[Federal Register Volume 87, Number 191 (Tuesday, October 4, 2022)]
[Notices]
[Pages 60160-60170]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-21414]
=======================================================================
-----------------------------------------------------------------------
FEDERAL RESERVE SYSTEM
[Docket No. OP-1765]
Framework for the Supervision of Insurance Organizations
AGENCY: Board of Governors of the Federal Reserve System (Board).
ACTION: Final guidance.
-----------------------------------------------------------------------
SUMMARY: The Board is adopting a new supervisory framework for
depository institution holding companies significantly engaged in
insurance activities, referred to as supervised insurance
organizations. The framework provides a supervisory approach that is
designed specifically to reflect the differences between banking and
insurance. Within the framework, the application of supervisory
guidance and the assignment of supervisory resources is based
explicitly on a supervised insurance organization's complexity and
individual risk profile. The framework establishes the supervisory
ratings applicable to these organizations with rating definitions that
reflect specific supervisory requirements and expectations. It also
emphasizes the Board's policy to rely to the fullest extent possible on
work done by other relevant supervisors, describing, in particular, the
way it relies on reports and other supervisory information provided by
state insurance regulators to minimize supervisory duplication.
DATES: Effective November 3, 2022.
FOR FURTHER INFORMATION CONTACT: Thomas Sullivan, Senior Associate
Director, (202) 475-7656; Lara Lylozian, Deputy Associate Director,
(202) 475-6656; Matt Walker, Manager, (202) 872-4971; Brad Roberts,
Lead Insurance Policy Analyst, (202) 452-2204; or Joan Sullivan, Senior
Insurance Policy Analyst, (202) 912-4670, Division of Supervision and
Regulation; or Dafina Stewart, Assistant General Counsel, (202) 872-
7589; Andrew Hartlage, Senior Counsel, (202) 452-6483; Christopher
Danello, Senior Attorney, (202) 736-1960; or Evan Hechtman, Senior
Attorney, (202) 263-4810, Legal Division, Board of Governors of the
Federal Reserve System, 20th and C Streets NW, Washington, DC 20551.
For users of TTY-TRS, please call 711 from any telephone, anywhere in
the United States.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Background
II. Notice of Proposed Guidance and Overview of Comments
III. Overview of Final Guidance and Modifications From the Proposal
IV. Final Guidance
A. Proportionality--Supervisory Activities and Expectations
B. Supervisory Ratings
C. Incorporating the Work of Other Supervisors
D. Additional Comments
V. Regulatory Analysis
A. Paperwork Reduction Act
Appendix A--Text of Insurance Supervisory Framework
I. Background
The Board supervises and regulates companies that control one or
more banks (bank holding companies) and companies that are not bank
holding companies that control one or more savings associations
(savings and loan holding companies, and together with bank holding
companies, depository institution holding companies). Congress gave the
Board regulatory and supervisory authority for bank holding companies
through the enactment of the Bank Holding Company Act of 1956 (BHC
Act).\1\ The Board's regulation and supervision of savings and loan
holding companies began in 2011 when provisions of the Dodd-Frank Wall
Street Reform and Consumer Protection Act (Dodd-Frank Act) \2\
transferring supervision and regulation of savings and loan holding
companies from the Office of Thrift Supervision to the Board took
effect.\3\ Upon this transfer, the Board became the federal supervisory
agency for all depository institution holding companies, including a
portfolio of firms significantly engaged in insurance activities
(supervised insurance organizations).\4\
---------------------------------------------------------------------------
\1\ Ch. 240, 70 Stat. 133.
\2\ Public Law 111-203, 124 Stat. 1376 (2010).
\3\ Dodd-Frank Act tit. III, 124 Stat. at 1520-70.
\4\ Although currently all supervised insurance organizations
are savings and loan holding companies, the proposed framework would
apply to any depository institution holding company that meets the
criteria of a supervised insurance organization.
---------------------------------------------------------------------------
The Board has a long-standing policy of supervising holding
companies on a consolidated basis. Consolidated supervision encompasses
all legal entities within a holding company
[[Page 60161]]
structure and supports an understanding of the organization's complete
risk profile and its ability to address financial, managerial,
operational, or other deficiencies before they pose a danger to its
subsidiary depository institution(s). The Board's current supervisory
approach for noninsurance depository institution holding companies
assesses holding companies whose primary risks are largely related to
the business of banking. The risks arising from insurance activities,
however, are materially different from traditional banking risks. The
top-tier holding company for some supervised insurance organizations is
an insurance underwriting company, which is subject to supervision and
regulation by the relevant state insurance regulator as well as
consolidated supervision from the Board; for all supervised insurance
organizations, the state insurance regulators supervise and regulate
the business of insurance underwriting companies. Additionally, instead
of producing consolidated financial statements based on generally
accepted accounting principles, many of these firms only produce legal
entity financial statements based on Statutory Accounting Principles
(SAP) established by states through the National Association of
Insurance Commissioners (NAIC).
The Board has recognized these differences in its supervision and
regulation of supervised insurance organizations. For example, in 2013,
when the Board made significant revisions to its regulatory capital
framework, the Board determined not to apply it to this group of
companies, stating that it would ``explore further whether and how the
proposed rule should be modified for these companies in a manner
consistent with section 171 of the Dodd-Frank Act and safety and
soundness concerns.'' \5\ In 2019, the Board invited comment on a
proposal to establish a risk-based capital framework designed
specifically for supervised insurance organizations, termed the
Building Block Approach, that would adjust and aggregate existing legal
entity capital requirements to determine an enterprise-wide capital
requirement.\6\ In addition, in 2018, the Board did not apply to these
firms the supervisory rating systems applicable to other depository
institution holding companies.\7\ The insurance supervisory framework
represents a significant step in the continuation of the Board's
tailored approach to supervision and regulation for supervised
insurance organizations.
---------------------------------------------------------------------------
\5\ 78 FR 62017, 62027 (October 11, 2013).
\6\ 84 FR 57240 (October 24, 2019).
\7\ See 83 FR 58724 (November 21, 2018); 83 FR 56081 (November
9, 2018).
---------------------------------------------------------------------------
II. Notice of Proposed Guidance and Overview of Comments
On February 4, 2022, the Board invited public comment on a proposed
framework for the supervision of insurance organizations (proposal).\8\
The proposal would have established a transparent framework for
consolidated supervision of supervised insurance organizations. A
depository institution holding company would have been considered a
supervised insurance organization if it were an insurance underwriting
company or if over 25 percent of its consolidated assets were held by
insurance underwriting subsidiaries. The proposed framework would have
consisted of a risk-based approach to establishing supervisory
expectations, assigning supervisory resources, and conducting
supervisory activities; a supervisory rating system; and a description
of how examiners would work with state insurance regulators to limit
the burden associated with supervisory duplication.
---------------------------------------------------------------------------
\8\ 87 FR 6537 (February 4, 2022).
---------------------------------------------------------------------------
The comment period on the proposal closed on May 5, 2022.\9\ The
Board received four comments on the proposal. In addition,
representatives of the Federal Reserve met with stakeholders and
obtained supplementary information from certain commenters. Commenters
generally supported the proposal. However, commenters also requested
additional clarity on certain aspects of the proposal and provided
suggestions on potential changes.
---------------------------------------------------------------------------
\9\ The comment period on the proposal was extended by the
Board. See 87 FR 17089 (March 25, 2022).
---------------------------------------------------------------------------
III. Overview of Final Guidance and Modifications From the Proposal
The final insurance supervisory framework adopts the core elements
of the proposal with certain modifications to address comments
received. Consistent with the proposal, the final framework consists of
a risk-based approach to establishing supervisory expectations,
assigning supervisory resources, and conducting supervisory activities;
applies tailored supervisory ratings; and describes how Federal Reserve
examiners will rely to the fullest extent possible on the work of state
insurance regulators to limit supervisory duplication. The final
guidance has been modified from the proposal to include additional
clarity in various sections, including with respect to the complexity
classification and applicable guidance. The final guidance also
includes additional references to incorporating the work performed by
state insurance regulators and allows for noncomplex supervised
insurance organizations to be rated up to every other year.
