OCC Proposes Formal Guidelines for Large Banks
On January 16, 2014, the Office of the Comptroller of the Currency (OCC) issued proposed guidelines that enhance and formalize “heightened expectations” to strengthen governance and risk management practices. This notice of proposed rule-making (NPR) applies to certain large national banks, federal savings associations and federal branches.

Our most recent Flash Report discusses the basic content and scope of the NPR and highlights important matters in the NPR for institutions to consider.

FINANCIAL SERVICES FLASH REPORT
OCC Proposes Formal Guidelines for Large Banks
February 6, 2014

In the aftermath of the financial crisis, the Office of the Comptroller of the Currency (OCC) developed a set of “heightened expectations” to strengthen governance and risk management practices at large national banks and federal savings associations to enhance the agency’s supervision of those institutions. On January 16, 2014, the OCC issued proposed guidelines under 12 CFR Parts 30 and 170, pursuant to section 39 of the Federal Deposit Insurance Act (FDIA) (which applies to banks and savings associations), that enhance and formalize those expectations. This Flash Report discusses the basic content and scope of the OCC’s proposal and highlights important matters in the proposal for institutions to consider.

Which Financial Services Institutions Are Affected?

The notice of proposed rule-making (NPR) is titled “OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of 12 CFR Parts 30 and 170.”[1] The OCC, as part of its efforts to integrate the former Office of Thrift Supervision’s regulations, is also requesting comments on its proposal to make part 30 and all of its appendices applicable to federal savings associations and to remove part 170, which contains similar information for savings associations.

By definition, the guidelines would apply to any insured national bank, insured federal savings association, or insured federal branch of a foreign bank with average total consolidated assets of $50 billion or more. Currently, no federally insured branches of foreign banks meet the threshold. Once an institution reaches $50 billion in assets, the guidelines would still apply even if its assets dropped below $50 billion.

In addition, the proposal allows the OCC to apply these guidelines to institutions with less than $50 billion in average total consolidated assets if it determines the institution is highly complex or presents a heightened risk. To determine this, the OCC would consider the institution’s complexity of products and services, risk profile, and scope of operations. As a result, banks of all types should examine the guidelines closely and assess the relevance of the guidelines to their operations.

What Does the Proposal Say?

The NPR sets forth minimum standards for the design and implementation of an institution’s risk governance framework and also provides minimum standards for oversight of that framework by the board of directors. Its content is set forth in three parts: Part 1 is an introduction to the guidelines, scope and key terms; Part 2 contains minimum standards for design and implementation of the bank’s risk governance framework; and Part 3 sets forth minimum standards for the board of directors and the risk governance framework oversight. Key aspects of the NPR include:

• Roles and responsibilities of organizational units that are fundamental to the design and implementation of the risk governance framework – The NPR provides guidance on the roles and responsibilities of the front line units,[2] independent risk management, and internal audit comprising what is typically referred to as the institution’s three lines of defense. These units are required to establish an appropriate system to manage risk taking and ensure the board of directors has sufficient information on the institution’s risk profile and risk management practices to provide credible challenges to management’s recommendations and decisions. Of particular note is the specific inclusion of Administration, Finance, Treasury, Legal and Human Resources as front line units by the OCC. This raises a number of questions surrounding regulatory expectations for these units when designing risk management frameworks, articulating risk appetite statements, reporting lines, etc. We believe that additional clarification will be required by the OCC around these issues.

• Strategic plan – The CEO is required to develop a written strategic plan with input from front line units, independent risk management, and internal audit. The strategic plan should account for changes to the risk governance framework as the institution’s risk profile changes. Additionally, the plan must be reviewed, updated and approved by the board at least annually. The board would be required to monitor management’s efforts to implement the strategic plan.

