12\ Two commenters requested clarification from the NCUA
regarding whether credit unions are required to adopt the loan
classification system described in footnote 7 of the guidance. The
NCUA does not require credit unions to adopt the regulatory
classifications of substandard, doubtful or loss. However, NCUA does
support the use of these classifications, as defined by the other
banking agencies, as an effective method for rating adversely
classified loan risk. See the Commercial and Member Business Loans
section of the NCUA Examiner's Guide (Commercial and Member Business
Loans > Credit Risk Rating Systems> Credit Risk Rating Categories).
---------------------------------------------------------------------------
6. Communication of Results
In general, commenters expressed support for credit risk review
reporting directly to the board of directors. Other commenters
indicated that the language in the proposed guidance was too
prescriptive, particularly regarding communication to the board at
least quarterly. Commenters recommended that the proposed guidance
permit boards of directors to tailor their policies based on the size,
scope, and complexity of the loan portfolio, as well as to the
complexity of a loan itself.
The agencies believe that it is consistent with safe and sound
lending practices to have the credit risk review function report
findings regularly and directly to the institution's board of directors
or a committee thereof. Institutions have discretion to determine the
frequency and extent of such reporting, taking into account the nature
of their loan portfolios and the importance of informing the board of
directors on credit risk. To clarify this flexibility, the proposed
guidance was revised to state that effective communication typically
involves providing results of the credit risk reviews to the board of
directors or appropriate board committee quarterly. This change
emphasizes that quarterly reporting of results is a typical practice,
but institutions have room to adjust the frequency given their risk
profile and consistent with safety and soundness.
One commenter noted that the guidance should specifically recommend
tracking forward-looking indicators to help identify risk trends to
support informed decisions and proactive risk mitigation. The agencies
acknowledge that forward-looking indicators such as portfolio
concentration trends, shifting underwriting standards, and risk rating
migrations are consistent with proactive risk management activities.
The agencies recognize that institutions may develop internal
parameters for establishing, tracking, and reporting forward-looking
indicators of credit exposure that are specific to the institution's
business model and lending activities. The agencies believe that
language in the proposed guidance is sufficient to address this issue.
Commenters also requested that the agencies clarify that only
``material'' deficiencies and weaknesses that remain unresolved beyond
the scheduled time frames for correction should be promptly reported to
senior management and the board of directors or appropriate board
committee. The agencies believe that an effective credit review system
should report all noted deficiencies and weaknesses to the board of
directors. Credit review may prioritize findings of weaknesses or
deficiencies; however, allowing management to determine the materiality
of findings can compromise the independence of the credit review
process.
7. Qualifications of Personnel
One commenter suggested that footnote 4 of the proposed guidance be
revised to emphasize the importance of the qualifications,
independence, and expertise of personnel conducting the internal audit
of a credit risk review system or function. The OCC, Board, and FDIC
believe that the qualifications of audit personnel are sufficiently
addressed in the 2003 policy statement, which is referenced in the
final guidance.
One commenter noted that with respect to credit risk review staff,
knowledge of an institution's membership and experience with
underwriting are key factors in determining the qualifications of
credit risk review personnel. This final guidance broadly addresses the
experience of personnel, which would include knowledge of the
institution's portfolio and experience with underwriting. Specific
personnel qualifications are the purview of management and the board
and are typically reflective of the institution's business model.
8. Retail and Consumer Portfolios
The agencies received a number of comments regarding the
differences in characteristics between retail (consumer) and commercial
loan portfolios, as well as the processes, techniques, tools, data and
technology used to conduct credit risk review of retail loan
portfolios. One commenter stated that the proposed guidance
inadequately differentiated between product types and exposures of
commercial and retail loans. The commenter stated that the use of
manual review of individual loans to assign and validate risk ratings
would be impractical for a large portfolio of smaller retail loans.
The agencies recognize that differences between retail and most
commercial loans and portfolios may justify differences in approaches,
techniques, and tools for conducting credit risk review. The proposed
guidance was designed so that institutions may apply its principles to
the review of all loans and portfolios, including retail loan
portfolios. In response to comments received, the agencies have made
revisions to the final guidance in order to provide flexibility to
institutions in determining the scope and depth of the loan review for
all loan portfolios. The revisions for the final guidance discussed
below reflect existing industry practices. They are applicable to all
types of loan portfolios, but especially for retail portfolios.
