[Federal Register Volume 87, Number 191 (Tuesday, October 4, 2022)]
[Notices]
[Pages 60160-60170]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-21414]


=======================================================================
-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

[Docket No. OP-1765]


Framework for the Supervision of Insurance Organizations

AGENCY: Board of Governors of the Federal Reserve System (Board).

ACTION: Final guidance.

-----------------------------------------------------------------------

SUMMARY: The Board is adopting a new supervisory framework for 
depository institution holding companies significantly engaged in 
insurance activities, referred to as supervised insurance 
organizations. The framework provides a supervisory approach that is 
designed specifically to reflect the differences between banking and 
insurance. Within the framework, the application of supervisory 
guidance and the assignment of supervisory resources is based 
explicitly on a supervised insurance organization's complexity and 
individual risk profile. The framework establishes the supervisory 
ratings applicable to these organizations with rating definitions that 
reflect specific supervisory requirements and expectations. It also 
emphasizes the Board's policy to rely to the fullest extent possible on 
work done by other relevant supervisors, describing, in particular, the 
way it relies on reports and other supervisory information provided by 
state insurance regulators to minimize supervisory duplication.

DATES: Effective November 3, 2022.

FOR FURTHER INFORMATION CONTACT: Thomas Sullivan, Senior Associate 
Director, (202) 475-7656; Lara Lylozian, Deputy Associate Director, 
(202) 475-6656; Matt Walker, Manager, (202) 872-4971; Brad Roberts, 
Lead Insurance Policy Analyst, (202) 452-2204; or Joan Sullivan, Senior 
Insurance Policy Analyst, (202) 912-4670, Division of Supervision and 
Regulation; or Dafina Stewart, Assistant General Counsel, (202) 872-
7589; Andrew Hartlage, Senior Counsel, (202) 452-6483; Christopher 
Danello, Senior Attorney, (202) 736-1960; or Evan Hechtman, Senior 
Attorney, (202) 263-4810, Legal Division, Board of Governors of the 
Federal Reserve System, 20th and C Streets NW, Washington, DC 20551. 
For users of TTY-TRS, please call 711 from any telephone, anywhere in 
the United States.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Notice of Proposed Guidance and Overview of Comments
III. Overview of Final Guidance and Modifications From the Proposal
IV. Final Guidance
    A. Proportionality--Supervisory Activities and Expectations
    B. Supervisory Ratings
    C. Incorporating the Work of Other Supervisors
    D. Additional Comments
V. Regulatory Analysis
    A. Paperwork Reduction Act
Appendix A--Text of Insurance Supervisory Framework

I. Background

    The Board supervises and regulates companies that control one or 
more banks (bank holding companies) and companies that are not bank 
holding companies that control one or more savings associations 
(savings and loan holding companies, and together with bank holding 
companies, depository institution holding companies). Congress gave the 
Board regulatory and supervisory authority for bank holding companies 
through the enactment of the Bank Holding Company Act of 1956 (BHC 
Act).\1\ The Board's regulation and supervision of savings and loan 
holding companies began in 2011 when provisions of the Dodd-Frank Wall 
Street Reform and Consumer Protection Act (Dodd-Frank Act) \2\ 
transferring supervision and regulation of savings and loan holding 
companies from the Office of Thrift Supervision to the Board took 
effect.\3\ Upon this transfer, the Board became the federal supervisory 
agency for all depository institution holding companies, including a 
portfolio of firms significantly engaged in insurance activities 
(supervised insurance organizations).\4\
---------------------------------------------------------------------------

    \1\ Ch. 240, 70 Stat. 133.
    \2\ Public Law 111-203, 124 Stat. 1376 (2010).
    \3\ Dodd-Frank Act tit. III, 124 Stat. at 1520-70.
    \4\ Although currently all supervised insurance organizations 
are savings and loan holding companies, the proposed framework would 
apply to any depository institution holding company that meets the 
criteria of a supervised insurance organization.
---------------------------------------------------------------------------

    The Board has a long-standing policy of supervising holding 
companies on a consolidated basis. Consolidated supervision encompasses 
all legal entities within a holding company

[[Page 60161]]

structure and supports an understanding of the organization's complete 
risk profile and its ability to address financial, managerial, 
operational, or other deficiencies before they pose a danger to its 
subsidiary depository institution(s). The Board's current supervisory 
approach for noninsurance depository institution holding companies 
assesses holding companies whose primary risks are largely related to 
the business of banking. The risks arising from insurance activities, 
however, are materially different from traditional banking risks. The 
top-tier holding company for some supervised insurance organizations is 
an insurance underwriting company, which is subject to supervision and 
regulation by the relevant state insurance regulator as well as 
consolidated supervision from the Board; for all supervised insurance 
organizations, the state insurance regulators supervise and regulate 
the business of insurance underwriting companies. Additionally, instead 
of producing consolidated financial statements based on generally 
accepted accounting principles, many of these firms only produce legal 
entity financial statements based on Statutory Accounting Principles 
(SAP) established by states through the National Association of 
Insurance Commissioners (NAIC).
    The Board has recognized these differences in its supervision and 
regulation of supervised insurance organizations. For example, in 2013, 
when the Board made significant revisions to its regulatory capital 
framework, the Board determined not to apply it to this group of 
companies, stating that it would ``explore further whether and how the 
proposed rule should be modified for these companies in a manner 
consistent with section 171 of the Dodd-Frank Act and safety and 
soundness concerns.'' \5\ In 2019, the Board invited comment on a 
proposal to establish a risk-based capital framework designed 
specifically for supervised insurance organizations, termed the 
Building Block Approach, that would adjust and aggregate existing legal 
entity capital requirements to determine an enterprise-wide capital 
requirement.\6\ In addition, in 2018, the Board did not apply to these 
firms the supervisory rating systems applicable to other depository 
institution holding companies.\7\ The insurance supervisory framework 
represents a significant step in the continuation of the Board's 
tailored approach to supervision and regulation for supervised 
insurance organizations.
---------------------------------------------------------------------------

    \5\ 78 FR 62017, 62027 (October 11, 2013).
    \6\ 84 FR 57240 (October 24, 2019).
    \7\ See 83 FR 58724 (November 21, 2018); 83 FR 56081 (November 
9, 2018).
---------------------------------------------------------------------------

II. Notice of Proposed Guidance and Overview of Comments

    On February 4, 2022, the Board invited public comment on a proposed 
framework for the supervision of insurance organizations (proposal).\8\ 
The proposal would have established a transparent framework for 
consolidated supervision of supervised insurance organizations. A 
depository institution holding company would have been considered a 
supervised insurance organization if it were an insurance underwriting 
company or if over 25 percent of its consolidated assets were held by 
insurance underwriting subsidiaries. The proposed framework would have 
consisted of a risk-based approach to establishing supervisory 
expectations, assigning supervisory resources, and conducting 
supervisory activities; a supervisory rating system; and a description 
of how examiners would work with state insurance regulators to limit 
the burden associated with supervisory duplication.
---------------------------------------------------------------------------

    \8\ 87 FR 6537 (February 4, 2022).
---------------------------------------------------------------------------

    The comment period on the proposal closed on May 5, 2022.\9\ The 
Board received four comments on the proposal. In addition, 
representatives of the Federal Reserve met with stakeholders and 
obtained supplementary information from certain commenters. Commenters 
generally supported the proposal. However, commenters also requested 
additional clarity on certain aspects of the proposal and provided 
suggestions on potential changes.
---------------------------------------------------------------------------

    \9\ The comment period on the proposal was extended by the 
Board. See 87 FR 17089 (March 25, 2022).
---------------------------------------------------------------------------

III. Overview of Final Guidance and Modifications From the Proposal

    The final insurance supervisory framework adopts the core elements 
of the proposal with certain modifications to address comments 
received. Consistent with the proposal, the final framework consists of 
a risk-based approach to establishing supervisory expectations, 
assigning supervisory resources, and conducting supervisory activities; 
applies tailored supervisory ratings; and describes how Federal Reserve 
examiners will rely to the fullest extent possible on the work of state 
insurance regulators to limit supervisory duplication. The final 
guidance has been modified from the proposal to include additional 
clarity in various sections, including with respect to the complexity 
classification and applicable guidance. The final guidance also 
includes additional references to incorporating the work performed by 
state insurance regulators and allows for noncomplex supervised 
insurance organizations to be rated up to every other year.

