The Federal Reserve Board has issued guidelines to examiners explaining how new risk-based exams should work.
The supervisory letter lays out a four-step approach for examiners: identify the risks a bank faces; evaluate how the institution manages those risks; review individual assets; and review the quality of internal auditors.
Risk-based exams will "concentrate examiner resources on areas that expose an institution to the greatest risk," Richard Spillenkothen, the Fed's director of banking supervision and regulation, wrote in the May 24 letter, which is being distributed to all examiners.
The Fed wants its risk-based exams to begin long before its employees enter the bank, Mr. Spillenkothen said. Examiners must identify all of the businesses a bank is involved in, determine what risks those activities pose, and see how the bank manages those risks.
Officials should study items both on and off the balance sheet. Also, they should review all regulatory reports, business plans, stock analyses, and news stories.
Examiners should quantify the risks they uncover, indicating the percentage of a bank's assets dedicated to the activity or the portion of the institution's revenue that comes from it.
Examiners should draw up an on-site-review plan based on this risk assessment, Mr. Spillenkothen said. Areas that pose the greatest risk to the bank or that have the weakest internal controls should undergo "the most rigorous scrutiny and testing," he said.
Banks with strong risk-management controls won't face much on-site testing, he said. Examiners will simply verify whether the controls actually work, he said. But examiners will conduct extensive transaction testing if they believe the bank's controls are weak, he said.
Finally, examiners will meet with auditors during every review to see how the bank monitors its internal controls. For large banks, examiners should conduct similar reviews of outside auditors, he said.
Examiners will rate banks on a five-point scale for the quality of their risk-management systems, he said. Mr. Spillenkothen noted that small banks should not be downgraded if they lack complex risk-management systems. These banks may not require sophisticated systems, he said.
