[Federal Register Volume 85, Number 105 (Monday, June 1, 2020)]
[Notices]
[Pages 33278-33287]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-10292]



[[Page 33278]]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

[Docket ID OCC-2019-0018]

FEDERAL RESERVE SYSTEM

[Docket ID OP-1679]

FEDERAL DEPOSIT INSURANCE CORPORATION

RIN 3064-ZA09

NATIONAL CREDIT UNION ADMINISTRATION

RIN 3133-AF05


Interagency Guidance on Credit Risk Review Systems

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury; 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); and National Credit Union 
Administration (NCUA).

ACTION: Final guidance.

-----------------------------------------------------------------------

SUMMARY: The OCC, the Board, the FDIC, and the NCUA (collectively, the 
agencies) are issuing final guidance for credit risk review (final 
guidance). This guidance is relevant to all institutions supervised by 
the agencies and replaces Attachment 1 of the 2006 Interagency Policy 
Statement on the Allowance for Loan and Lease Losses. The final 
guidance discusses sound management of credit risk, a system of 
independent, ongoing credit review, and appropriate communication 
regarding the performance of the institution's loan portfolio to its 
management and board of directors.

DATES: The final guidance is available on June 1, 2020.

FOR FURTHER INFORMATION CONTACT: 
    OCC: Beth Nalyvayko, Bank Examiner, or Lou Ann Francis, Director, 
Commercial Credit Risk, (202) 649-6670; or Kevin Korzeniewski, Counsel, 
Chief Counsel's Office, (202) 649-5490. For persons who are hearing 
impaired, TTY, (202) 649-5597.
    Board: Constance Horsley, Deputy Associate Director, (202) 452-
5239; Kathryn Ballintine, Manager, (202) 452-2555; or Carmen Holly, 
Lead Financial Institution Policy Analyst (202) 973-6122; or Alyssa 
O'Connor, Attorney, Legal Division, (202) 452-3886, Board of Governors 
of the Federal Reserve System, 20th and C Streets NW, Washington, DC 
20551.
    FDIC: Thomas F. Lyons, Chief, Policy & Program Development, 
[email protected] (202) 898-6850); George J. Small, Senior Examination 
Specialist, Risk Management Policy, [email protected] (917) 320-2750, 
Risk Management Supervision; Ann M. Adams, Senior Examination 
Specialist, Risk Management Policy, [email protected] (347) 751-2469, 
Risk Management Supervision; or Andrew B. Williams II, Counsel, 
[email protected]; (202) 898-3591), Supervision and Legislation 
Branch, Legal Division, Federal Deposit Insurance Corporation; 550 17th 
Street NW, Washington, DC 20429.
    NCUA: Vincent H. Vieten, Senior Credit Specialist (703) 518-6618; 
Uduak Essien, Director (703) 518-6399, Division of Credit Markets; or 
Ian Marenna, Associate General Counsel (703) 518-6554, Office of 
General Counsel.

SUPPLEMENTARY INFORMATION: 

I. Background

    In 2006, the OCC, the Board, the FDIC, and the NCUA (collectively 
referred to as the agencies) issued the Interagency Policy Statement on 
the Allowance for Loan and Lease Losses.\1\ Attachment 1 of that 
statement, entitled ``Loan Review Systems,'' served as the agencies' 
guidance on credit risk review (Attachment 1). Attachment 1 
supplemented and aligned with other relevant agency issuances on credit 
review, including the Interagency Guidelines Establishing Standards for 
Safety and Soundness.\2\
---------------------------------------------------------------------------

    \1\ See OCC Bulletin 2006-47; FDIC Financial Institution Letter 
FIL-105-2006; Federal Reserve Supervision and Regulation (SR) letter 
06-17; NCUA Accounting Bulletin No. 06-01.
    \2\ 12 CFR part 30, appendix A (OCC); 12 CFR part 208, appendix 
D-1 (Board); 12 CFR part 364 appendix A (FDIC). Also see 12 CFR part 
723 (NCUA).
---------------------------------------------------------------------------

    In October 2019, the agencies invited public comment on proposed 
guidance on credit risk review (proposed guidance or proposal).\3\ The 
proposed guidance would update and clarify Attachment 1. It also would 
adjust terminology to be consistent with the current expected credit 
losses (CECL) methodology, a recent accounting standards change.\4\ The 
agencies are adopting the proposed guidance in final form (final 
guidance), with certain revisions as discussed below. The final 
guidance replaces Attachment 1 as the agencies' guidance on credit risk 
review systems for all supervised institutions and is being issued as a 
standalone document. Attachment 1 is rescinded as of June 1, 2020.
---------------------------------------------------------------------------

    \3\ Interagency Guidance on Credit Risk Review Systems, 84 FR 
55679 (Oct. 17, 2019).
    \4\ See Financial Accounting Standards Board's, Accounting 
Standards Codification Topic 326, which revises the accounting for 
the allowances for credit losses (ACLs) and introduces the CECL 
methodology. [The agencies' final guidance on CECL is contained in a 
separate document published elsewhere in this issue of the Federal 
Register.]
---------------------------------------------------------------------------

II. Overview of Comments

    The agencies collectively received 19 comments on the proposed 
guidance. Commenters included trade associations, banks, credit unions, 
and members of the public.
    Most commenters expressed general support for the guidance. 
Commenters noted that the proposed guidance reflected sound practices 
and principles, incorporated the core elements of credit risk review, 
and did not represent a fundamental shift from Attachment 1. Some 
commenters raised concerns including that the guidance was too 
prescriptive.
    The comments addressed a wide range of topics, and in some 
instances, commenters requested clarifications to certain aspects of 
the proposed guidance. For example, commenters discussed the role of 
credit risk review including its relation to other functions, such as 
internal audit; the appropriate scope, depth and frequency of credit 
risk review activities; internal responsibility for an institution's 
risk rating framework; the process for adjudicating risk rating 
disputes; the communication of credit risk review results and 
qualifications of credit risk review personnel; credit risk review in 
the context of retail portfolios; and the use of technology and data in 
credit risk review.
    A number of commenters expressed concern with what they viewed as 
the one-size-fits-all approach of the proposed guidance and the 
potential burden to smaller institutions. Commenters requested that the 
agencies specifically tailor the guidance to emphasize flexibility 
based on an institution's risk profile or even exempt small 
institutions from the guidance.
    Some commenters discussed independence of the credit risk review 
function and acknowledged that credit risk review provides a critical 
and independent assurance role but noted that role has expanded in 
scope and may overlap with duties performed by other functions 
resulting in a duplication of efforts.
    Commenters also expressed concern generally with the implementation 
of the CECL methodology; the relationship of the proposed guidance to 
Allowances for Credit Losses (ACL); and whether CECL would make credit 
risk review more burdensome, particularly for smaller institutions.

[[Page 33279]]

III. Discussion of Comments on the Proposed Guidance

    The agencies are finalizing the guidance with targeted changes and 
clarifications to address the concerns raised by commenters. The 
comments, and any revisions to the final guidance, are discussed below 
and grouped based on the three questions posed in the proposal and 
other related topics raised by commenters. The agencies' three 
questions asked whether the proposed guidance reflected sound 
practices, whether the proposed guidance was appropriate for 
institutions of differing sizes, and whether the agencies should 
include additional factors in the proposed guidance to help credit risk 
review achieve a sufficient degree of independence.\5\
---------------------------------------------------------------------------

    \5\ Question 1: To what extent does the proposed credit review 
guidance reflect current sound practices for an institution's credit 
risk review activities? What elements should be added or removed, 
and why? Question 2: To what extent is the proposed credit review 
guidance appropriate for institutions of all asset sizes? What 
elements should be added or removed for institutions of differing in 
sizes, and why? Question 3: What, if any, additional factors should 
the agencies consider incorporating into the guidance to help 
achieve a sufficient degree of independence and why? To what extent 
does the approach described for small or rural institutions with 
fewer resources or employees provide for an appropriate degree of 
independence in the credit review function? What if any 
modifications should the agencies consider and why?
---------------------------------------------------------------------------

    The agencies emphasize that credit risk review is a significant 
risk management function separate from the determination of the 
appropriate reserve for credit losses. While the results of the credit 
risk review can help ensure that the ACLs or Allowance for Loan and 
Lease Losses (ALLL) adequately reflects risk in the institution's loan 
portfolio, the agencies are addressing the implementation of CECL 
separately from the final guidance.