Specifically, the final guidance includes language in a new bullet
under the ``Scope of Reviews'' section, which acknowledges that
institutions may determine the scope of the credit risk review by
segmenting or grouping loans based on similar risk characteristics,
such as those related to borrower risk, transaction risk, and other
risk factors. The new bullet is intended to provide clarity and reflect
existing industry practices for retail portfolios. Similar references
to portfolio segments have been made in the ``Depth of Transaction or
Portfolio Reviews'' and ``Communication and Distribution of Results''
sections.
Additionally, the final guidance includes language in a new sub-
bullet under ``Depth of Transaction Reviews.'' The sub-bullet indicates
that, with regard to evaluating credit quality,
[[Page 33283]]
soundness of underwriting and risk identification, borrower
performance, and adequacy of the sources of repayment, ``[w]hen
applicable, this evaluation includes the appropriateness of automated
underwriting and credit scoring, including prudent use of overrides, as
well as the effectiveness of account management strategies,
collections, and portfolio management activities in managing credit
risk.''
The agencies have added the new sub-bullet in response to commenter
requests for more guidance on the applicability of the guidance to
retail loan portfolios. The new sub-bullet takes into account the fact
that some institutions, especially those with large retail portfolios,
may use models or other automated decision tools in their credit
decision or risk rating processes, and thus clarifies that effective
credit risk review can consider the appropriateness of the business
line's application of these tools in these processes. Further, an
effective credit risk review can consider the effectiveness of account
management strategies, such as credit line management, re-aging, and
extension/renewal in managing credit risk. An effective credit risk
review can also consider whether portfolio management activities, such
as risk identification and performance monitoring, and collection
policies and practices are commensurate with the institution's risk
profile and complexity of the products and loan structures offered.
9. Technology
Commenters posed a number of questions and comments related to the
use and governance of technology in credit risk review. Commenters
discussed the use of analytical and management information system
tools, particularly for consumer loans, and suggested that the guidance
recommend automation of risk data aggregation. The agencies believe
institutions have significant flexibility to use various types of
technology to assist in the credit risk review process; as such, the
agencies decline to recommend the use of any specific types of
technology.
One commenter expressed concern about the potential risks
associated with the use of models in various credit processes and
suggested that the proposed guidance emphasize the appropriateness and
effectiveness of reviewing credit model design, performance, and
governance. A commenter indicated that the guidance should include
robust governance of artificial intelligence algorithms. The agencies
recognize the importance of model risk management, which is discussed
in other existing guidance.\13\
---------------------------------------------------------------------------
\13\ See the interagency statement titled, Supervisory Guidance
on Model Risk Management, published by the Board in SR Letter 11-7
and OCC Bulletin 2011-12 on April 4, 2011. The FDIC adopted the
interagency statement on June 7, 2017. Institutions supervised by
the FDIC should refer to FIL 22-2017, Adoption of Supervisory
Guidance on Model Risk Management, including the statement of
applicability in the FIL.
---------------------------------------------------------------------------
C. Scalability of the Guidance
The agencies received numerous comments about whether the proposed
guidance is appropriate for institutions of all sizes. Several
commenters expressed concern with what they viewed as a one-size-fits-
all nature, and called for the proposed guidance to be tailored based
on the size and activities of the institution, as well as the
complexity of the loan portfolio. Commenters also requested
accommodations for smaller institutions, including credit unions. One
commenter stated the proposed guidance could impose higher costs on
smaller institutions because such costs cannot be spread across a large
asset base and requested the guidance provide more flexibility for
review activities. One commenter suggested that the proposed guidance
would benefit from additional discussion and analysis of how modest-
sized institutions with limited personnel would implement the guidance.
This commenter expressed concern that the proposed guidance would be
burdensome for such institutions and potentially require outsourcing of
credit risk review. Another commenter requested that the proposed
guidance specifically exempt small, non-complex rural institutions,
thereby allowing them to utilize their existing review functions.
Another commenter requested that the agencies clarify the proposed
guidance's applicability to large banks, including defining a large
institution based on asset size and examples of complex institutions
and explaining how supervisors make these determinations.
The agencies believe that the final guidance provides both small
and large institutions flexibility to tailor the credit review function
to the activities of the institution. For example, the final guidance
states that the nature of credit risk review varies based on an
institution's size, complexity, loan types, risk profile, and risk
management framework. In addition, as described under ``Independence of
Credit Risk Review Personnel,'' smaller or less complex institutions
have flexibility to use an independent committee of outside directors
or qualified members of the staff to perform the credit risk review
function. Footnote 6 \14\ of the final guidance emphasizes that small
or rural institutions that have few resources or employees may adopt
modified credit risk review procedures and methods to achieve a proper
degree of independence. As the final guidance notes, doing so is
appropriate when more robust procedures and methods are impractical.