IV. Final Guidance

A. Proportionality--Supervisory Activities and Expectations

Risk Profile, Complexity Classification, Risk Assessment
    In the proposal, the terms ``risk profile,'' ``complexity 
classification,'' and ``risk assessment'' would have been used to 
describe the Board's approach to aligning its supervision with the risk 
of a firm. Under the proposal, an organization's risk profile would 
have depended on its products, investments, and strategy and would have 
been assessed independent of supervisory opinions or approach. The 
complexity classification would have been the Federal Reserve's 
preliminary view of the organization's risk profile and would have been 
used primarily to determine the level of supervisory resources needed 
to effectively supervise an organization. A supervised insurance 
organization would have been classified as either complex or noncomplex 
when the organization initially became subject to Federal Reserve 
supervision and only re-classified if the organization's risk profile 
significantly changed (typically the result of a major acquisition or 
divestiture). The risk assessment would have been an exercise typically 
completed annually by Federal Reserve examiners to support a discussion 
of the organization's material risks, ensuring that supervisory 
activities planned for the following year were risk-focused and did not 
duplicate work done by other regulators. Commenters requested clarity 
on the differences between these three terms as used in the proposal. 
The final guidance maintains these terms and their intended 
definitions, but the text has been adjusted to clarify how they will be 
used.
Complexity Classification
    Under the proposal, supervised insurance organizations would have 
been classified as either complex or noncomplex based on a list of 
characteristics. The complexity classification would have been the 
initial driver for the assignment of supervisory resources, with 
complex supervised insurance organizations being assigned a dedicated 
supervisory

[[Page 60162]]

team. The complexity classification would have also been a driver for 
the application of supervisory guidance. Organizations with over $100 
billion of consolidated depository institution assets or that are 
designated as an internationally active insurance group (IAIG) would 
have automatically been classified as complex. Commenters requested 
additional transparency regarding the factors considered when making 
the complexity classification and suggested additional factors for 
consideration, such as the source of funding for non-insurance 
operations. Commenters also suggested removing the $100 billion 
consolidated depository institution asset threshold, removing the 
automatic complex classification for IAIGs in exchange for a 
materiality view of international exposure, attaching specific weights 
to the factors listed in the proposal, and providing organizations the 
opportunity to appeal or request a review of the complexity 
classification.
    To ensure that organizations with similar sized banking operations 
are supervised consistently by the Federal Reserve, the final guidance 
retains the $100 billion consolidated depository institution asset 
threshold as proposed. The automatic complex classification proposed 
for IAIGs has been removed from the final guidance and instead the 
materiality of an insurance organization's international operations 
will be considered as part of the complexity classification decision. 
While weights were not added to the factors in order to preserve the 
flexibility needed to properly classify organizations of differing 
business and risk profiles, the factors in the final guidance are 
sequenced in order of expected relative priority. The Board believes 
that these factors are broad enough to cover the additional factors 
suggested by commenters. In response to the comments, and to promote 
transparency, the complexity classification work program used to 
support the complexity classification decision made by the Board will 
be published on the Board's website. The work program provides 
additional clarity regarding the information leveraged to make the 
complexity classification and several of the factors suggested by 
commenters are included in the work program as questions related to a 
listed factor. The final guidance also clarifies that an organization 
can request a review of its complexity classification if it has 
experienced a significant change to its risk profile.
Supervisory Activities
    Under the proposal, supervisory activities would have focused on 
material risks to the consolidated organization and leveraged the work 
performed by the firm's functional regulators. Additionally, under the 
proposal, ratings examinations would have been performed annually for 
all supervised insurance organizations, including those classified as 
noncomplex. Commenters requested that supervisory activities focus on 
material risks not subject to oversight by other regulators and that, 
where appropriate, Federal Reserve examiners coordinate the timing and 
scope of supervisory activities with other regulators to avoid 
duplication. Specifically for noncomplex supervised insurance 
organizations, commenters requested that Federal Reserve examiners 
align periodic rating examinations with the frequency used by other 
regulators and limit the frequency of examinations to every other year, 
as described in SR letter 13-21,\10\ ``Inspection Frequency and Scope 
Requirements for Bank Holding Companies and Savings and Loan Holding 
Companies with Total Consolidated Assets of $10 Billion or Less.''
---------------------------------------------------------------------------

    \10\ See SR letter 13-21, ``Inspection Frequency and Scope 
Requirements for Bank Holding Companies and Savings and Loan Holding 
Companies with Total Consolidated Assets of $10 Billion or Less.''
---------------------------------------------------------------------------

    The final guidance emphasizes that supervisory activities focus 
primarily on material risks that could impede the organization's 
ability to act as a source of strength for its depository 
institution(s). Supervisory activities are also used to develop a 
better understanding of an organization's business and risk profile and 
to monitor the safety and soundness of the organization, including its 
adherence to applicable laws and regulations. As the consolidated 
supervisor, it is important for Federal Reserve examiners to understand 
all material risks to the organization. Federal Reserve examiners work 
closely with other regulators to promote knowledge sharing and to 
avoid, to the greatest extent possible, supervisory duplication. This 
includes discussing annual supervisory plans and coordinating the 
timing of supervisory activities. Under the final guidance, noncomplex 
supervised insurance organizations may be rated every other year, 
depending on the organization's risk profile.
Supervisory Expectations
    Under the proposal, the requirement that supervised insurance 
organizations comply with all applicable laws and regulations, operate 
in a safe-and-sound manner, and act as a source of strength for their 
depository institution(s) would have been emphasized. Expectations 
within supervisory guidance published by the Board related to specific 
firm practices would have been tailored to reflect the firm's business 
and risk profile. Commenters were supportive of this tailoring and 
requested that the framework explicitly allow for supervisory 
expectations to differ by business line. Commenters also requested 
clarity regarding the applicability of SR letter 12-17,\11\ 
``Consolidated Supervision Framework for Large Financial Institutions'' 
to supervised insurance organizations.
---------------------------------------------------------------------------

    \11\ See SR letter 12-17, ``Consolidated Supervision Framework 
for Large Financial Institutions.''
---------------------------------------------------------------------------

    Supervisory guidance issued by the Board often provides examples of 
practices that the Board generally considers consistent with safety-
and-soundness standards. Most guidance issued by the Board provides 
examples specific to banking operations. The final guidance 
communicates that other practices used by supervised insurance 
organizations for their other business lines, including for insurance 
operations, may be different without being considered unsafe or 
unsound. When making an assessment of whether a different practice is 
unsafe or unsound, Federal Reserve examiners will work with supervised 
insurance organizations and their functional regulators, including 
state insurance regulators. The final guidance clarifies that it 
supersedes SR letter 12-17 for supervised insurance organizations.
    One commenter also requested the Board provide additional clarity 
on supervisory expectations by continually updating the list of 
applicable guidance found in SR letter 14-9,\12\ ``Incorporation of 
Federal Reserve Policies into the Savings and Loan Holding Company 
Supervision Program.'' SR letter 14-9 was issued after supervisory 
authority for savings and loan holding companies was transferred from 
the Office of Thrift Supervision to the Board in order to clarify the 
applicability of guidance issued before the transfer. Guidance issued 
since the transfer has expressly stated its applicability to savings 
and loan holding companies, and this practice will continue. 
Accordingly, the Board does not intend to continually update SR letter 
14-9 in this way.
---------------------------------------------------------------------------

    \12\ See SR letter 14-9, ``Incorporation of Federal Reserve 
Policies into the Savings and Loan Holding Company Supervision 
Program.''

---------------------------------------------------------------------------

[[Page 60163]]

B. Supervisory Ratings

    Under the proposal, supervised insurance organizations would have 
been assigned supervisory ratings in each of three components: Capital 
Management, Liquidity Management, and Governance and Controls. The 
ratings would have been Broadly Meets Expectations, Conditionally Meets 
Expectations, Deficient-1, and Deficient-2. The definitions for the 
ratings would have been designed for supervised insurance organizations 
with particular emphasis on the obligation that the firms operate in a 
safe and sound manner and serve as a source of financial and managerial 
strength for their depository institution(s). Under the proposal, 
examples would have been included in the definitions for the Deficient-
1 and Deficient-2 ratings for the Governance and Controls component 
that included being subject to informal or formal enforcement action by 
the Federal Reserve or another regulator. Commenters indicated that 
state insurance and other regulators may have different thresholds for 
enforcement actions and that the materiality of enforcement actions 
should be of more importance than the existence of an enforcement 
action. The final guidance qualifies the example provided by referring 
to enforcement actions tied to violations of laws and regulations that 
indicate severe deficiencies in the firm's governance and controls.

C. Incorporating the Work of Other Supervisors

    Consistent with statutory requirements, under the proposal, Federal 
Reserve examiners would have relied to the fullest extent possible on 
the work performed by the firm's functional regulators, including state 
insurance regulators. This would have included coordinating with state 
insurance regulators before commencing certain supervisory activities, 
meeting periodically with state insurance regulators, and reviewing 
specific reports required of supervised insurance organizations from 
state insurance regulators. Commenters requested additional clarity 
regarding how Federal Reserve examiners would rely on the work of 
functional regulators and offered specific recommendations on ways to 
improve this reliance to avoid supervisory duplication. In response to 
these comments, the final guidance includes additional references to 
the importance of incorporating the work of other supervisors in the 
sections on proportionality and ratings. The final guidance also 
incorporates several of the suggested changes, including additional 
reports from the state insurance regulators that should be reviewed by 
Federal Reserve examiners.