• Risk appetite statement – Institutions are required to have a comprehensive written statement that articulates their risk appetite and provides the basis for their risk governance framework. This statement is required to include both qualitative components and quantitative limits. Qualitative components should be reflective of a sound “risk culture”[3] and the quantitative limits should incorporate stress testing, and the institution’s earnings, capital and liquidity levels. The framework must also include processes and supporting documentation for the following:
  – Risk appetite review, monitoring and communication at all levels of the organization
  – Concentration and risk limits as well as processes for addressing limit breaches and managing concentration risk
  – Risk data aggregation and reporting
  – Talent management, compensation and performance management

[1] OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of 12 CFR Parts 30 and 170; http://www.occ.gov/news-issuances/newsreleases/2014/nr-occ-2014-4a.pdf.

[2] The NPR defines a “front line unit” as “any organizational unit within the bank that: (i) engages in activities designed to generate revenue for the parent company or bank; (ii) provides services, such as administration, finance, treasury, legal, or human resources, to the bank; or (iii) provides information technology, operations, servicing, processing, or other support to any organizational unit covered by the proposed guidelines.” This proposed definition of front line units includes those units that provide information technology, operations, servicing, processing, or other support to both independent risk management and internal audit. The NPR states that front line units create risks for the bank by engaging in their respective activities.

[3] While there is no regulatory definition of risk culture, for purposes of this NPR, the OCC defines risk culture on page 26 of this NPR as: “the shared values, attitudes, competencies, and behaviors present throughout the Bank that shape and influence governance practices and risk decisions.” See http://www.occ.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf.

Protiviti | 2
• Board of directors’ oversight – The guidance includes provisions for the following:
  – Requirements for the board’s oversight of an institution’s management and compliance with safe and sound banking practices and minimum standards for the design and implementation of an effective risk governance framework. While much of the language about board of director oversight can be interpreted as nothing new, much of it will depend on the regulatory definition of terms such as “ensure” and “active board oversight.” There is definitional risk here and the possibility that the lines become blurred regarding roles and responsibilities of bank management and the board. It will be important for the OCC and other regulators to articulate their meaning here.
  – Active board oversight of an institution’s risk-taking activities, including establishing accountability for management’s adherence to the risk governance framework. The board is expected to exercise independent judgment and evaluate management’s recommendations and decisions by questioning, challenging, and, when necessary, opposing, management proposals that could lead to excessive risk taking or pose a threat to safety and soundness.
  – At least two independent board members who are not part of the institution’s or the parent company’s management.
  – Ongoing training of independent board members.
  – Requirements for boards to perform annual self-assessments on their effectiveness to meet the NPR standards.

As mentioned earlier, this NPR also seeks to consolidate the safety and soundness guidelines by applying 12 CFR 30 and all appendices to all national banks and federal savings associations. Note that 12 CFR 170, which applies only to federal savings associations, is similar to 12 CFR 30. These guidelines provide that if a bank or savings association fails to meet the prescribed standards, the OCC may require the institution to submit a plan specifying the steps it will take to comply. If the institution, after being notified that it is in violation of the safety and soundness standards, fails to submit an acceptable compliance plan or fails materially to comply with an OCC-approved plan, then under section 8 of FDIA, 12 U.S.C. § 1818(b), the OCC may issue an enforceable order.

Important Matters to Consider

Institutions should review the NPR and determine how the proposed guidelines might affect them. While performing this review, institutions should consider the proposed questions in the NPR as well as the overall proposal and determine whether responding with feedback would be beneficial. In support of that effort, we’ve summarized below a few of the unique statements, questions and challenges institutions may face as they contemplate compliance with the proposed guidelines:

Scope, Applicability and Enforcement of the NPR

• As mentioned earlier, the NPR is applicable to institutions with $50 billion in assets. However, the proposal allows the OCC to apply these guidelines to institutions with less than $50 billion in average total consolidated assets if the OCC determines the institution is highly complex or presents a heightened risk. Additionally, the OCC is likely to apply certain aspects of the guidelines to midsize institutions.

Protiviti Comment: Midsize institutions should evaluate the NPR in relation to their current practices to identify areas for improvement. The proposed requirements could pose challenges to banks closer to the $50 billion threshold, and even below that threshold if the OCC were to decide to “trickle down” the requirements to such banks on a selective basis as circumstances dictate.

