[Federal Register Volume 85, Number 193 (Monday, October 5, 2020)]
[Notices]
[Pages 62802-62804]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-21892]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities: Information Collection 
Renewal; Comment Request; OCC Guidelines Establishing Heightened 
Standards for Certain Large Insured National Banks, Insured Federal 
Savings Associations, and Insured Federal Branches

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, as part of its continuing effort to reduce paperwork 
and respondent burden, invites the general public and other Federal 
agencies to take this opportunity to comment on a continuing 
information collection, as required by the Paperwork Reduction Act of 
1995 (PRA). In accordance with the requirements of the PRA, the OCC may 
not conduct or sponsor, and the respondent is not required to respond 
to, an information collection unless it displays a currently valid 
Office of Management and Budget (OMB) control number. The OCC is 
soliciting comment concerning the renewal of its information collection 
titled, ``OCC Guidelines Establishing Heightened Standards for Certain 
Large Insured National Banks, Insured Federal Savings Associations, and 
Insured Federal Branches.''

DATES: Comments must be submitted on or before December 4, 2020.

ADDRESSES: Commenters are encouraged to submit comments by email, if 
possible. You may submit comments by any of the following methods:
     Email: [email protected].
     Mail: Chief Counsel's Office, Attention: Comment 
Processing, Office of the Comptroller of the Currency, Attention: 1557-
0321, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
     Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.
     Fax: (571) 465-4326.
    Instructions: You must include ``OCC'' as the agency name and 
``1557-0321'' in your comment. In general, the OCC will publish 
comments on www.reginfo.gov without change, including any business or 
personal information provided, such as name and address information, 
email addresses, or phone numbers. Comments received, including 
attachments and other supporting materials, are part of the public 
record and subject to public disclosure. Do not include any information 
in your comment or supporting materials that you consider confidential 
or inappropriate for public disclosure.
    You may review comments and other related materials that pertain to 
this information collection beginning on the date of publication of the 
second notice for this collection.\1\
---------------------------------------------------------------------------

    \1\ Following the close of this notice's 60-day comment period, 
the OCC will publish a second notice with a 30-day comment period.
---------------------------------------------------------------------------

     Viewing Comments Electronically: Go to www.reginfo.gov. 
Click on the ``Information Collection Review'' tab. Underneath the 
``Currently under Review'' section heading, from the drop-down menu 
select ``Department of Treasury'' and then click ``submit.'' This 
information collection can be located by searching by OMB control 
number ``1557-0321'' or ``OCC Guidelines Establishing Heightened 
Standards for Certain Large Insured National Banks, Insured Federal 
Savings Associations, and Insured Federal Branches.'' Upon finding the 
appropriate information collection, click on the related ``ICR 
Reference Number.'' On the next screen, select ``View Supporting 
Statement and Other Documents'' and then click on the link to any 
comment listed at the bottom of the screen.
     For assistance in navigating www.reginfo.gov, please 
contact the Regulatory Information Service Center at (202) 482-7340.

FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance 
Officer, (202) 649-5490 or, for persons who are deaf or hard of 
hearing, TTY, (202) 649-5597, Chief Counsel's Office, Office of the 
Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.

SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501-3520), Federal 
agencies must obtain approval from OMB for each collection of 
information that they conduct or sponsor. ``Collection of information'' 
is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency 
requests or requirements that members of the public submit reports, 
keep records, or provide information to a third party. Section 
3506(c)(2)(A) of title 44 requires Federal agencies to provide a 60-day 
notice in the Federal Register concerning each proposed collection of 
information, including each proposed extension of an existing 
collection of information, before submitting the collection to OMB for 
approval. To comply with this requirement, the OCC is publishing notice 
of the renewal of the collection of information set forth in this 
document.
    Title: OCC Guidelines Establishing Heightened Standards for Certain 
Large Insured National Banks, Insured Federal Savings Associations, and 
Insured Federal Branches.
    OMB Control No.: 1557-0321.
    Description: The OCC's guidelines, codified in 12 CFR part 30, 
appendix D, establish minimum standards for the design and 
implementation of a risk governance framework for insured national 
banks, insured Federal savings associations, and insured Federal 
branches of a foreign bank (banks). The guidelines apply to a bank with 
average total consolidated assets: (i) Equal to or greater than $50 
billion; (ii) less than $50 billion if that bank's parent company 
controls at least one insured national bank or insured Federal savings 
association that has average total consolidated assets of $50 billion 
or greater; or (iii) less than $50 billion, if the OCC determines such 
bank's operations are highly complex or otherwise present a heightened 
risk as to warrant the application of the guidelines (covered banks). 
The guidelines also establish minimum standards for a board of 
directors in overseeing the framework's design and implementation. 
These guidelines were finalized on September 11, 2014.\2\ The OCC is 
now seeking to renew the information collection associated with these 
guidelines.
---------------------------------------------------------------------------

    \2\ 79 FR 54518.
---------------------------------------------------------------------------

    The standards contained in the guidelines are enforceable under 
section 39 of the Federal Deposit Insurance Act (FDIA),\3\ which 
authorizes the OCC to prescribe operational and managerial standards 
for insured national banks, insured Federal savings associations, and 
insured Federal branches of a foreign bank.
---------------------------------------------------------------------------

    \3\ 12 U.S.C. 1831p-1. Section 39 was enacted as part of the 
Federal Deposit Insurance Corporation Improvement Act of 1991, 
Public Law 102-242, section 132(a), 105 Stat. 2236, 2267-70 (Dec. 
19, 1991).
---------------------------------------------------------------------------

    The guidelines formalize the OCC's heightened expectations program. 
The guidelines also further the goal of the Dodd-Frank Wall Street 
Reform and Consumer Protection Act of 2010 to strengthen the financial 
system by focusing management and boards of directors on improving and 
strengthening risk management practices and governance, thereby 
minimizing the probability and impact of future financial crises.
    The standards for the design and implementation of the risk 
governance framework, which contain collections of information, are as 
follows:

Standards for Risk Governance Framework

    Covered banks should establish and adhere to a formal, written risk 
governance framework designed by independent risk management. The 
framework should include delegations of authority from the board of 
directors to management committees and executive officers and risk 
limits for material activities. The framework should be approved by the 
board of directors or the board's risk committee, and it should be 
reviewed and updated, at least annually, by independent risk 
management.

Front Line Units

    Front line units should take responsibility and be held accountable 
by the chief executive officer (CEO) and the board of directors for 
appropriately assessing and effectively managing all of the risks 
associated with their activities. In fulfilling this responsibility, 
each front line unit should, either alone or in conjunction with 
another organizational unit that has the purpose of assisting a front 
line unit: (i) Assess, on an ongoing basis, the material risks 
associated with its activities and use such risk assessments as the 
basis for fulfilling its responsibilities and for determining if 
actions need to be taken to strengthen risk management or reduce risk 
given changes in the unit's risk profile or other conditions; and (ii) 
establish and adhere to a set of written policies that include front 
line unit risk limits. Such policies should ensure risks associated 
with the front line unit's activities are effectively identified, 
measured, monitored, and controlled, consistent with the covered bank's 
risk appetite statement, concentration risk limits, and all policies 
established within the risk governance framework. Front line units 
should also establish and adhere to procedures and processes, as 
necessary to maintain compliance with the policies described in (ii); 
and adhere to all applicable policies, procedures, and processes 
established by independent risk management. Front line units should 
also develop, attract, and retain talent and maintain staffing levels 
required to carry out the unit's role and responsibilities effectively; 
establish and adhere to talent management processes; and establish and 
adhere to compensation and performance management programs.

