In connection with its August 2017 proposal to establish a new rating system for large financial institutions (LFIs),[1] the Federal Reserve Board (FRB) issued proposed guidance on January 4, 2018, outlining supervisory expectations for senior management, business line management, and independent risk management (IRM) and controls in the form of principles.[2]
Once finalized, the guidance will help inform the FRB’s overall evaluation of a firm’s governance and controls (i.e., one of the three components of the new rating system, along with capital planning and positions and liquidity risk management and positions). The proposed guidance is generally consistent with a high-level preview of expectations provided in the August rating system proposal, though the guidance would now also extend to the US operations of foreign banking organizations (FBOs).[3]
The proposed guidance would apply to US bank holding companies (BHCs), savings and loan holding companies (SLHCs), and the combined US operations of FBOs with more than $50 billion in total assets, as well as state member bank subsidiaries of these organizations and nonbank financial companies designated for enhanced supervision by the Financial Stability Oversight Council.
The FRB does not expect to examine all of a firm’s business lines during a single year. Rather, consistent with current practice, it would use a risk-based approach to determine which business lines to examine.
Comments on the proposed guidance are due by March 15, 2018, timed to be reviewed with the LFI rating system and the board effectiveness proposals (comments on which are due February 15, 2018).
Core principles of effective senior management
The proposed guidance emphasizes that two key responsibilities of senior management (i.e., the “core group of individuals directly accountable to the board of directors for the sound and prudent day-to-day management of the firm”) are overseeing the activities of the firm’s business lines and the firm’s IRM and system of internal controls.
Core principles of the management of business lines
For business line management (i.e., the “core group of individuals responsible for the prudent day-to-day management of the business line and who report directly to senior management”), the FRB stresses the need to execute activities consistent with the firm’s strategy and risk tolerance, identify and manage risk within the business line, provide sufficient resources and infrastructure to the business line, ensure the business line has the appropriate system of internal control, and ensure accountability for operating within established policies and guidance and in accordance with laws and regulations.
The proposed guidance does not include specific expectations regarding a firm’s organizational structure.
Core principles of IRM and controls
With respect to IRM and controls, including the chief risk officer (CRO) and chief audit executive (CAE), the FRB underscores the need to evaluate the firm’s risk tolerance, establish enterprise-wide risk limits and monitor adherence to those limits, identify, measure, and aggregate risks, provide an independent assessment of the firm’s risk profile, and provide risk reports to the board and senior management.
For internal controls, the proposed guidance expands upon the expectation outlined in SR 12-17,[6] noting that a firm should identify its system of internal control and demonstrate that the system is commensurate with its size, scope, activities, risk profile, strategy, and risk tolerance. It should also regularly evaluate and test the effectiveness of internal controls, and monitor the functioning of controls so that deficiencies are identified and communicated in a timely manner.
Notably, the proposed guidance would not expand upon the FRB’s expectations for internal audit; instead, it references existing guidance under SR 03-5[7] and SR 13-1.[8]
The FRB notes that the proposed guidance contains recordkeeping requirements, including the establishment of (1) specific business and risk objectives for business lines and (2) policies and guidelines that delineate accountability within the business line.
In addition, the guidance sets forth expectations for the IRM function, including the scope of a firm’s risk limits and an expectation for a written risk assessment that would be provided to senior management and, as appropriate, the board. The guidance also sets forth expectations for internal audit, including an expectation for an internal audit risk assessment and audit reports.
The FRB seeks comments on this piece of the proposal, including ways to minimize the burden of the information collections on respondents, including through the use of automated collection techniques or other forms of information technology.
Application to FBOs
The proposed guidance would apply to an FBO’s combined US operations, including branch and subsidiary operations. It would cover both firms in the Large Institution Supervision Coordinating Committee (LISCC) portfolio and non-LISCC firms that meet the asset threshold.
The FRB recognizes that certain elements of an FBO’s governance framework may be located outside the US, but would require such elements to “enable effective governance and risk management by the US senior management, the US risk committee, and the [IHC] board (as applicable), and should facilitate US supervisors’ ability to assess the adequacy of governance and controls in the combined US operations.”
With respect to the principles for senior management, the proposed guidance acknowledges that senior management can refer to individuals located inside or outside the US who are accountable to the IHC board, US risk committee, or global board of directors. However, the FRB stresses that, regardless of location, senior management should “fully understand the risks of US operations and communicate information on the risks of combined US operations to global management so that these risks are included in the aggregate risk management of the global organizations.” Further, senior management with authority over budgeting or strategy for the US operations should “allocate appropriate resources and expertise to meet the expectations” of the guidance.
Notably, the proposed guidance also provides FBOs the flexibility to separately develop the risk tolerance for the IHC and branch operations. With respect to the principles for business line management, the FRB recognizes that a US business line may be part of a larger global business line, and clarifies that the guidance only applies to the portion of the business conducted in the US. Although the FRB notes that it tailored the proposed guidance for FBOs, it seeks public comment on how this tailoring could be improved.
The new rating system for LFIs would fully align with the FRB’s supervisory programs, processes and priorities across the three key pillars. By reframing the rating system and providing more guidance, there should be greater transparency into how the results of various examinations, including horizontal examinations, and other activities translate into safety and soundness ratings. In turn, LFI boards and senior management have further opportunities to self-identify issues, hold responsible parties accountable, and proactively initiate improvement in areas that are less than satisfactory prior to regulatory mandates.
As further developments occur, Deloitte will issue additional updates as appropriate.
Organizations may contact Deloitte with questions about the changes and activities to support planning, preparation, and compliance.
[1] Federal Reserve System, Notice of Proposed Rulemaking, Large Financial Institution Rating System; Regulations K and LL, 82 Fed. Reg. 39049 (August 17, 2017), available at https://www.gpo.gov/fdsys/pkg/FR-2017-08-17/pdf/2017-16736.pdf.
Copyright © 2018 Deloitte Development LLC. All rights reserved.