IV. Final Guidance
A. Proportionality--Supervisory Activities and Expectations
Risk Profile, Complexity Classification, Risk Assessment
In the proposal, the terms ``risk profile,'' ``complexity
classification,'' and ``risk assessment'' would have been used to
describe the Board's approach to aligning its supervision with the risk
of a firm. Under the proposal, an organization's risk profile would
have depended on its products, investments, and strategy and would have
been assessed independent of supervisory opinions or approach. The
complexity classification would have been the Federal Reserve's
preliminary view of the organization's risk profile and would have been
used primarily to determine the level of supervisory resources needed
to effectively supervise an organization. A supervised insurance
organization would have been classified as either complex or noncomplex
when the organization initially became subject to Federal Reserve
supervision and only re-classified if the organization's risk profile
significantly changed (typically the result of a major acquisition or
divestiture). The risk assessment would have been an exercise typically
completed annually by Federal Reserve examiners to support a discussion
of the organization's material risks, ensuring that supervisory
activities planned for the following year were risk-focused and did not
duplicate work done by other regulators. Commenters requested clarity
on the differences between these three terms as used in the proposal.
The final guidance maintains these terms and their intended
definitions, but the text has been adjusted to clarify how they will be
used.
Complexity Classification
Under the proposal, supervised insurance organizations would have
been classified as either complex or noncomplex based on a list of
characteristics. The complexity classification would have been the
initial driver for the assignment of supervisory resources, with
complex supervised insurance organizations being assigned a dedicated
supervisory
[[Page 60162]]
team. The complexity classification would have also been a driver for
the application of supervisory guidance. Organizations with over $100
billion of consolidated depository institution assets or that are
designated as an internationally active insurance group (IAIG) would
have automatically been classified as complex. Commenters requested
additional transparency regarding the factors considered when making
the complexity classification and suggested additional factors for
consideration, such as the source of funding for non-insurance
operations. Commenters also suggested removing the $100 billion
consolidated depository institution asset threshold, removing the
automatic complex classification for IAIGs in exchange for a
materiality view of international exposure, attaching specific weights
to the factors listed in the proposal, and providing organizations the
opportunity to appeal or request a review of the complexity
classification.
To ensure that organizations with similar sized banking operations
are supervised consistently by the Federal Reserve, the final guidance
retains the $100 billion consolidated depository institution asset
threshold as proposed. The automatic complex classification proposed
for IAIGs has been removed from the final guidance and instead the
materiality of an insurance organization's international operations
will be considered as part of the complexity classification decision.
While weights were not added to the factors in order to preserve the
flexibility needed to properly classify organizations of differing
business and risk profiles, the factors in the final guidance are
sequenced in order of expected relative priority. The Board believes
that these factors are broad enough to cover the additional factors
suggested by commenters. In response to the comments, and to promote
transparency, the complexity classification work program used to
support the complexity classification decision made by the Board will
be published on the Board's website. The work program provides
additional clarity regarding the information leveraged to make the
complexity classification and several of the factors suggested by
commenters are included in the work program as questions related to a
listed factor. The final guidance also clarifies that an organization
can request a review of its complexity classification if it has
experienced a significant change to its risk profile.
Supervisory Activities
Under the proposal, supervisory activities would have focused on
material risks to the consolidated organization and leveraged the work
performed by the firm's functional regulators. Additionally, under the
proposal, ratings examinations would have been performed annually for
all supervised insurance organizations, including those classified as
noncomplex. Commenters requested that supervisory activities focus on
material risks not subject to oversight by other regulators and that,
where appropriate, Federal Reserve examiners coordinate the timing and
scope of supervisory activities with other regulators to avoid
duplication. Specifically for noncomplex supervised insurance
organizations, commenters requested that Federal Reserve examiners
align periodic rating examinations with the frequency used by other
regulators and limit the frequency of examinations to every other year,
as described in SR letter 13-21,\10\ ``Inspection Frequency and Scope
Requirements for Bank Holding Companies and Savings and Loan Holding
Companies with Total Consolidated Assets of $10 Billion or Less.''
---------------------------------------------------------------------------
\10\ See SR letter 13-21, ``Inspection Frequency and Scope
Requirements for Bank Holding Companies and Savings and Loan Holding
Companies with Total Consolidated Assets of $10 Billion or Less.''
---------------------------------------------------------------------------
The final guidance emphasizes that supervisory activities focus
primarily on material risks that could impede the organization's
ability to act as a source of strength for its depository
institution(s). Supervisory activities are also used to develop a
better understanding of an organization's business and risk profile and
to monitor the safety and soundness of the organization, including its
adherence to applicable laws and regulations. As the consolidated
supervisor, it is important for Federal Reserve examiners to understand
all material risks to the organization. Federal Reserve examiners work
closely with other regulators to promote knowledge sharing and to
avoid, to the greatest extent possible, supervisory duplication. This
includes discussing annual supervisory plans and coordinating the
timing of supervisory activities. Under the final guidance, noncomplex
supervised insurance organizations may be rated every other year,
depending on the organization's risk profile.
Supervisory Expectations
Under the proposal, the requirement that supervised insurance
organizations comply with all applicable laws and regulations, operate
in a safe-and-sound manner, and act as a source of strength for their
depository institution(s) would have been emphasized. Expectations
within supervisory guidance published by the Board related to specific
firm practices would have been tailored to reflect the firm's business
and risk profile. Commenters were supportive of this tailoring and
requested that the framework explicitly allow for supervisory
expectations to differ by business line. Commenters also requested
clarity regarding the applicability of SR letter 12-17,\11\
``Consolidated Supervision Framework for Large Financial Institutions''
to supervised insurance organizations.
---------------------------------------------------------------------------
\11\ See SR letter 12-17, ``Consolidated Supervision Framework
for Large Financial Institutions.''
---------------------------------------------------------------------------
Supervisory guidance issued by the Board often provides examples of
practices that the Board generally considers consistent with safety-
and-soundness standards. Most guidance issued by the Board provides
examples specific to banking operations. The final guidance
communicates that other practices used by supervised insurance
organizations for their other business lines, including for insurance
operations, may be different without being considered unsafe or
unsound. When making an assessment of whether a different practice is
unsafe or unsound, Federal Reserve examiners will work with supervised
insurance organizations and their functional regulators, including
state insurance regulators. The final guidance clarifies that it
supersedes SR letter 12-17 for supervised insurance organizations.
One commenter also requested the Board provide additional clarity
on supervisory expectations by continually updating the list of
applicable guidance found in SR letter 14-9,\12\ ``Incorporation of
Federal Reserve Policies into the Savings and Loan Holding Company
Supervision Program.'' SR letter 14-9 was issued after supervisory
authority for savings and loan holding companies was transferred from
the Office of Thrift Supervision to the Board in order to clarify the
applicability of guidance issued before the transfer. Guidance issued
since the transfer has expressly stated its applicability to savings
and loan holding companies, and this practice will continue.
Accordingly, the Board does not intend to continually update SR letter
14-9 in this way.
---------------------------------------------------------------------------
\12\ See SR letter 14-9, ``Incorporation of Federal Reserve
Policies into the Savings and Loan Holding Company Supervision
Program.''
---------------------------------------------------------------------------
[[Page 60163]]
B. Supervisory Ratings
Under the proposal, supervised insurance organizations would have
been assigned supervisory ratings in each of three components: Capital
Management, Liquidity Management, and Governance and Controls. The
ratings would have been Broadly Meets Expectations, Conditionally Meets
Expectations, Deficient-1, and Deficient-2. The definitions for the
ratings would have been designed for supervised insurance organizations
with particular emphasis on the obligation that the firms operate in a
safe and sound manner and serve as a source of financial and managerial
strength for their depository institution(s). Under the proposal,
examples would have been included in the definitions for the Deficient-
1 and Deficient-2 ratings for the Governance and Controls component
that included being subject to informal or formal enforcement action by
the Federal Reserve or another regulator. Commenters indicated that
state insurance and other regulators may have different thresholds for
enforcement actions and that the materiality of enforcement actions
should be of more importance than the existence of an enforcement
action. The final guidance qualifies the example provided by referring
to enforcement actions tied to violations of laws and regulations that
indicate severe deficiencies in the firm's governance and controls.
C. Incorporating the Work of Other Supervisors
Consistent with statutory requirements, under the proposal, Federal
Reserve examiners would have relied to the fullest extent possible on
the work performed by the firm's functional regulators, including state
insurance regulators. This would have included coordinating with state
insurance regulators before commencing certain supervisory activities,
meeting periodically with state insurance regulators, and reviewing
specific reports required of supervised insurance organizations from
state insurance regulators. Commenters requested additional clarity
regarding how Federal Reserve examiners would rely on the work of
functional regulators and offered specific recommendations on ways to
improve this reliance to avoid supervisory duplication. In response to
these comments, the final guidance includes additional references to
the importance of incorporating the work of other supervisors in the
sections on proportionality and ratings. The final guidance also
incorporates several of the suggested changes, including additional
reports from the state insurance regulators that should be reviewed by
Federal Reserve examiners.