The final guidance also notes that credit risk review systems in larger
institutions may include a dedicated credit risk review function.
Institutions of all sizes have the flexibility to tailor the various
principles and practices in the final guidance to systems appropriate
for their circumstances.
---------------------------------------------------------------------------
\14\ Footnote 6 states that small or rural institutions that
have few resources or employees may adopt modified credit risk
review procedures and methods to achieve a proper degree of
independence. For example, in the review process, such an
institution may use qualified members of the staff, including loan
officers, other officers, or directors, who are not involved with
originating or approving the specific credits being assessed and
whose compensation is not influenced by the assigned risk ratings.
It is appropriate to employ such modified procedures when more
robust procedures and methods are impractical. Institution
management and the board, or a board committee, should have
reasonable confidence that the personnel chosen will be able to
conduct reviews with the needed independence despite their position
within the loan function.
---------------------------------------------------------------------------
D. Independence Considerations
Some commenters suggested that creating the independence structure
described in the proposed guidance would be a problem for small banks
and credit unions. Commenters stated that doing so could lead to
duplicative functions and compliance burden for small banks and credit
unions, which have limited staffing. Commenters also stressed that
small credit unions may find it costly to hire third parties to ensure
the independence of the credit review function. One commenter called
for an exemption for small institutions and requested that the agencies
adopt alternative independence standards, such as those articulated in
the agencies' appraisal guidance, which would allow third-party staff
members or an independent lender to confirm the risk rating of another
lender. This commenter also suggested a rotation of duties as a way to
achieve independence in the credit risk review function. Another
commenter noted that the boards of directors of small, closely held
institutions may be involved in the credit process from the beginning,
and the board's input and participation in loan origination can be more
important
[[Page 33284]]
than the subsequent credit review that happens post origination.
As stated above, the agencies recognize that small institutions
with few resources may need to adopt modified credit risk review
procedures in order to achieve a proper degree of independence, as
previously referenced in footnote 6 of the proposed guidance. That
footnote states that small or rural institutions with few resources may
use qualified members of the staff, including loan officers, other
officers, or directors, who are not involved with originating or
approving the specific credits being assessed and whose compensation is
not influenced by the assigned risk ratings in the credit risk review
process. The footnote also states that institution management and the
board, or board committee, should have reasonable confidence that the
personnel chosen will be able to conduct reviews with the needed
independence despite their position within the loan function.
Commenters asked for clarification on the reporting structure of
credit risk review. The OCC, Board, and FDIC note that the Interagency
Guidelines Establishing Standards for Safety and Soundness \15\ state
that an institution should have internal controls and information
systems that are appropriate to the size of the institution, as well as
nature, scope and risk of its activities, including clear lines of
authority and responsibility for monitoring adherence to established
policies. This statement applies to policies for a system of
independent, ongoing credit review and appropriate communication to
management and to the board of directors. Whether or not the
institution has a dedicated credit risk review department, it is
prudent for the credit risk review function to report directly to the
institution's board of directors or a committee thereof. This reporting
structure allows the credit risk review function to provide the board
of directors with an independent assessment of the overall quality of
loan portfolios and other areas of credit exposure as mandated. Senior
management may be responsible for appropriate administrative functions,
provided such an arrangement does not compromise the independence of
the credit risk review function.
---------------------------------------------------------------------------
\15\ Supra note 2.
---------------------------------------------------------------------------
E. Current Expected Credit Losses
The agencies received a number of comments related to the CECL
methodology as described in FASB ASC Topic 326.\16\ Some commenters
cautioned the agencies against incorporating FASB ASC Topic 326 into
the credit review final guidance because this would create a complex
methodology that many institutions would be unable to implement. For
example, one commenter expressed concern with maintaining historical
loss experience on a segment level because loan segmentation under FASB
ASC 326 may be more granular than what is currently maintained and may
change over time. Commenters on the proposed credit review guidance
noted that while institutions with large and complex loan portfolios
typically maintain records of their historical loss experience for
credits in each of the categories in their risk rating framework, this
may not be the case in smaller institutions.