A. General Application of Guidance

    Some commenters indicated the guidance was too prescriptive; in one 
case, a commenter considered the guidance excessively detailed and not 
aligned with current practices for credit unions in particular. Others 
indicated that the proposed guidance reflected foundational principles 
and outlined elements of a sound credit risk program without mandating 
how credit risk review should operate. Commenters also raised concerns 
that the proposed guidance would be enforced as a regulation.
    An effective credit risk review function is integral to the safe 
and sound operation of every insured depository institution. To assist 
institutions in the creation and operation of such functions, the 
agencies have developed the final guidance to describe a broad set of 
practices and principles for developing and maintaining a credit risk 
review function consistent with safe and sound credit risk management 
practices and the Interagency Guidelines Establishing Standards for 
Safety and Soundness.\6\ However, the final guidance does not establish 
any requirements or rules, nor does it mandate implementation of a 
specific system or prescribe specific actions with which institutions 
must comply.
---------------------------------------------------------------------------

    \6\ Supra note 2.
---------------------------------------------------------------------------

    One commenter expressed general concern about guidance being 
applicable to all institutions, including credit unions, because the 
commenter considered credit union operational practices as distinct 
from those of other institutions. Another commenter called for the 
guidance to address how it intersects with the NCUA Examiner's Guide. 
The NCUA notes that credit risk is related to the characteristics of 
the loan, and not the type of institution providing the financing. This 
guidance is an appropriate reference to assist in establishing a credit 
risk review function for both credit union and other institutions' loan 
portfolios. Furthermore, the final guidance aligns with the NCUA 
Examiner's Guide for commercial loans \7\ and 12 CFR part 723 of the 
NCUA's regulations, and the NCUA supports the recommendations in this 
final guidance as it pertains to retail and consumer loan portfolios. 
The NCUA Examiner's Guide will be updated to reflect this new guidance.
---------------------------------------------------------------------------

    \7\ See the Commercial and Member Business Loans section of the 
NCUA Examiner's Guide (Commercial and Member Business Loans > 
Commercial Loan Administration>Independent Loan Review).
---------------------------------------------------------------------------

B. Elements of the Guidance

    Commenters addressed the role of credit risk review; scope, depth, 
and frequency of reviews; responsibility for and determination of risk 
ratings; timely communication of results; qualifications of credit risk 
review personnel; tailoring of the guidance to retail portfolios; and 
use of technology in the credit risk review process.
1. Role of Credit Risk Review
    Some commenters called for the guidance to better delineate between 
the responsibilities of credit risk review and other functions. As 
provided in footnote 5 \8\ of the final guidance, the role of credit 
risk review is distinct from the roles of other groups within an 
institution that are also responsible for monitoring, managing, and 
reporting credit risk. The agencies reiterate that institutions have 
flexibility to determine the specific roles, responsibilities, and 
duties of these different groups. The core responsibilities of a credit 
risk review system are discussed in the final guidance under the 
objectives of an effective credit risk review system, and include the 
prompt identification of loans with credit weaknesses and the 
validation and adjustment of risk ratings.
---------------------------------------------------------------------------

    \8\ Footnote 5 states that credit risk review may be referred to 
as loan review, credit review, asset quality review, or another name 
as chosen by an institution. The role of, expectations for, and 
scope of credit risk review as discussed in this document are 
distinct from the roles, expectations, and scope of work performed 
by other groups within an institution that are also responsible for 
monitoring, managing and reporting credit risk. Examples may be 
those involved with lending functions, independent risk management, 
loan work outs, and accounting. Each institution indicates in its 
own policies and procedures the specific roles and responsibilities 
of these different groups, including separation of duties. A credit 
risk review unit, or individuals serving in that role, can rely on 
information provided by other units in developing its own 
independent assessment of credit risk in loan portfolios, but the 
credit risk review unit critically evaluates such information to 
maintain its own view, as opposed to relying exclusively on such 
information.
---------------------------------------------------------------------------

    One commenter disagreed that a primary objective of credit risk 
review was to promptly identify all loans with actual and potential 
credit weaknesses. The commenter believed that this responsibility 
primarily lies with the credit administration function while credit 
risk review would identify such loans using a sample-based approach. 
The guidance does not singularly assign the process of risk 
identification to credit risk review; effective ongoing credit 
administration practices allow other credit risk functions to have a 
role in the prompt detection of changes in loan quality and appropriate 
adjustments to the risk rating. As part of its independent risk rating 
validation process, credit risk review may identify loans with 
significant weaknesses and identifiable losses and adjust the risk 
rating accordingly. The emphasis for credit risk review or any party 
identifying credit risk is on timely and accurate identification of 
credit weaknesses so that action can be taken to strengthen credit 
quality and minimize loss.
    Several commenters asked for clarification of credit risk review's 
role in relation to internal audit. As discussed in footnote 4 \9\ of 
the final

[[Page 33280]]

guidance, the credit risk review function is not intended to be 
performed by an institution's internal audit function. The March 2003 
Interagency Statement on the Internal Audit Function and Its 
Outsourcing (2003 policy statement) \10\ discusses the coordination of 
the internal audit function with risk monitoring functions, such as the 
credit risk review function. The 2003 policy statement provides that 
coordination of credit risk review with the internal audit function can 
facilitate the reporting of material risk and control issues to the 
audit committee, increase the overall effectiveness of these monitoring 
functions, better utilize available resources, and enhance the 
institution's ability to comprehensively manage risk.
---------------------------------------------------------------------------

    \9\ Footnote 4 states that the credit risk review function is 
not intended to be performed by an institution's internal audit 
function. However, as discussed in the agencies' March 2003 
Interagency Policy Statement on the Internal Audit Function and its 
Outsourcing (2003 policy statement), some institutions coordinate 
the internal audit function with several risk monitoring functions, 
such as the credit risk review function. The 2003 policy statement 
states that coordination of credit risk review with the internal 
audit function can facilitate the reporting of material risk and 
control issues to the audit committee, increase the overall 
effectiveness of these monitoring functions, better utilize 
available resources, and enhance the institution's ability to 
comprehensively manage risk. However, an effective internal audit 
function maintains the ability to independently audit the credit 
risk review function. (The NCUA was not an issuing agency of the 
2003 policy statement.)
    \10\ The 2003 policy statement was issued by the Board, OCC, and 
FDIC on March 17, 2003. See SR Letter 03-5, OCC Bulletin 2003-12, 
FDIC Financial Institution Letter FIL-21-2003. NCUA was not a party 
to the issuance.
---------------------------------------------------------------------------