D. Additional Comments

Regulatory Reporting
    Under the proposal, there would have been no changes to regulatory 
reporting required by the Federal Reserve from supervised insurance 
organizations. Given the extensive subsidiary reporting required by 
state insurance regulators and to avoid duplication, commenters 
requested that supervised insurance organizations not be required to 
report on the FR Y-6 or submit FR Y-10, FR Y-11, or FR 2314 reports for 
passive real estate and other investments held by insurance 
underwriting companies. The proposal did not contemplate any changes to 
regulatory reporting requirements, and the Board is not making any such 
changes at this time. The Board will, however, consider incorporating 
these suggestions in future revisions of these reporting forms.
Adjustments To Accommodate Different Charter Types
    Under the proposal, the framework would have included references to 
regulations applicable only to certain depository institution holding 
company charter types (savings and loan holding companies). The 
guidance is designed to apply to all organizations supervised by the 
Federal Reserve that meet the definition of a supervised insurance 
organization. Text included in the proposal applicable only to savings 
and loan holding companies has been removed from the final guidance.

V. Regulatory Analysis

A. Paperwork Reduction Act

    There is no collection of information required by this notice that 
would be subject to the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 
et seq.
This Appendix A will not publish in the CFR.

Appendix A--Text of Insurance Supervisory Framework

Framework for the Supervision of Insurance Organizations

    This framework describes the Federal Reserve's approach to 
consolidated supervision of supervised insurance organizations.\1\ 
The framework is designed specifically to account for the unique 
risks and business profiles of these firms resulting mainly from 
their insurance business. The framework consists of a risk-based 
approach to establishing supervisory expectations, assigning 
supervisory resources, and conducting supervisory activities; a 
supervisory rating system; and a description of how Federal Reserve 
examiners work with the state insurance regulators to limit 
supervisory duplication.
---------------------------------------------------------------------------

    \1\ In this framework, a ``supervised insurance organization'' 
is a depository institution holding company that is an insurance 
underwriting company, or that has over 25 percent of its 
consolidated assets held by insurance underwriting subsidiaries, or 
has been otherwise designated as a supervised insurance organization 
by Federal Reserve staff.
---------------------------------------------------------------------------

A. Proportionality--Supervisory Activities and Expectations

    Consistent with the Federal Reserve's approach to risk-based 
supervision, supervisory guidance is applied, and supervisory 
activities are conducted, in a manner that is proportionate to each 
firm's individual risk profile. This begins by classifying each 
supervised insurance organization either as complex or noncomplex 
based on its risk profile and continues with a risk-based 
application of supervisory guidance and supervisory activities 
driven by a periodic risk assessment. The risk assessment drives 
planned supervisory activities and is communicated to the firm along 
with the supervisory plan for the upcoming cycle. Supervisory 
activities are focused on resolving supervisory knowledge gaps, 
monitoring the safety and soundness of the firm, assessing the 
firm's management of risks that could potentially impact its ability 
to act as a source of managerial and financial strength for its 
depository institution(s), and monitoring for potential systemic 
risk, if relevant.

A. Complexity Classification and Supervised Activities

    The Federal Reserve classifies each supervised insurance 
organization as either complex or noncomplex based on its risk 
profile. The classification serves as the basis for determining the 
level of supervisory resources dedicated to each firm, as well as 
the frequency and intensity of supervisory activities.

Complex

    Complex firms have a higher level of risk and therefore require 
more supervisory attention and resources. Federal Reserve dedicated 
supervisory teams are assigned to execute approved supervisory plans 
led by a dedicated Central Point of Contact. The activities listed 
in the supervisory plans focus on understanding any risks that could 
threaten the safety and soundness of the consolidated organization 
or a firm's ability to act as a source of strength for its 
subsidiary depository institution(s). These activities typically 
include continuous monitoring, targeted topical examinations, 
coordinated reviews, and an annual roll-up assessment resulting in 
ratings for the three rating components. The relevance of certain 
supervisory guidance may vary among complex firms based on each 
firm's risk profile. Supervisory guidance targeted at smaller 
depository institution holding companies, for example, may be more

[[Page 60164]]

relevant for complex supervised insurance organizations with limited 
inherent exposure to a certain risk.

Noncomplex

    Noncomplex firms, due to their lower risk profile, require less 
supervisory oversight relative to complex firms. The supervisory 
activities for these firms occur primarily during a rating 
examination that occurs no less often than every other year and 
results in the three component ratings. The supervision of 
noncomplex firms relies more heavily on the reports and assessments 
of a firm's other relevant supervisors, although these firms may 
also be subject to continuous monitoring, targeted topical 
examinations, and coordinated reviews as appropriate. The focus and 
types of supervisory activities for noncomplex firms are also set 
based on the risks of each firm.
    Factors considered when classifying a supervised insurance 
organization as either complex or noncomplex include the absolute 
and relative size of its depository institution(s), its current 
supervisory and regulatory oversight (ratings and opinions of its 
supervisors, and the nature and extent of any unregulated and/or 
unsupervised activities), the breadth and nature of product and 
portfolio risks, the nature of its organizational structure, its 
quality and level of capital and liquidity, the materiality of any 
international exposure, and its interconnectedness with the broader 
financial system.
    For supervised insurance organizations that are commencing 
Federal Reserve supervision, the classification as complex or 
noncomplex is done and communicated during the application phase 
after initial discussions with the firm. The firm's risk profile, 
including the characteristics listed above, are evaluated by staff 
of the Board and relevant Reserve Bank before the complexity 
classification is assigned by Board staff. Large, well-established, 
and financially strong supervised insurance organizations with 
relatively small depository institutions can be classified as 
noncomplex if, in the opinion of Board staff, the corresponding 
level of supervisory oversight is sufficient to accomplish its 
objectives. Although the risk profile is the primary basis for 
assigning a classification, a firm is automatically classified as 
complex if its depository institution's average assets exceed $100 
billion. A firm may request that the Federal Reserve review its 
complexity classification if it has experienced a significant change 
to its risk profile.
    The focus, frequency, and intensity of supervisory activities 
are based on a risk assessment of the firm completed periodically by 
the supervisory team and will vary among firms within the same 
complexity classification. For each risk described in the 
Supervisory Expectations section below, the supervisory team 
assesses the firm's inherent risks and its residual risk after 
considering the effectiveness of its management of the risk. The 
risk assessment and the supervisory activities that follow from it 
take into account the assessments made by and work performed by the 
firm's other regulators. In certain instances, Federal Reserve 
examiners may be able to rely on a firm's internal audit (if it is 
rated effective) or internal control functions in developing the 
risk assessment.

B. Supervisory Expectations

    Supervised insurance organizations are required to operate in a 
safe and sound manner, to comply with all applicable laws and 
regulations, and to possess sufficient financial and operational 
strength to serve as a source of strength for their depository 
institution(s) through a range of stressful yet plausible 
conditions. The governance and risk management practices necessary 
to accomplish these objectives will vary based on a firm's specific 
risk profile, size, and complexity. Guidance describing supervisory 
expectations for safe and sound practices can be found in 
Supervision & Regulation (SR) letters published by the Board and 
other supervisory material. Supervisory guidance most relevant to a 
specific supervised insurance organization is driven by the risk 
profile of the firm. Federal Reserve examiners periodically reassess 
the firm's risk profile and inform the firm if different supervisory 
guidance becomes more relevant as a result of a material change to 
its risk profile.
    Most supervisory guidance issued by the Board is intended 
specifically for institutions that are primarily engaged in banking 
activities. Examples of specific practices provided in these 
materials may differ from (or not be applicable to) the nonbanking 
operations of supervised insurance organizations, including for 
insurance operations. The Board recognizes that practices in 
nonbanking business lines can be different than those published in 
supervisory guidance without being considered unsafe or unsound. 
When making their assessment, Federal Reserve examiners work with 
supervised insurance organizations and other involved regulators, 
including state insurance regulators, to appropriately assess 
practices that may be different than those typically observed for 
banking operations.
    This section describes general safety and soundness expectations 
and how the Board has adapted its supervisory expectations to 
reflect the special characteristics of a supervised insurance 
organization. The section is organized using the three rating 
components--Governance and Controls, Capital Management, and 
Liquidity Management.