D. Additional Comments
Regulatory Reporting
Under the proposal, there would have been no changes to regulatory
reporting required by the Federal Reserve from supervised insurance
organizations. Given the extensive subsidiary reporting required by
state insurance regulators and to avoid duplication, commenters
requested that supervised insurance organizations not be required to
report on the FR Y-6 or submit FR Y-10, FR Y-11, or FR 2314 reports for
passive real estate and other investments held by insurance
underwriting companies. The proposal did not contemplate any changes to
regulatory reporting requirements, and the Board is not making any such
changes at this time. The Board will, however, consider incorporating
these suggestions in future revisions of these reporting forms.
Adjustments To Accommodate Different Charter Types
Under the proposal, the framework would have included references to
regulations applicable only to certain depository institution holding
company charter types (savings and loan holding companies). The
guidance is designed to apply to all organizations supervised by the
Federal Reserve that meet the definition of a supervised insurance
organization. Text included in the proposal applicable only to savings
and loan holding companies has been removed from the final guidance.
V. Regulatory Analysis
A. Paperwork Reduction Act
There is no collection of information required by this notice that
would be subject to the Paperwork Reduction Act of 1995, 44 U.S.C. 3501
et seq.
This Appendix A will not publish in the CFR.
Appendix A--Text of Insurance Supervisory Framework
Framework for the Supervision of Insurance Organizations
This framework describes the Federal Reserve's approach to
consolidated supervision of supervised insurance organizations.\1\
The framework is designed specifically to account for the unique
risks and business profiles of these firms resulting mainly from
their insurance business. The framework consists of a risk-based
approach to establishing supervisory expectations, assigning
supervisory resources, and conducting supervisory activities; a
supervisory rating system; and a description of how Federal Reserve
examiners work with the state insurance regulators to limit
supervisory duplication.
---------------------------------------------------------------------------
\1\ In this framework, a ``supervised insurance organization''
is a depository institution holding company that is an insurance
underwriting company, or that has over 25 percent of its
consolidated assets held by insurance underwriting subsidiaries, or
has been otherwise designated as a supervised insurance organization
by Federal Reserve staff.
---------------------------------------------------------------------------
A. Proportionality--Supervisory Activities and Expectations
Consistent with the Federal Reserve's approach to risk-based
supervision, supervisory guidance is applied, and supervisory
activities are conducted, in a manner that is proportionate to each
firm's individual risk profile. This begins by classifying each
supervised insurance organization either as complex or noncomplex
based on its risk profile and continues with a risk-based
application of supervisory guidance and supervisory activities
driven by a periodic risk assessment. The risk assessment drives
planned supervisory activities and is communicated to the firm along
with the supervisory plan for the upcoming cycle. Supervisory
activities are focused on resolving supervisory knowledge gaps,
monitoring the safety and soundness of the firm, assessing the
firm's management of risks that could potentially impact its ability
to act as a source of managerial and financial strength for its
depository institution(s), and monitoring for potential systemic
risk, if relevant.
A. Complexity Classification and Supervised Activities
The Federal Reserve classifies each supervised insurance
organization as either complex or noncomplex based on its risk
profile. The classification serves as the basis for determining the
level of supervisory resources dedicated to each firm, as well as
the frequency and intensity of supervisory activities.
Complex
Complex firms have a higher level of risk and therefore require
more supervisory attention and resources. Federal Reserve dedicated
supervisory teams are assigned to execute approved supervisory plans
led by a dedicated Central Point of Contact. The activities listed
in the supervisory plans focus on understanding any risks that could
threaten the safety and soundness of the consolidated organization
or a firm's ability to act as a source of strength for its
subsidiary depository institution(s). These activities typically
include continuous monitoring, targeted topical examinations,
coordinated reviews, and an annual roll-up assessment resulting in
ratings for the three rating components. The relevance of certain
supervisory guidance may vary among complex firms based on each
firm's risk profile. Supervisory guidance targeted at smaller
depository institution holding companies, for example, may be more
[[Page 60164]]
relevant for complex supervised insurance organizations with limited
inherent exposure to a certain risk.
Noncomplex
Noncomplex firms, due to their lower risk profile, require less
supervisory oversight relative to complex firms. The supervisory
activities for these firms occur primarily during a rating
examination that occurs no less often than every other year and
results in the three component ratings. The supervision of
noncomplex firms relies more heavily on the reports and assessments
of a firm's other relevant supervisors, although these firms may
also be subject to continuous monitoring, targeted topical
examinations, and coordinated reviews as appropriate. The focus and
types of supervisory activities for noncomplex firms are also set
based on the risks of each firm.
Factors considered when classifying a supervised insurance
organization as either complex or noncomplex include the absolute
and relative size of its depository institution(s), its current
supervisory and regulatory oversight (ratings and opinions of its
supervisors, and the nature and extent of any unregulated and/or
unsupervised activities), the breadth and nature of product and
portfolio risks, the nature of its organizational structure, its
quality and level of capital and liquidity, the materiality of any
international exposure, and its interconnectedness with the broader
financial system.
For supervised insurance organizations that are commencing
Federal Reserve supervision, the classification as complex or
noncomplex is done and communicated during the application phase
after initial discussions with the firm. The firm's risk profile,
including the characteristics listed above, are evaluated by staff
of the Board and relevant Reserve Bank before the complexity
classification is assigned by Board staff. Large, well-established,
and financially strong supervised insurance organizations with
relatively small depository institutions can be classified as
noncomplex if, in the opinion of Board staff, the corresponding
level of supervisory oversight is sufficient to accomplish its
objectives. Although the risk profile is the primary basis for
assigning a classification, a firm is automatically classified as
complex if its depository institution's average assets exceed $100
billion. A firm may request that the Federal Reserve review its
complexity classification if it has experienced a significant change
to its risk profile.
The focus, frequency, and intensity of supervisory activities
are based on a risk assessment of the firm completed periodically by
the supervisory team and will vary among firms within the same
complexity classification. For each risk described in the
Supervisory Expectations section below, the supervisory team
assesses the firm's inherent risks and its residual risk after
considering the effectiveness of its management of the risk. The
risk assessment and the supervisory activities that follow from it
take into account the assessments made by and work performed by the
firm's other regulators. In certain instances, Federal Reserve
examiners may be able to rely on a firm's internal audit (if it is
rated effective) or internal control functions in developing the
risk assessment.
B. Supervisory Expectations
Supervised insurance organizations are required to operate in a
safe and sound manner, to comply with all applicable laws and
regulations, and to possess sufficient financial and operational
strength to serve as a source of strength for their depository
institution(s) through a range of stressful yet plausible
conditions. The governance and risk management practices necessary
to accomplish these objectives will vary based on a firm's specific
risk profile, size, and complexity. Guidance describing supervisory
expectations for safe and sound practices can be found in
Supervision & Regulation (SR) letters published by the Board and
other supervisory material. Supervisory guidance most relevant to a
specific supervised insurance organization is driven by the risk
profile of the firm. Federal Reserve examiners periodically reassess
the firm's risk profile and inform the firm if different supervisory
guidance becomes more relevant as a result of a material change to
its risk profile.
Most supervisory guidance issued by the Board is intended
specifically for institutions that are primarily engaged in banking
activities. Examples of specific practices provided in these
materials may differ from (or not be applicable to) the nonbanking
operations of supervised insurance organizations, including for
insurance operations. The Board recognizes that practices in
nonbanking business lines can be different than those published in
supervisory guidance without being considered unsafe or unsound.
When making their assessment, Federal Reserve examiners work with
supervised insurance organizations and other involved regulators,
including state insurance regulators, to appropriately assess
practices that may be different than those typically observed for
banking operations.
This section describes general safety and soundness expectations
and how the Board has adapted its supervisory expectations to
reflect the special characteristics of a supervised insurance
organization. The section is organized using the three rating
components--Governance and Controls, Capital Management, and
Liquidity Management.
Governance and Controls
The Governance and Controls component rating is derived from an
assessment of the effectiveness of a firm's (1) board and senior
management, and (2) independent risk management and controls. All
firms are expected to align their strategic business objectives with
their risk appetite and risk management capabilities; maintain
effective and independent risk management and control functions
including internal audit; promote compliance with laws and
regulations; and remain a source of financial and managerial
strength for their depository institution(s). When assessing
governance and controls, Federal Reserve examiners consider a firm's
risk management capabilities relative to its risk exposure within
the following areas: internal audit, credit risk, legal and
compliance risk, market risk, model risk, and operational risk,
including cybersecurity/information technology and third-party risk.