---------------------------------------------------------------------------
\16\ Refer to the final Interagency Policy Statement on
Allowances for Credit Losses published elsewhere in this issue of
the Federal Register for more details on CECL methodology.
---------------------------------------------------------------------------
The final guidance is intended to be flexible and consistent with
CECL, but it does not incorporate FASB Topic 326. The agencies have
observed that maintenance of historical loss information has
traditionally been part of an effective credit risk grading framework
for institutions of all sizes as it provides a basis for credit loss
estimation for various credit types. Institutions have flexibility in
how historical loss data information is maintained to the extent that
it provides sufficient information to inform and help confirm the
accuracy of risk rating similar credits. To provide further clarity and
to emphasize the flexibility available to institutions, the agencies
have modified the final guidance to read ``evaluation of the
institution's historical loss experience for each of the groups of
loans with similar risk characteristics into which it has segmented its
loan portfolio.''
Some commenters recommended that the agencies clarify credit risk
review's role in determining ACLs. One commenter asked for
clarification on whether credit risk review functions must conduct
risk-specific assessments on the valuations of financial assets
measured at an amortized cost basis, such as held-to-maturity
securities. With regard to institutions that produce economic forecast
estimations as a component of their ACL estimate, the commenter also
asked whether credit risk review functions should integrate and align
the economic forecast estimations into qualitative assessments of
individual loans and portfolios.
As discussed previously, the agencies are issuing this final
guidance as a standalone document separate from any guidance on
estimation of expected credit losses, as credit risk review is an
important component of safety and soundness on its own. Commenters
should refer to the Interagency Policy Statement on Allowances for
Credit Losses \17\ regarding how credit risk review can facilitate the
loss estimation process.
---------------------------------------------------------------------------
\17\ This guidance is contained in a separate document published
elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------
IV. Paperwork Reduction Act
In accordance with the requirements of the Paperwork Reduction Act
of 1995 (PRA),\18\ the agencies may not conduct or sponsor, and the
respondent is not required to respond to, an information collection
unless it displays a currently valid Office of Management and Budget
(OMB) control number.
---------------------------------------------------------------------------
\18\ 44 U.S.C. 3501-3521.
---------------------------------------------------------------------------
The final guidance will not create any new or revise any existing
collections of information under the PRA. Therefore, no information
collection request will be submitted to the OMB for review.
V. Final Guidance
The text of the final guidance is as follows:
INTERAGENCY GUIDANCE ON CREDIT RISK REVIEW SYSTEMS
Introduction
The Interagency Guidelines Establishing Standards for Safety and
Soundness (Guidelines) \1\ underscore the critical importance of credit
risk review and set safety and soundness standards for insured
depository institutions to establish a system for independent, ongoing
credit risk review, and for appropriate communication to their
management and boards of directors.\2\ This guidance, which aligns with
the Guidelines, is appropriate for all institutions \3\ and describes a
broad set of practices that can be used either within a dedicated unit
or across multiple units throughout an institution to form a credit
risk review system that is consistent with safe and sound lending
practices. This guidance outlines principles that an institution
[[Page 33285]]
should consider in developing and maintaining an effective credit risk
review system.
---------------------------------------------------------------------------
\1\ 12 CFR part 30, appendix A (OCC); 12 CFR part 208, appendix
D-1 (Board); and 12 CFR part 364, appendix A (FDIC). Part 723 of
NCUA Rules and Regulations (12 CFR part 723).
\2\ For foreign banking organization branches, agencies, or
subsidiaries not operating under single governance in the United
States, the U.S. risk committee would serve in the role of the board
of directors for purposes of this guidance.
\3\ For purposes of this guidance, regulated institutions are
those supervised by the following agencies: The Board of Governors
of the Federal Reserve System (Board), the Federal Deposit Insurance
Corporation (FDIC), the National Credit Union Administration (NCUA),
and the Office of the Comptroller of the Currency (OCC), hereafter
referred to as the ``agencies.''
