1557-0333 Recovery Planning Supporting Statement NPR (Submitted to OMB)

OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches

Supporting Statement

OMB Control No. 1557-0333

A. Justification.

1. Circumstances that make the collection of information necessary:

In 2016, the OCC issued guidelines applicable to each insured national bank, insured Federal savings association, and insured Federal branch of a foreign bank (together, banks) with average total consolidated assets equal to or greater than $50 billion (covered banks). The guidelines stated that each covered bank should develop and maintain a recovery plan that is appropriate for its individual size, risk profile, activities, and complexity, including the complexity of its organizational and legal entity structure, in order to be able to respond quickly to and recover from the financial effects of severe stress. The guidelines established standards for this recovery planning. In 2018, the OCC raised the threshold from $50 billion to $250 billion.

This supporting statement is being filed in connection with an OCC-issued proposed rule that would expand the recovery planning guidelines to apply to banks with average total consolidated assets of $100 billion or more. The proposed rule would also incorporate a testing standard for recovery plans and clarify the role of non-financial (including operational and strategic) risk in recovery planning.

2. Use of the information:

Proposed Updates to Collection

Testing standard. A covered bank should test its overall recovery plan, and each element of the plan, to ensure that it will be an effective tool during periods of severe stress. To meet the testing standard, a covered bank may simulate severe financial and non-financial stress scenarios to confirm that the plan is likely to work as intended when the covered bank is experiencing severe stress. Testing should, for example, (1) ensure that the plan’s triggers appropriately reflect the covered bank’s particular vulnerabilities and will, in practice, provide the covered bank with timely notice of a continuum of increasingly severe stress, ranging from warnings of the likely occurrence of severe stress to the actual existence of severe stress; (2) enable management and the board to verify that the bank has identified credible options and is adequately prepared to carry out these options, as needed, during a period of severe stress; (3) be sufficient to provide management and the board with similar assurances regarding the other elements of the plan and, ultimately, the plan as a whole; and (4) be risk-based and reflect the covered bank’s size, risk profile, activities, and complexity. A covered bank should test its recovery plan periodically but not less than annually. If the testing reveals weaknesses or deficiencies in a recovery plan, a covered bank should revise its recovery plan as appropriate following testing.

Non-financial risk. When developing and maintaining its recovery plan, each covered bank should appropriately consider both financial and non-financial risks (including operational and strategic risk).

Triggers. A recovery plan should identify financial and non-financial triggers that appropriately reflect the covered bank’s particular vulnerabilities.

Impact assessments. For each recovery option, a covered bank should assess and describe how the option would affect the covered bank. This impact assessment and description should specify the procedures the covered bank would use to maintain the financial strength and viability of its material entities, critical operations, and core business lines for each recovery option. For each option, the recovery plan’s impact assessment should address the following: (1) the effect on the covered bank’s capital, liquidity, funding, and profitability; (2) the effect on the covered bank’s material entities, critical operations, and core business lines, including reputational impact; (3) the effect on the covered bank’s risk profile as a result of changes to its financial and non-financial risk; and (4) any legal or market impediment or regulatory requirement that must be addressed or satisfied in order to implement the option.

Relationship to other processes; coordination with other plans. A covered bank should (1) integrate its recovery plan into its risk governance functions and (2) align its recovery plan with its other plans, such as its strategic, operational (including business continuity and resilience program), contingency, capital (including stress testing), liquidity, and resolution planning. The covered bank’s recovery plan also should be specific to that covered bank and coordinated with any recovery and resolution planning efforts by the bank’s holding company.

Previously Approved Collection

Overview of covered bank. A recovery plan should describe the covered bank’s overall organizational and legal entity structure, including its material entities, critical operations, core business lines, and core management information systems. The plan should describe interconnections and interdependencies (1) across business lines within the covered bank; (2) with affiliates in a bank holding company structure; (3) between a covered bank and its foreign subsidiaries; and (4) with critical third parties.

Options for recovery. A recovery plan should identify a wide range of credible options that a covered bank could undertake to restore financial strength and viability, thereby allowing the bank to continue to operate as a going concern and to avoid liquidation or resolution. A recovery plan should explain how the covered bank would carry out each option and describe the timing required for carrying out each option. The recovery plan should specifically identify the recovery options that require regulatory or legal approval.

Escalation procedures. A recovery plan should clearly outline the process for escalating decision-making to the covered bank’s senior management, the board of directors, or appropriate committee of the board of directors (board), as appropriate, in response to the breach of any trigger. The recovery plan should also identify the departments and persons responsible for executing the decisions of senior management or the board.

Management reports. A recovery plan should require reports that provide senior management or the board with sufficient data and information to make timely decisions regarding the appropriate actions necessary to respond to the breach of a trigger.

