1557-NEW (Heightened Expectations) Supporting (FINAL)


OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches

OMB: 1557-0321





Supporting Statement A

1557-New

A. Justification

  1. Circumstances Making the Collection of Information Necessary

The OCC has issued proposed rules and guidelines, to be codified in 12 CFR part 30, appendix D, to establish minimum standards for the design and implementation of a risk governance framework for large insured national banks, insured Federal savings associations, and insured Federal branches of a foreign bank with average total consolidated assets equal to or greater than $50 billion, as well as minimum standards for a board of directors in overseeing the framework’s design and implementation.


The standards contained in the guidelines would be enforceable under section 39 of the Federal Deposit Insurance Act (FDIA) [1], which authorizes the OCC to prescribe operational and managerial standards for insured national banks, insured Federal savings associations, and insured Federal branches of a foreign bank.


  2. Purpose and Use of the Information Collection


Following the financial crisis, the OCC developed a set of heightened expectations to enhance supervision and strengthen the governance and risk management practices of large national banks.


The proposed guidelines would formalize the OCC’s heightened expectations program. This would further the goal of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 [2] to strengthen the financial system by focusing management and boards of directors on improving and strengthening risk management practices and governance, thereby minimizing the probability and impact of future crises.


The standards for the design and implementation of the proposed guidelines, which contain collections of information, are set forth below.

Standards for Risk Governance Framework

Front Line Units


Banks are required to establish and adhere to a formal, written risk governance framework that is designed by independent risk management, approved by the board of directors or risk committee, and reviewed and updated annually by independent risk management (Framework).


Independent Risk Management


Independent risk management should oversee the bank’s risk-taking activities and assess risks and issues independent of the Chief Executive Officer (CEO) and front line units by: (i) designing a comprehensive written Framework commensurate with the size, complexity, and risk profile of the bank; (ii) identifying and assessing, on an ongoing basis, the bank’s material aggregate risks; (iii) establishing and adhering to enterprise policies that include concentration risk limits; (iv) establishing and adhering to procedures and processes to ensure compliance with enterprise policies; (v) ensuring that front line units meet the standards specified for such units; (vi) identifying and communicating to the CEO and board of directors or risk committee material risks and significant instances where independent risk management’s assessment of risk differs from that of a front line unit, and significant instances where a front line unit is not adhering to the Framework; (vii) identifying and communicating to the board of directors or risk committee material risks and significant instances where independent risk management’s assessment of risk differs from the CEO and significant instances where the CEO is not adhering to, or holding front line units accountable for adhering to, the Framework; (viii) developing, attracting, and retaining talent and maintaining staffing levels required to carry out the unit’s role and responsibilities effectively; and (ix) establishing and adhering to talent management processes and compensation and performance management programs.


Internal Audit


Internal audit should ensure that the bank’s Framework complies with the guidelines and is appropriate for the size, complexity, and risk profile of the bank. It should maintain a complete and current inventory of all of the bank’s material businesses, product lines, services, and functions, and assess the risks associated with each, which collectively provide a basis for the audit plan. It should establish and adhere to an audit plan, updated at least quarterly, that takes into account the bank’s risk profile, emerging risks, and issues. The audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures, and processes established by front line units and independent risk management under the Framework.


Changes to the audit plan should be communicated to the board of directors’ audit committee. Internal audit should report in writing to the audit committee the conclusions, issues, and recommendations from audit work carried out under the audit plan. Reports should identify the root cause of any issue and include: (i) a determination of whether the root cause creates an issue that has an impact on one organizational unit or multiple organizational units within the bank; and (ii) a determination of the effectiveness of front line units and independent risk management in identifying and resolving issues in a timely manner. Internal audit should establish and adhere to processes for independently assessing the design and effectiveness of the Framework on at least an annual basis. The independent assessment should include a conclusion on the bank’s compliance with the standards set forth in the guidelines and the degree to which the bank’s Framework is consistent with leading industry practices. Internal audit should identify and communicate to the board of directors or audit committee significant instances where front line units or independent risk management are not adhering to the Framework. Internal audit should establish a quality assurance department that ensures internal audit’s policies, procedures, and processes comply with applicable regulatory and industry guidance, are appropriate for the size, complexity, and risk profile of the bank, are updated to reflect changes to internal and external risk factors, and are consistently followed. Internal audit should develop, attract, and retain talent and maintain staffing levels required to effectively carry out the unit’s role and responsibilities. Internal audit should establish and adhere to talent management processes. Internal audit should establish and adhere to compensation and performance management programs.