    Commenters noted that credit risk review and other banking units 
should coordinate their activities and requested clarification of 
whether it would be appropriate for credit risk review or for other 
internal functions within a credit risk review system to perform 
activities that are compliance or operational in nature, such as 
confirming proper lien perfection and collateral documentation. 
Commenters also stated that credit risk review provides support to 
financial and regulatory reporting functions but does not directly 
deliver outputs to these functions, and requested that the proposed 
guidance be clarified in this regard.
    While duties such as assuring lien perfection and collateral 
confirmation might not be directly undertaken by the credit risk review 
function, evaluation and confirmation of such actions is within the 
scope of the credit risk review function and a key aspect of an 
assessment of the overall quality of the credit. The credit risk review 
function may use information generated by other functions when 
developing an independent assessment of credit risk, but footnote 5 of 
the final guidance provides that such information is typically subject 
to critical challenge and evaluation and a credit risk review function 
typically does not rely exclusively on such information.
    Some commenters indicated that credit risk review should not have a 
role in evaluating workout plans, and requested that related language 
be eliminated from the guidance. An effective workout plan is typically 
designed to rehabilitate a troubled credit or to maximize the amount of 
repayment ultimately collected and is therefore a loss mitigation 
strategy. For this reason, Attachment 1 included similar language to 
the proposed guidance on workout plans, as effective workout plans are 
critical to managing risk in a loan portfolio. Since assessment of such 
strategies is within the scope of the credit risk review's role, the 
final guidance retains the reference to evaluating workout plans.
    One commenter stated that one part of the proposed guidance allows 
institutions to have a system concept for structuring credit risk 
review whereas the latter part of the proposed guidance defined 
specific roles for a credit review function. The commenter requested 
clarification on the words ``system'' and ``function'' as used in the 
guidance. The agencies have seen institutions use both terms when 
referring to credit risk review, with the term used generally depending 
on the size of the institution and composition of its risk review 
framework. While the agencies incorporated both terms to provide 
flexibility to institutions, the terms can be used interchangeably 
depending on the institution's existing framework.
2. Scope
    Commenters suggested that the agencies consider the nature of a 
loan portfolio and the history and experience of an institution's 
management team when determining the scope of credit risk review. 
Commenters requested that the proposed guidance indicate that credit 
review practices can be tailored when loans are seasoned and have a 
history of performance and enhanced collateral positions. Some 
commenters recommended that credit risk review focus on higher risk or 
newer loans. The agencies reaffirm that, as stated in the proposal, 
institutions may tailor their credit risk review practices based on a 
number of factors, including the nature of the institution's loan 
portfolio and overall risk profile.
    Commenters requested clarification about whether the proposed 
guidance covered non-lending activities. One commenter indicated that 
these activities should not be within the scope of credit risk review, 
while other commenters disagreed. Some commenters suggested that all 
references to ``loans'' in the proposed guidance be changed to a 
broader term that incorporates assets other than loans, such as 
securities.
    In response, the agencies recognize that credit risk may arise from 
activities that are not specific to lending and encourage institutions 
to consider whether such activities should be included in the scope of 
the credit risk review function. For example, institutions that hold 
investment securities or engage in capital markets, treasury, or 
automated clearinghouse activities may elect to include the credit risk 
related to these activities in the scope of a review. While the 
examples of non-lending credit activities cited here are not 
exhaustive, and may not apply to all institutions, they illustrate 
other areas that management and the board of directors may consider in 
the development of a review plan that reflects the risk profile of the 
institution.
    Further, some commenters expressed the view that smaller banks and 
credit unions may have difficulty in identifying concentrations of 
credit risk and other loans affected by common repayment factors. 
Commenters stated that the phrase ``common repayment factors'' could 
lead to a much larger scope of review. The OCC, Board, and FDIC note 
that, under the Interagency Guidelines Establishing Standards for 
Safety and Soundness,\11\ insured depository institutions should 
establish and maintain a system that is commensurate with the 
institution's size and the nature and scope of its operations to 
identify problem assets and prevent deterioration in those assets, 
which includes considering the size and potential risks of material 
asset concentrations. The reference to ``common repayment factors'' is 
meant to provide flexibility to institutions to consider a variety of 
factors that are applicable to the institution's circumstances and 
which may lead to a concentration of credit risk.
---------------------------------------------------------------------------

    \11\ Supra note 2.
---------------------------------------------------------------------------

    Commenters suggested that credit risk review focus on loans that 
contain major, significant, or critical exceptions to policy, rather 
than ``approved'' exceptions or loans with minor or administrative 
policy exceptions. Commenters also suggested that there may be 
``major'' exceptions to policy with strong mitigating factors that 
suggest these exceptions may not warrant a focus in the review process. 
The final guidance is not prescriptive and allows for institutions to 
set their own parameters for determining the materiality of policy 
exceptions that

[[Page 33281]]

should fall into the scope of a credit review.
    Further, commenters suggested that credit risk review focus on 
loans with high-risk indicators and asked the agencies to clarify that 
institutions can define ``segments of the loan portfolio experiencing 
rapid growth.'' Commenters suggested that it is appropriate for banks 
and credit unions to define their own ``rapid growth'' targets for 
credit review and to have independent loan review verify those targets. 
This final guidance emphasizes that an effective scope is risk-based 
and includes loans or portfolios that have high-risk indicators, 
exceptions to policy, are experiencing rapid growth, or have other risk 
attributes. The final guidance provides examples of high-risk 
indicators and other characteristics of loans that may warrant 
additional review, but does not prescribe specific targets or 
thresholds. Institutions can select their own high-risk indicators, 
keeping in mind how the indicators fit the characteristics of the 
overall portfolio and how the indicators help to reinforce safe and 
sound practices.
3. Depth
    Commenters noted that the language in the proposed guidance stating 
that loans selected for credit risk review are evaluated for 
``sufficiency of credit and collateral documentation'' was too broad. 
The final guidance does not recommend that credit risk review perform 
or oversee the loan documentation process. However, because inadequate 
loan documentation and lien perfection may adversely impact the risk 
rating and could result in losses for a financial institution, 
effective credit risk review often includes the evaluation of loan 
documentation as part of the overall assessment of the credit risk of a 
particular transaction. In doing so, effective credit risk review 
assesses and evaluates information from departments responsible for 
loan documentation and highlights identified concerns in the reports to 
management, including recommendations for their resolution.
    One commenter recommended removing language in the proposed 
guidance stating that loans selected for credit risk review are 
evaluated for ``quality of the information used in the credit loss 
estimation process, including the reasonableness of assumptions used 
and the timeliness of charge-offs.'' The commenter suggested that 
credit review should not validate the translation of loss numbers; 
rather, internal audit and external auditors should review accuracy, 
timeliness, and consistency of charge-offs.
    The bullet in the proposed guidance mentioning quality of the 
information used in the credit loss estimation process was not intended 
to expand the review of such information beyond that of the original 
Attachment 1. The focus of Attachment 1 was on assessing the adequacy 
of the identification and related impairment calculation of 
individually impaired loans under the ALLL methodology, a process which 
will no longer be applicable to loans evaluated under CECL. In order to 
direct the focus and applicability of the review under both allowance 
methodologies, the agencies have revised the language in the final 
guidance to read as follows: ``The appropriateness of credit loss 
estimation for those credits with significant weaknesses including the 
reasonableness of assumptions used, and the timeliness of charge-
offs.'' Additionally, the agencies acknowledge that the calculation of 
estimated ACL or ALLL is not the role of credit risk review. However, 
effective credit risk review results help ensure that the ACL or ALLL 
adequately reflects risk in the credit portfolio. In performing its 
assessment of reasonableness, credit risk review can leverage work 
performed in this area by other functions, such as internal audit.
    Several commenters suggested that evaluating the validity of 
underwriting assumptions was too broad of an activity for credit risk 
review, and could imply that credit risk review is responsible for back 
testing assumptions. Commenters suggested that the agencies should 
instead refer to evaluating the ``reasonableness'' of assumptions, such 
as borrower cash flow forecasts. In response, the final guidance has 
been revised to provide that such loans, and segments of portfolios, 
selected for review are generally reviewed for the reasonableness of 
assumptions. Back testing the validity of assumptions is often a part 
of the underwriting and monitoring processes. Credit risk review can 
use this information, if available, when making their assessments.
    Commenters indicated that institutions should receive credit during 
a review if back testing of initial loan risk ratings shows a high 
level of accuracy. Similarly, commenters suggested that the agencies' 
guidance should focus less on risk evaluation, but instead focus on the 
front-end loan evaluation by bank staff. The focus of the credit risk 
review system is on the assessment of credit quality in the credit 
portfolios, which is an important input into the determination of the 
ACL and ALLL. An effective credit risk review system considers any 
information available that can impact or provide insight into the 
quality of the portfolio. To the extent that back testing results are 
available, they can be considered by credit risk review staff in their 
assessment of credit quality.
4. Frequency
    Several commenters raised questions about the frequency of credit 
risk reviews and requested clarification as to when it is appropriate 
for reviews to be conducted less frequently than annually. Commenters 
suggested there are instances in which less frequent reviews are 
appropriate, such as for well-managed institutions with lower risk 
portfolios. Commenters also requested that the proposed guidance 
respect the authority of a board of directors to approve when audits 
and loan reviews are completed, and how frequently reports are 
reviewed. With respect to the credit risk review policy, one commenter 
suggested that frequency of review should be determined by a firm's 
board of directors.
    Consistent with the principles in the final guidance, each 
institution has the flexibility to set the scope of coverage and 
frequency of reviews based on the institution's specific circumstances 
while continuing to operate in a safe and sound manner. Accordingly, 
the agencies have clarified in the final guidance that effective credit 
risk reviews are typically performed annually. However, in certain 
circumstances more frequent reviews may be necessary. Reviews that are 
less frequent are typically well supported and reflective of low risk 
portfolios, are conducted consistent with safe and sound practices, and 
are approved by the institution's board of directors or board committee 
thereof. The agencies have clarified in the final guidance that an 
effective credit risk review system starts with a written credit risk 
review policy that is typically reviewed and approved at least 
annually.
5. Risk rating responsibility and adjudication
    Several commenters observed that the proposed guidance provided an 
opportunity to establish which area or department at the institution 
will have responsibility over risk rating dispositions within the 
credit review function. Commenters asked if credit risk review should 
always be the final arbiter of a risk rating, even if credit risk 
review's rating is less conservative than that determined by the 
business line. Commenters requested that the proposed guidance clarify 
that an institution's board of directors retains