Governance & Controls expectations:
Despite differences in their business models and the
products offered, insurance companies and banks are expected to have
effective and sustainable systems of governance and controls to
manage their respective risks. The governance and controls framework
for a supervised insurance organization should:
[cir] Clearly define roles and responsibilities throughout the
organization;
[cir] Include policies and procedures, limits, requirements for
documenting decisions, and decision-making and accountability chains
of command; and
[cir] Provide timely information about risk and corrective
action for non-compliance or weak oversight, controls, and
management.
The Board expects the sophistication of the governance
and controls framework to be commensurate with the size, complexity,
and risk profile of the firm. As such, governance and controls
expectations for complex firms will be higher than that for
noncomplex firms but will also vary based on each firm's risk
profile.
The Board expects supervised insurance organizations to
have a risk management and control framework that is commensurate
with its structure, risk profile, complexity, activities, and size.
For any chosen structure, the firm's board is expected to have the
capacity, expertise, and sufficient information to discharge risk
oversight and governance responsibilities in a safe and sound
manner.
In assigning a rating for the Governance and Controls component,
Federal Reserve examiners evaluate:
Board and Senior Management Effectiveness
The firm's board is expected to exhibit certain
attributes consistent with effectiveness, including: (i) setting a
clear, aligned, and consistent direction regarding the firm's
strategy and risk appetite; (ii) directing senior management
regarding board reporting; (iii) overseeing and holding senior
management accountable; (iv) supporting the independence and stature
of independent risk management and internal audit; and (v)
maintaining a capable board and an effective governance structure.
As the consolidated supervisor, the Board focuses on the board of
the supervised insurance organization and its committees. Complex
firms are expected to take into consideration the Board's guidance
on board of directors' effectiveness.\2\ In assessing the
effectiveness of a firm's senior management, Federal Reserve
examiners consider the extent to which senior management effectively
and prudently manages the day-to-day operations of the firm and
provides for ongoing resiliency; implements the firm's strategy and
risk appetite; identifies and manages risks; maintains an effective
risk management framework and system of internal controls; and
promotes prudent risk taking behaviors and business practices,
including compliance
[[Page 60165]]
with laws and regulations such as those related to consumer
protection and the Bank Secrecy Act/Anti-Money Laundering and Office
of Foreign Assets Control (BSA/AML and OFAC). Federal Reserve
examiners evaluate how the framework allows management to be
responsible for and manage all risk types, including emerging risks,
within the business lines. Examiners rely to the fullest extent
possible on insurance and banking supervisors' examination reports
and information concerning risk and management in specific lines of
business, including relying specifically on state insurance
regulators to evaluate and assess how firms manage the pricing,
underwriting, and reserving risk of their insurance operations.
---------------------------------------------------------------------------
\2\ See SR letter 21-3, ``Supervisory Guidance on Board of
Directors' Effectiveness.''
---------------------------------------------------------------------------
Independent Risk Management and Controls
In assessing a firm's independent risk management and
controls, Federal Reserve examiners consider the extent to which
independent risk management effectively evaluates whether the firm's
risk appetite framework identifies and measures all of the firm's
material risks; establishes appropriate risk limits; and aggregates,
assesses and reports on the firm's risk profile and positions.
Additionally, the firm is expected to demonstrate that its internal
controls are appropriate and tested for effectiveness and
sustainability.
Internal Audit is an integral part of a supervised
insurance organization's internal control system and risk management
structure. An effective internal audit function plays an essential
role by providing an independent risk assessment and objective
evaluation of all key governance, risk management, and internal
control processes. Internal audit is expected to effectively and
independently assess the firm's risk management framework and
internal control systems, and report findings to senior management
and to the firm's audit committee. Despite differences in business
models, the Board expects the largest, most complex supervised
insurance organizations to have internal audit practices in place
that are similar to those at banking organizations and as such, no
modification to existing guidance is required for these firms.\3\ At
the same time, the Board recognizes that firms should have an
internal audit function that is appropriate to their size, nature,
and scope of activities. Therefore, for noncomplex firms, Federal
Reserve examiners will consider the expectations in the insurance
company's domicile state's Annual Financial Reporting Regulation
(NAIC Model Audit Rule 205), or similar state regulation, to assess
the effectiveness of a firm's internal audit function.
---------------------------------------------------------------------------
\3\ Regulatory guidance provided in SR letter 03-5, ``Amended
Interagency Guidance on the Internal Audit Function and its
Outsourcing'' and SR letter 13-1, ``Supplemental Policy Statement on
the Internal Audit Function and Its Outsourcing'' are applicable to
complex supervised insurance organizations.
---------------------------------------------------------------------------
The principles of sound risk management described in the
previous sections apply to the entire spectrum of risk management
activities of a supervised insurance organization, including but not
limited to:
Credit risk arises from the possibility that a borrower
or counterparty will fail to perform on an obligation. Fixed income
securities, by far the largest asset class held by many insurance
companies, is a large source of credit risk. This is unlike most
banking organizations, where loans generally make up the largest
portion of balance sheet assets. Life insurer investment portfolios
in particular are generally characterized by longer duration
holdings compared to those of banking organizations. Additionally,
an insurance company's reinsurance recoverables/receivables arising
from the use of third-party reinsurance and participation in
regulatory required risk-pooling arrangements expose the firm to
additional counterparty credit risk. Federal Reserve examiners scope
examination work based on a firm's level of inherent credit risk.
The level of inherent risk is determined by analyzing the
composition, concentration, and quality of the consolidated
investment portfolio; the level of a firm's reinsurance
recoverables, the credit quality of the individual reinsurers, and
the amount of collateral held for reinsured risks; and credit
exposures associated with derivatives, securities lending, or other
activities that may also have off-balance sheet counterparty credit
exposures. In determining the effectiveness of a firm's management
of its credit risk, Federal Reserve examiners rely, where possible,
on the assessments made by other relevant supervisors for the
depository institution(s) and the insurance company(ies). In its own
assessment, the Federal Reserve will determine whether the board and
senior management have established an appropriate credit risk
governance framework consistent with the firm's risk appetite;
whether policies, procedures and limits are adequate and provide for
ongoing monitoring, reporting and control of credit risk; the
adequacy of management information systems as it relates to credit
risk; and the sufficiency of internal audit and independent review
coverage of credit risk exposure.
Market risk arises from exposures to losses as a result
of underlying changes in, for example, interest rates, equity
prices, foreign exchange rates, commodity prices, or real estate
prices. Federal Reserve examiners scope examination work based on a
firm's level of inherent market risk exposure, which is normally
driven by the primary business line(s) in which the firm is engaged
as well as the structure of the investment portfolio. A firm may be
exposed to inherent market risk due to its investment portfolio or
as result of its product offerings, including variable and indexed
life insurance and annuity products, or asset/wealth management
business. While interest rate risk (IRR), a category of market risk,
differs between insurance companies and banking organizations, the
degree of IRR also differs based on the type of insurance products
the firm offers. IRR is generally a small risk for U.S. property/
casualty (P/C) whereas it can be a significant risk factor for life
insurers with certain life and annuity products that are spread-
based, longer in duration, may include embedded product guarantees,
and can pose disintermediation risk. Equity market risk can be
significant for life insurers that issue guarantees tied to equity
markets, like variable annuity living benefits, and for P/C insurers
with large common equity allocations in their investment portfolios.
Generally foreign exchange and commodity risk is low for supervised
insurance organizations but could be material for some complex
firms. Firms are expected to have sound risk management
infrastructure that adequately identifies, measures, monitors, and
controls any material or significant forms of market risks to which
it is exposed.
Model risk is the potential for adverse consequences
from decisions based on incorrect or misused model outputs and
reports. Model risk can lead to financial loss, poor business and
strategic decision-making, or damage to a firm's reputation.
Supervised insurance organizations are often heavily reliant on
models for product pricing and reserving, risk and capital
management, strategic planning and other decision-making purposes. A
sound model risk management framework helps manage this risk.\4\
Federal Reserve examiners take into account the firm's size, nature,
and complexity, as well as the extent of use and sophistication of
its models when assessing its model risk management program.
