FRB proposes new supervisory expectations for senior management, business line management, independent risk management and controls of large financial institutions

In connection with its August 2017 proposal to establish a new rating system for large financial institutions (LFIs)¹, the Federal Reserve Board (FRB) issued proposed guidance on January 4, 2018 outlining supervisory expectations for senior management, business line management, and independent risk management (IRM) and controls in the form of principles.²

Once finalized, the guidance will help inform the FRB’s overall evaluation of a firm’s governance and controls (i.e., one of the three components of the new rating system, along with capital planning and positions and liquidity risk management and positions). The proposed guidance is generally consistent with a high-level preview of expectations provided in the August rating system proposal, though the guidance would now also extend to the US operations of foreign banking organizations (FBOs).³

The proposed guidance would apply to US bank holding companies (BHCs), savings and loan holding companies (SLHCs), and the combined US operations of FBOs with more than $50 billion in total assets, as well as state member bank subsidiaries of these organizations and nonbank financial companies designated for enhanced supervision by the Financial Stability Oversight Council.

Key takeaways

  • The principles appear broadly consistent with longstanding supervisory expectations evidenced in past guidance⁴ and supervisory feedback, and do not appear to establish “new” requirements.
  • The principles consolidate and clarify risk management expectations by better describing and delineating those key elements of governance and controls across the three lines of defense that the FRB believes are most critical for a firm to be well managed.
  • Specifically, the principles distinguish between responsibilities of senior management versus business line management, while responsibilities for senior management versus the board are described through the August 2017 proposal on board effectiveness.
  • The proposed guidance recognizes variations in the structure and reporting of IRM functions; however, expectations for firm-wide compliance risk management programs remain in line with current supervisory guidance.⁵
  • Accountability and management of conduct risk is emphasized in management of business lines, including a focus on detection, prevention, and remediation of risk and compliance issues, along with requirements to ensure an appropriate system of controls for compliance with laws, regulations, supervisory guidance, and internal policies.
  • Compared to the high-level guidance previewed in August, the proposal changes the term “core business lines” to simply “business lines,” but leaves the substance of coverage largely the same.
  • As principles, the guidance provides discretion to line supervisors and onsite and specialist teams to interpret whether institutions are in practice meeting the spirit and substance of the guidance.
  • Institutions should consider whether their business-as-usual governance and controls reporting and related documentation are well aligned and framed to demonstrate adherence to the principles to supervisors.
  • The proposal suggests that the FRB expects documentation to evidence linkage and interconnections between strategy, risk tolerance/limits, and reporting to enable monitoring and escalation. Although this expectation is not entirely new, it is now deliberate across roles.

The FRB does not expect to examine all of a firm’s business lines during a single year.  Rather, consistent with current practice, it would use a risk-based approach to determine which business lines to examine.

Comments on the proposed guidance are due by March 15, 2018, timed to be reviewed with the LFI rating system and the board effectiveness proposals (comments on which are due February 15, 2018).

Core principles of effective senior management

The proposed guidance emphasizes that two key responsibilities of senior management (i.e., the “core group of individuals directly accountable to the board of directors for the sound and prudent day-to-day management of the firm”) are overseeing the activities of the firm’s business lines and the firm’s IRM and system of internal controls.

Core principles of the management of business lines

For business line management (i.e., the “core group of individuals responsible for the prudent day-to-day management of the business line and who report directly to senior management”), the FRB stresses the need to execute activities consistent with the firm’s strategy and risk tolerance, identify and manage risk within the business line, provide sufficient resources and infrastructure to the business line, ensure the business line has the appropriate system of internal control, and ensure accountability for operating within established policies and guidance and in accordance with laws and regulations.

The proposed guidance does not include specific expectations regarding a firm’s organizational structure.

Core principles of IRM and controls

With respect to IRM and controls, including the chief risk officer (CRO) and chief audit executive (CAE), the FRB underscores the need to evaluate the firm’s risk tolerance, establish enterprise-wide risk limits and monitor adherence to those limits, identify, measure, and aggregate risks, provide an independent assessment of the firm’s risk profile, and provide risk reports to the board and senior management.

For internal controls, the proposed guidance expands upon the expectation outlined in SR 12-17,⁶ noting that a firm should identify its system of internal control and demonstrate that the system is commensurate with its size, scope, activities, risk profile, strategy, and risk tolerance. It should also regularly evaluate and test the effectiveness of internal controls, and monitor the functioning of controls so that deficiencies are identified and communicated in a timely manner.