[[Page 33282]]

the responsibility for maintaining a bank's credit risk rating and 
establishing relevant policies. Some commenters questioned whether the 
proposed guidance would require institutions to employ an arbitration 
process.
    The agencies believe that the language as proposed describes a 
clear disposition process for adjudicating risk ratings that is 
flexible for institutions of all sizes. In particular, the final 
guidance addresses risk rating differences between the credit risk 
review and areas responsible for loan approval. Typically, the lower 
credit quality classification or risk rating assigned by credit risk 
review prevails unless there is additional information that would 
support a higher credit quality classification or risk rating. The 
final guidance also discusses a risk rating framework that is 
consistent with safe and sound practices and the agencies' guidelines 
for supervisory classifications.\12\
---------------------------------------------------------------------------

    \12\ Two commenters requested clarification from the NCUA 
regarding whether credit unions are required to adopt the loan 
classification system described in footnote 7 of the guidance. The 
NCUA does not require credit unions to adopt the regulatory 
classifications of substandard, doubtful or loss. However, NCUA does 
support the use of these classifications, as defined by the other 
banking agencies, as an effective method for rating adversely 
classified loan risk. See the Commercial and Member Business Loans 
section of the NCUA Examiner's Guide (Commercial and Member Business 
Loans > Credit Risk Rating Systems> Credit Risk Rating Categories).
---------------------------------------------------------------------------

6. Communication of Results
    In general, commenters expressed support for credit risk review 
reporting directly to the board of directors. Other commenters 
indicated that the language in the proposed guidance was too 
prescriptive, particularly regarding communication to the board at 
least quarterly. Commenters recommended that the proposed guidance 
permit boards of directors to tailor their policies based on the size, 
scope, and complexity of the loan portfolio, as well as to the 
complexity of a loan itself.
    The agencies believe that it is consistent with safe and sound 
lending practices to have the credit risk review function report 
findings regularly and directly to the institution's board of directors 
or a committee thereof. Institutions have discretion to determine the 
frequency and extent of such reporting, taking into account the nature 
of their loan portfolios and the importance of informing the board of 
directors on credit risk. To clarify this flexibility, the proposed 
guidance was revised to state that effective communication typically 
involves providing results of the credit risk reviews to the board of 
directors or appropriate board committee quarterly. This change 
emphasizes that quarterly reporting of results is a typical practice, 
but institutions have room to adjust the frequency given their risk 
profile and consistent with safety and soundness.
    One commenter noted that the guidance should specifically recommend 
tracking forward-looking indicators to help identify risk trends to 
support informed decisions and proactive risk mitigation. The agencies 
acknowledge that forward-looking indicators such as portfolio 
concentration trends, shifting underwriting standards, and risk rating 
migrations are consistent with proactive risk management activities. 
The agencies recognize that institutions may develop internal 
parameters for establishing, tracking, and reporting forward-looking 
indicators of credit exposure that are specific to the institution's 
business model and lending activities. The agencies believe that 
language in the proposed guidance is sufficient to address this issue.
    Commenters also requested that the agencies clarify that only 
``material'' deficiencies and weaknesses that remain unresolved beyond 
the scheduled time frames for correction should be promptly reported to 
senior management and the board of directors or appropriate board 
committee. The agencies believe that an effective credit review system 
should report all noted deficiencies and weaknesses to the board of 
directors. Credit review may prioritize findings of weaknesses or 
deficiencies; however, allowing management to determine the materiality 
of findings can compromise the independence of the credit review 
process.
7. Qualifications of Personnel
    One commenter suggested that footnote 4 of the proposed guidance be 
revised to emphasize the importance of the qualifications, 
independence, and expertise of personnel conducting the internal audit 
of a credit risk review system or function. The OCC, Board, and FDIC 
believe that the qualifications of audit personnel are sufficiently 
addressed in the 2003 policy statement, which is referenced in the 
final guidance.
    One commenter noted that with respect to credit risk review staff, 
knowledge of an institution's membership and experience with 
underwriting are key factors in determining the qualifications of 
credit risk review personnel. This final guidance broadly addresses the 
experience of personnel, which would include knowledge of the 
institution's portfolio and experience with underwriting. Specific 
personnel qualifications are the purview of management and the board 
and are typically reflective of the institution's business model.
8. Retail and Consumer Portfolios
    The agencies received a number of comments regarding the 
differences in characteristics between retail (consumer) and commercial 
loan portfolios, as well as the processes, techniques, tools, data and 
technology used to conduct credit risk review of retail loan 
portfolios. One commenter stated that the proposed guidance 
inadequately differentiated between product types and exposures of 
commercial and retail loans. The commenter stated that the use of 
manual review of individual loans to assign and validate risk ratings 
would be impractical for a large portfolio of smaller retail loans.
    The agencies recognize that differences between retail and most 
commercial loans and portfolios may justify differences in approaches, 
techniques, and tools for conducting credit risk review. The proposed 
guidance was designed so that institutions may apply its principles to 
the review of all loans and portfolios, including retail loan 
portfolios. In response to comments received, the agencies have made 
revisions to the final guidance in order to provide flexibility to 
institutions in determining the scope and depth of the loan review for 
all loan portfolios. The revisions for the final guidance discussed 
below reflect existing industry practices. They are applicable to all 
types of loan portfolios, but especially for retail portfolios.
    Specifically, the final guidance includes language in a new bullet 
under the ``Scope of Reviews'' section, which acknowledges that 
institutions may determine the scope of the credit risk review by 
segmenting or grouping loans based on similar risk characteristics, 
such as those related to borrower risk, transaction risk, and other 
risk factors. The new bullet is intended to provide clarity and reflect 
existing industry practices for retail portfolios. Similar references 
to portfolio segments have been made in the ``Depth of Transaction or 
Portfolio Reviews'' and ``Communication and Distribution of Results'' 
sections.
    Additionally, the final guidance includes language in a new sub-
bullet under ``Depth of Transaction Reviews.'' The sub-bullet indicates 
that, with regard to evaluating credit quality,