Governance and Controls

    The Governance and Controls component rating is derived from an 
assessment of the effectiveness of a firm's (1) board and senior 
management, and (2) independent risk management and controls. All 
firms are expected to align their strategic business objectives with 
their risk appetite and risk management capabilities; maintain 
effective and independent risk management and control functions 
including internal audit; promote compliance with laws and 
regulations; and remain a source of financial and managerial 
strength for their depository institution(s). When assessing 
governance and controls, Federal Reserve examiners consider a firm's 
risk management capabilities relative to its risk exposure within 
the following areas: internal audit, credit risk, legal and 
compliance risk, market risk, model risk, and operational risk, 
including cybersecurity/information technology and third-party risk.
    Governance & Controls expectations:
     Despite differences in their business models and the 
products offered, insurance companies and banks are expected to have 
effective and sustainable systems of governance and controls to 
manage their respective risks. The governance and controls framework 
for a supervised insurance organization should:
    [cir] Clearly define roles and responsibilities throughout the 
organization;
    [cir] Include policies and procedures, limits, requirements for 
documenting decisions, and decision-making and accountability chains 
of command; and
    [cir] Provide timely information about risk and corrective 
action for non-compliance or weak oversight, controls, and 
management.
     The Board expects the sophistication of the governance 
and controls framework to be commensurate with the size, complexity, 
and risk profile of the firm. As such, governance and controls 
expectations for complex firms will be higher than that for 
noncomplex firms but will also vary based on each firm's risk 
profile.
     The Board expects supervised insurance organizations to 
have a risk management and control framework that is commensurate 
with its structure, risk profile, complexity, activities, and size. 
For any chosen structure, the firm's board is expected to have the 
capacity, expertise, and sufficient information to discharge risk 
oversight and governance responsibilities in a safe and sound 
manner.
    In assigning a rating for the Governance and Controls component, 
Federal Reserve examiners evaluate:
    Board and Senior Management Effectiveness
     The firm's board is expected to exhibit certain 
attributes consistent with effectiveness, including: (i) setting a 
clear, aligned, and consistent direction regarding the firm's 
strategy and risk appetite; (ii) directing senior management 
regarding board reporting; (iii) overseeing and holding senior 
management accountable; (iv) supporting the independence and stature 
of independent risk management and internal audit; and (v) 
maintaining a capable board and an effective governance structure. 
As the consolidated supervisor, the Board focuses on the board of 
the supervised insurance organization and its committees. Complex 
firms are expected to take into consideration the Board's guidance 
on board of directors' effectiveness.\2\ In assessing the 
effectiveness of a firm's senior management, Federal Reserve 
examiners consider the extent to which senior management effectively 
and prudently manages the day-to-day operations of the firm and 
provides for ongoing resiliency; implements the firm's strategy and 
risk appetite; identifies and manages risks; maintains an effective 
risk management framework and system of internal controls; and 
promotes prudent risk taking behaviors and business practices, 
including compliance

[[Page 60165]]

with laws and regulations such as those related to consumer 
protection and the Bank Secrecy Act/Anti-Money Laundering and Office 
of Foreign Assets Control (BSA/AML and OFAC). Federal Reserve 
examiners evaluate how the framework allows management to be 
responsible for and manage all risk types, including emerging risks, 
within the business lines. Examiners rely to the fullest extent 
possible on insurance and banking supervisors' examination reports 
and information concerning risk and management in specific lines of 
business, including relying specifically on state insurance 
regulators to evaluate and assess how firms manage the pricing, 
underwriting, and reserving risk of their insurance operations.
---------------------------------------------------------------------------

    \2\ See SR letter 21-3, ``Supervisory Guidance on Board of 
Directors' Effectiveness.''
---------------------------------------------------------------------------

    Independent Risk Management and Controls
     In assessing a firm's independent risk management and 
controls, Federal Reserve examiners consider the extent to which 
independent risk management effectively evaluates whether the firm's 
risk appetite framework identifies and measures all of the firm's 
material risks; establishes appropriate risk limits; and aggregates, 
assesses and reports on the firm's risk profile and positions. 
Additionally, the firm is expected to demonstrate that its internal 
controls are appropriate and tested for effectiveness and 
sustainability.
     Internal Audit is an integral part of a supervised 
insurance organization's internal control system and risk management 
structure. An effective internal audit function plays an essential 
role by providing an independent risk assessment and objective 
evaluation of all key governance, risk management, and internal 
control processes. Internal audit is expected to effectively and 
independently assess the firm's risk management framework and 
internal control systems, and report findings to senior management 
and to the firm's audit committee. Despite differences in business 
models, the Board expects the largest, most complex supervised 
insurance organizations to have internal audit practices in place 
that are similar to those at banking organizations and as such, no 
modification to existing guidance is required for these firms.\3\ At 
the same time, the Board recognizes that firms should have an 
internal audit function that is appropriate to their size, nature, 
and scope of activities. Therefore, for noncomplex firms, Federal 
Reserve examiners will consider the expectations in the insurance 
company's domicile state's Annual Financial Reporting Regulation 
(NAIC Model Audit Rule 205), or similar state regulation, to assess 
the effectiveness of a firm's internal audit function.
---------------------------------------------------------------------------

    \3\ Regulatory guidance provided in SR letter 03-5, ``Amended 
Interagency Guidance on the Internal Audit Function and its 
Outsourcing'' and SR letter 13-1, ``Supplemental Policy Statement on 
the Internal Audit Function and Its Outsourcing'' are applicable to 
complex supervised insurance organizations.
---------------------------------------------------------------------------

    The principles of sound risk management described in the 
previous sections apply to the entire spectrum of risk management 
activities of a supervised insurance organization, including but not 
limited to:
     Credit risk arises from the possibility that a borrower 
or counterparty will fail to perform on an obligation. Fixed income 
securities, by far the largest asset class held by many insurance 
companies, is a large source of credit risk. This is unlike most 
banking organizations, where loans generally make up the largest 
portion of balance sheet assets. Life insurer investment portfolios 
in particular are generally characterized by longer duration 
holdings compared to those of banking organizations. Additionally, 
an insurance company's reinsurance recoverables/receivables arising 
from the use of third-party reinsurance and participation in 
regulatory required risk-pooling arrangements expose the firm to 
additional counterparty credit risk. Federal Reserve examiners scope 
examination work based on a firm's level of inherent credit risk. 
The level of inherent risk is determined by analyzing the 
composition, concentration, and quality of the consolidated 
investment portfolio; the level of a firm's reinsurance 
recoverables, the credit quality of the individual reinsurers, and 
the amount of collateral held for reinsured risks; and credit 
exposures associated with derivatives, securities lending, or other 
activities that may also have off-balance sheet counterparty credit 
exposures. In determining the effectiveness of a firm's management 
of its credit risk, Federal Reserve examiners rely, where possible, 
on the assessments made by other relevant supervisors for the 
depository institution(s) and the insurance company(ies). In its own 
assessment, the Federal Reserve will determine whether the board and 
senior management have established an appropriate credit risk 
governance framework consistent with the firm's risk appetite; 
whether policies, procedures and limits are adequate and provide for 
ongoing monitoring, reporting and control of credit risk; the 
adequacy of management information systems as it relates to credit 
risk; and the sufficiency of internal audit and independent review 
coverage of credit risk exposure.
     Market risk arises from exposures to losses as a result 
of underlying changes in, for example, interest rates, equity 
prices, foreign exchange rates, commodity prices, or real estate 
prices. Federal Reserve examiners scope examination work based on a 
firm's level of inherent market risk exposure, which is normally 
driven by the primary business line(s) in which the firm is engaged 
as well as the structure of the investment portfolio. A firm may be 
exposed to inherent market risk due to its investment portfolio or 
as result of its product offerings, including variable and indexed 
life insurance and annuity products, or asset/wealth management 
business. While interest rate risk (IRR), a category of market risk, 
differs between insurance companies and banking organizations, the 
degree of IRR also differs based on the type of insurance products 
the firm offers. IRR is generally a small risk for U.S. property/
casualty (P/C) whereas it can be a significant risk factor for life 
insurers with certain life and annuity products that are spread-
based, longer in duration, may include embedded product guarantees, 
and can pose disintermediation risk. Equity market risk can be 
significant for life insurers that issue guarantees tied to equity 
markets, like variable annuity living benefits, and for P/C insurers 
with large common equity allocations in their investment portfolios. 
Generally foreign exchange and commodity risk is low for supervised 
insurance organizations but could be material for some complex 
firms. Firms are expected to have sound risk management 
infrastructure that adequately identifies, measures, monitors, and 
controls any material or significant forms of market risks to which 
it is exposed.
     Model risk is the potential for adverse consequences 
from decisions based on incorrect or misused model outputs and 
reports. Model risk can lead to financial loss, poor business and 
strategic decision-making, or damage to a firm's reputation. 
Supervised insurance organizations are often heavily reliant on 
models for product pricing and reserving, risk and capital 
management, strategic planning and other decision-making purposes. A 
sound model risk management framework helps manage this risk.\4\ 
Federal Reserve examiners take into account the firm's size, nature, 
and complexity, as well as the extent of use and sophistication of 
its models when assessing its model risk management program. 
Examiners focus on the governance framework, policies and controls, 
and enterprise model risk management through a holistic evaluation 
of the firm's practices. The Federal Reserve's review of a firm's 
model risk management program complements the work of the firm's 
other relevant supervisors. A sound model risk management framework 
includes three main elements: (1) an accurate model inventory and an 
appropriate approach to model development, implementation, and use; 
(2) effective model validation and continuous model performance 
monitoring; and (3) a strong governance framework that provides 
explicit support and structure for model risk management through 
policies defining relevant activities, procedures that implement 
those policies, allocation of resources, and mechanisms for 
evaluating whether policies and procedures are being carried out as 
specified, including internal audit review. The Federal Reserve 
relies on work already conducted by other relevant supervisors and 
appropriately collaborates with state insurance regulators on their 
findings related to insurance models. With respect to insurance 
models, the Federal Reserve recognizes the important role played by 
actuaries as described in actuarial standards of practice on model 
risk management. With respect to the business of insurance, Federal 
Reserve examiners focus on the firm's adherence to its own policies 
and procedures and the comprehensiveness of model validation rather 
than technical specifications such as the appropriateness of the 
model, its assumptions, or output. Federal Reserve examiners may 
request that firms provide model documentation or model validation 
reports for insurance and bank models when performing transaction 
testing.
---------------------------------------------------------------------------