---------------------------------------------------------------------------
Overview of Credit Risk Review Systems
The nature of credit risk review systems \4\ varies based on an
institution's size, complexity, loan types, risk profile, and risk
management practices. For example, in smaller or less complex
institutions, a credit risk review system may include qualified members
of the staff, including loan officers, other officers, or directors,
who are independent of the credits being assessed. In larger or more
complex institutions, a credit risk review system may include
components of a dedicated credit risk review function that are
independent of the institution's lending function.\5\ A credit risk
review system may also include various responsibilities assigned to
credit underwriting, loan administration, a problem loan workout group,
or other organizational units of an institution. Among other
responsibilities, these groups may administer the internal problem loan
reporting process, maintain the integrity of the credit risk rating
process, confirm that timely and appropriate changes are made to risk
ratings, and support the quality of information used to estimate the
Allowance for Credit Losses (ACL) or the Allowance for Loan and Lease
Losses (ALLL), as applicable. Additionally, some or all of the credit
risk review function may be performed by a qualified third party.
---------------------------------------------------------------------------
\4\ The credit risk review function is not intended to be
performed by an institution's internal audit function. However, as
discussed in the agencies' March 2003 Interagency Policy Statement
on the Internal Audit Function and its Outsourcing (2003 policy
statement), some institutions coordinate the internal audit function
with several risk monitoring functions, such as the credit risk
review function. The 2003 policy statement states that coordination
of credit risk review with the internal audit function can
facilitate the reporting of material risk and control issues to the
audit committee, increase the overall effectiveness of these
monitoring functions, better utilize available resources, and
enhance the institution's ability to comprehensively manage risk.
However, an effective internal audit function maintains the ability
to independently audit the credit risk review function. (The NCUA
was not an issuing agency of the 2003 policy statement.)
\5\ Credit risk review may be referred to as loan review, credit
review, asset quality review, or another name as chosen by an
institution. The role of, expectations for, and scope of credit risk
review as discussed in this document are distinct from the roles,
expectations, and scope of work performed by other groups within an
institution that are also responsible for monitoring, managing and
reporting credit risk. Examples may be those involved with lending
functions, independent risk management, loan work outs, and
accounting. Each institution indicates in its own policies and
procedures the specific roles and responsibilities of these
different groups, including separation of duties. A credit risk
review unit, or individuals serving in that role, can rely on
information provided by other units in developing its own
independent assessment of credit risk in loan portfolios, but the
credit risk review unit critically evaluates such information to
maintain its own view, as opposed to relying exclusively on such
information.
---------------------------------------------------------------------------
Regardless of the structure, an effective credit risk review system
accomplishes the following objectives:
Promptly identifies loans with actual and potential credit
weaknesses so that timely action can be taken to strengthen credit
quality and minimize losses.
Appropriately validates and, if necessary, adjusts risk
ratings, especially for those loans with potential or well-defined
credit weaknesses that may jeopardize repayment.
Identifies relevant trends that affect the quality of the
loan portfolio and highlights segments of those portfolios that are
potential problem areas.
Assesses the adequacy of and adherence to internal credit
policies and loan administration procedures and monitors compliance
with applicable laws and regulations.
Evaluates the activities of lending personnel and
management, including compliance with lending policies and the quality
of their loan approval, monitoring, and risk assessment.
Provides management and the board of directors with an
objective, independent, and timely assessment of the overall quality of
the loan portfolio.
Provides management with accurate and timely credit
quality information for financial and regulatory reporting purposes,
including the determination of an appropriate ACL or ALLL, as
applicable.
Credit Risk Rating (or Grading) Framework
The foundation for any effective credit risk review system is
accurate and timely risk ratings to assess credit quality and identify
or confirm problem loans. An effective credit risk rating framework
includes the monitoring of individual loans and retail credit
portfolios, or segments thereof, with similar risk characteristics. An
effective framework also provides important information on the
collectibility of each portfolio for use in the determination of an
appropriate ACL or ALLL, as applicable. Further, an effective framework
generally places primary reliance on the lending staff to assign
accurate and timely risk ratings and identify emerging loan problems.
However, given the importance of the credit risk rating framework, the
lending personnel's assignment of risk ratings is typically subject to
review by qualified and independent: (i) Peers, managers, or loan
committee(s); (ii) part-time or full-time employee(s); (iii) internal
departments staffed with credit review specialists; or (iv) external
credit review consultants. A risk rating review that is independent of
the lending function and approval process can provide a more objective
assessment of credit quality.\6\
---------------------------------------------------------------------------
\6\ Small or rural institutions that have few resources or
employees may adopt modified credit risk review procedures and
methods to achieve a proper degree of independence. For example, in
the review process, such an institution may use qualified members of
the staff, including loan officers, other officers, or directors,
who are not involved with originating or approving the specific
credits being assessed and whose compensation is not influenced by
the assigned risk ratings. It is appropriate to employ such modified
procedures when more robust procedures and methods are impractical.
