OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches
Supporting Statement A
OMB Control No. 1557-0321
(Assigned but not Approved)
The OCC submitted these collections of information to the Office of Management and Budget (OMB) at the proposed rule stage. OMB filed comments instructing the OCC to examine public comment in response to the proposal and describe in the supporting statement of its next collection any public comments received regarding the collection as well as why (or why it did not) incorporate the commenters’ recommendations. No comments were received regarding the collection. The only change to the collections of information in the final rule and guidelines is the application of the guidelines to insured national banks and insured Federal savings associations with average total consolidated assets less than $50 billion if an institution’s parent company controls at least one insured national bank or insured Federal savings association that has average total consolidated assets of $50 billion or more.
A. Justification
Circumstances Making the Collection of Information Necessary
The OCC has issued final guidelines, to be codified in 12 CFR part 30, appendix D, that establish minimum standards for the design and implementation of a risk governance framework for insured national banks, insured Federal savings associations, and insured Federal branches of a foreign bank (bank). The final guidelines apply to a bank with average total consolidated assets: (i) equal to or greater than $50 billion; (ii) less than $50 billion if that institution’s parent company controls at least one insured national bank or insured Federal savings association that has average total consolidated assets of $50 billion or greater; or (iii) less than $50 billion, if the OCC determines such bank’s operations are highly complex or otherwise present a heightened risk as to warrant the application of the guidelines (covered banks). The final guidelines also establish minimum standards for a board of directors in overseeing the framework’s design and implementation.
The standards contained in the guidelines will be enforceable under section 39 of the Federal Deposit Insurance Act (FDIA)1, which authorizes the OCC to prescribe operational and managerial standards for insured national banks, insured Federal savings associations, and insured Federal branches of a foreign bank.
Purpose and Use of the Information Collection
Following the financial crisis, the OCC developed a set of heightened expectations to enhance supervision and strengthen the governance and risk management practices of large national banks.
The guidelines formalize the OCC’s heightened expectations program. They also further the goal of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 20102 to strengthen the financial system by focusing management and boards of directors on improving and strengthening risk management practices and governance, thereby minimizing the probability and impact of future financial crises.
The standards for the design and implementation of the risk governance framework, which contain collections of information, are set forth below.
Standards for Risk Governance Framework
Covered banks should establish and adhere to a formal, written risk governance framework designed by independent risk management. It should include delegations of authority from the board of directors to management committees and executive officers as well as risk limits established for material activities. It should be approved by the board of directors or the board’s risk committee and reviewed and updated at least annually by independent risk management.
Front Line Units
Front line units should take responsibility and be held accountable by the Chief Executive Officer (CEO) and the board of directors for appropriately assessing and effectively managing all of the risks associated with their activities. In fulfilling this responsibility, each front line unit should, either alone or in conjunction with another organizational unit that has the purpose of assisting a front line unit: (i) assess, on an ongoing basis, the material risks associated with its activities and use such risk assessments as the basis for fulfilling its responsibilities and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the unit’s risk profile or other conditions; (ii) establish and adhere to a set of written policies that include front line unit risk limits. Such policies should ensure risks associated with the front line unit's activities are effectively identified, measured, monitored, and controlled, consistent with the covered bank’s risk appetite statement, concentration risk limits, and all policies established within the risk governance framework; (iii) establish and adhere to procedures and processes, as necessary to maintain compliance with the policies described in (ii); (iv) adhere to all applicable policies, procedures, and processes established by independent risk management; (v) develop, attract, and retain talent and maintain staffing levels required to carry out the unit’s role and responsibilities effectively; (vi) establish and adhere to talent management processes; and (vii) establish and adhere to compensation and performance management programs.