Examiners focus on the governance framework, policies and controls,
and enterprise model risk management through a holistic evaluation
of the firm's practices. The Federal Reserve's review of a firm's
model risk management program complements the work of the firm's
other relevant supervisors. A sound model risk management framework
includes three main elements: (1) an accurate model inventory and an
appropriate approach to model development, implementation, and use;
(2) effective model validation and continuous model performance
monitoring; and (3) a strong governance framework that provides
explicit support and structure for model risk management through
policies defining relevant activities, procedures that implement
those policies, allocation of resources, and mechanisms for
evaluating whether policies and procedures are being carried out as
specified, including internal audit review. The Federal Reserve
relies on work already conducted by other relevant supervisors and
appropriately collaborates with state insurance regulators on their
findings related to insurance models. With respect to insurance
models, the Federal Reserve recognizes the important role played by
actuaries as described in actuarial standards of practice on model
risk management. With respect to the business of insurance, Federal
Reserve examiners focus on the firm's adherence to its own policies
and procedures and the comprehensiveness of model validation rather
than technical specifications such as the appropriateness of the
model, its assumptions, or output. Federal Reserve examiners may
request that firms provide model documentation or model validation
reports for insurance and bank models when performing transaction
testing.
---------------------------------------------------------------------------
\4\ SR letter 11-7, ``Guidance on Model Risk Management'' is
applicable to all supervised insurance organizations.
---------------------------------------------------------------------------
Legal risk arises from the potential that unenforceable
contracts, lawsuits, or adverse
[[Page 60166]]
judgments can disrupt or otherwise negatively affect the operations
or financial condition of a supervised insurance organization.
Compliance risk is the risk of regulatory sanctions,
fines, penalties, or losses resulting from failure to comply with
laws, rules, regulations, or other supervisory requirements
applicable to a firm. By offering multiple financial service
products that may include insurance, annuity, banking, services
provided by securities broker-dealers, and asset and wealth
management products, provided through a diverse distribution
network, supervised insurance organizations are inherently exposed
to a significant amount of legal and compliance risk. As the
consolidated supervisor, the Board expects firms to have an
enterprise-wide legal and compliance risk management program that
covers all business lines, legal entities, and jurisdictions of
operation. Firms are expected to have compliance risk management
governance, oversight, monitoring, testing, and reporting
commensurate with their size and complexity, and to ensure
compliance with all applicable laws and regulations. The principles-
based guidance in existing SR letters related to legal and
compliance risk is applicable to supervised insurance
organizations.\5\ For both complex and noncomplex firms, Federal
Reserve examiners rely on the work of the firm's other supervisors.
As described in section C, Incorporating the Work of Other
Supervisors, the assessments, examination results, ratings,
supervisory issues, and enforcement actions from other supervisors
will be incorporated into a consolidated assessment of the
enterprise-wide legal and compliance risk management framework.
---------------------------------------------------------------------------
\5\ SR letter 08-8, ``Compliance Risk Management Programs and
Oversight at Large Banking Organizations with Complex Compliance
Profiles'' is applicable to complex supervised insurance
organizations. For noncomplex firms, the Federal Reserve will assess
legal and compliance risk management based on the guidance in SR
letter 16-11, ``Supervisory Guidance for Assessing Risk Management
at Supervised Institutions with Total Consolidated Assets Less than
$100 Billion.''
---------------------------------------------------------------------------
[cir] Money laundering, terrorist financing and other illicit
financial activity risk is the risk of providing criminals access to
the legitimate financial system and thereby being used to facilitate
financial crime. This financial crime includes laundering criminal
proceeds, financing terrorism, and conducting other illegal
activities. Money laundering and terrorist financing risk is
associated with a financial institution's products, services,
customers, and geographic locations. This and other illicit
financial activity risks can impact a firm across business lines,
legal entities, and jurisdictions. A reasonably designed compliance
program generally includes a structure and oversight that mitigates
these risks and supports regulatory compliance with both BSA/AML
OFAC requirements. Although OFAC regulations are not part of the
BSA, OFAC compliance programs are frequently assessed in conjunction
with BSA/AML. Supervised insurance organizations are not defined as
financial institutions under the BSA and, therefore, are not
required to have an AML program, unless the firm is directly selling
certain insurance products. However, certain subsidiaries and
affiliates of supervised insurance organizations, such as insurance
companies and banks, are defined as financial institutions under 31
U.S.C. 5312(a)(2) and must develop and implement a written BSA/AML
compliance program as well as comply with other BSA regulatory
requirements. Unlike banks, insurance companies' BSA/AML obligations
are limited to certain products, referred to as covered insurance
products.\6\ The volume of covered products, which the Financial
Crimes Enforcement Network (FinCEN) has determined to be of higher
risk, is an important driver of supervisory focus. In addition, as
U.S. persons, all supervised insurance organizations (including
their subsidiaries and affiliates) are subject to OFAC regulations.
Federal Reserve examiners assess all material risks that each firm
faces, extending to whether business activities across the
consolidated organization, including within its individual
subsidiaries or affiliates, comply with the legal requirements of
BSA and OFAC regulations. In keeping with the principles of a risk-
based framework and proportionality, Federal Reserve supervision for
BSA/AML and OFAC primarily focuses on oversight of compliance
programs at a consolidated level and relies on work by other
relevant supervisors to the fullest extent possible. In the
evaluation of a firm's risks and BSA/AML and OFAC compliance
program, however, it may be necessary for examiners to review
compliance with BSA/AML and OFAC requirements at individual
subsidiaries or affiliates in order to fully assess the material
risks of the supervised insurance organization.
---------------------------------------------------------------------------
\6\ ``Covered products'' means: a permanent life insurance
policy, other than a group life insurance policy; an annuity
contract, other than a group annuity contract; or any other
insurance product with features of cash value or investment. 31 CFR
1025.100(b). ``Permanent life insurance policy'' means an agreement
that contains a cash value or investment element and that obligates
the insurer to indemnify or to confer a benefit upon the insured or
beneficiary to the agreement contingent upon the death of the
insured. 31 CFR 1025.100(h). ``Annuity contract'' means any
agreement between the insurer and the contract owner whereby the
insurer promises to pay out a fixed or variable income stream for a
period of time. 31 CFR 1025.100(a).
---------------------------------------------------------------------------
Operational risk is the risk of loss resulting from
inadequate or failed internal processes, people, and systems, or
from external events. Operational resilience is the ability to
maintain operations, including critical operations and core business
lines, through a disruption from any hazard. It is the outcome of
effective operational risk management combined with sufficient
financial and operational resources to prepare, adapt, withstand,
and recover from disruptions. A firm that operates in a safe and
sound manner is able to identify threats, respond and adapt to
incidents, and recover and learn from such threats and incidents so
that it can prioritize and maintain critical operations and core
business lines, along with other operations, services and functions
identified by the firm, through a disruption.
[cir] Cybersecurity/information technology risks are a subset of
operational risk and arise from operations of a firm requiring a
strong and robust internal control system and risk management
oversight structure. Information Technology (IT) and Cybersecurity
(Cyber) functions are especially critical to a firm's operations.
Examiners of financial institutions, including supervised insurance
organizations, utilize the detailed guidance on mitigating these
risks in the Federal Financial Institutions Examination Council's
(FFIEC) IT Handbooks. In assessing IT/Cyber risks, Federal Reserve
examiners assess each firm's:
[ssquf] Board and senior management for effective oversight and
support of IT management;
[ssquf] Information/cyber security program for strong board and
senior management support, integration of security activities and
controls through business processes, and establishment of clear
accountability for security responsibilities;
[ssquf] IT operations for sufficient personnel, system capacity
and availability, and storage capacity adequacy to achieve strategic
objectives and appropriate solutions;
[ssquf] Development and acquisition processes' ability to
identify, acquire, develop, install, and maintain effective IT to
support business operations; and
[ssquf] Appropriate business continuity management processes to
effectively oversee and implement resilience, continuity, and
response capabilities to safeguard employees, customers, assets,
products, and services.
Complex and noncomplex firms are assessed in these areas. All
supervised insurance organizations are required to notify the
Federal Reserve of any computer-security notification incidents.\7\
---------------------------------------------------------------------------
\7\ SR letter 22-4, ``Contact Information in Relation to
Computer-Security Incident Notification Requirements'' applies to
all supervised insurance organizations.
---------------------------------------------------------------------------
[cir] Third party risk is also a subset of operational risk and
arises from a firm's use of service providers to perform operational
or service functions. These risks may be inherent to the outsourced
activity or be introduced with the involvement of the service
provider. When assessing effective third party risk management,
Federal Reserve examiners evaluate eight areas: (1) third party risk
management governance, (2) risk assessment framework, (3) due
diligence in the selection of a service provider, (4) a review of
any incentive compensation embedded in a service provider contract,
(5) management of any contract or legal issues arising from third
party agreements, (6) ongoing monitoring and reporting of third
parties, (7) business continuity and contingency of the third party
for any service disruptions, and (8) effective internal audit
program to assess the risk and controls of the firm's third party
risk management program.\8\
---------------------------------------------------------------------------
\8\ SR letter 13-19, ``Guidance on Managing Outsourcing Risk''
applies to all supervised insurance organizations.