[[Page 33283]]

soundness of underwriting and risk identification, borrower 
performance, and adequacy of the sources of repayment, ``[w]hen 
applicable, this evaluation includes the appropriateness of automated 
underwriting and credit scoring, including prudent use of overrides, as 
well as the effectiveness of account management strategies, 
collections, and portfolio management activities in managing credit 
risk.''
    The agencies have added the new sub-bullet in response to commenter 
requests for more guidance on the applicability of the guidance to 
retail loan portfolios. The new sub-bullet takes into account the fact 
that some institutions, especially those with large retail portfolios, 
may use models or other automated decision tools in their credit 
decision or risk rating processes, and thus clarifies that effective 
credit risk review can consider the appropriateness of the business 
line's application of these tools in these processes. Further, an 
effective credit risk review can consider the effectiveness of account 
management strategies, such as credit line management, re-aging, and 
extension/renewal in managing credit risk. An effective credit risk 
review can also consider whether portfolio management activities, such 
as risk identification and performance monitoring, and collection 
policies and practices are commensurate with the institution's risk 
profile and complexity of the products and loan structures offered.
9. Technology
    Commenters posed a number of questions and comments related to the 
use and governance of technology in credit risk review. Commenters 
discussed the use of analytical and management information system 
tools, particularly for consumer loans, and suggested that the guidance 
recommend automation of risk data aggregation. The agencies believe 
institutions have significant flexibility to use various types of 
technology to assist in the credit risk review process; as such, the 
agencies decline to recommend the use of any specific types of 
technology.
    One commenter expressed concern about the potential risks 
associated with the use of models in various credit processes and 
suggested that the proposed guidance emphasize the appropriateness and 
effectiveness of reviewing credit model design, performance, and 
governance. A commenter indicated that the guidance should include 
robust governance of artificial intelligence algorithms. The agencies 
recognize the importance of model risk management, which is discussed 
in other existing guidance.\13\
---------------------------------------------------------------------------

    \13\ See the interagency statement titled, Supervisory Guidance 
on Model Risk Management, published by the Board in SR Letter 11-7 
and OCC Bulletin 2011-12 on April 4, 2011. The FDIC adopted the 
interagency statement on June 7, 2017. Institutions supervised by 
the FDIC should refer to FIL 22-2017, Adoption of Supervisory 
Guidance on Model Risk Management, including the statement of 
applicability in the FIL.
---------------------------------------------------------------------------

C. Scalability of the Guidance

    The agencies received numerous comments about whether the proposed 
guidance is appropriate for institutions of all sizes. Several 
commenters expressed concern with what they viewed as a one-size-fits-
all nature, and called for the proposed guidance to be tailored based 
on the size and activities of the institution, as well as the 
complexity of the loan portfolio. Commenters also requested 
accommodations for smaller institutions, including credit unions. One 
commenter stated the proposed guidance could impose higher costs on 
smaller institutions because such costs cannot be spread across a large 
asset base and requested the guidance provide more flexibility for 
review activities. One commenter suggested that the proposed guidance 
would benefit from additional discussion and analysis of how modest-
sized institutions with limited personnel would implement the guidance. 
This commenter expressed concern that the proposed guidance would be 
burdensome for such institutions and potentially require outsourcing of 
credit risk review. Another commenter requested that the proposed 
guidance specifically exempt small, non-complex rural institutions, 
thereby allowing them to utilize their existing review functions. 
Another commenter requested that the agencies clarify the proposed 
guidance's applicability to large banks, including defining a large 
institution based on asset size and examples of complex institutions 
and explaining how supervisors make these determinations.
    The agencies believe that the final guidance provides both small 
and large institutions flexibility to tailor the credit review function 
to the activities of the institution. For example, the final guidance 
states that the nature of credit risk review varies based on an 
institution's size, complexity, loan types, risk profile, and risk 
management framework. In addition, as described under ``Independence of 
Credit Risk Review Personnel,'' smaller or less complex institutions 
have flexibility to use an independent committee of outside directors 
or qualified members of the staff to perform the credit risk review 
function. Footnote 6 \14\ of the final guidance emphasizes that small 
or rural institutions that have few resources or employees may adopt 
modified credit risk review procedures and methods to achieve a proper 
degree of independence. As the final guidance notes, doing so is 
appropriate when more robust procedures and methods are impractical. 
The final guidance also notes that credit risk review systems in larger 
institutions may include a dedicated credit risk review function. 
Institutions of all sizes have the flexibility to tailor the various 
principles and practices in the final guidance to systems appropriate 
for their circumstances.
---------------------------------------------------------------------------

    \14\ Footnote 6 states that small or rural institutions that 
have few resources or employees may adopt modified credit risk 
review procedures and methods to achieve a proper degree of 
independence. For example, in the review process, such an 
institution may use qualified members of the staff, including loan 
officers, other officers, or directors, who are not involved with 
originating or approving the specific credits being assessed and 
whose compensation is not influenced by the assigned risk ratings. 
It is appropriate to employ such modified procedures when more 
robust procedures and methods are impractical. Institution 
management and the board, or a board committee, should have 
reasonable confidence that the personnel chosen will be able to 
conduct reviews with the needed independence despite their position 
within the loan function.
---------------------------------------------------------------------------

D. Independence Considerations

    Some commenters suggested that creating the independence structure 
described in the proposed guidance would be a problem for small banks 
and credit unions. Commenters stated that doing so could lead to 
duplicative functions and compliance burden for small banks and credit 
unions, which have limited staffing. Commenters also stressed that 
small credit unions may find it costly to hire third parties to ensure 
the independence of the credit review function. One commenter called 
for an exemption for small institutions and requested that the agencies 
adopt alternative independence standards, such as those articulated in 
the agencies' appraisal guidance, which would allow third-party staff 
members or an independent lender to confirm the risk rating of another 
lender. This commenter also suggested a rotation of duties as a way to 
achieve independence in the credit risk review function. Another 
commenter noted that the boards of directors of small, closely held 
institutions may be involved in the credit process from the beginning, 
and the board's input and participation in loan origination can be more 
important

[[Page 33284]]

than the subsequent credit review that happens post origination.
    As stated above, the agencies recognize that small institutions 
with few resources may need to adopt modified credit risk review 
procedures in order to achieve a proper degree of independence, as 
previously referenced in footnote 6 of the proposed guidance. That 
footnote states that small or rural institutions with few resources may 
use qualified members of the staff, including loan officers, other 
officers, or directors, who are not involved with originating or 
approving the specific credits being assessed and whose compensation is 
not influenced by the assigned risk ratings in the credit risk review 
process. The footnote also states that institution management and the 
board, or board committee, should have reasonable confidence that the 
personnel chosen will be able to conduct reviews with the needed 
independence despite their position within the loan function.
    Commenters asked for clarification on the reporting structure of 
credit risk review. The OCC, Board, and FDIC note that the Interagency 
Guidelines Establishing Standards for Safety and Soundness \15\ state 
that an institution should have internal controls and information 
systems that are appropriate to the size of the institution, as well as 
nature, scope and risk of its activities, including clear lines of 
authority and responsibility for monitoring adherence to established 
policies. This statement applies to policies for a system of 
independent, ongoing credit review and appropriate communication to 
management and to the board of directors. Whether or not the 
institution has a dedicated credit risk review department, it is 
prudent for the credit risk review function to report directly to the 
institution's board of directors or a committee thereof. This reporting 
structure allows the credit risk review function to provide the board 
of directors with an independent assessment of the overall quality of 
loan portfolios and other areas of credit exposure as mandated. Senior 
management may be responsible for appropriate administrative functions, 
provided such an arrangement does not compromise the independence of 
the credit risk review function.
---------------------------------------------------------------------------

    \15\ Supra note 2.
---------------------------------------------------------------------------