• The NPR states: “If a Bank has a risk profile that is substantially the same as its parent company, the parent company’s risk governance framework complies with these Guidelines, and the Bank has demonstrated through a documented assessment that its risk profile and its parent company’s risk profile are substantially the same, the Bank may use its parent company’s risk governance framework to satisfy the Guidelines.”

Protiviti Comment: This provision deals with the similarities between the institution and its holding company. We believe this will be a potential point of confusion in the industry and will require further clarification and interpretation by the OCC. Even in cases where the risk profile between the bank and the holding company is substantially the same, we believe the bank will still need to develop some additional framework. In most cases the 95% threshold will probably not be met and there exists a high potential for confusion regarding how much of the parent company’s risk governance framework may be used at the bank level. For example, will there be a need to devise completely separate and redundant frameworks, or can one build off the other? We believe there are multiple corporate structures that will create a series of questions around this provision and that clarification will be required for banks to apply it in the manner the OCC intends.

• The NPR states: “The OCC has not included uninsured entities, such as trust banks and uninsured Federal branches or agencies of foreign banks, in the scope of the proposed Guidelines because section 39 of the FDIA applies only to ‘insured depository institutions.’ Currently, OCC examiners are informally applying certain aspects of the heightened expectations to select uninsured entities. The OCC is considering whether it would be appropriate to apply the provisions in the Guidelines to these entities.”

Protiviti Comment: Since the OCC is currently informally applying these expectations, it makes sense for large uninsured entities to pay attention to the provisions of the NPR guideline.

• Section 39 prescribes different consequences depending on whether the standards the OCC authorizes are issued by regulation or guidelines. Pursuant to section 39, if a national bank or Federal savings association fails to meet a standard prescribed by regulation, the OCC must require it to submit a plan specifying the steps it will take to comply with the standard. If a national bank or Federal savings association fails to meet a standard prescribed by guideline, the OCC may require it to submit a plan – meaning the OCC has the discretion to decide whether to require the submission of such a plan.

Protiviti Comment: Since the OCC is issuing the NPR as a guideline rather than as a regulation, it will give the agency flexibility to determine the best course of action. This is a vitally important distinction in this NPR.

• If an institution is required to submit a compliance plan detailing the steps and time frame it will take to correct the deficiencies identified in a letter or Report of Examination from the OCC and either the plan is insufficient or the institution fails materially to comply with the OCC-approved plan, the OCC may issue a Notice of Intent to Issue an Order pursuant to section 39. Once the institution receives a Notice of Intent, it has 14 days to respond to the OCC. The OCC would then decide its course of action based on the institution’s response.
Protiviti Comment: What happens in this process, including after the point at which an institution receives a Notice of Intent, is largely dependent on the institution’s responsiveness.

Risk Governance Framework (Framework) – Overall Comments

• The NPR states: “The term Chief Audit Executive (CAE) means an individual who leads internal audit and is one level below the Chief Executive Officer (CEO) in the Bank’s organizational structure. The term Chief Risk Executive (CRE) means an individual who leads an independent risk management unit and is one level below the CEO in the Bank’s organizational structure.”

Protiviti Comment: Nothing controversial here. The OCC is defining organizational structure and reporting lines for these individuals. Accordingly, institutions should review their organizational structure to ascertain how it compares to the standard, and determine whether to respond or comment in regard to the NPR.

• The NPR states: “Regardless of how a Bank categorizes its risks, the Framework must appropriately cover risks to the Bank’s earnings, capital, liquidity, and reputation that arise from all of its activities, including risks associated with third-party relationships.”

Protiviti Comment: Based on our reading of this section, we believe that the OCC will likely provide additional clarification surrounding the flexibility a bank has when developing a framework and categorizing underlying risks. We believe the OCC is expecting specific criteria around all eight of its categories of risk, if those specific risks are present in a particular institution. We would not recommend that a commercial bank attempt to collapse the eight areas of risk into a taxonomy that is something less, as we do not believe that is what the OCC intended with its language around flexibility. Institutions should take this into consideration as they design and build out their framework.