Independent Risk Management

    Independent risk management should oversee the covered bank's risk-
taking activities and assess risks and issues independent of the front 
line units. In fulfilling these responsibilities, independent risk 
management should: (i) Take responsibility and be held responsible by 
the CEO and the board of directors for designing a comprehensive 
written risk governance framework that meets the guidelines and is 
commensurate with the size, complexity, and risk profile of the covered 
bank; (ii) identify and assess, on an ongoing basis, the covered bank's 
material aggregate risks and use such risk assessments as the basis for 
fulfilling its responsibilities and for determining if actions need to 
be taken to strengthen risk management or reduce risk given changes in 
the covered bank's risk profile or other conditions; (iii) establish 
and adhere to enterprise policies that include concentration risk 
limits that state how aggregate risks within the covered bank are 
effectively identified, measured, monitored, and controlled, consistent 
with the covered bank's risk appetite statement and all policies and 
processes established within the risk governance framework; (iv) 
establish and adhere to procedures and processes, as necessary, to 
ensure compliance with policies in (iii); (v) identify and communicate 
to the CEO and the board of directors or the board's risk committee 
material risks and significant instances where the independent risk 
management's assessment of risk differs from that of a front line unit 
and significant instances where a front line unit is not adhering to 
the risk governance framework; (vi) identify and communicate to the 
board of directors or the board's risk committee material risks and 
significant instances where independent risk management's assessment of 
risk differs from that of the CEO and significant instances where the 
CEO is not adhering to, or holding front line units accountable for 
adhering to, the risk governance framework; and (vii) develop, attract, 
and retain talent and maintain the staffing levels required to carry 
out the unit's role and responsibilities effectively while establishing 
and adhering to talent management processes and compensation and 
performance management programs.

Internal Audit

    Internal audit should ensure that the covered bank's risk 
governance framework complies with the guidelines and is appropriate 
for the size, complexity, and risk profile of the covered bank. It 
should maintain a complete and current inventory of all of the covered 
bank's material processes, product lines, services, and functions and 
assess the risks, including emerging risks, associated with each, which 
collectively provide a basis for the audit plan. It should establish 
and adhere to an audit plan that is periodically reviewed and updated, 
takes into account the covered bank's risk profile, emerging risks, and 
issues and establishes the frequency with which activities should be 
audited. The audit plan should require internal audit to evaluate the 
adequacy of and compliance with policies, procedures, and processes 
established by front line units and independent risk management under 
the risk governance framework. Significant changes to the audit plan 
should be communicated to the board's audit committee. Internal audit 
should report, in writing, conclusions, material issues, and 
recommendations from audit work carried out under the audit plan to the 
board's audit committee. Reports should identify the root cause of any 
material issues and include: (i) A determination of whether the root 
cause creates an issue that has an impact on one or more organizational 
units within the covered bank; and (ii) a determination of the 
effectiveness of front line units and independent risk management in 
identifying and resolving issues in a timely manner. Internal audit 
should establish and adhere to processes for independently assessing 
the design and ongoing effectiveness of the risk governance framework 
on at least an annual basis. 
The independent assessment should include a conclusion on the covered 
bank's compliance with the standards set forth in the guidelines. 
Internal audit should identify and communicate to the board's audit 
committee significant instances where front line units or independent 
risk management are not adhering to the risk governance framework. 
Internal audit should establish a quality assurance program that 
ensures internal audit's policies, procedures, and processes comply 
with applicable regulatory and industry guidance, are appropriate for 
the size, complexity, and risk profile of the covered bank, are updated 
to reflect changes to internal and external risk factors, emerging 
risks, and improvements in industry internal audit practices, and are 
consistently followed. Internal audit should develop, attract, and 
retain talent and maintain staffing levels required to effectively 
carry out its role and responsibilities. Internal audit should 
establish and adhere to talent management processes and compensation 
and performance management programs that comply with the guidelines.