E. Current Expected Credit Losses

    The agencies received a number of comments related to the CECL 
methodology as described in FASB ASC Topic 326.\16\ Some commenters 
cautioned the agencies against incorporating FASB ASC Topic 326 into 
the credit review final guidance because this would create a complex 
methodology that many institutions would be unable to implement. For 
example, one commenter expressed concern with maintaining historical 
loss experience on a segment level because loan segmentation under FASB 
ASC 326 may be more granular than what is currently maintained and may 
change over time. Commenters on the proposed credit review guidance 
noted that while institutions with large and complex loan portfolios 
typically maintain records of their historical loss experience for 
credits in each of the categories in their risk rating framework, this 
may not be the case in smaller institutions.
---------------------------------------------------------------------------

    \16\ Refer to the final Interagency Policy Statement on 
Allowances for Credit Losses published elsewhere in this issue of 
the Federal Register for more details on CECL methodology.
---------------------------------------------------------------------------

    The final guidance is intended to be flexible and consistent with 
CECL, but it does not incorporate FASB Topic 326. The agencies have 
observed that maintenance of historical loss information has 
traditionally been part of an effective credit risk grading framework 
for institutions of all sizes as it provides a basis for credit loss 
estimation for various credit types. Institutions have flexibility in 
how historical loss data information is maintained to the extent that 
it provides sufficient information to inform and help confirm the 
accuracy of risk rating similar credits. To provide further clarity and 
to emphasize the flexibility available to institutions, the agencies 
have modified the final guidance to read ``evaluation of the 
institution's historical loss experience for each of the groups of 
loans with similar risk characteristics into which it has segmented its 
loan portfolio.''
    Some commenters recommended that the agencies clarify credit risk 
review's role in determining ACLs. One commenter asked for 
clarification on whether credit risk review functions must conduct 
risk-specific assessments on the valuations of financial assets 
measured at an amortized cost basis, such as held-to-maturity 
securities. With regard to institutions that produce economic forecast 
estimations as a component of their ACL estimate, the commenter also 
asked whether credit risk review functions should integrate and align 
the economic forecast estimations into qualitative assessments of 
individual loans and portfolios.
    As discussed previously, the agencies are issuing this final 
guidance as a standalone document separate from any guidance on 
estimation of expected credit losses, as credit risk review is an 
important component of safety and soundness on its own. Commenters 
should refer to the Interagency Policy Statement on Allowances for 
Credit Losses \17\ regarding how credit risk review can facilitate the 
loss estimation process.
---------------------------------------------------------------------------

    \17\ This guidance is contained in a separate document published 
elsewhere in this issue of the Federal Register.
---------------------------------------------------------------------------

IV. Paperwork Reduction Act

    In accordance with the requirements of the Paperwork Reduction Act 
of 1995 (PRA),\18\ the agencies may not conduct or sponsor, and the 
respondent is not required to respond to, an information collection 
unless it displays a currently valid Office of Management and Budget 
(OMB) control number.
---------------------------------------------------------------------------

    \18\ 44 U.S.C. 3501-3521.
---------------------------------------------------------------------------

    The final guidance will not create any new or revise any existing 
collections of information under the PRA. Therefore, no information 
collection request will be submitted to the OMB for review.

V. Final Guidance

The text of the final guidance is as follows:

INTERAGENCY GUIDANCE ON CREDIT RISK REVIEW SYSTEMS

Introduction

    The Interagency Guidelines Establishing Standards for Safety and 
Soundness (Guidelines) \1\ underscore the critical importance of credit 
risk review and set safety and soundness standards for insured 
depository institutions to establish a system for independent, ongoing 
credit risk review, and for appropriate communication to their 
management and boards of directors.\2\ This guidance, which aligns with 
the Guidelines, is appropriate for all institutions \3\ and describes a 
broad set of practices that can be used either within a dedicated unit 
or across multiple units throughout an institution to form a credit 
risk review system that is consistent with safe and sound lending 
practices. This guidance outlines principles that an institution

[[Page 33285]]

should consider in developing and maintaining an effective credit risk 
review system.
---------------------------------------------------------------------------

    \1\ 12 CFR part 30, appendix A (OCC); 12 CFR part 208, appendix 
D-1 (Board); and 12 CFR part 364, appendix A (FDIC). Part 723 of 
NCUA Rules and Regulations (12 CFR part 723).
    \2\ For foreign banking organization branches, agencies, or 
subsidiaries not operating under single governance in the United 
States, the U.S. risk committee would serve in the role of the board 
of directors for purposes of this guidance.
    \3\ For purposes of this guidance, regulated institutions are 
those supervised by the following agencies: The Board of Governors 
of the Federal Reserve System (Board), the Federal Deposit Insurance 
Corporation (FDIC), the National Credit Union Administration (NCUA), 
and the Office of the Comptroller of the Currency (OCC), hereafter 
referred to as the ``agencies.''
---------------------------------------------------------------------------

Overview of Credit Risk Review Systems

    The nature of credit risk review systems \4\ varies based on an 
institution's size, complexity, loan types, risk profile, and risk 
management practices. For example, in smaller or less complex 
institutions, a credit risk review system may include qualified members 
of the staff, including loan officers, other officers, or directors, 
who are independent of the credits being assessed. In larger or more 
complex institutions, a credit risk review system may include 
components of a dedicated credit risk review function that are 
independent of the institution's lending function.\5\ A credit risk 
review system may also include various responsibilities assigned to 
credit underwriting, loan administration, a problem loan workout group, 
or other organizational units of an institution. Among other 
responsibilities, these groups may administer the internal problem loan 
reporting process, maintain the integrity of the credit risk rating 
process, confirm that timely and appropriate changes are made to risk 
ratings, and support the quality of information used to estimate the 
Allowance for Credit Losses (ACL) or the Allowance for Loan and Lease 
Losses (ALLL), as applicable. Additionally, some or all of the credit 
risk review function may be performed by a qualified third party.
---------------------------------------------------------------------------

    \4\ The credit risk review function is not intended to be 
performed by an institution's internal audit function. However, as 
discussed in the agencies' March 2003 Interagency Policy Statement 
on the Internal Audit Function and its Outsourcing (2003 policy 
statement), some institutions coordinate the internal audit function 
with several risk monitoring functions, such as the credit risk 
review function. The 2003 policy statement states that coordination 
of credit risk review with the internal audit function can 
facilitate the reporting of material risk and control issues to the 
audit committee, increase the overall effectiveness of these 
monitoring functions, better utilize available resources, and 
enhance the institution's ability to comprehensively manage risk. 
However, an effective internal audit function maintains the ability 
to independently audit the credit risk review function. (The NCUA 
was not an issuing agency of the 2003 policy statement.)
    \5\ Credit risk review may be referred to as loan review, credit 
review, asset quality review, or another name as chosen by an 
institution. The role of, expectations for, and scope of credit risk 
review as discussed in this document are distinct from the roles, 
expectations, and scope of work performed by other groups within an 
institution that are also responsible for monitoring, managing and 
reporting credit risk. Examples may be those involved with lending 
functions, independent risk management, loan work outs, and 
accounting. Each institution indicates in its own policies and 
procedures the specific roles and responsibilities of these 
different groups, including separation of duties. A credit risk 
review unit, or individuals serving in that role, can rely on 
information provided by other units in developing its own 
independent assessment of credit risk in loan portfolios, but the 
credit risk review unit critically evaluates such information to 
maintain its own view, as opposed to relying exclusively on such 
information.
---------------------------------------------------------------------------

    Regardless of the structure, an effective credit risk review system 
accomplishes the following objectives:
     Promptly identifies loans with actual and potential credit 
weaknesses so that timely action can be taken to strengthen credit 
quality and minimize losses.
     Appropriately validates and, if necessary, adjusts risk 
ratings, especially for those loans with potential or well-defined 
credit weaknesses that may jeopardize repayment.
     Identifies relevant trends that affect the quality of the 
loan portfolio and highlights segments of those portfolios that are 
potential problem areas.
     Assesses the adequacy of and adherence to internal credit 
policies and loan administration procedures and monitors compliance 
with applicable laws and regulations.
     Evaluates the activities of lending personnel and 
management, including compliance with lending policies and the quality 
of their loan approval, monitoring, and risk assessment.
     Provides management and the board of directors with an 
objective, independent, and timely assessment of the overall quality of 
the loan portfolio.
     Provides management with accurate and timely credit 
quality information for financial and regulatory reporting purposes, 
including the determination of an appropriate ACL or ALLL, as 
applicable.