• In the NPR, Question #3 states: “Section II.C.3.(a) provides that internal audit should maintain a complete and current inventory of all of the Bank’s material businesses, product lines, services, and functions. The OCC requests comment on whether the Guidelines should provide that independent risk management also maintains such an inventory in order to ensure that internal audit has identified all material businesses, product lines, services and functions.”

Protiviti Comment: We believe it makes sense to have a centralized list maintained by both lines of defense, consistent with the view that a robust risk assessment is enhanced when multiple perspectives are engaged. Institutions should consider evaluating how they maintain their inventory in relation to this NPR in accordance with their respective needs.[4]

[4] Note that the OCC expects banks to have risk aggregation and reporting capabilities that meet the board’s and management’s needs for proactively managing risk and ensuring the bank’s risk profile remains consistent with its risk appetite. With respect to a “systemically important financial institution (SIFI),” the Basel Committee on Banking Supervision (BCBS) issued a set of principles for effective risk data aggregation and reporting in January of 2013 and established the expectation that a SIFI comply with these principles by the beginning of 2016. In the NPR, the OCC indicated that it expected the SIFIs it supervises to be largely compliant with these principles by the date established by the BCBS. Meanwhile, the other banks covered by the proposed guidelines are not expected to comply with the BCBS principles by the beginning of 2016; however, their risk aggregation and reporting capabilities should be sufficiently robust to meet the bank’s needs. In effect, these banks should consider the BCBS principles to be “leading practices” and should make an effort to bring their respective practices into alignment with the BCBS principles where possible.
Risk Governance Framework – Strategy and Risk Culture

• The NPR states: “Paragraph D. of Part II of the proposed Guidelines provides that the CEO should develop a written strategic plan with input from front line units, independent risk management, and internal audit.”

Protiviti Comment: The NPR states that the strategic plan should cover a time horizon of at least three years. The plan must contain: (1) a comprehensive assessment of risks that currently impact the bank or that could impact the bank during the selected time horizon; (2) an overall mission statement and strategic objectives for the bank (including an explanation of how the bank will achieve those objectives); and (3) an explanation of how the bank will update, as necessary, the risk governance framework to account for changes in the bank’s risk profile projected under the strategic plan. The NPR states the plan must be reviewed, updated, and approved, as necessary, due to changes in the bank’s risk profile or operating environment that were not contemplated when the strategic plan was developed. The level of transparency envisioned by these proposed requirements should not be taken lightly, as it will provide OCC examiners a guidepost to point to if an institution were to stray from its core business. The NPR requires the CEO to develop the written strategic plan. As stated, this requirement may not be optimal for some institutions. We suggest that institutions consider how they develop their strategic plans. For example, it could be developed by a board committee, the office of the CEO, the Executive Committee at the bank level which is appointed by the CEO (with the CEO as member), or through other means. Institutions may want to point out to the OCC that it should consider rewording this requirement to say that a strategic plan must be developed under the direction of the CEO and is sponsored and owned by the CEO.

• The NPR states: “The term risk appetite means the aggregate level and types of risk the Board and management are willing to assume to achieve the Bank’s strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.”

Protiviti Comment: The OCC’s end in mind is for large banks to state their appetite for risk formally by setting benchmarks for capital strength, liquidity and earnings, along with “the amount of risk that may be taken in each line of business, and the amount of risk that may be taken in each key risk category monitored by the institution.”

• Risk Culture is defined in the NPR as “the shared values, attitudes, competencies, and behaviors present throughout the Bank that shape and influence governance practices and risk decisions.”

Protiviti Comment: Based on our research, this definition appears appropriate as written.