    \4\ SR letter 11-7, ``Guidance on Model Risk Management'' is 
applicable to all supervised insurance organizations.
---------------------------------------------------------------------------

     Legal risk arises from the potential that unenforceable 
contracts, lawsuits, or adverse

[[Page 60166]]

judgments can disrupt or otherwise negatively affect the operations 
or financial condition of a supervised insurance organization.
     Compliance risk is the risk of regulatory sanctions, 
fines, penalties, or losses resulting from failure to comply with 
laws, rules, regulations, or other supervisory requirements 
applicable to a firm. By offering multiple financial service 
products that may include insurance, annuity, banking, services 
provided by securities broker-dealers, and asset and wealth 
management products, provided through a diverse distribution 
network, supervised insurance organizations are inherently exposed 
to a significant amount of legal and compliance risk. As the 
consolidated supervisor, the Board expects firms to have an 
enterprise-wide legal and compliance risk management program that 
covers all business lines, legal entities, and jurisdictions of 
operation. Firms are expected to have compliance risk management 
governance, oversight, monitoring, testing, and reporting 
commensurate with their size and complexity, and to ensure 
compliance with all applicable laws and regulations. The principles-
based guidance in existing SR letters related to legal and 
compliance risk is applicable to supervised insurance 
organizations.\5\ For both complex and noncomplex firms, Federal 
Reserve examiners rely on the work of the firm's other supervisors. 
As described in section C, Incorporating the Work of Other 
Supervisors, the assessments, examination results, ratings, 
supervisory issues, and enforcement actions from other supervisors 
will be incorporated into a consolidated assessment of the 
enterprise-wide legal and compliance risk management framework.
---------------------------------------------------------------------------

    \5\ SR letter 08-8, ``Compliance Risk Management Programs and 
Oversight at Large Banking Organizations with Complex Compliance 
Profiles'' is applicable to complex supervised insurance 
organizations. For noncomplex firms, the Federal Reserve will assess 
legal and compliance risk management based on the guidance in SR 
letter 16-11, ``Supervisory Guidance for Assessing Risk Management 
at Supervised Institutions with Total Consolidated Assets Less than 
$100 Billion.''
---------------------------------------------------------------------------

    [cir] Money laundering, terrorist financing and other illicit 
financial activity risk is the risk of providing criminals access to 
the legitimate financial system and thereby being used to facilitate 
financial crime. This financial crime includes laundering criminal 
proceeds, financing terrorism, and conducting other illegal 
activities. Money laundering and terrorist financing risk is 
associated with a financial institution's products, services, 
customers, and geographic locations. This and other illicit 
financial activity risks can impact a firm across business lines, 
legal entities, and jurisdictions. A reasonably designed compliance 
program generally includes a structure and oversight that mitigates 
these risks and supports regulatory compliance with both BSA/AML 
OFAC requirements. Although OFAC regulations are not part of the 
BSA, OFAC compliance programs are frequently assessed in conjunction 
with BSA/AML. Supervised insurance organizations are not defined as 
financial institutions under the BSA and, therefore, are not 
required to have an AML program, unless the firm is directly selling 
certain insurance products. However, certain subsidiaries and 
affiliates of supervised insurance organizations, such as insurance 
companies and banks, are defined as financial institutions under 31 
U.S.C. 5312(a)(2) and must develop and implement a written BSA/AML 
compliance program as well as comply with other BSA regulatory 
requirements. Unlike banks, insurance companies' BSA/AML obligations 
are limited to certain products, referred to as covered insurance 
products.\6\ The volume of covered products, which the Financial 
Crimes Enforcement Network (FinCEN) has determined to be of higher 
risk, is an important driver of supervisory focus. In addition, as 
U.S. persons, all supervised insurance organizations (including 
their subsidiaries and affiliates) are subject to OFAC regulations. 
Federal Reserve examiners assess all material risks that each firm 
faces, extending to whether business activities across the 
consolidated organization, including within its individual 
subsidiaries or affiliates, comply with the legal requirements of 
BSA and OFAC regulations. In keeping with the principles of a risk-
based framework and proportionality, Federal Reserve supervision for 
BSA/AML and OFAC primarily focuses on oversight of compliance 
programs at a consolidated level and relies on work by other 
relevant supervisors to the fullest extent possible. In the 
evaluation of a firm's risks and BSA/AML and OFAC compliance 
program, however, it may be necessary for examiners to review 
compliance with BSA/AML and OFAC requirements at individual 
subsidiaries or affiliates in order to fully assess the material 
risks of the supervised insurance organization.
---------------------------------------------------------------------------

    \6\ ``Covered products'' means: a permanent life insurance 
policy, other than a group life insurance policy; an annuity 
contract, other than a group annuity contract; or any other 
insurance product with features of cash value or investment. 31 CFR 
1025.100(b). ``Permanent life insurance policy'' means an agreement 
that contains a cash value or investment element and that obligates 
the insurer to indemnify or to confer a benefit upon the insured or 
beneficiary to the agreement contingent upon the death of the 
insured. 31 CFR 1025.100(h). ``Annuity contract'' means any 
agreement between the insurer and the contract owner whereby the 
insurer promises to pay out a fixed or variable income stream for a 
period of time. 31 CFR 1025.100(a).
---------------------------------------------------------------------------

     Operational risk is the risk of loss resulting from 
inadequate or failed internal processes, people, and systems, or 
from external events. Operational resilience is the ability to 
maintain operations, including critical operations and core business 
lines, through a disruption from any hazard. It is the outcome of 
effective operational risk management combined with sufficient 
financial and operational resources to prepare, adapt, withstand, 
and recover from disruptions. A firm that operates in a safe and 
sound manner is able to identify threats, respond and adapt to 
incidents, and recover and learn from such threats and incidents so 
that it can prioritize and maintain critical operations and core 
business lines, along with other operations, services and functions 
identified by the firm, through a disruption.
    [cir] Cybersecurity/information technology risks are a subset of 
operational risk and arise from operations of a firm requiring a 
strong and robust internal control system and risk management 
oversight structure. Information Technology (IT) and Cybersecurity 
(Cyber) functions are especially critical to a firm's operations. 
Examiners of financial institutions, including supervised insurance 
organizations, utilize the detailed guidance on mitigating these 
risks in the Federal Financial Institutions Examination Council's 
(FFIEC) IT Handbooks. In assessing IT/Cyber risks, Federal Reserve 
examiners assess each firm's:
    [ssquf] Board and senior management for effective oversight and 
support of IT management;
    [ssquf] Information/cyber security program for strong board and 
senior management support, integration of security activities and 
controls through business processes, and establishment of clear 
accountability for security responsibilities;
    [ssquf] IT operations for sufficient personnel, system capacity 
and availability, and storage capacity adequacy to achieve strategic 
objectives and appropriate solutions;
    [ssquf] Development and acquisition processes' ability to 
identify, acquire, develop, install, and maintain effective IT to 
support business operations; and
    [ssquf] Appropriate business continuity management processes to 
effectively oversee and implement resilience, continuity, and 
response capabilities to safeguard employees, customers, assets, 
products, and services.
    Complex and noncomplex firms are assessed in these areas. All 
supervised insurance organizations are required to notify the 
Federal Reserve of any computer-security notification incidents.\7\
---------------------------------------------------------------------------

    \7\ SR letter 22-4, ``Contact Information in Relation to 
Computer-Security Incident Notification Requirements'' applies to 
all supervised insurance organizations.
---------------------------------------------------------------------------

    [cir] Third party risk is also a subset of operational risk and 
arises from a firm's use of service providers to perform operational 
or service functions. These risks may be inherent to the outsourced 
activity or be introduced with the involvement of the service 
provider. When assessing effective third party risk management, 
Federal Reserve examiners evaluate eight areas: (1) third party risk 
management governance, (2) risk assessment framework, (3) due 
diligence in the selection of a service provider, (4) a review of 
any incentive compensation embedded in a service provider contract, 
(5) management of any contract or legal issues arising from third 
party agreements, (6) ongoing monitoring and reporting of third 
parties, (7) business continuity and contingency of the third party 
for any service disruptions, and (8) effective internal audit 
program to assess the risk and controls of the firm's third party 
risk management program.\8\
---------------------------------------------------------------------------