Notably, the proposed guidance would not expand upon the FRB’s expectations for internal audit; instead, it references existing guidance under SR 03-5⁷ and SR 13-1.⁸

Recordkeeping requirements

The FRB notes that the proposed guidance contains recordkeeping requirements, including the establishment of (1) specific business and risk objectives for business lines and (2) policies and guidelines that delineate accountability within the business line.

In addition, the guidance sets forth expectations for the IRM function, including the scope of a firm’s risk limits and an expectation for a written risk assessment that would be provided to the senior management and, as appropriate, the board.  The guidance also sets forth expectations for internal audit, including an expectation for an internal audit risk assessment and audit reports.

The FRB seeks comments on this piece of the proposal, including ways to minimize the burden of the information collections on respondents, such as through the use of automated collection techniques or other forms of information technology.

Application to FBOs

The proposed guidance would apply to an FBO’s combined US operations, including branch and subsidiary operations. It would cover both firms in the Large Institution Supervision Coordinating Committee (LISCC) portfolio and non-LISCC firms that meet the asset threshold.

The FRB recognizes that certain elements of an FBO’s governance framework may be located outside the US, but would require such elements to “enable effective governance and risk management by the US senior management, the US risk committee, and the [IHC] board (as applicable), and should facilitate US supervisors’ ability to assess the adequacy of governance and controls in the combined US operations.”

With respect to the principles for senior management, the proposed guidance acknowledges that senior management can refer to individuals located inside or outside the US who are accountable to the IHC board, US risk committee, or global board of directors.  However, the FRB stresses that, regardless of location, senior management should “fully understand the risks of US operations and communicate information on the risks of combined US operations to global management so that these risks are included in the aggregate risk management of the global organizations.”  Further, senior management with authority over budgeting or strategy for the US operations should “allocate appropriate resources and expertise to meet the expectations” of the guidance.

Notably, the proposed guidance also provides FBOs the flexibility to separately develop the risk tolerance for the IHC and branch operations.  With respect to the principles for business line management, the FRB recognizes that a US business line may be part of a larger global business line, and clarifies that the guidance only applies to the portion of the business conducted in the US.  Although the FRB notes that it tailored the proposed guidance for FBOs, it seeks public comment on how this tailoring could be improved.


The new rating system for LFIs would fully align with the FRB’s supervisory programs, processes and priorities across the three key pillars.  By reframing the rating system and providing more guidance, there should be greater transparency into how the results of various examinations, including horizontal examinations, and other activities translate into safety and soundness ratings.  In turn, LFI boards and senior management have further opportunities to self-identify issues, hold responsible parties accountable, and proactively initiate improvement in areas that are less than satisfactory prior to regulatory mandates.

As further developments occur, Deloitte will issue additional updates as appropriate.

Organizations may contact Deloitte with questions about the changes and activities to support planning, preparation, and compliance.


David Wright
Managing Director | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

Irena Gecas-McCarthy
Principal | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

Monica Lalani
Principal | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

Michele Crish
Managing Director | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

Edward Hida
Partner | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

Chris Spoth
Managing Director | Deloitte Risk and Financial Advisory
Executive Director, Center for Regulatory Strategy, Americas
Deloitte & Touche LLP

Richard Rosenthal
Senior Manager | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

Alex LePore
Senior Consultant | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP

1 Federal Reserve System, Notice of Proposed Rulemaking, Large Financial Institution Rating System; Regulations K and LL, 82 Fed. Reg. 39049 (August 17, 2017), available at
2 Board of Governors of the Federal Reserve System, “Federal Reserve Board requests comment on proposed guidance that would clarify Board’s supervisory expectations related to risk management for large financial institutions,” (January 4, 2018), available at
3 Also in August 2017, the FRB issued a proposal identifying attributes of effective boards of directors. Among other things, the proposal seeks to better delineate the roles, responsibilities, and accountabilities among senior management and the board.
4 For covered firms, the proposed guidance would supersede Supervision and Regulation (SR) Letter 95-21 (Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies).
5 See SR Letter 08-8 (Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance), available at
6 See SR Letter 12-17 (Consolidated Supervision Framework for Large Financial Institutions), available at
7 See SR Letter 03-5 (Amended Interagency Guidance on the Internal Audit Function and its Outsourcing), available at
8 See SR Letter 13-1 (Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing), available at

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2018 Deloitte Development LLC. All rights reserved.