• The NPR states: “Paragraph F. of Part II of the proposed Guidelines provides that the Framework should include concentration risk limits and, as applicable, front line unit risk limits for the relevant risks in each front line unit to ensure that these units do not create excessive risks. When aggregated across all such units, the risks should not exceed the limits established in the Bank’s Statement. Depending on a Bank’s organizational structure, concentration risk limits and front line unit risk limits may also need to be established for legal entities, units based on geographical areas, or product lines.”

Protiviti Comment: Institutions should evaluate the extent to which they utilize risk appetite at multiple levels throughout the organization as well as how they do it. In evaluating this proposed provision, our sense is that the OCC is focused on cascading the risk appetite statement downward into the institution to establish more granular risk tolerances and thresholds and apply greater discipline in risk governance. For many institutions, this requirement will present a challenge. To illustrate, the focus on concentration risk could require enhanced policies, processes and procedures to: (1) define the scope of concentration risk; (2) establish formal concentration limits; (3) clarify roles, responsibilities and accountabilities for managing concentration risk (including adjustments to compensation structures); (4) report, manage and monitor concentration risk; and (5) enforce established limits through formal review processes and escalation protocols. Thus, institutions may require strengthening of their internal controls, periodically assessing the adequacy of allocated capital given the level of concentration risk in their loan and asset portfolios, and adjusting allocated capital for changes in circumstances. Accordingly, we believe it is possible the OCC may issue more prescriptive guidance surrounding concentration risk, which would add further complexities to the compliance process.

• The NPR on concentration risk states: “Paragraph I. of Part II of the proposed Guidelines provides that the Framework should include policies and supporting processes that are appropriate for the Bank’s size, complexity, and risk profile that effectively identify, measure, monitor, and control the Bank’s concentration of risk. Concentrations of risk can arise in any risk category, with the most common being identified with borrowers, funds providers, and counterparties.”

Protiviti Comment: These and other comments (for example, Paragraph F of Part II) indicate that the OCC will continue to place significant importance on concentration risk, and not just traditional credit, counterparty and funds providers, but concentrations of all types including third party, vendor, etc. We recommend that the risk governance framework around concentration risk be specific and analyzed down to the line-of-business level. Accordingly, institutions should consider how they evaluate and manage concentration risk because, as discussed further above, the OCC’s proposal could require strengthening of internal controls and assessment and adjustment of allocated capital over time as circumstances change.

• The NPR on talent management states: “A Bank’s talent management processes should ensure that the Board or a Board committee: (i) hires a CEO and approves the hiring of direct reports of the CEO with the skills and abilities to design and implement an effective Framework; (ii) establishes reliable succession plans for the CEO and his or her direct reports; and (iii) oversees the talent development, recruitment, and succession planning processes for individuals two levels down from the CEO.”

Protiviti Comment: The “two levels down” requirement warrants attention. Institutions should consider how their talent management process operates in relation to this guidance. “Talent management processes” must ensure appropriate staffing levels across the institution’s front line units and provide for orderly succession and a compensation structure that appropriately motivates and retains talent in a manner that considers the long-term interests of shareholders by not encouraging inappropriate risk taking.
Risk Governance Framework – Board Oversight, Composition and Effectiveness

• The NPR states, “The Guidelines establish the minimum standards for the design and implementation of the Framework and the minimum standards for the Board to use in overseeing the Framework’s design and implementation.”

Protiviti Comment: The OCC does not clearly articulate what “overseeing” would entail. Institutions should consider what level they think is appropriate for oversight and respond accordingly. This lack of clarity may be troubling to some institutions and their boards as it could lead to more granular board involvement beyond its traditional oversight function and potentially into what might be regarded as activities normally attributed to management. It could also lead to “oversight creep” if the OCC examinations influence practice. What is clear is the OCC is expecting directors to be actively engaged with management on risk taking as well as risk management. This means the board provides “a credible challenge to bank management’s decision-making.” The OCC’s view of the “credible challenge” standard is that independent directors must “acquire a thorough understanding of an institution’s risk profile and to use this information to ask probing questions of management and to ensure that senior management prudently addresses risks.”

