Final Risk Guidelines Represent a 'Sea Change' in Regulation

WASHINGTON — Large banks and their boards of directors won a slight reprieve in final guidance issued this week by the Office of the Comptroller of the Currency that sets "heightened expectations" for risk management.

The agency made several key changes to the wording in the final document, including easing up on potential legal liability for board members and senior officials and clarifying the establishment of appropriate lines of defense for risk management.

Yet even with the tweaks, the guidance represents a significant shift in the power given to examiners when supervising the biggest banks, experts said.

"It is a sea change in regulation and banking as a whole," said Gregory Lyons, a corporate partner at Debevoise & Plimpton and co-chair of the financial institutions group. "As important as the rule itself, is the flexibility and enforcement it gives the OCC and the ability to change practices it deems are wrong."

Julie Williams, head of the domestic advisory practice at Promontory Financial Group and a former chief counsel at the OCC, said the final guidance "reflects some practical, sensible adjustments from the proposal.

"But that does not detract from the basic objectives and rigor of the proposal," she said.

Regulators have long taken banks to task for insufficient risk management practices, but the OCC is the first to issue formal guidance outlining its expectations, making it a likely tool for future enforcement actions.

Many industry representatives were pleased, however, that the final guidelines issued Sept. 2 dialed back expectations for banks' boards of directors. The proposal said it was the "duty" of boards to "ensure" the bank was appropriately following risk governance procedures. Several observers said that those words could mean greater legal liability for board members and potentially scare off qualified candidates.

The final guidance replaced "duty" and "ensure," saying board members must "actively oversee" and "require" banks to take appropriate steps.

"I was pleased to see they did make some change," said Ralph Sharpe, head of Venable's financial services group risk management and compliance team. For example, "there was an impression given to the board that they would be required to take on what might be considered more management roles and in the final guidance the OCC stressed that that was not their intent."

An OCC official said that "the final guidelines were revised to avoid imposing undue operational burdens and overly prescriptive requirements on board members that might be construed as imposing managerial responsibilities."

Doug Roeder, managing director in the financial services regulatory practice at PricewaterhouseCoopers, said that it does ease legal concerns, "particularly where there's clarity around the role and responsibility of the board."

Still, the overall message to board directors is clear.

"Something that didn't change is the importance that risk governance for large banks or thrifts starts with the board," Roeder said. "It's a lot of responsibility and that in itself could make it difficult to attract independent directors."

In the final guidelines, the OCC did reject other industry requests. For example, bankers had raised concerns about a provision of the proposal that said boards must "question, challenge, and, when necessary oppose" management on certain actions related to risk. The fear is that such language will create a rift between management and the board, and prevent an open dialogue. But the OCC kept such language in its final guidelines, emphasizing that by challenging management, board members will have more information.

"In addition to resulting in a more informed board of directors, the OCC expects that this provision will enable the board to make a determination as to whether management is adhering to, and understands, the [risk governance] framework," the final guidelines said. "For example, recurring breaches of risk limits or actions that cause the covered bank's risk profile to materially exceed its risk appetite may demonstrate that management does not understand or is not adhering to the framework. In these situations, the board of directors should take action to hold the appropriate party, or parties, accountable."

Yet the OCC did make adjustments in another critical area, which specified that banks must create a "front line" of defense in risk management that included select departments normally involved with customers to oversee some risk management functions. Bankers raised concerns that such a requirement might include personnel involved in back-office functions like legal and human resources. The final guidance issued a clarification that said the front line would include anyone involved in generating revenue for the bank, products or services to customers, or technology services. In doing so, it relieved some of the back-office personnel like HR and legal.

The adjustment "helps clarify where the industry was concerned and it certainly provides the institutions a clear way to figure out how the support functions or units can align themselves" with the front line, Roeder said.

The final guidelines still require several other lines of defense beyond the front line, including the formation of an independent risk management unit that reports to the chief executive officer, and an internal audit group that oversees top officials on down. Each group has an extensive list of criteria to meet.

The OCC has "been practical in making adjustments that recognize certain realities about how the industry operates and how these standards are working in practice but they haven't pulled back," Williams said. "The front lines still need to recognize, monitor, manage, control and report on their risks. The independent risk management line has to be rigorous and the audit group has to be proactive."

The OCC also eased some duplication by allowing some banks to use the expertise of the parent company, such as sharing a chief audit officer, under certain circumstances. This was seen as an improvement from the proposal, which said the only time a bank could share risk management functions with a parent was if 95% or more of its average total assets also represent the holding company's assets. The final guidance upheld that rule but added that it would consider "other factors" to include banks that sent a written request showing their risk profile is similar to the parent.

Observers said it may take time for the OCC to begin using the guidance in enforcement actions, since it needs to give banks time to implement the new standards. The OCC has set up a tiered implementation deadline, starting with 60 days after the guidance is published in the Federal Register for the largest banks, and up to 18 months for those with average total assets of $50 billion to $100 billion.

The OCC official said examiners have applied the heightened expectations to large national banks since 2010 and will follow the tiered implementation approach as outlined in the guidance during exams going forward.

"If a covered bank fails to meet a standard prescribed by guideline, the OCC has the discretion to require the bank to submit a plan specifying the steps it will take to comply with the standard," the official said. "The OCC may issue an enforceable order [by law] if the institution, after notification that it is violating a safety and soundness standard, fails to submit an acceptable compliance plan, or fails in any material respect to implement an accepted plan. In those cases, the OCC has a spectrum of enforcement tools available ranging from formal agreement, to cease-and-desist orders and civil money penalties based on the specific facts of each case."