    \8\ SR letter 13-19, ``Guidance on Managing Outsourcing Risk'' 
applies to all supervised insurance organizations.
---------------------------------------------------------------------------

Capital Management

    The Capital Management rating is derived from an assessment of a 
firm's current and stressed level of capitalization, and the

[[Page 60167]]

quality of its capital planning and internal stress testing. A 
capital management program should be commensurate with a supervised 
insurance organization's complexity and risk profile. In assigning 
this rating, the Federal Reserve examiners evaluate the extent to 
which a firm maintains sound capital planning practices through 
effective governance and oversight, effective risk management and 
controls, maintenance of updated capital policies and contingency 
plans for addressing potential shortfalls, and incorporation of 
appropriately stressful conditions into capital planning and 
projections of capital positions. The extent to which a firm's 
capital is sufficient to comply with regulatory requirements, to 
support the firm's ability to meet its obligations, and to enable 
the firm to remain a source of strength to its depository 
institution(s) in a range of stressful, but plausible, economic and 
financial environments is also evaluated.
    Insurance company balance sheets are typically quite different 
from those of most banking organizations. For life insurance 
companies, investment strategies may focus on cash flow matching to 
reduce interest rate risk and provide liquidity to support their 
liabilities, while for traditional banks, deposits (liabilities) are 
attracted to support investment strategies. Additionally, for 
insurers, capital provides a buffer for policyholder claims and 
creditor obligations, helping the firm absorb adverse deviations in 
expected claims experience, and other drivers of economic loss. The 
Board recognizes that the capital needs for insurance activities are 
materially different from those of banking activities and can be 
different between life and property and casualty insurers. Insurers 
may also face capital fungibility constraints not faced by banking 
organizations.
    In assessing a supervised insurance organization's capital 
management, the Federal Reserve relies to the fullest extent 
possible on information provided by state insurance regulators, 
including the firm's own risk and solvency assessment (ORSA) and the 
state insurance regulator's written assessment of the ORSA. An ORSA 
is an internal process undertaken by an insurance group to assess 
the adequacy of its risk management and current and prospective 
capital position under normal and stress scenarios. As part of the 
ORSA, insurance groups are required to analyze all reasonably 
foreseeable and relevant material risks that could have an impact on 
their ability to meet obligations.
    The Board expects supervised insurance organizations to have 
sound governance over their capital planning process. A firm should 
establish capital goals that are approved by the board of directors, 
and that reflect the potential impact of legal and/or regulatory 
restrictions on the transfer of capital between legal entities. In 
general, senior management should establish the capital planning 
process, which should be reviewed and approved periodically by the 
board. The board should require senior management to provide clear, 
accurate, and timely information on the firm's material risks and 
exposures to inform board decisions on capital adequacy and actions. 
The capital planning process should clearly reflect the difference 
between the risk profiles and associated capital needs of the 
insurance and banking businesses.
    A firm should have a risk management framework that 
appropriately identifies, measures, and assesses material risks and 
provides a strong foundation for capital planning. This framework 
should be supported by comprehensive policies and procedures, clear 
and well-established roles and responsibilities, strong internal 
controls, and effective reporting to senior management and the 
board. In addition, the risk management framework should be built 
upon sound management information systems.
    As part of capital management, a firm should have a sound 
internal control framework that helps ensure that all aspects of the 
capital planning process are functioning as designed and result in 
an accurate assessment of the firm's capital needs. The internal 
control framework should be independently evaluated periodically by 
the firm's internal audit function.
    The governance and oversight framework should include an 
assessment of the principles and guidelines used for capital 
planning, issuance, and usage, including internal post-stress 
capital goals and targeted capital levels; guidelines for dividend 
payments and stock repurchases; strategies for addressing capital 
shortfalls; and internal governance responsibilities and procedures 
for the capital policy. The capital policy should reflect the 
capital needs of the insurance and banking businesses based on their 
risks, be approved by the firm's board of directors or a designated 
committee of the board, and be re-evaluated periodically and revised 
as necessary.
    A strong capital management program will incorporate 
appropriately stressful conditions and events that could adversely 
affect the firm's capital adequacy and capital planning. As part of 
its capital plan, a firm should use at least one scenario that 
stresses the specific vulnerabilities of the firm's activities and 
associated risks, including those related to the firm's insurance 
activities and its banking activities.
    Supervised insurance organizations should employ estimation 
approaches to project the impact on capital positions of various 
types of stressful conditions and events, and that are independently 
validated. A firm should estimate losses, revenues, expenses, and 
capital using sound methods that incorporate macroeconomic and other 
risk drivers. The robustness of a firm's capital stress testing 
processes should be commensurate with its risk profile.

Liquidity Management

    The Liquidity Management rating is derived from an assessment of 
the supervised insurance organization's liquidity position and the 
quality of its liquidity risk management program. Each firm's 
liquidity risk management program should be commensurate with its 
complexity and risk profile.
    The Board recognizes that supervised insurance organizations are 
typically less exposed to traditional liquidity risk than banking 
organizations. Instead of cash outflows being mainly the result of 
discretionary withdrawals, cash outflows for many insurance products 
only result from the occurrence of an insured event. Insurance 
products, like annuities, that are potentially exposed to call risk 
generally have product features (i.e., surrender charges, market 
value surrenders, tax treatment, etc.) that help mitigate liquidity 
risk.
    Federal Reserve examiners tailor the application of existing 
supervisory guidance on liquidity risk management to reflect the 
liquidity characteristics of supervised insurance organizations.\9\ 
For example, guidance on intra-day liquidity management would only 
be applicable for supervised insurance organizations with material 
intra-day liquidity risks. Additionally, specific references to 
liquid assets may be more broadly interpreted to include other asset 
classes such as certain investment-grade corporate bonds.
---------------------------------------------------------------------------

    \9\ See SR letter 10-6, ``Interagency Policy Statement on 
Funding and Liquidity Risk Management.''
---------------------------------------------------------------------------

    The scope of the Federal Reserve's supervisory activities on 
liquidity risk is influenced by each firm's individual risk profile. 
Traditional property and casualty insurance products are typically 
short duration liabilities backed by short-duration, liquid assets. 
Because of this, they typically present lower liquidity risk than 
traditional banking activities. However, some non-traditional life 
insurance and retirement products create liquidity risk through 
features that allow payments at the request of policyholders without 
the occurrence of an insured event. Risks of certain other insurance 
products are often mitigated using derivatives. Any differences 
between collateral requirements related to hedging and the related 
liability cash flows can also create liquidity risk. The Board 
expects firms significantly engaged in these types of insurance 
activities to have correspondingly more sophisticated liquidity risk 
management programs.
    A strong liquidity risk management program includes cash flow 
forecasting with appropriate granularity. The firm's suite of 
quantitative metrics should effectively inform senior management and 
the board of directors of the firm's liquidity risk profile and 
identify liquidity events or stresses that could detrimentally 
affect the firm. The metrics used to measure a firm's liquidity 
position may vary by type of business.
    Federal Reserve examiners rely to the fullest extent possible on 
each firm's ORSA, which requires all firms to include a discussion 
of the risk management framework and assessment of material risks, 
including liquidity risk.
    Supervised insurance organizations are expected to perform 
liquidity stress testing at least annually and more frequently, if 
necessary, based on their risk profile. The scenarios used should 
reflect the firm's specific risk profile and include both 
idiosyncratic and system-wide stress events. Stress testing should 
inform the firm on the amount of liquid assets necessary to meet net 
cash outflows over relevant time periods, including at least a one-
year time horizon. Firms should hold a liquidity buffer

[[Page 60168]]

comprised of highly liquid assets to meet stressed net cash 
outflows. The liquidity buffer should be measured using appropriate 
haircuts based on asset quality, duration, and expected market 
illiquidity based on the stress scenario assumptions. Stress testing 
should reflect the expected impact on collateral requirements. For 
material life insurance operations, Federal Reserve examiners will 
rely to the greatest extent possible on information submitted by the 
firm to comply with the National Association of Insurance 
Commissioners' (NAIC) liquidity stress test framework.
    The fungibility of sources of liquidity is often limited between 
an insurance group's legal entities. Large insurance groups can 
operate with a significant number of legal entities and many 
different regulatory and operational barriers to transferring funds 
among them. Regulations designed to protect policyholders of 
insurance operating companies can limit the transferability of funds 
from an insurance company to other legal entities within the group, 
including to other insurance operating companies. Supervised 
insurance organizations should carefully consider these limitations 
in their stress testing and liquidity risk management framework. 
Effective liquidity stress testing should include stress testing at 
the legal entity level with consideration for intercompany liquidity 
fungibility. Furthermore, the firm should be able to measure and 
provide an assessment of liquidity at the top-tier depository 
institution holding company in a manner that incorporates 
fungibility constraints.
    The enterprise-wide governance and oversight framework should be 
consistent with the firm's liquidity risk profile and include 
policies and procedures on liquidity risk management. The firm's 
policies and procedures should describe its liquidity risk 
reporting, stress testing, and contingency funding plan.

