On September 2, 2014, the Office of the Comptroller of the Currency (OCC) finalized new standards that formalize “heightened expectations” for risk governance at the banks it regulates with more than $50 billion in assets — and in turn, impose new levels of responsibility on the boards and executive leadership of those institutions for the risk decisions they make.
Now, banks must codify “strong risk management practices” at the bank legal entity level, including governance policies, procedures, structures and even board composition. What some banks have had to do as the result of individually targeted Matters Requiring Attention (MRAs) is now applicable to all, albeit on a phased basis according to size. All banks with more than $50 billion in assets must comply with the new rules within 18 months. Those whose assets total between $100 billion and $750 billion have six months and those with more than $750 billion must comply within two.
The heightened standards include several key elements of which banks should be aware:
Under the heightened standards, a bank must name at least one Chief Risk Executive who reports to the CEO and has access to the board. The OCC has also split the way it regards finance within the risk management hierarchy: some parts of the function are considered front-line, but others, including financial reporting and statement preparation, are considered part of the second line.
As banks move to “get to strong” and comply with the new standards, their boards should undergo self-assessments and renewed training and they should reevaluate internal reporting requirements at all levels. Strengthening the capability, authority and visibility of the three lines of defense will be important. There will also be related demands on data, systems and culture.
For more details on the OCC’s heightened risk expectations, please download Deloitte’s POV, Stronger: OCC’s heightened expectations.
Posted by Tom Rollauer, Executive Director, Center for Regulatory Strategies, Deloitte & Touche LLP and David Wilson, Senior advisor, Deloitte & Touche LLP