Independent Risk Management
Independent risk management should oversee the covered bank’s risk-taking activities and assess risks and issues independent of the front line units by: (i) designing a comprehensive written risk governance framework commensurate with the size, complexity, and risk profile of the covered bank; (ii) identifying and assessing, on an ongoing basis, the covered bank’s material aggregate risks; (iii) establishing and adhering to enterprise policies that include concentration risk limits; (iv) establishing and adhering to procedures and processes, to ensure compliance with policies in (iii); (v) identifying and communicating to the CEO and board of directors or board’s risk committee material risks and significant instances where independent risk management’s assessment of risk differs from that of a front line unit, and significant instances where a front line unit is not adhering to the risk governance framework; (vi) identifying and communicating to the board of directors or the board’s risk committee material risks and significant instances where independent risk management’s assessment of risk differs from the CEO, and significant instances where the CEO is not adhering to, or holding front line units accountable for adhering to, the risk governance framework; and (vii) developing, attracting, and retaining talent and maintaining staffing levels required to carry out the unit’s role and responsibilities effectively while establishing and adhering to talent management processes and compensation and performance management programs.
Internal Audit
Internal audit should ensure that the covered bank’s risk management framework complies with the Guidelines and is appropriate for the size, complexity, and risk profile of the covered bank. It should maintain a complete and current inventory of all of the covered bank’s material processes, product lines, services, and functions, and assess the risks, including emerging risks, associated with each, which collectively provide a basis for the audit plan. It should establish and adhere to an audit plan, which is periodically reviewed and updated, that takes into account the covered bank’s risk profile, emerging risks, issues, and establishes the frequency with which activities should be audited. The audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures, and processes established by front line units and independent risk management under the risk governance framework. Significant changes to the audit plan should be communicated to the board’s audit committee. Internal audit should report in writing, conclusions and material issues and recommendations from audit work carried out under the audit plan to the board’s audit committee. Reports should identify the root cause of any material issue and include: (i) a determination of whether the root cause creates an issue that has an impact on one organizational unit or multiple organizational units within the covered bank; and (ii) a determination of the effectiveness of front line units and independent risk management in identifying and resolving issues in a timely manner. Internal audit should establish and adhere to processes for independently assessing the design and ongoing effectiveness of the risk governance framework on at least an annual basis. The independent assessment should include a conclusion on the covered bank’s compliance with the standards set forth in the Guidelines. Internal audit should identify and communicate to the board of directors or board’s audit committee significant instances where front line units or independent risk management are not adhering to the risk governance framework. Internal audit should establish a quality assurance program that ensures internal audit’s policies, procedures, and processes comply with applicable regulatory and industry guidance, are appropriate for the size, complexity, and risk profile of the covered bank, are updated to reflect changes to internal and external risk factors, emerging risks, and improvements in industry internal audit practices, and are consistently followed. Internal audit should develop, attract, and retain talent and maintain staffing levels required to effectively carry out its role and responsibilities. Internal audit should establish and adhere to talent management processes. Internal audit should establish and adhere to compensation and performance management programs.
Strategic Plan
The CEO, with input from front line units, independent risk management, and internal audit, should be responsible for the development of a written strategic plan that should cover, at a minimum, a three-year period. The board of directors should evaluate and approve the plan and monitor management’s efforts to implement the strategic plan at least annually. The plan should include a comprehensive assessment of risks of the covered bank, an overall mission statement and strategic objectives, an explanation of how the covered bank will update the risk governance framework to account for projected changes to its risk profile, and be reviewed, updated, and approved pursuant to changes in the covered bank’s risk profile or operating environment that were not contemplated when the plan was developed.
Risk Appetite Statement
A covered bank should have a comprehensive written statement outlining its risk appetite that serves as the basis for the risk governance framework. It should contain qualitative components that define a safe and sound risk culture and how the covered bank will assess and accept risks and quantitative limits that include sound stress testing processes and address earnings, capital, and liquidity.
Risk Limit Breaches
A covered bank should establish and adhere to processes that require front line units and independent risk management to: (i) identify breaches of the risk appetite statement, concentration risk limits, and front line unit risk limits; (ii) distinguish breaches based on the severity of their impact; (iii) establish protocols for disseminating information regarding a breach; (iv) provide a written description of the breach resolution; and (v) establish accountability for reporting and resolving breaches.
Concentration Risk Management
The risk governance framework should include policies and supporting processes appropriate for the covered bank’s size, complexity, and risk profile for effectively identifying, measuring, monitoring, and controlling the covered bank’s concentrations of risk.