B. Supervisory Ratings

    Supervised insurance organizations are expected to operate in a 
safe and sound manner, to comply with all applicable laws and 
regulations, and to possess sufficient financial and operational 
strength to serve as a source of strength for their depository 
institution(s) through a range of stressful yet plausible 
conditions. Supervisory ratings and supervisory findings are used to 
communicate the assessment of a firm. Federal Reserve examiners 
periodically assign one of four ratings to each of the three rating 
components used to assess supervised insurance organizations. The 
rating components are Capital Management, Liquidity Management, and 
Governance & Controls. The four potential ratings are Broadly Meets 
Expectations, Conditionally Meets Expectations, Deficient-1, and 
Deficient-2. To be considered ``well managed,'' a firm must receive 
a rating of Conditionally Meets Expectations or better in each of 
the three rating components. Each rating is defined specifically for 
supervised insurance organizations with particular emphasis on the 
obligation that firms serve as a source of financial and managerial 
strength for their depository institution(s). High-level definitions 
for each rating are below, followed by more specific rating 
definitions for each component.
    Broadly Meets Expectations. The supervised insurance 
organization's practices and capabilities broadly meet supervisory 
expectations. The holding company effectively serves as a source of 
managerial and financial strength for its depository institution(s) 
and possesses sufficient financial and operational strength and 
resilience to maintain safe-and-sound operations through a range of 
stressful yet plausible conditions. The firm may have outstanding 
supervisory issues requiring corrective actions, but these are 
unlikely to present a threat to its ability to maintain safe-and-
sound operations and unlikely to negatively impact its ability to 
fulfill its obligation to serve as a source of strength for its 
depository institution(s). These issues are also expected to be 
corrected on a timely basis during the normal course of business.
    Conditionally Meets Expectations. The supervised insurance 
organization's practices and capabilities are generally considered 
sound. However, certain supervisory issues are sufficiently material 
that if not resolved in a timely manner during the normal course of 
business, may put the firm's prospects for remaining safe and sound, 
and/or the holding company's ability to serve as a source of 
managerial and financial strength for its depository institution(s), 
at risk. A firm with a Conditionally Meets Expectations rating has 
the ability, resources, and management capacity to resolve its 
issues and has developed a sound plan to address the issue(s) in a 
timely manner. Examiners will work with the firm to develop an 
appropriate timeframe during which it will be required to resolve 
that supervisory issue(s) leading to this rating.
    Deficient-1. Financial or operational deficiencies in a 
supervised insurance organization's practices or capabilities put 
its prospects for remaining safe and sound, and/or the holding 
company's ability to serve as a source of managerial and financial 
strength for its depository institution(s), at significant risk. The 
firm is unable to remediate these deficiencies in the normal course 
of business, and remediation would typically require it to make 
material changes to its business model or financial profile, or its 
practices or capabilities. A firm with a Deficient-1 rating is 
required to take timely action to correct financial or operational 
deficiencies and to restore and maintain its safety and soundness 
and compliance with laws and regulations. Supervisory issues that 
place the firm's safety and soundness at significant risk, and where 
resolution is likely to require steps that clearly go beyond the 
normal course of business--such as issues requiring a material 
change to the firm's business model or financial profile, or its 
governance, risk management or internal control structures or 
practices--would generally warrant assignment of a Deficient-1 
rating. There is a strong presumption that a firm with a Deficient-1 
rating will be subject to an enforcement action.
    Deficient-2. Financial or operational deficiencies in a 
supervised insurance organization's practices or capabilities 
present a threat to its safety and soundness, have already put it in 
an unsafe and unsound condition, and/or make it unlikely that the 
holding company will be able to serve as a source of financial and 
managerial strength to its depository institution(s). A firm with a 
Deficient-2 rating is required to immediately implement 
comprehensive corrective measures and demonstrate the sufficiency of 
contingency planning in the event of further deterioration. There is 
a strong presumption that a firm with a Deficient-2 rating will be 
subject to a formal enforcement action.
    Definitions for the Governance and Controls Component Rating:
    Broadly Meets Expectations. Despite the potential existence of 
outstanding supervisory issues, the supervised insurance 
organization's governance and controls broadly meet supervisory 
expectations, supports maintenance of safe-and-sound operations, and 
supports the holding company's ability to serve as a source of 
financial and managerial strength for its depository 
institutions(s). Specifically, the firm's practices and capabilities 
are sufficient to align strategic business objectives with its risk 
appetite and risk management capabilities; maintain effective and 
independent risk management and control functions, including 
internal audit; promote compliance with laws and regulations; and 
otherwise provide for the firm's ongoing financial and operational 
resiliency through a range of conditions. The firm's governance and 
controls clearly reflect the holding company's obligation to act as 
a source of financial and managerial strength for its depository 
institution(s).
    Conditionally Meets Expectations. Certain material financial or 
operational weaknesses in a supervised insurance organization's 
governance and controls practices may place the firm's prospects for 
remaining safe and sound through a range of conditions at risk if 
not resolved in a timely manner during the normal course of 
business. Specifically, if left unresolved, these weaknesses may 
threaten the firm's ability to align strategic business objectives 
with its risk appetite and risk-management capabilities; maintain 
effective and independent risk management and control functions, 
including internal audit; promote compliance with laws and 
regulations; or otherwise provide for the firm's ongoing resiliency 
through a range of conditions. Supervisory issues may exist related 
to the firm's internal audit function, but internal audit is still 
regarded as effective.
    Deficient-1. Deficiencies in a supervised insurance 
organization's governance and controls put its prospects for 
remaining safe and sound through a range of conditions at 
significant risk. The firm is unable to remediate these deficiencies 
in the normal course of business, and remediation would typically 
require a material change to the firm's business model or financial 
profile, or its governance, risk management or internal control 
structures or practices.
    Examples of issues that may result in a Deficient-1 rating 
include, but are not limited to:
     The firm may be currently subject to, or expected to be 
subject to, informal or formal

[[Page 60169]]