• The NPR on board responsibilities states: “Paragraph B. of Part III of the proposed Guidelines addresses Board oversight of Bank management, and generally provides that the Board should provide a credible challenge to management. Specifically, the Board should actively oversee the Bank’s risk-taking activities and hold management accountable for adhering to the Framework. The Board should also critically evaluate management’s recommendations and decisions by questioning, challenging, and, when necessary, opposing, management’s proposed actions that could cause the Bank’s risk profile to exceed its risk appetite or threaten the Bank’s safety and soundness. The OCC expects that this provision will enable the Board to make a determination as to whether management is adhering to, and understands, the Framework. For example, recurring breaches of risk limits or actions that cause the Bank’s risk profile to materially exceed its risk appetite may demonstrate that management is not adhering to the Framework. In those situations, the Board should take action to hold the appropriate party, or parties, accountable.”

Protiviti Comment: Institutions should evaluate their board oversight processes in light of this guidance, including the reporting that informs those oversight processes. We believe the information in this particular section is unlikely to change significantly.

• In the NPR, Question #5 states: “The OCC requests comment on the composition of a Bank’s Board. The proposed Guidelines establish a minimum number of independent directors that should be on the Bank’s Board. Is this an appropriate number? Are there other standards the OCC should consider to ensure the Board composition is adequate to provide effective oversight of the Bank? Is there value in requiring the Bank to maintain its own risk committee and other committees, as opposed to permitting the Bank’s Board to leverage the parent company’s Board committees?”

Protiviti Comment: Placement of at least two independent members who don't hold management positions in the bank or its parent holding company, as noted on page 3, could be an area in which national banks will face challenges. For example, the available pool of qualified board members is in the forefront of issues that come to mind. Institutions should consider this question in light of their current board structure, both at the holding company and bank levels, as well as any perceived obstacles to compliance. Clearly, the OCC’s intent is to introduce more independent directors into the composition of the board at the bank level.

• The NPR on independent board member training states: “Paragraph E. of Part III provides that in order to ensure that each member of the Board has the knowledge, skills, and abilities needed to meet the standards set forth in the Guidelines, the Board should establish and adhere to a formal, ongoing training program for independent directors. This reflects the OCC’s view that the Board should be comprised of financially knowledgeable directors who are committed to conducting diligent reviews of the Bank’s management team, financial status, and business plans. OCC examiners will evaluate each director’s knowledge and experience, as demonstrated in their written biography and discussions with examiners. The training program for independent directors should include training on: (i) complex products, services, lines of business, and risks that have a significant impact on the Bank; (ii) laws, regulations, and supervisory requirements applicable to the Bank; and (iii) other topics identified by the Board.”

Protiviti Comment: This requirement is reasonably consistent with developments in corporate governance trends.

• The NPR on board self-assessments states: “Paragraph F. of Part III of the proposed Guidelines provides that the Bank’s Board should conduct an annual self-assessment that includes an evaluation of the Board’s effectiveness in meeting the standards provided in Part III of the Guidelines. The self-assessment discussed in this paragraph can be part of a broader self-assessment process conducted by the Board, and should result in a constructive dialogue among Board members that identifies opportunities for improvement and leads to specific changes that are capable of being tracked, measured, and evaluated. For example, these may include broad changes that range from changing the Board composition and structure, meeting frequency and agenda items, Board report design or content, ongoing training program design or content, and other process and procedure topics.”

Protiviti Comment: Board self-assessments are another developing trend that is becoming more commonplace. Enough boards do a self-assessment such that the practice itself has emerged as a leading practice. Accordingly, institutions should consider their ability to meet this requirement before commenting.

Risk Governance Framework – Independent Risk Management

• The NPR states: “Independent risk management … should be held accountable by the CEO and the Board, and … should establish and adhere to procedures and processes necessary to ensure compliance with … policies and to ensure that the front line units meet the [required] standards. Independent risk management should also identify and communicate to the CEO and the Board or the Board’s risk committee material risks and significant instances where independent risk management’s assessment of risk differs from a front line unit as well as significant instances where a front line unit is not complying with the Framework.”