Credit Risk Rating (or Grading) Framework

    The foundation for any effective credit risk review system is 
accurate and timely risk ratings to assess credit quality and identify 
or confirm problem loans. An effective credit risk rating framework 
includes the monitoring of individual loans and retail credit 
portfolios, or segments thereof, with similar risk characteristics. An 
effective framework also provides important information on the 
collectibility of each portfolio for use in the determination of an 
appropriate ACL or ALLL, as applicable. Further, an effective framework 
generally places primary reliance on the lending staff to assign 
accurate and timely risk ratings and identify emerging loan problems. 
However, given the importance of the credit risk rating framework, the 
lending personnel's assignment of risk ratings is typically subject to 
review by qualified and independent: (i) Peers, managers, or loan 
committee(s); (ii) part-time or full-time employee(s); (iii) internal 
departments staffed with credit review specialists; or (iv) external 
credit review consultants. A risk rating review that is independent of 
the lending function and approval process can provide a more objective 
assessment of credit quality.\6\
---------------------------------------------------------------------------

    \6\ Small or rural institutions that have few resources or 
employees may adopt modified credit risk review procedures and 
methods to achieve a proper degree of independence. For example, in 
the review process, such an institution may use qualified members of 
the staff, including loan officers, other officers, or directors, 
who are not involved with originating or approving the specific 
credits being assessed and whose compensation is not influenced by 
the assigned risk ratings. It is appropriate to employ such modified 
procedures when more robust procedures and methods are impractical. 
Institution management and the board, or a board committee, should 
have reasonable confidence that the personnel chosen will be able to 
conduct reviews with the needed independence despite their position 
within the loan function.
---------------------------------------------------------------------------

    An effective credit risk rating framework includes the following 
attributes:
     A formal credit risk rating system in which the ratings 
reflect the risk of default and credit losses, and for which a written 
description of the credit risk framework is maintained, including a 
discussion of the factors used to assign appropriate risk ratings to 
individual loans and retail credit portfolios, or segments thereof, 
with similar risk characteristics.\7\
---------------------------------------------------------------------------

    \7\ A bank or savings association may have a credit risk rating 
framework that differs from the framework for loan classifications 
used by the Federal banking agencies. Such banks and savings 
associations should maintain documentation that translates their 
risk ratings into the regulatory classification framework used by 
the Federal banking agencies. This documentation will enable 
examiners to reconcile the totals for the various loan 
classifications or risk ratings under the institution's system to 
the Federal banking agencies' categories contained in the Uniform 
Agreement on the Classification and Appraisal of Securities Held by 
Depository Institutions Attachment 1--Classification Definitions 
(OCC: OCC Bulletin 2013-28; Board: SR Letter 13-18; and FDIC: FIL-
51-2013). The NCUA does not require credit unions to adopt a uniform 
regulatory classification system. Risk rating guidance for credit 
unions is set forth in NCUA letters to credit unions 10-CU-02, 
``Current Risks in Business Lending and Sound Risk Management 
Practices,'' issued January 2010 and 10-CU-03, ``Concentration 
Risk,'' issued March 2010. See also the Commercial and Member 
Business Loans section of the NCUA Examiner's Guide (Commercial and 
Member Business Loans > Credit Risk Rating Systems) and the preamble 
to 1 CFR parts 701, 723, and 741 Member Business Loans; Commercial 
Lending: Proposed Rule July 2015.
---------------------------------------------------------------------------

     Identification or grouping of loans that warrant the 
special attention of management or other designated ``watch lists'' of 
loans that management is more closely monitoring.\8\
---------------------------------------------------------------------------

    \8\ In addition to loans designated as ``watch list,'' this 
identification typically includes loans rated special mention, 
substandard, doubtful, or loss.
---------------------------------------------------------------------------

     Clear explanation of why particular loans warrant the 
special attention of

[[Page 33286]]

management or have received an adverse risk rating.
     Evaluation of the effectiveness of approved workout plans.
     A method for communicating direct, periodic, and timely 
information to the institution's senior management and the board of 
directors or appropriate board committee on the status of loans 
identified as warranting special attention or adverse classification, 
and the actions taken by management to strengthen the credit quality of 
those loans.
     Evaluation of the institution's historical loss experience 
for each of the groups of loans with similar risk characteristics into 
which it has segmented its loan portfolio.\9\
---------------------------------------------------------------------------

    \9\ In particular, institutions with large and complex loan 
portfolios typically maintain records of their historical loss 
experience for credits in each of the categories in their risk 
rating framework. For banks and savings associations, these 
categories are either those used by, or those that can be translated 
into those used by, the Federal banking agencies.
---------------------------------------------------------------------------

Elements of an Effective Credit Risk Review System

    An effective credit risk review system starts with a written credit 
risk review policy \10\ that is reviewed and typically approved at 
least annually by the institution's board of directors or appropriate 
board committee to evidence its support of, and commitment to, 
maintaining an effective system. Effective policies include a 
description of the overall risk rating framework and establish 
responsibilities for loan review based on the portfolio being assessed. 
An effective credit risk review policy addresses the following 
elements, described in more detail below: the qualifications and 
independence of credit risk review personnel; the frequency, scope, and 
depth of reviews; the review of findings and follow-up; and 
communication and distribution of results.
---------------------------------------------------------------------------

    \10\ See 12 CFR part 30, appendix A (OCC); 12 CFR part 208, 
appendix D-1 (Board); and 12 CFR part 364, appendix A (FDIC). See 
also 12 CFR part 723 (NCUA).
---------------------------------------------------------------------------

Qualifications of Credit Risk Review Personnel

    An effective credit risk review function is staffed with personnel 
who are qualified based on their level of education, experience, and 
extent of formal credit training. Qualified personnel are knowledgeable 
in both sound lending practices and the institution's lending 
guidelines for the types of loans offered by the institution. The level 
of experience and expertise for all personnel involved in the credit 
risk review process is expected to be commensurate with the nature of 
the risk and complexity of the portfolios. In addition, qualified 
credit risk review personnel possess knowledge of relevant laws, 
regulations, and supervisory guidance.

Independence of Credit Risk Review Personnel

    An effective credit risk review system incorporates both the 
initial identification of emerging problem loans by loan officers and 
other line staff, and an assessment of loans by personnel independent 
of the credit approval process. Placing primary responsibility on loan 
officers, risk officers, and line staff is important for continuous 
portfolio analysis and prompt identification and reporting of problem 
loans. Because of frequent contact with borrowers, loan officers and 
line staff can usually identify potential problems before they become 
apparent to others. However, institutions should be careful to avoid 
over-reliance on loan officers and line staff for identification of 
problem loans. An independent assessment of risk is achieved when 
personnel who perform the loan review do not have control over the loan 
and are not part of or influenced by individuals associated with the 
loan approval process.
    While a larger institution may establish a separate department 
staffed with credit review specialists, cost and volume considerations 
may not justify such a system in a smaller institution. For example, in 
the review process, smaller institutions may use an independent 
committee of outside directors or qualified members of the staff, 
including loan officers, other officers, or directors, who are not 
involved with originating or approving the specific credits being 
assessed and whose compensation is not influenced by the assigned risk 
ratings. Whether or not the institution has a dedicated credit risk 
review department, it is prudent for the credit risk review function to 
report directly to the institution's board of directors or a committee 
thereof, consistent with safety and soundness standards. Senior 
management may be responsible for appropriate administrative functions 
provided such an arrangement does not compromise the independence of 
the credit risk review function.
    The institution's board of directors, or a committee thereof, may 
outsource the credit risk review function to an independent third 
party.\11\ However, the responsibility for maintaining a sound credit 
risk review system remains with the institution's board of directors. 
In any case, institution personnel who are independent from the lending 
function typically assess risks, develop the credit risk review plan, 
and verify appropriate follow-up of findings. Outsourcing of the credit 
risk review function to the institution's external auditor may raise 
additional independence considerations.\12\
---------------------------------------------------------------------------