Strategic Plan

    The CEO, with input from front line units, independent risk 
management, and internal audit, should be responsible for the 
development of a written strategic plan that covers, at a minimum, a 
three-year period. The board of directors should evaluate and approve 
the plan and monitor management's efforts to implement the strategic 
plan at least annually. The plan should: (i) Include a comprehensive 
assessment of risks that currently impact the covered bank or that 
could have an impact on the covered bank during the period covered by 
the strategic plan; (ii) articulate an overall mission statement and 
strategic objectives for the covered bank with an explanation of how 
the covered bank will update the risk governance framework to account 
for changes to its risk profile projected under the strategic plan; and 
(iii) be reviewed, updated, and approved due to changes in the covered 
bank's risk profile or operating environment that were not contemplated 
when the plan was developed.

Risk Appetite Statement

    A covered bank should have a comprehensive written statement that 
articulates its risk appetite that serves as the basis for the risk 
governance framework. The statement should contain both qualitative 
components that describe a safe and sound risk culture and how the 
covered bank will assess and accept risks and quantitative limits that 
include sound stress testing processes and address earnings, capital, 
and liquidity.

Risk Limit Breaches

    A covered bank should establish and adhere to processes that 
require front line units and independent risk management to: (i) 
Identify breaches of the risk appetite statement, concentration risk 
limits, and front line unit risk limits; (ii) distinguish breaches 
based on the severity of their impact; (iii) establish protocols for 
when and how to inform the board of directors, front line unit 
management, independent risk management, internal audit, and the OCC 
regarding a breach; (iv) provide a written description of the breach 
resolution; and (v) establish accountability for reporting and 
resolving breaches that include consequences for risk limit breaches 
that take into account the magnitude, frequency, and recurrence of 
breaches.

Concentration Risk Management

    The risk governance framework should include policies and 
supporting processes appropriate for the covered bank's size, 
complexity, and risk profile for effectively identifying, measuring, 
monitoring, and controlling the covered bank's concentrations of risk.

Risk Data Aggregation and Reporting

    The risk governance framework should include a set of policies, 
supported by appropriate procedures and processes, designed to provide 
risk data aggregation and reporting capabilities appropriate for the 
covered bank's size, complexity, and risk profile and to support 
supervisory reporting requirements. Collectively, these policies, 
procedures, and processes should provide for: (i) The design, 
implementation, and maintenance of a data architecture and information 
technology infrastructure that support the covered bank's risk 
aggregation and reporting needs during normal times and during times of 
stress; (ii) the capturing and aggregating of risk data and reporting 
of material risks, concentrations, and emerging risks in a timely 
manner to the board of directors and the OCC; and (iii) the 
distribution of risk reports to all relevant parties at a frequency 
that meets their needs for decision-making purposes.

Talent and Compensation Management

    A covered bank should establish and adhere to processes for talent 
development, recruitment, and succession planning. The board of 
directors or appropriate committee should review and approve a written 
talent management program. A covered bank should also establish and 
adhere to compensation and performance management programs that comply 
with any applicable statute or regulation.

Board of Directors Training and Evaluation

    The board of directors of a covered bank should establish and 
adhere to a formal, ongoing training program for all directors. The 
board of directors should also conduct an annual self-assessment.
    Type of Review: Regular review.
    Affected Public: Businesses or other for-profit.
    Estimated Number of Respondents: 23.
    Estimated Burden per Respondent: 3,776 hours.
    Estimated Total Annual Burden: 86,848 hours.
    Comments: Comments submitted in response to this notice will be 
summarized and included in the request for OMB approval. All comments 
will become a matter of public record. Comments are invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the OCC, including whether the 
information has practical utility;
    (b) The accuracy of the OCC's estimate of the burden of the 
information collection;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.

Theodore J. Dowd,
Deputy Chief Counsel, Office of the Comptroller of the Currency.
[FR Doc. 2020-21892 Filed 10-2-20; 8:45 am]