---------------------------------------------------------------------------
Capital Management
The Capital Management rating is derived from an assessment of a
firm's current and stressed level of capitalization, and the
[[Page 60167]]
quality of its capital planning and internal stress testing. A
capital management program should be commensurate with a supervised
insurance organization's complexity and risk profile. In assigning
this rating, the Federal Reserve examiners evaluate the extent to
which a firm maintains sound capital planning practices through
effective governance and oversight, effective risk management and
controls, maintenance of updated capital policies and contingency
plans for addressing potential shortfalls, and incorporation of
appropriately stressful conditions into capital planning and
projections of capital positions. The extent to which a firm's
capital is sufficient to comply with regulatory requirements, to
support the firm's ability to meet its obligations, and to enable
the firm to remain a source of strength to its depository
institution(s) in a range of stressful, but plausible, economic and
financial environments is also evaluated.
Insurance company balance sheets are typically quite different
from those of most banking organizations. For life insurance
companies, investment strategies may focus on cash flow matching to
reduce interest rate risk and provide liquidity to support their
liabilities, while for traditional banks, deposits (liabilities) are
attracted to support investment strategies. Additionally, for
insurers, capital provides a buffer for policyholder claims and
creditor obligations, helping the firm absorb adverse deviations in
expected claims experience, and other drivers of economic loss. The
Board recognizes that the capital needs for insurance activities are
materially different from those of banking activities and can be
different between life and property and casualty insurers. Insurers
may also face capital fungibility constraints not faced by banking
organizations.
In assessing a supervised insurance organization's capital
management, the Federal Reserve relies to the fullest extent
possible on information provided by state insurance regulators,
including the firm's own risk and solvency assessment (ORSA) and the
state insurance regulator's written assessment of the ORSA. An ORSA
is an internal process undertaken by an insurance group to assess
the adequacy of its risk management and current and prospective
capital position under normal and stress scenarios. As part of the
ORSA, insurance groups are required to analyze all reasonably
foreseeable and relevant material risks that could have an impact on
their ability to meet obligations.
The Board expects supervised insurance organizations to have
sound governance over their capital planning process. A firm should
establish capital goals that are approved by the board of directors,
and that reflect the potential impact of legal and/or regulatory
restrictions on the transfer of capital between legal entities. In
general, senior management should establish the capital planning
process, which should be reviewed and approved periodically by the
board. The board should require senior management to provide clear,
accurate, and timely information on the firm's material risks and
exposures to inform board decisions on capital adequacy and actions.
The capital planning process should clearly reflect the difference
between the risk profiles and associated capital needs of the
insurance and banking businesses.
A firm should have a risk management framework that
appropriately identifies, measures, and assesses material risks and
provides a strong foundation for capital planning. This framework
should be supported by comprehensive policies and procedures, clear
and well-established roles and responsibilities, strong internal
controls, and effective reporting to senior management and the
board. In addition, the risk management framework should be built
upon sound management information systems.
As part of capital management, a firm should have a sound
internal control framework that helps ensure that all aspects of the
capital planning process are functioning as designed and result in
an accurate assessment of the firm's capital needs. The internal
control framework should be independently evaluated periodically by
the firm's internal audit function.
The governance and oversight framework should include an
assessment of the principles and guidelines used for capital
planning, issuance, and usage, including internal post-stress
capital goals and targeted capital levels; guidelines for dividend
payments and stock repurchases; strategies for addressing capital
shortfalls; and internal governance responsibilities and procedures
for the capital policy. The capital policy should reflect the
capital needs of the insurance and banking businesses based on their
risks, be approved by the firm's board of directors or a designated
committee of the board, and be re-evaluated periodically and revised
as necessary.
A strong capital management program will incorporate
appropriately stressful conditions and events that could adversely
affect the firm's capital adequacy and capital planning. As part of
its capital plan, a firm should use at least one scenario that
stresses the specific vulnerabilities of the firm's activities and
associated risks, including those related to the firm's insurance
activities and its banking activities.
Supervised insurance organizations should employ estimation
approaches to project the impact on capital positions of various
types of stressful conditions and events, and that are independently
validated. A firm should estimate losses, revenues, expenses, and
capital using sound methods that incorporate macroeconomic and other
risk drivers. The robustness of a firm's capital stress testing
processes should be commensurate with its risk profile.
Liquidity Management
The Liquidity Management rating is derived from an assessment of
the supervised insurance organization's liquidity position and the
quality of its liquidity risk management program. Each firm's
liquidity risk management program should be commensurate with its
complexity and risk profile.
The Board recognizes that supervised insurance organizations are
typically less exposed to traditional liquidity risk than banking
organizations. Instead of cash outflows being mainly the result of
discretionary withdrawals, cash outflows for many insurance products
only result from the occurrence of an insured event. Insurance
products, like annuities, that are potentially exposed to call risk
generally have product features (i.e., surrender charges, market
value surrenders, tax treatment, etc.) that help mitigate liquidity
risk.
Federal Reserve examiners tailor the application of existing
supervisory guidance on liquidity risk management to reflect the
liquidity characteristics of supervised insurance organizations.\9\
For example, guidance on intra-day liquidity management would only
be applicable for supervised insurance organizations with material
intra-day liquidity risks. Additionally, specific references to
liquid assets may be more broadly interpreted to include other asset
classes such as certain investment-grade corporate bonds.
---------------------------------------------------------------------------
\9\ See SR letter 10-6, ``Interagency Policy Statement on
Funding and Liquidity Risk Management.''
---------------------------------------------------------------------------
The scope of the Federal Reserve's supervisory activities on
liquidity risk is influenced by each firm's individual risk profile.
Traditional property and casualty insurance products are typically
short duration liabilities backed by short-duration, liquid assets.
Because of this, they typically present lower liquidity risk than
traditional banking activities. However, some non-traditional life
insurance and retirement products create liquidity risk through
features that allow payments at the request of policyholders without
the occurrence of an insured event. Risks of certain other insurance
products are often mitigated using derivatives. Any differences
between collateral requirements related to hedging and the related
liability cash flows can also create liquidity risk. The Board
expects firms significantly engaged in these types of insurance
activities to have correspondingly more sophisticated liquidity risk
management programs.
A strong liquidity risk management program includes cash flow
forecasting with appropriate granularity. The firm's suite of
quantitative metrics should effectively inform senior management and
the board of directors of the firm's liquidity risk profile and
identify liquidity events or stresses that could detrimentally
affect the firm. The metrics used to measure a firm's liquidity
position may vary by type of business.
Federal Reserve examiners rely to the fullest extent possible on
each firm's ORSA, which requires all firms to include a discussion
of the risk management framework and assessment of material risks,
including liquidity risk.
Supervised insurance organizations are expected to perform
liquidity stress testing at least annually and more frequently, if
necessary, based on their risk profile. The scenarios used should
reflect the firm's specific risk profile and include both
idiosyncratic and system-wide stress events. Stress testing should
inform the firm on the amount of liquid assets necessary to meet net
cash outflows over relevant time periods, including at least a one-
year time horizon. Firms should hold a liquidity buffer
[[Page 60168]]
comprised of highly liquid assets to meet stressed net cash
outflows. The liquidity buffer should be measured using appropriate
haircuts based on asset quality, duration, and expected market
illiquidity based on the stress scenario assumptions. Stress testing
should reflect the expected impact on collateral requirements. For
material life insurance operations, Federal Reserve examiners will
rely to the greatest extent possible on information submitted by the
firm to comply with the National Association of Insurance
Commissioners' (NAIC) liquidity stress test framework.
The fungibility of sources of liquidity is often limited between
an insurance group's legal entities. Large insurance groups can
operate with a significant number of legal entities and many
different regulatory and operational barriers to transferring funds
among them. Regulations designed to protect policyholders of
insurance operating companies can limit the transferability of funds
from an insurance company to other legal entities within the group,
including to other insurance operating companies. Supervised
insurance organizations should carefully consider these limitations
in their stress testing and liquidity risk management framework.
Effective liquidity stress testing should include stress testing at
the legal entity level with consideration for intercompany liquidity
fungibility. Furthermore, the firm should be able to measure and
provide an assessment of liquidity at the top-tier depository
institution holding company in a manner that incorporates
fungibility constraints.