Institution management and the board, or a board committee, should
have reasonable confidence that the personnel chosen will be able to
conduct reviews with the needed independence despite their position
within the loan function.
---------------------------------------------------------------------------
An effective credit risk rating framework includes the following
attributes:
A formal credit risk rating system in which the ratings
reflect the risk of default and credit losses, and for which a written
description of the credit risk framework is maintained, including a
discussion of the factors used to assign appropriate risk ratings to
individual loans and retail credit portfolios, or segments thereof,
with similar risk characteristics.\7\
---------------------------------------------------------------------------
\7\ A bank or savings association may have a credit risk rating
framework that differs from the framework for loan classifications
used by the Federal banking agencies. Such banks and savings
associations should maintain documentation that translates their
risk ratings into the regulatory classification framework used by
the Federal banking agencies. This documentation will enable
examiners to reconcile the totals for the various loan
classifications or risk ratings under the institution's system to
the Federal banking agencies' categories contained in the Uniform
Agreement on the Classification and Appraisal of Securities Held by
Depository Institutions Attachment 1--Classification Definitions
(OCC: OCC Bulletin 2013-28; Board: SR Letter 13-18; and FDIC: FIL-
51-2013). The NCUA does not require credit unions to adopt a uniform
regulatory classification system. Risk rating guidance for credit
unions is set forth in NCUA letters to credit unions 10-CU-02,
``Current Risks in Business Lending and Sound Risk Management
Practices,'' issued January 2010 and 10-CU-03, ``Concentration
Risk,'' issued March 2010. See also the Commercial and Member
Business Loans section of the NCUA Examiner's Guide (Commercial and
Member Business Loans > Credit Risk Rating Systems) and the preamble
to 1 CFR parts 701, 723, and 741 Member Business Loans; Commercial
Lending: Proposed Rule July 2015.
---------------------------------------------------------------------------
Identification or grouping of loans that warrant the
special attention of management or other designated ``watch lists'' of
loans that management is more closely monitoring.\8\
---------------------------------------------------------------------------
\8\ In addition to loans designated as ``watch list,'' this
identification typically includes loans rated special mention,
substandard, doubtful, or loss.
---------------------------------------------------------------------------
Clear explanation of why particular loans warrant the
special attention of
[[Page 33286]]
management or have received an adverse risk rating.
Evaluation of the effectiveness of approved workout plans.
A method for communicating direct, periodic, and timely
information to the institution's senior management and the board of
directors or appropriate board committee on the status of loans
identified as warranting special attention or adverse classification,
and the actions taken by management to strengthen the credit quality of
those loans.
Evaluation of the institution's historical loss experience
for each of the groups of loans with similar risk characteristics into
which it has segmented its loan portfolio.\9\
---------------------------------------------------------------------------
\9\ In particular, institutions with large and complex loan
portfolios typically maintain records of their historical loss
experience for credits in each of the categories in their risk
rating framework. For banks and savings associations, these
categories are either those used by, or those that can be translated
into those used by, the Federal banking agencies.
---------------------------------------------------------------------------
Elements of an Effective Credit Risk Review System
An effective credit risk review system starts with a written credit
risk review policy \10\ that is reviewed and typically approved at
least annually by the institution's board of directors or appropriate
board committee to evidence its support of, and commitment to,
maintaining an effective system. Effective policies include a
description of the overall risk rating framework and establish
responsibilities for loan review based on the portfolio being assessed.
An effective credit risk review policy addresses the following
elements, described in more detail below: the qualifications and
independence of credit risk review personnel; the frequency, scope, and
depth of reviews; the review of findings and follow-up; and
communication and distribution of results.
---------------------------------------------------------------------------
\10\ See 12 CFR part 30, appendix A (OCC); 12 CFR part 208,
appendix D-1 (Board); and 12 CFR part 364, appendix A (FDIC). See
also 12 CFR part 723 (NCUA).
---------------------------------------------------------------------------
Qualifications of Credit Risk Review Personnel
An effective credit risk review function is staffed with personnel
who are qualified based on their level of education, experience, and
extent of formal credit training. Qualified personnel are knowledgeable
in both sound lending practices and the institution's lending
guidelines for the types of loans offered by the institution. The level
of experience and expertise for all personnel involved in the credit
risk review process is expected to be commensurate with the nature of
the risk and complexity of the portfolios. In addition, qualified
credit risk review personnel possess knowledge of relevant laws,
regulations, and supervisory guidance.