Communication procedures. A recovery plan should provide that the covered bank will notify the OCC of any significant breach of a trigger and any action taken or to be taken in response to such breach and should explain the process for deciding when a breach of a trigger is significant. A recovery plan also should address when and how the covered bank will notify persons within the organization and other external parties of its action under the recovery plan. The recovery plan should specifically identify how the covered bank will obtain required regulatory or legal approvals.

Other information. A recovery plan should include any other information that the OCC communicates in writing directly to the covered bank regarding the covered bank’s recovery plan.

Management’s and Board of Directors’ Responsibilities. A covered bank’s recovery plan should address the responsibilities of the bank’s management and board with respect to the plan. Specifically, management should review the recovery plan at least annually and in response to a material event. It should revise the plan as necessary to reflect material changes in the covered bank’s size, risk profile, activities, and complexity, as well as changes in external threats. This review should evaluate the organizational structure and its effectiveness in facilitating a recovery. The board is responsible for overseeing the covered bank’s recovery planning process. The board of a covered bank should review and approve the recovery plan at least annually, and as needed to address significant changes made by management.

3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology. Describe any consideration of using information technology to reduce burden:

Respondents may use any technology compatible with meeting the guidelines.

4. Efforts to identify duplication:

The OCC recognizes that many covered banks already engage in significant planning, including planning responses to cyber-attacks, business interruptions, and leadership vacancies. Some covered banks also undertake a range of other planning, including strategic, operational, contingency, capital, liquidity, and resolution. The same is true for their parent holding companies or affiliates. The OCC does not intend for a covered bank’s recovery planning to be needlessly burdensome or duplicative of these other planning processes. The OCC expects, however, that a covered bank’s recovery plan will identify the recovery strategies that are specific to that bank and, as appropriate, distinguishable from the recovery strategies of its holding company or affiliates. Furthermore, while the OCC encourages covered banks to leverage their existing processes, including by incorporating or cross-referencing portions or elements of relevant plans, in most cases, it is unlikely that a covered bank will be able to use a plan prepared for another purpose or entity to satisfy the guidelines. The purpose of the guidelines is to provide a comprehensive framework for evaluating the financial effects of severe stress on the covered bank and the recovery options that would allow that bank to remain viable under such stress.

5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.

Not applicable.

6. Consequence to Federal program if the collection were conducted less frequently:

If a covered bank were to prepare, review, or revise its recovery plan less frequently than provided in the rule, the bank would be less prepared to respond to and recover from the financial effects of severe stress, which could threaten its viability or the safety and soundness of its operations.

7. Special circumstances that would cause an information collection to be conducted in a manner inconsistent with 5 CFR par 1320:

The information collection will be conducted in a manner consistent with 5 CFR part 1320.5(d)(2).

8. Efforts to consult with persons outside the agency:

The OCC issued a notice of proposed rulemaking on July 03, 2024, 89 FR 55114.

9. Payment or gift to respondent:

Not applicable.

10. Any assurance of confidentiality:

The information collection request will be kept private to the extent permissible by law.

11. Justification for questions of a sensitive nature:

None.

12. Burden estimate:

Total Number of Respondents: 21.

Total Burden per Respondent: 32,017 hours.

Total Burden for Collection: 672,360 hours.

Cost of Hour Burden

672,360 hours x $129.40 = $87,003,384

To estimate wages the OCC reviewed May 2023 data for wages (by industry and occupation) from the U.S. Bureau of Labor Statistics (BLS) for credit intermediation and related activities (NAICS 5220A1). To estimate compensation costs associated with the rule, the OCC uses $129.40 per hour, which is based on the average of the 90th percentile for six occupations adjusted for inflation (4.3 percent as of Q1 2024), plus an additional 34.6 percent for benefits (based on the percent of total compensation allocated to benefits as of Q4 2023 for NAICS 522: credit intermediation and related activities).

13. Estimate of total annual costs to respondents (excluding cost of hour burden in Item #12)

None.

14. Estimate of annualized cost to the Federal government:

None.

15. Change in burden:

Prior Burden: 60,344

Current Burden: 672,360 hours.

Difference: + 612,016 hours.

The new testing standard and inclusion of non-financial risks will increase burden hours for existing covered banks.  Additionally, compliance by newly covered banks will add burden hours and will involve significant engagement across various stakeholders in the front-line unit, independent risk management, and internal audit.  The increase in burden is also driven by an original underestimation of burden hours. 

16. Information regarding collections whose results are to be published for statistical use:

Not applicable.

17. Reasons for not displaying OMB approval expiration date:

Not applicable.

18. Exceptions to the certification statement:

Not applicable.

B. Collections of Information Employing Statistical Methods

Not applicable.