enforcement action(s) by the Federal Reserve or another regulator 
tied to violations of laws and regulations that indicate severe 
deficiencies in the firm's governance and controls.
     Significant legal issues may have or be expected to 
impede the holding company's ability to act as a source of financial 
strength for its depository institution(s).
     The firm may have engaged in intentional misconduct.
     Deficiencies within the firm's governance and controls 
may limit the credibility of the firm's financial results, limit the 
board or senior management's ability to make sound decisions, or 
materially increase the firm's risk of litigation.
     The firm's internal audit function may be considered 
ineffective.
     Deficiencies in the firm's governance and controls may 
have limited the holding company's ability to act as a source of 
financial and/or managerial strength for its depository 
institution(s).
    Deficient-2. Financial or operational deficiencies in a 
supervised insurance organization's governance and controls present 
a threat to its safety and soundness, a threat to the holding 
company's ability to serve as a source of financial strength for its 
depository institution(s), or have already put the firm in an unsafe 
and unsound condition.
    Examples of issues that may result in a Deficient-2 rating 
include, but are not limited to:
     The firm is currently subject to, or expected to be 
subject to, formal enforcement action(s) by the Federal Reserve or 
another regulator tied to violations of laws and regulations that 
indicate severe deficiencies in the firm's governance and controls.
     Significant legal issues may be impeding the holding 
company's ability to act as a source of financial strength for its 
depository institution(s).
     The firm may have engaged in intentional misconduct.
     The holding company may have failed to act as a source 
of financial and/or managerial strength for its depository 
institution(s) when needed.
     The firm's internal audit function is regarded as 
ineffective.
    Definitions for the Capital Management Component Rating:
    Broadly Meets Expectations. Despite the potential existence of 
outstanding supervisory issues, the supervised insurance 
organization's capital management broadly meets supervisory 
expectations, supports maintenance of safe-and-sound operations, and 
supports the holding company's ability to serve as a source of 
financial strength for its depository institution(s). Specifically:
     The firm's current and projected capital positions on a 
consolidated basis and within each of its material business lines/
legal entities comply with regulatory requirements and support its 
ability to absorb potential losses, meet obligations, and continue 
to serve as a source of financial strength for its depository 
institution(s);
     Capital management processes are sufficient to give 
credibility to stress testing results and the firm is capable of 
producing sound assessments of capital adequacy through a range of 
stressful yet plausible conditions; and
     Potential capital fungibility issues are effectively 
mitigated, and capital contingency plans allow the holding company 
to continue to act as a source of financial strength for its 
depository institution(s) through a range of stressful yet plausible 
conditions.
    Conditionally Meets Expectations. Capital adequacy meets 
regulatory minimums, both currently and on a prospective basis. 
Supervisory issues exist but these do not threaten the holding 
company's ability to act as a source of financial strength for its 
depository institution(s) through a range of stressful yet plausible 
conditions. Specifically, if left unresolved, these issues:
     May threaten the firm's ability to produce sound 
assessments of capital adequacy through a range of stressful yet 
plausible conditions; and/or
     May result in the firm's projected capital positions 
being insufficient to absorb potential losses, comply with 
regulatory requirements, and support the holding company's ability 
to meet current and prospective obligations and continue to serve as 
a source of financial strength to its depository institution(s).
    Deficient-1. Financial or operational deficiencies in a 
supervised insurance organization's capital management put its 
prospects for remaining safe and sound through a range of plausible 
conditions at significant risk. The firm is unable to remediate 
these deficiencies in the normal course of business, and remediation 
would typically require a material change to the firm's business 
model or financial profile, or its capital management processes.
    Examples of issues that may result in a Deficient-1 rating 
include, but are not limited to:
     Capital adequacy currently meets regulatory minimums 
although there may be uncertainty regarding the firm's ability to 
continue meeting regulatory minimums.
     Fungibility concerns may exist that could challenge the 
firm's ability to contribute capital to its depository institutions 
under certain stressful yet plausible scenarios.
     Supervisory issues may exist that undermine the 
credibility of the firm's current capital adequacy and/or its stress 
testing results.
    Deficient-2. Financial or operational deficiencies in a 
supervised insurance organization's capital management present a 
threat to the firm's safety and soundness, a threat to the holding 
company's ability to serve a source of financial strength for its 
depository institution(s), or have already put the firm in an unsafe 
and unsound condition.
    Examples of issues that may result in a Deficient-2 rating 
include, but are not limited to:
     Capital adequacy may currently fail to meet regulatory 
minimums or there is significant concern that the firm will not meet 
capital adequacy minimums prospectively.
     Supervisory issues may exist that significantly 
undermine the firm's capital adequacy metrics either currently or 
prospectively.
     Significant fungibility constraints may exist that 
would prevent the holding company from contributing capital to its 
depository institution(s) and fulfilling its obligation to serve as 
a source of financial strength.
     The holding company may have failed to act as source of 
financial strength for its depository institution when needed.
    Definitions for the Liquidity Management Component Rating:
    Broadly Meets Expectations. Despite the potential existence of 
outstanding supervisory issues, the supervised insurance 
organization's liquidity management broadly meets supervisory 
expectations, supports maintenance of safe-and-sound operations, and 
supports the holding company's ability to serve as a source of 
financial strength for its depository institutions(s). The firm 
generates sufficient liquidity to meet its short-term and long-term 
obligations currently and under a range of stressful yet plausible 
conditions. The firm's liquidity management processes, including its 
liquidity contingency planning, support its obligation to act as a 
source of financial strength for its depository institution(s). 
Specifically:
     The firm is capable of producing sound assessments of 
liquidity adequacy through a range of stressful yet plausible 
conditions; and
     The firm's current and projected liquidity positions on 
a consolidated basis and within each of its material business lines/
legal entities comply with regulatory requirements and support the 
holding company's ability to meet obligations and to continue to 
serve as a source of financial strength for its depository 
institution(s).
    Conditionally Meets Expectations. Certain material financial or 
operational weaknesses in a supervised insurance organization's 
liquidity management place its prospects for remaining safe and 
sound through a range of stressful yet plausible conditions at risk 
if not resolved in a timely manner during the normal course of 
business.
    Specifically, if left unresolved, these weaknesses:
     May threaten the firm's ability to produce sound 
assessments of liquidity adequacy through a range of conditions; 
and/or
     May result in the firm's projected liquidity positions 
being insufficient to comply with regulatory requirements and 
support the firm's ability to meet current and prospective 
obligations and to continue to serve as a source of financial 
strength to its depository institution(s).
    Deficient-1. Financial or operational deficiencies in a 
supervised insurance organization's liquidity management put the 
firm's prospects for remaining safe and sound through a range of 
stressful yet plausible conditions at significant risk. The firm is 
unable to remediate these deficiencies in the normal course of 
business, and remediation would typically require a material change 
to the firm's business model or financial profile, or its liquidity 
management processes.
    Examples of issues that may result in a Deficient-1 rating 
include, but are not limited to:

[[Page 60170]]

     The firm is currently able to meet its obligations but 
there may be uncertainty regarding the firm's ability to do so 
prospectively.
     The holding company's liquidity contingency plan may be 
insufficient to support its obligation to act as a source of 
financial strength for its depository institution(s).
     Supervisory issues may exist that undermine the 
credibility of the firm's liquidity metrics and stress testing 
results.
    Deficient-2. Financial or operational deficiencies in a 
supervised insurance organization's liquidity management present a 
threat to its safety and soundness, a threat to the holding 
company's ability to serve as a source of financial strength for its 
depository institution(s), or have already put the firm in an unsafe 
and unsound condition.
    Examples of issues that may result in a Deficient-2 rating 
include, but are not limited to:
     Liquidity shortfalls may exist within the firm that 
have prevented the firm, or are expected to prevent the firm, from 
fulfilling its obligations, including the holding company's 
obligation to act as a source of financial strength for its 
depository institution(s).
     Liquidity adequacy may currently fail to meet 
regulatory minimums or there is significant concern that the firm 
will not meet liquidity adequacy minimums prospectively for at least 
one of its regulated subsidiaries.
     Supervisory issues may exist that significantly 
undermine the firm's liquidity metrics either currently or 
prospectively.
     Significant fungibility constraints may exist that 
would prevent the holding company from supporting its depository 
institution(s) and fulfilling its obligation to serve as a source of 
financial strength.
     The holding company may have failed to act as source of 
financial strength for its depository institution when needed.

C. Incorporating the Work of Other Supervisors

    Similar to the approach taken by the Federal Reserve in its 
consolidated supervision of other firms, the oversight of supervised 
insurance organizations relies to the fullest extent possible, on 
work performed by other relevant supervisors. Federal Reserve 
supervisory activities are not intended to duplicate or replace 
supervision by the firm's other regulators and Federal Reserve 
examiners typically do not specifically assess firms' compliance 
with laws outside of its jurisdiction, including state insurance 
laws. The Federal Reserve collaboratively coordinates with, 
communicates with, and leverages the work of the Office of the 
Comptroller of the Currency (OCC), Federal Deposit Insurance 
Corporation (FDIC), Securities and Exchange Commission (SEC), 
Financial Crimes Enforcement Network (FinCEN), Internal Revenue 
Service (IRS), applicable state insurance regulators, and other 
relevant supervisors to achieve its supervisory objectives and 
eliminate unnecessary burden.
    Existing statutes specifically require the Board to coordinate 
with, and to rely to the fullest extent possible on work performed 
by the state insurance regulators. The Board and all state insurance 
regulators have entered into Memorandums of Understanding (MOU) 
allowing supervisors to freely exchange information relevant for the 
effective supervision of supervised insurance organizations. Federal 
Reserve examiners take the actions below with respect to state 
insurance regulators to support accomplishing the objective of 
minimizing supervisory duplication and burden, without sacrificing 
effective oversight:
     Routine discussions (at least annually) with state 
insurance regulatory staff with greater frequency during times of 
stress;
     Discussions around the annual supervisory plan, 
including how best to leverage work performed by the state and 
potential participation by state insurance regulatory staff on 
relevant supervisory activities;
     Consideration of the opinions and work done by the 
state when scoping relevant examination activities;
     Documenting any input received from the state and 
considering the assessments of and work performed by the state for 
relevant supervisory activities;
     Sharing and discussing with the state the annual 
ratings and relevant conclusion documents from supervisory 
activities;
     Collaboratively working with the states and the NAIC on 
the development of policies that affect insurance depository 
institution holding companies; and
     Participating in supervisory colleges.
    The Federal Reserve relies on the state insurance regulators to 
participate in the activities above and to share proactively their 
supervisory opinions and relevant documents. These documents include 
the annual ORSA,\10\ the state insurance regulator's written 
assessment of the ORSA, results from its examination activities, the 
Corporate Governance Annual Disclosure, financial analysis memos, 
risk assessments, material risk determinations, material transaction 
filings (Form D), the insurance holding company system annual 
registration statement (Form B), submissions for the NAIC liquidity 
stress test framework, and other state supervisory material. If the 
Federal Reserve determines that it is necessary to perform 
supervisory activities related to aspects of the supervised 
insurance organization that also fall under the jurisdiction of the 
state insurance regulator, it will communicate the rationale and 
result of these activities to the state insurance regulator.
---------------------------------------------------------------------------

    \10\ See NAIC Own Risk and Solvency Assessment (ORSA) Guidance 
Manual (December 2017) at https://content.naic.org/sites/default/files/publication-orsa-guidance-manual.pdf.

    By order of the Board of Governors of the Federal Reserve 
System.
Ann E. Misback,
Secretary of the Board.
[FR Doc. 2022-21414 Filed 10-3-22; 8:45 am]
BILLING CODE 6210-01-P