Independence of Credit Risk Review Personnel
An effective credit risk review system incorporates both the
initial identification of emerging problem loans by loan officers and
other line staff, and an assessment of loans by personnel independent
of the credit approval process. Placing primary responsibility on loan
officers, risk officers, and line staff is important for continuous
portfolio analysis and prompt identification and reporting of problem
loans. Because of frequent contact with borrowers, loan officers and
line staff can usually identify potential problems before they become
apparent to others. However, institutions should be careful to avoid
over-reliance on loan officers and line staff for identification of
problem loans. An independent assessment of risk is achieved when
personnel who perform the loan review do not have control over the loan
and are not part of or influenced by individuals associated with the
loan approval process.
While a larger institution may establish a separate department
staffed with credit review specialists, cost and volume considerations
may not justify such a system in a smaller institution. For example, in
the review process, smaller institutions may use an independent
committee of outside directors or qualified members of the staff,
including loan officers, other officers, or directors, who are not
involved with originating or approving the specific credits being
assessed and whose compensation is not influenced by the assigned risk
ratings. Whether or not the institution has a dedicated credit risk
review department, it is prudent for the credit risk review function to
report directly to the institution's board of directors or a committee
thereof, consistent with safety and soundness standards. Senior
management may be responsible for appropriate administrative functions
provided such an arrangement does not compromise the independence of
the credit risk review function.
The institution's board of directors, or a committee thereof, may
outsource the credit risk review function to an independent third
party.\11\ However, the responsibility for maintaining a sound credit
risk review system remains with the institution's board of directors.
In any case, institution personnel who are independent from the lending
function typically assess risks, develop the credit risk review plan,
and verify appropriate follow-up of findings. Outsourcing of the credit
risk review function to the institution's external auditor may raise
additional independence considerations.\12\
---------------------------------------------------------------------------
\11\ For supervisory guidance related to outside service
providers, refer to SR letter 13-19/CA letter 13-21, ``Guidance on
Managing Outsourcing Risk,'' issued by the Board on December 5,
2013; FIL-44-2008, ``Guidance for Managing Third-Party Risk,''
issued by the FDIC on June 6, 2008; and OCC Bulletin 2013-29,
``Third-Party Relationships: Risk Management Guidance,'' issued by
the OCC on October 30, 2013. For credit unions, refer to NCUA
letters to credit unions 01-CU-20 ``Due Diligence over Third Party
Service Providers,'' issued November 2001 and 07-CU-13 ``Evaluating
Third Party Relationships,'' issued December 2007.
\12\ See footnote 4.
---------------------------------------------------------------------------
Frequency of Reviews
An effective credit risk review system provides for review and
evaluation of an institution's significant loans, loan products, or
groups of loans typically annually, on renewal, or more frequently when
internal or external factors indicate a potential for deteriorating
credit quality or the existence of one or more other risk factors. The
credit risk review function can also provide useful continual feedback
on the effectiveness of the lending process in order to identify any
emerging problems. Ongoing or periodic review of an institution's loan
portfolio is particularly important to the estimation of ACLs or the
ALLL because loss expectations may change as the credit quality of a
loan changes. Use of key risk indicators or performance metrics by
credit risk review management can support adjustments to the frequency
and scope of reviews.
Scope of Reviews
Comprehensive and effective reviews cover all segments of the loan
portfolio that pose significant credit risk or concentrations, and
other loans that meet certain institution-specific criteria. A properly
designed scope considers the current market conditions or other
external factors that may affect a borrower's current or future ability
to repay the loan. Establishment of an appropriate review scope also
helps ensure that the sample of loans selected for review, or portfolio
segments selected for review, is representative of the portfolio as a
whole and provides reasonable assurance that any credit quality
deterioration or unfavorable trends are identified. An effective credit
risk review function also considers industry standards for credit risk
review coverage consistent with the
[[Page 33287]]
institution's size, complexity, loan types, risk profile, and risk
management practices and helps to verify whether the review scope is
appropriate. The institution's board of directors or appropriate board
committee typically approves the scope of the credit risk review on an
annual basis or whenever significant interim changes are made in order
to adequately assess the quality of the current portfolio. An effective
scope of credit risk review is risk-based and typically includes:
Loans over a predetermined size;
A sufficient sample of smaller loans, new loans, and new
loan products;
Loans with higher risk indicators, such as low credit
scores, high credit lines, or those credits approved as exceptions to
policy;
Segments of loan portfolios, including retail, with
similar risk characteristics such as those related to borrower risk
(e.g. credit history), transaction risk (e.g. product and/or collateral
type), or other risk factors as appropriate;
Segments of the loan portfolio experiencing rapid growth;
Exposures from non-lending activities that also pose
credit risk;
Past due, nonaccrual, renewed, and restructured loans;
Loans previously adversely classified and loans designated
as warranting the special attention of the institution's management;
\13\
---------------------------------------------------------------------------
\13\ See footnote 8.