The enterprise-wide governance and oversight framework should be
consistent with the firm's liquidity risk profile and include
policies and procedures on liquidity risk management. The firm's
policies and procedures should describe its liquidity risk
reporting, stress testing, and contingency funding plan.
B. Supervisory Ratings
Supervised insurance organizations are expected to operate in a
safe and sound manner, to comply with all applicable laws and
regulations, and to possess sufficient financial and operational
strength to serve as a source of strength for their depository
institution(s) through a range of stressful yet plausible
conditions. Supervisory ratings and supervisory findings are used to
communicate the assessment of a firm. Federal Reserve examiners
periodically assign one of four ratings to each of the three rating
components used to assess supervised insurance organizations. The
rating components are Capital Management, Liquidity Management, and
Governance & Controls. The four potential ratings are Broadly Meets
Expectations, Conditionally Meets Expectations, Deficient-1, and
Deficient-2. To be considered ``well managed,'' a firm must receive
a rating of Conditionally Meets Expectations or better in each of
the three rating components. Each rating is defined specifically for
supervised insurance organizations with particular emphasis on the
obligation that firms serve as a source of financial and managerial
strength for their depository institution(s). High-level definitions
for each rating are below, followed by more specific rating
definitions for each component.
Broadly Meets Expectations. The supervised insurance
organization's practices and capabilities broadly meet supervisory
expectations. The holding company effectively serves as a source of
managerial and financial strength for its depository institution(s)
and possesses sufficient financial and operational strength and
resilience to maintain safe-and-sound operations through a range of
stressful yet plausible conditions. The firm may have outstanding
supervisory issues requiring corrective actions, but these are
unlikely to present a threat to its ability to maintain safe-and-
sound operations and unlikely to negatively impact its ability to
fulfill its obligation to serve as a source of strength for its
depository institution(s). These issues are also expected to be
corrected on a timely basis during the normal course of business.
Conditionally Meets Expectations. The supervised insurance
organization's practices and capabilities are generally considered
sound. However, certain supervisory issues are sufficiently material
that if not resolved in a timely manner during the normal course of
business, may put the firm's prospects for remaining safe and sound,
and/or the holding company's ability to serve as a source of
managerial and financial strength for its depository institution(s),
at risk. A firm with a Conditionally Meets Expectations rating has
the ability, resources, and management capacity to resolve its
issues and has developed a sound plan to address the issue(s) in a
timely manner. Examiners will work with the firm to develop an
appropriate timeframe during which it will be required to resolve
that supervisory issue(s) leading to this rating.
Deficient-1. Financial or operational deficiencies in a
supervised insurance organization's practices or capabilities put
its prospects for remaining safe and sound, and/or the holding
company's ability to serve as a source of managerial and financial
strength for its depository institution(s), at significant risk. The
firm is unable to remediate these deficiencies in the normal course
of business, and remediation would typically require it to make
material changes to its business model or financial profile, or its
practices or capabilities. A firm with a Deficient-1 rating is
required to take timely action to correct financial or operational
deficiencies and to restore and maintain its safety and soundness
and compliance with laws and regulations. Supervisory issues that
place the firm's safety and soundness at significant risk, and where
resolution is likely to require steps that clearly go beyond the
normal course of business--such as issues requiring a material
change to the firm's business model or financial profile, or its
governance, risk management or internal control structures or
practices--would generally warrant assignment of a Deficient-1
rating. There is a strong presumption that a firm with a Deficient-1
rating will be subject to an enforcement action.
Deficient-2. Financial or operational deficiencies in a
supervised insurance organization's practices or capabilities
present a threat to its safety and soundness, have already put it in
an unsafe and unsound condition, and/or make it unlikely that the
holding company will be able to serve as a source of financial and
managerial strength to its depository institution(s). A firm with a
Deficient-2 rating is required to immediately implement
comprehensive corrective measures and demonstrate the sufficiency of
contingency planning in the event of further deterioration. There is
a strong presumption that a firm with a Deficient-2 rating will be
subject to a formal enforcement action.
Definitions for the Governance and Controls Component Rating:
Broadly Meets Expectations. Despite the potential existence of
outstanding supervisory issues, the supervised insurance
organization's governance and controls broadly meet supervisory
expectations, supports maintenance of safe-and-sound operations, and
supports the holding company's ability to serve as a source of
financial and managerial strength for its depository
institutions(s). Specifically, the firm's practices and capabilities
are sufficient to align strategic business objectives with its risk
appetite and risk management capabilities; maintain effective and
independent risk management and control functions, including
internal audit; promote compliance with laws and regulations; and
otherwise provide for the firm's ongoing financial and operational
resiliency through a range of conditions. The firm's governance and
controls clearly reflect the holding company's obligation to act as
a source of financial and managerial strength for its depository
institution(s).
Conditionally Meets Expectations. Certain material financial or
operational weaknesses in a supervised insurance organization's
governance and controls practices may place the firm's prospects for
remaining safe and sound through a range of conditions at risk if
not resolved in a timely manner during the normal course of
business. Specifically, if left unresolved, these weaknesses may
threaten the firm's ability to align strategic business objectives
with its risk appetite and risk-management capabilities; maintain
effective and independent risk management and control functions,
including internal audit; promote compliance with laws and
regulations; or otherwise provide for the firm's ongoing resiliency
through a range of conditions. Supervisory issues may exist related
to the firm's internal audit function, but internal audit is still
regarded as effective.
Deficient-1. Deficiencies in a supervised insurance
organization's governance and controls put its prospects for
remaining safe and sound through a range of conditions at
significant risk. The firm is unable to remediate these deficiencies
in the normal course of business, and remediation would typically
require a material change to the firm's business model or financial
profile, or its governance, risk management or internal control
structures or practices.
Examples of issues that may result in a Deficient-1 rating
include, but are not limited to:
The firm may be currently subject to, or expected to be
subject to, informal or formal
[[Page 60169]]
enforcement action(s) by the Federal Reserve or another regulator
tied to violations of laws and regulations that indicate severe
deficiencies in the firm's governance and controls.
Significant legal issues may have or be expected to
impede the holding company's ability to act as a source of financial
strength for its depository institution(s).
The firm may have engaged in intentional misconduct.
Deficiencies within the firm's governance and controls
may limit the credibility of the firm's financial results, limit the
board or senior management's ability to make sound decisions, or
materially increase the firm's risk of litigation.
The firm's internal audit function may be considered
ineffective.
Deficiencies in the firm's governance and controls may
have limited the holding company's ability to act as a source of
financial and/or managerial strength for its depository
institution(s).
Deficient-2. Financial or operational deficiencies in a
supervised insurance organization's governance and controls present
a threat to its safety and soundness, a threat to the holding
company's ability to serve as a source of financial strength for its
depository institution(s), or have already put the firm in an unsafe
and unsound condition.
Examples of issues that may result in a Deficient-2 rating
include, but are not limited to:
The firm is currently subject to, or expected to be
subject to, formal enforcement action(s) by the Federal Reserve or
another regulator tied to violations of laws and regulations that
indicate severe deficiencies in the firm's governance and controls.
Significant legal issues may be impeding the holding
company's ability to act as a source of financial strength for its
depository institution(s).
The firm may have engaged in intentional misconduct.
The holding company may have failed to act as a source
of financial and/or managerial strength for its depository
institution(s) when needed.
The firm's internal audit function is regarded as
ineffective.
Definitions for the Capital Management Component Rating:
Broadly Meets Expectations. Despite the potential existence of
outstanding supervisory issues, the supervised insurance
organization's capital management broadly meets supervisory
expectations, supports maintenance of safe-and-sound operations, and
supports the holding company's ability to serve as a source of
financial strength for its depository institution(s). Specifically:
The firm's current and projected capital positions on a
consolidated basis and within each of its material business lines/
legal entities comply with regulatory requirements and support its
ability to absorb potential losses, meet obligations, and continue
to serve as a source of financial strength for its depository
institution(s);
Capital management processes are sufficient to give
credibility to stress testing results and the firm is capable of
producing sound assessments of capital adequacy through a range of
stressful yet plausible conditions; and
Potential capital fungibility issues are effectively
mitigated, and capital contingency plans allow the holding company
to continue to act as a source of financial strength for its
depository institution(s) through a range of stressful yet plausible
conditions.
Conditionally Meets Expectations. Capital adequacy meets
regulatory minimums, both currently and on a prospective basis.