Risk Data Aggregation and Reporting
The risk governance framework should include a set of policies, supported by appropriate procedures and processes, designed to provide risk data aggregation and reporting capabilities appropriate for the covered bank’s size, complexity, and risk profile and support supervisory reporting requirements. Collectively, these policies, procedures, and processes should provide for: (i) the design, implementation, and maintenance of a data architecture and information technology infrastructure that supports the covered bank’s risk aggregation and reporting needs during normal times and during times of stress; (ii) the capturing and aggregating of risk data and reporting of material risks, concentrations, and emerging risks in a timely manner to the board of directors and the OCC; and (iii) the distribution of risk reports to all relevant parties at a frequency that meets their needs for decision-making purposes.
Talent and Compensation Management
A covered bank should establish and adhere to processes for talent development, recruitment, and succession planning. The board of directors or appropriate committee should review and approve a written talent management program. A covered bank should also establish and adhere to compensation and performance management programs that comply with any applicable statute or regulation.
Board of Directors Training and Evaluation
The board of directors of a covered bank should establish and adhere to a formal, ongoing training program for all directors. The board of directors should also conduct an annual self-assessment.
Use of Improved Information Technology and Burden Reduction
Respondents may use any method of improved technology that meets the requirements of the final guidelines.
Efforts to Identify Duplication and Use of Similar Information
The required information is unique and is not duplicative of any other information already collected.
Methods Used to Minimize Burden if the Collection Has a Significant Impact on Small Businesses or Other Small Entities
The information collection does not have a significant impact on a substantial number of small businesses or other small entities.
Consequences of Collecting the Information Less Frequently
If the information were collected less frequently, the OCC would encounter significant difficulties in supervising the largest covered banks and determining whether their governance and risk management practices are appropriate.
Special Circumstances Relating to the Guidelines of 5 CFR 1320.5
The information collection would be conducted in a manner consistent with 5 CFR Part 1320.5.
Comments in Response to the Federal Register Notice and Efforts to Consult Outside the Agency
In the Federal Register of January 27, 2014 (79 FR 4282), the OCC published the information collection for 60-days of public comment. No comments were received regarding these collections of information.
Explanation of Any Payment or Gift to Respondents
The OCC has not provided, and has no intention to provide, any payment or gift to respondents under this information collection.
Assurance of Confidentiality Provided to Respondents
The information collection request will be kept private to the extent permissible by law.
Justification for Sensitive Questions
Not applicable. No personally identifiable information is collected.
Estimates of Annualized Burden Hours and Costs
The OCC estimates the burden of this collection of information as follows:
Total number of respondents: 31
Total burden per respondent: 3,776
Total burden for collection: 117,056
Estimates of Annual Cost Burden to Respondents and Record Keepers
Total annual cost burden:
(a) Total annualized capital and start-up costs associated with the risk governance framework is estimated to be $0 (zero dollars).
(b) Total annualized operations, maintenance, and purchases of services costs are estimated to be $0 (zero dollars).
The above cost estimates are not expected to vary widely among respondents.
Annualized Cost to the Federal Government
No annualized cost to the Federal government.
Explanation for Program Changes or Adjustments
This is a new information collection request.
Plans for Tabulation and Publication and Project Time Schedule
There are no publications.
Reason(s) Display of OMB Expiration Date is Inappropriate
The agency is not seeking to display the expiration date of OMB approval of the information collection.
18. Exceptions to Certification for Paperwork Reduction Act Submissions
There are no exceptions to the certification.
B. Collection of Information Employing Statistical Methods
The collection of this information does not employ statistical methods. Statistical methods are not appropriate for the type of information collected and would not reduce burden or improve accuracy of results.
1 12 U.S.C. 1831p-1. Section 39 was enacted as part of the Federal Deposit Insurance Corporation Improvement Act of 1991, P.L. 102-242, section 132(a), 105 Stat. 2236, 2267-70 (Dec. 19, 1991).
2 Public Law 111-203, 124 Stat. 1376 (2010).
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | juanmanuel.vilela |
| File Modified | 0000-00-00 |
| File Created | 2021-01-27 |