Concentration Risk Management


The Framework should include policies and supporting processes appropriate for the bank’s size, complexity, and risk profile for effectively identifying, measuring, monitoring, and controlling the bank’s concentration of risk.


Risk Data Aggregation and Reporting


The Framework should include a set of policies, supported by appropriate procedures and processes, designed to ensure that the bank’s risk data aggregation and reporting capabilities are appropriate for its size, complexity, and risk profile and support supervisory reporting requirements. Collectively, these policies, procedures, and processes should provide for: (i) the design, implementation, and maintenance of a data architecture and information technology infrastructure that supports the bank’s risk aggregation and reporting needs during normal times and during times of stress; (ii) the capturing and aggregating of risk data and reporting of material risks, concentrations, and emerging risks in a timely manner to the board of directors and the OCC; and (iii) the distribution of risk reports to all relevant parties at a frequency that meets their needs for decision-making purposes.


  3. Use of Improved Information Technology and Burden Reduction


Respondents may use any method of improved technology that meets the requirements of the regulation.


  4. Efforts to Identify Duplication and Use of Similar Information


The required information is unique and is not duplicative of any other information already collected.


  5. Methods Used to Minimize Burden if the Collection Has a Significant Impact on Small Businesses or Other Small Entities


The information collection does not have a significant impact on a substantial number of small businesses or other small entities.


  6. Consequences of Collecting the Information Less Frequently


Collecting the information less frequently would prevent the OCC from developing a set of guidelines to enhance the OCC’s supervision and strengthen the governance and risk management practices of large institutions.

  7. Special Circumstances Relating to the Guidelines of 5 CFR 1320.5


The information collection would be conducted in a manner consistent with 5 CFR Part 1320.5.


  8. Comments in Response to the Federal Register Notice and Efforts to Consult Outside the Agency


In the Federal Register of January 27, 2014 (79 FR 4282), the OCC published the information collection for 60 days of public comment.

  9. Explanation of Any Payment or Gift to Respondents


The OCC has not provided, and has no intention to provide, any payment or gift to respondents under this information collection.


  10. Assurance of Confidentiality Provided to Respondents


The information collection request will be kept private to the extent permissible by law.


  11. Justification for Sensitive Questions


Not applicable. No personally identifiable information is collected.


  12. Estimates of Annualized Burden Hours and Costs


The OCC estimates the burden of this collection of information as follows:

| Standards for Risk Governance Framework | No. of Respondents | No. of Responses per Respondent | Annual No. of Responses | Burden per Response | Total Hours |
|---|---|---|---|---|---|
| Front Line Units | 21 | 1 | 1 | 800 | 16,800 |
| Independent Risk Management | 21 | 1 | 1 | 640 | 13,440 |
| Internal Audit | 21 | 1 | 1 | 960 | 20,160 |
| Concentration Risk Management | 21 | 1 | 1 | 800 | 16,800 |
| Risk Data Aggregation and Reporting | 21 | 1 | 1 | 4,000 | 84,000 |
| Total | | | | 7,200 | 151,200 |



  13. Estimates of Annual Cost Burden to Respondents and Record Keepers


Total annual cost burden:


(a) Total annualized capital and start-up costs associated with the Framework are estimated to be $0 (zero dollars).


(b) Total annualized operations, maintenance, and purchases of services costs are estimated to be $0 (zero dollars).


The above cost estimates are not expected to vary widely among respondents.


  14. Annualized Cost to the Federal Government


No annualized cost to the Federal government.


  15. Explanation for Program Changes or Adjustments


This is a new information collection request.


  16. Plans for Tabulation and Publication and Project Time Schedule


There are no publications.


  17. Reason(s) Display of OMB Expiration Date is Inappropriate


The agency is not seeking to display the expiration date of OMB approval of the information collection.


18. Exceptions to Certification for Paperwork Reduction Act Submissions


There are no exceptions to the certification.


B. Collection of Information Employing Statistical Methods


The collection of this information does not employ statistical methods. Statistical methods are not appropriate for the type of information collected and would not reduce burden or improve accuracy of results.


[1] 12 U.S.C. 1831p-1. Section 39 was enacted as part of the Federal Deposit Insurance Corporation Improvement Act of 1991, P.L. 102-242, section 132(a), 105 Stat. 2236, 2267-70 (Dec. 19, 1991).

[2] Public Law 111-203, 124 Stat. 1376 (2010).



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: juanmanuel.vilela
File Modified: 0000-00-00
File Created: 2021-01-28