    \11\ For supervisory guidance related to outside service 
providers, refer to SR letter 13-19/CA letter 13-21, ``Guidance on 
Managing Outsourcing Risk,'' issued by the Board on December 5, 
2013; FIL-44-2008, ``Guidance for Managing Third-Party Risk,'' 
issued by the FDIC on June 6, 2008; and OCC Bulletin 2013-29, 
``Third-Party Relationships: Risk Management Guidance,'' issued by 
the OCC on October 30, 2013. For credit unions, refer to NCUA 
letters to credit unions 01-CU-20 ``Due Diligence over Third Party 
Service Providers,'' issued November 2001 and 07-CU-13 ``Evaluating 
Third Party Relationships,'' issued December 2007.
    \12\ See footnote 4.
---------------------------------------------------------------------------

Frequency of Reviews

    An effective credit risk review system provides for review and 
evaluation of an institution's significant loans, loan products, or 
groups of loans typically annually, on renewal, or more frequently when 
internal or external factors indicate a potential for deteriorating 
credit quality or the existence of one or more other risk factors. The 
credit risk review function can also provide useful continual feedback 
on the effectiveness of the lending process in order to identify any 
emerging problems. Ongoing or periodic review of an institution's loan 
portfolio is particularly important to the estimation of ACLs or the 
ALLL because loss expectations may change as the credit quality of a 
loan changes. Use of key risk indicators or performance metrics by 
credit risk review management can support adjustments to the frequency 
and scope of reviews.

Scope of Reviews

    Comprehensive and effective reviews cover all segments of the loan 
portfolio that pose significant credit risk or concentrations, and 
other loans that meet certain institution-specific criteria. A properly 
designed scope considers the current market conditions or other 
external factors that may affect a borrower's current or future ability 
to repay the loan. Establishment of an appropriate review scope also 
helps ensure that the sample of loans selected for review, or portfolio 
segments selected for review, is representative of the portfolio as a 
whole and provides reasonable assurance that any credit quality 
deterioration or unfavorable trends are identified. An effective credit 
risk review function also considers industry standards for credit risk 
review coverage consistent with the

[[Page 33287]]

institution's size, complexity, loan types, risk profile, and risk 
management practices and helps to verify whether the review scope is 
appropriate. The institution's board of directors or appropriate board 
committee typically approves the scope of the credit risk review on an 
annual basis or whenever significant interim changes are made in order 
to adequately assess the quality of the current portfolio. An effective 
scope of credit risk review is risk-based and typically includes:
     Loans over a predetermined size;
     A sufficient sample of smaller loans, new loans, and new 
loan products;
     Loans with higher risk indicators, such as low credit 
scores, high credit lines, or those credits approved as exceptions to 
policy;
     Segments of loan portfolios, including retail, with 
similar risk characteristics such as those related to borrower risk 
(e.g. credit history), transaction risk (e.g. product and/or collateral 
type), or other risk factors as appropriate;
     Segments of the loan portfolio experiencing rapid growth;
     Exposures from non-lending activities that also pose 
credit risk;
     Past due, nonaccrual, renewed, and restructured loans;
     Loans previously adversely classified and loans designated 
as warranting the special attention of the institution's management; 
\13\
---------------------------------------------------------------------------

    \13\ See footnote 8.
---------------------------------------------------------------------------

     Loans to insiders or related parties;
     Loans to affiliates;
     Loans constituting concentrations of credit risk and other 
loans affected by common repayment factors.

Depth of Transaction or Portfolio Reviews

    Loans and portfolio segments selected for review are typically 
evaluated for:
     Credit quality, soundness of underwriting and risk 
identification, borrower performance, and adequacy of the sources of 
repayment;
    [cir] When applicable, this evaluation includes the appropriateness 
of automated underwriting and credit scoring, including prudent use of 
overrides, as well as the effectiveness of account management 
strategies, collections, and portfolio management activities in 
managing credit risk;
     Reasonableness of assumptions;
     Creditworthiness of guarantors or sponsors;
     Sufficiency of credit and collateral documentation;
     Proper lien perfection;
     Proper approvals consistent with internal policies;
     Adherence to loan agreement covenants;
     Adequacy of, and compliance with, internal policies and 
procedures (such as those related to nonaccrual and classification or 
risk rating policies), laws, and regulations;
     The appropriateness of credit loss estimation for those 
credits with significant weaknesses including the reasonableness of 
assumptions used, and the timeliness of charge-offs;
     The accuracy of risk ratings and the appropriateness and 
timeliness of the identification of problem loans by loan officers.

Review of Findings and Follow-Up

    An important activity of an effective credit risk review system is 
the discussion of the review findings, including all noted 
deficiencies, identified weaknesses, and any existing or planned 
corrective actions (including time frames for correction) with 
appropriate loan officers, department managers, and senior management. 
An effective system includes processes for all noted deficiencies and 
weaknesses that remain unresolved beyond the scheduled time frames for 
correction to be promptly reported to senior management and the board 
of directors or appropriate board committee.
    It is important to resolve risk rating differences between loan 
officers and loan review personnel according to a pre-arranged process. 
That process may include formal appeals procedures and arbitration by 
an independent party or may require default to the assigned 
classification or risk rating that indicates lower credit quality. If 
credit risk review personnel conclude that a loan or loan portfolio is 
of a lower credit quality than is perceived by the portfolio management 
staff, the lower classification or risk rating typically prevails 
unless internal parties identify additional information sufficient to 
obtain the concurrence of the independent reviewer or arbiter on the 
higher credit quality classification or risk rating.

Communication and Distribution of Results

    Personnel involved in the credit risk review process typically 
prepare a list of all loans (and portfolio segments) reviewed, the date 
of review, and a summary analysis that substantiates the risk ratings 
assigned to the loans reviewed. Effective communication also typically 
involves providing results of the credit risk reviews to the board of 
directors or appropriate board committee quarterly.\14\ Comprehensive 
reporting includes comparative trends that identify significant changes 
in the overall quality of the loan portfolio, the adequacy of, and 
adherence to, internal policies and procedures, the quality of 
underwriting and risk identification, compliance with laws and 
regulations, and management's response to substantive criticisms or 
recommendations. Such comprehensive reporting provides the board of 
directors or appropriate board committee with insight into the 
portfolio and the responsiveness of management and facilitates timely 
corrective action of deficiencies.
---------------------------------------------------------------------------

    \14\ An effective credit risk review system provides for 
informing the board of directors or appropriate board committee more 
frequently than quarterly when material adverse trends are noted. 
When an institution conducts loan file reviews less frequently than 
quarterly, the board or appropriate board committee will typically 
receive results on other credit risk review activities quarterly.

Joseph M. Otting,
Comptroller of the Currency.
    By order of the Board of Governors of the Federal Reserve 
System.
Ann Misback,
Secretary of the Board.
Federal Deposit Insurance Corporation.

    Dated at Washington, DC, on or about May 7, 2020.
Robert E. Feldman,
Executive Secretary.
    By the National Credit Union Administration Board.
Gerard Poliquin,
Secretary of the Board.
[FR Doc. 2020-10292 Filed 5-29-20; 8:45 am]
 BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P; 7535-01-P