Protiviti Comment: According to the NPR, “independent risk management” means “any organizational unit within the Bank that has responsibility for identifying, measuring, monitoring, or controlling aggregate risks.” The scope of that definition includes the chief risk executive (who must be one level below the CEO) as well as any back office activity that is independent of the front line units and has access to the board of directors through an independent communications channel, though they would report to the chief executive on a day-to-day basis. While independent risk management functions have always been important in financial services, larger institutions would need to ensure that their functions track and monitor activity in all critical front line units, i.e., the lines of business, and meet the requirements of the NPR. For example, the NPR would require approval of the leaders of these functions and their compensation by the board.

• In the NPR, Question #2 states: “The OCC requests comment on the advantages and disadvantages of having a single CRE, such as a Chief Risk Officer, provide oversight to all independent risk management units versus having multiple, risk-specific CREs providing oversight to one or more independent risk management units.”

Protiviti Comment: This is an interesting question. As phrased, it is framed on an “either/or” premise, with the attendant pros and cons on both sides around a centralized versus distributed approach. A third option is both, with multiple CREs reporting to a single chief risk officer who reports directly to the CEO. Each institution should assess this question and its implications to its structure, culture and operating philosophy.

Risk Governance Framework – Internal Audit

• The NPR states: “Internal audit should also establish a quality assurance department that ensures internal audit’s policies, procedures, and processes comply with applicable regulatory and industry guidance, are appropriate for the size, complexity, and risk profile of the Bank, are updated to reflect changes to internal and external to (sic) risk factors, and are consistently followed.”

Protiviti Comment: Given this proposed provision, institutions should consider the applicability of a quality assurance department within Internal Audit.

• In the NPR, Question #4 states: “The OCC requests comment on whether internal audit’s assessment of the Bank’s Framework should include a conclusion regarding whether the Framework is consistent with leading industry practices. Is such an assessment possible for internal audit given the wide range of practices in the industry and the challenges associated with determining what constitutes a leading industry practice? Are there any other concerns with such a requirement?”

Protiviti Comment: Institutions should evaluate whether their internal audit function possesses the capability to make such a determination and, if not, whether it is feasible for them to require the function to obtain the skillsets necessary to make this determination. If there are significant gaps, institutions may want to consider them in preparing a response to the OCC.

Comments Due

Comments are due to the OCC by March 28, 2014, 60 days after the published date of the NPR on February 5, 2014.

Summary

It is likely that most large banks already comply with many of the provisions proposed by the NPR due to the fact that the OCC has been signaling change for some time. However, mid-size banks are likely to have more work to do in this area. Under the proposed NPR, large banks could face swifter reprimands and punishment in the event of risk management breakdowns. According to Comptroller of the Currency, Thomas J. Curry:

The [proposed] standards … build on lessons learned from the financial crisis. They will contribute to a safer financial system for all of us by providing clear and enforceable
  11. 11. standards for the risk management and governance of our largest institutions. They provide additional supervisory tools to examiners of large national banks and federal savings associations, and they will measurably enhance our supervision of these institutions. We can expect these proposed guidelines to become an important part of the supervisory fabric for insured institutions as they streamline the enforcement process. The overall message: To whom size and complexity is given, more is expected by the regulator. About Protiviti Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. Contacts Carol Beaumier Managing Director +1.212.603.8337 carol.beaumier@protiviti.com Cory Gunderson Managing Director +1.212.708.6313 cory.gunderson@protiviti.com Michael Brauneis Managing Director +1.312.476.6327 michael.brauneis@protiviti.com Tim Long Managing Director +1.212.399.8637 timothy.long@protiviti.com Matthew Moore Managing Director +1.704.972.9615 matthew.moore@protiviti.com Michael Schuchardt Managing Director +1.415.402.3620 michael.schuchardt@protiviti.com © 2014 Protiviti Inc. An Equal Opportunity Employer. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.