---------------------------------------------------------------------------
Loans to insiders or related parties;
Loans to affiliates;
Loans constituting concentrations of credit risk and other
loans affected by common repayment factors.
Depth of Transaction or Portfolio Reviews
Loans and portfolio segments selected for review are typically
evaluated for:
Credit quality, soundness of underwriting and risk
identification, borrower performance, and adequacy of the sources of
repayment;
[cir] When applicable, this evaluation includes the appropriateness
of automated underwriting and credit scoring, including prudent use of
overrides, as well as the effectiveness of account management
strategies, collections, and portfolio management activities in
managing credit risk;
Reasonableness of assumptions;
Creditworthiness of guarantors or sponsors;
Sufficiency of credit and collateral documentation;
Proper lien perfection;
Proper approvals consistent with internal policies;
Adherence to loan agreement covenants;
Adequacy of, and compliance with, internal policies and
procedures (such as those related to nonaccrual and classification or
risk rating policies), laws, and regulations;
The appropriateness of credit loss estimation for those
credits with significant weaknesses including the reasonableness of
assumptions used, and the timeliness of charge-offs;
The accuracy of risk ratings and the appropriateness and
timeliness of the identification of problem loans by loan officers.
Review of Findings and Follow-Up
An important activity of an effective credit risk review system is
the discussion of the review findings, including all noted
deficiencies, identified weaknesses, and any existing or planned
corrective actions (including time frames for correction) with
appropriate loan officers, department managers, and senior management.
An effective system includes processes for all noted deficiencies and
weaknesses that remain unresolved beyond the scheduled time frames for
correction to be promptly reported to senior management and the board
of directors or appropriate board committee.
It is important to resolve risk rating differences between loan
officers and loan review personnel according to a pre-arranged process.
That process may include formal appeals procedures and arbitration by
an independent party or may require default to the assigned
classification or risk rating that indicates lower credit quality. If
credit risk review personnel conclude that a loan or loan portfolio is
of a lower credit quality than is perceived by the portfolio management
staff, the lower classification or risk rating typically prevails
unless internal parties identify additional information sufficient to
obtain the concurrence of the independent reviewer or arbiter on the
higher credit quality classification or risk rating.
Communication and Distribution of Results
Personnel involved in the credit risk review process typically
prepare a list of all loans (and portfolio segments) reviewed, the date
of review, and a summary analysis that substantiates the risk ratings
assigned to the loans reviewed. Effective communication also typically
involves providing results of the credit risk reviews to the board of
directors or appropriate board committee quarterly.\14\ Comprehensive
reporting includes comparative trends that identify significant changes
in the overall quality of the loan portfolio, the adequacy of, and
adherence to, internal policies and procedures, the quality of
underwriting and risk identification, compliance with laws and
regulations, and management's response to substantive criticisms or
recommendations. Such comprehensive reporting provides the board of
directors or appropriate board committee with insight into the
portfolio and the responsiveness of management and facilitates timely
corrective action of deficiencies.
---------------------------------------------------------------------------
\14\ An effective credit risk review system provides for
informing the board of directors or appropriate board committee more
frequently than quarterly when material adverse trends are noted.
When an institution conducts loan file reviews less frequently than
quarterly, the board or appropriate board committee will typically
receive results on other credit risk review activities quarterly.
Joseph M. Otting,
Comptroller of the Currency.
By order of the Board of Governors of the Federal Reserve
System.
Ann Misback,
Secretary of the Board.
Federal Deposit Insurance Corporation.
Dated at Washington, DC, on or about May 7, 2020.
Robert E. Feldman,
Executive Secretary.
By the National Credit Union Administration Board.
Gerard Poliquin,
Secretary of the Board.
[FR Doc. 2020-10292 Filed 5-29-20; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 7535-01-P