Supervisory issues exist but these do not threaten the holding
company's ability to act as a source of financial strength for its
depository institution(s) through a range of stressful yet plausible
conditions. Specifically, if left unresolved, these issues:
May threaten the firm's ability to produce sound
assessments of capital adequacy through a range of stressful yet
plausible conditions; and/or
May result in the firm's projected capital positions
being insufficient to absorb potential losses, comply with
regulatory requirements, and support the holding company's ability
to meet current and prospective obligations and continue to serve as
a source of financial strength to its depository institution(s).
Deficient-1. Financial or operational deficiencies in a
supervised insurance organization's capital management put its
prospects for remaining safe and sound through a range of plausible
conditions at significant risk. The firm is unable to remediate
these deficiencies in the normal course of business, and remediation
would typically require a material change to the firm's business
model or financial profile, or its capital management processes.
Examples of issues that may result in a Deficient-1 rating
include, but are not limited to:
Capital adequacy currently meets regulatory minimums
although there may be uncertainty regarding the firm's ability to
continue meeting regulatory minimums.
Fungibility concerns may exist that could challenge the
firm's ability to contribute capital to its depository institutions
under certain stressful yet plausible scenarios.
Supervisory issues may exist that undermine the
credibility of the firm's current capital adequacy and/or its stress
testing results.
Deficient-2. Financial or operational deficiencies in a
supervised insurance organization's capital management present a
threat to the firm's safety and soundness, a threat to the holding
company's ability to serve a source of financial strength for its
depository institution(s), or have already put the firm in an unsafe
and unsound condition.
Examples of issues that may result in a Deficient-2 rating
include, but are not limited to:
Capital adequacy may currently fail to meet regulatory
minimums or there is significant concern that the firm will not meet
capital adequacy minimums prospectively.
Supervisory issues may exist that significantly
undermine the firm's capital adequacy metrics either currently or
prospectively.
Significant fungibility constraints may exist that
would prevent the holding company from contributing capital to its
depository institution(s) and fulfilling its obligation to serve as
a source of financial strength.
The holding company may have failed to act as source of
financial strength for its depository institution when needed.
Definitions for the Liquidity Management Component Rating:
Broadly Meets Expectations. Despite the potential existence of
outstanding supervisory issues, the supervised insurance
organization's liquidity management broadly meets supervisory
expectations, supports maintenance of safe-and-sound operations, and
supports the holding company's ability to serve as a source of
financial strength for its depository institutions(s). The firm
generates sufficient liquidity to meet its short-term and long-term
obligations currently and under a range of stressful yet plausible
conditions. The firm's liquidity management processes, including its
liquidity contingency planning, support its obligation to act as a
source of financial strength for its depository institution(s).
Specifically:
The firm is capable of producing sound assessments of
liquidity adequacy through a range of stressful yet plausible
conditions; and
The firm's current and projected liquidity positions on
a consolidated basis and within each of its material business lines/
legal entities comply with regulatory requirements and support the
holding company's ability to meet obligations and to continue to
serve as a source of financial strength for its depository
institution(s).
Conditionally Meets Expectations. Certain material financial or
operational weaknesses in a supervised insurance organization's
liquidity management place its prospects for remaining safe and
sound through a range of stressful yet plausible conditions at risk
if not resolved in a timely manner during the normal course of
business.
Specifically, if left unresolved, these weaknesses:
May threaten the firm's ability to produce sound
assessments of liquidity adequacy through a range of conditions;
and/or
May result in the firm's projected liquidity positions
being insufficient to comply with regulatory requirements and
support the firm's ability to meet current and prospective
obligations and to continue to serve as a source of financial
strength to its depository institution(s).
Deficient-1. Financial or operational deficiencies in a
supervised insurance organization's liquidity management put the
firm's prospects for remaining safe and sound through a range of
stressful yet plausible conditions at significant risk. The firm is
unable to remediate these deficiencies in the normal course of
business, and remediation would typically require a material change
to the firm's business model or financial profile, or its liquidity
management processes.
Examples of issues that may result in a Deficient-1 rating
include, but are not limited to:
[[Page 60170]]
The firm is currently able to meet its obligations but
there may be uncertainty regarding the firm's ability to do so
prospectively.
The holding company's liquidity contingency plan may be
insufficient to support its obligation to act as a source of
financial strength for its depository institution(s).
Supervisory issues may exist that undermine the
credibility of the firm's liquidity metrics and stress testing
results.
Deficient-2. Financial or operational deficiencies in a
supervised insurance organization's liquidity management present a
threat to its safety and soundness, a threat to the holding
company's ability to serve as a source of financial strength for its
depository institution(s), or have already put the firm in an unsafe
and unsound condition.
Examples of issues that may result in a Deficient-2 rating
include, but are not limited to:
Liquidity shortfalls may exist within the firm that
have prevented the firm, or are expected to prevent the firm, from
fulfilling its obligations, including the holding company's
obligation to act as a source of financial strength for its
depository institution(s).
Liquidity adequacy may currently fail to meet
regulatory minimums or there is significant concern that the firm
will not meet liquidity adequacy minimums prospectively for at least
one of its regulated subsidiaries.
Supervisory issues may exist that significantly
undermine the firm's liquidity metrics either currently or
prospectively.
Significant fungibility constraints may exist that
would prevent the holding company from supporting its depository
institution(s) and fulfilling its obligation to serve as a source of
financial strength.
The holding company may have failed to act as source of
financial strength for its depository institution when needed.
C. Incorporating the Work of Other Supervisors
Similar to the approach taken by the Federal Reserve in its
consolidated supervision of other firms, the oversight of supervised
insurance organizations relies to the fullest extent possible, on
work performed by other relevant supervisors. Federal Reserve
supervisory activities are not intended to duplicate or replace
supervision by the firm's other regulators and Federal Reserve
examiners typically do not specifically assess firms' compliance
with laws outside of its jurisdiction, including state insurance
laws. The Federal Reserve collaboratively coordinates with,
communicates with, and leverages the work of the Office of the
Comptroller of the Currency (OCC), Federal Deposit Insurance
Corporation (FDIC), Securities and Exchange Commission (SEC),
Financial Crimes Enforcement Network (FinCEN), Internal Revenue
Service (IRS), applicable state insurance regulators, and other
relevant supervisors to achieve its supervisory objectives and
eliminate unnecessary burden.
Existing statutes specifically require the Board to coordinate
with, and to rely to the fullest extent possible on work performed
by the state insurance regulators. The Board and all state insurance
regulators have entered into Memorandums of Understanding (MOU)
allowing supervisors to freely exchange information relevant for the
effective supervision of supervised insurance organizations. Federal
Reserve examiners take the actions below with respect to state
insurance regulators to support accomplishing the objective of
minimizing supervisory duplication and burden, without sacrificing
effective oversight:
Routine discussions (at least annually) with state
insurance regulatory staff with greater frequency during times of
stress;
Discussions around the annual supervisory plan,
including how best to leverage work performed by the state and
potential participation by state insurance regulatory staff on
relevant supervisory activities;
Consideration of the opinions and work done by the
state when scoping relevant examination activities;
Documenting any input received from the state and
considering the assessments of and work performed by the state for
relevant supervisory activities;
Sharing and discussing with the state the annual
ratings and relevant conclusion documents from supervisory
activities;
Collaboratively working with the states and the NAIC on
the development of policies that affect insurance depository
institution holding companies; and
Participating in supervisory colleges.
The Federal Reserve relies on the state insurance regulators to
participate in the activities above and to share proactively their
supervisory opinions and relevant documents. These documents include
the annual ORSA,\10\ the state insurance regulator's written
assessment of the ORSA, results from its examination activities, the
Corporate Governance Annual Disclosure, financial analysis memos,
risk assessments, material risk determinations, material transaction
filings (Form D), the insurance holding company system annual
registration statement (Form B), submissions for the NAIC liquidity
stress test framework, and other state supervisory material. If the
Federal Reserve determines that it is necessary to perform
supervisory activities related to aspects of the supervised
insurance organization that also fall under the jurisdiction of the
state insurance regulator, it will communicate the rationale and
result of these activities to the state insurance regulator.
---------------------------------------------------------------------------
\10\ See NAIC Own Risk and Solvency Assessment (ORSA) Guidance
Manual (December 2017) at https://content.naic.org/sites/default/files/publication-orsa-guidance-manual.pdf.
By order of the Board of Governors of the Federal Reserve
System.
Ann E. Misback,
Secretary of the Board.
[FR Doc. 2022-21414 Filed 10-3-22; 8:45 am]
BILLING CODE 6210-01-P