Heightened Risk Requirements: OCC Defines “Strong,” Now Banks Must Get There

On September 2, 2014, the Office of the Comptroller of the Currency (OCC) finalized new standards that formalize “heightened expectations” for risk governance at the banks it regulates with more than $50 billion in assets, and in turn impose new levels of responsibility on the boards and executive leadership of those institutions for the risk decisions they make.

Now, banks must codify “strong risk management practices” at the bank legal entity level, including governance policies, procedures, structures and even board composition. What some banks have had to do as the result of individually targeted Matters Requiring Attention (MRAs) is now applicable to all, albeit on a phased basis according to size. All banks with more than $50 billion in assets must comply with the new rules within 18 months. Those whose assets total between $100 billion and $750 billion have six months and those with more than $750 billion must comply within two.

The heightened standards include several key elements of which banks should be aware:

  • The board of the bank legal entity is now accountable for preserving the sanctity of the bank’s charter, even to the point of restructuring bank legal entities.
  • Each bank must have a well-defined risk management structure that encompasses staffing, compensation, succession planning and the second and third “lines of defense” – internal risk and internal audit – all aligned to discourage “imprudent risk-taking.”
  • Each bank must define its risk appetite in clear terms and communicate that definition throughout the enterprise, including to all three lines of defense: front line units, independent risk management and internal audit.
  • Reliable oversight must be in place across all three lines of defense.
  • The board must provide a credible challenge to actions or decisions that run counter to the defined risk strategy.

Under the heightened standards, a bank must name at least one Chief Risk Executive who reports to the CEO and has access to the board. The OCC has also split the way it regards finance within the risk management hierarchy: some parts of the function are considered front-line, but others, including financial reporting and statement preparation, are considered part of the second line.

As banks move to “get to strong” and comply with the new standards, their boards should undergo self-assessments and renewed training, and they should reevaluate internal reporting requirements at all levels. Strengthening the capability, authority and visibility of the three lines of defense will be important. There will also be related demands on data, systems and culture.

For more details on the OCC’s heightened risk expectations, please download Deloitte’s POV, Stronger: OCC’s heightened expectations.

Posted by Tom Rollauer, Executive Director, Center for Regulatory Strategies, Deloitte & Touche LLP and David Wilson, Senior advisor, Deloitte & Touche LLP
