How the OCC Is Tightening the Screws on the Biggest Banks

WASHINGTON — Comptroller of the Currency Thomas Curry has warned banks since he took office almost two years ago that his agency expects the largest institutions to comply with "heightened standards" to guard against excessive risk taking.

But a recent proposal issued by the OCC is even tougher than institutions expected — and would give the agency greater authority to punish a firm it feels is not up to snuff.

"This proposal is quite different and far more extensive than the informal heightened expectations previously talked about," said Karen Shaw Petrou, a managing partner at Federal Financial Analytics. "Calling it a rule means there will be extra teeth behind it… It has a significant strategic impact for large financial institutions."

The proposal, issued last month, would require banks with more than $50 billion of assets to form new risk governance structures extending from the board of directors through senior management and down into the front lines of the institution.

While all three banking regulators have been putting pressure on management and board members to ramp up oversight of their bank, observers said the OCC's plan is deeper and more detailed.

"It formalizes and amplifies guidance that's already been out there in various forms and it creates an enforcement opportunity if banks don't meet those standards," said Jo Ann Barefoot, co-chair at Treliant Risk Advisors. "It's evolutionary for sure but it's also new … This is going to be a lot of work for some large banks because it is an effort at managing an entire culture and the quality of the outcomes may be uneven."

The proposal focuses heavily on the relationship between a bank's board and its management. It would require that at least two directors be independent of the bank and parent company and that they are appropriately trained. Overall, the board must prove that it maintains healthy skepticism of management's business plan. The OCC's plan suggests that the board proves its independence by "questioning, challenging, and when necessary, opposing" management's proposals.

"It is vitally important that each director be engaged in order to understand the risks being taken by his or her institution and to ensure that those risks are well managed. Informed directors who exercise independent judgment can better question the propriety of strategic initiatives and assess the balance between risk taking and reward," Curry told the Senate Banking Committee last week. "An effective board also should actively oversee management. Directors should be in a position to present a credible challenge to bank management while fulfilling their duty to preserve the sanctity of the national bank or federal savings association charter."

Industry observers said they understand the OCC's goals, but worry it will increase legal liability for board directors, making it even harder to find qualified participants.

"In effect, you're increasing exposure to liability of the board beyond its fiduciary obligation to shareholders by blurring the roles of day-to-day management and board oversight, which is really providing general advice," said Michael Bleier, a partner at Reed Smith. As a board member, "your personal assets are now at risk, you could be personally sued and you have to be able to show you discharged responsibility effectively…That's an issue they really do have to deal with and I think you will see lot of comments along those lines."

The proposal would also require a bank's risk management to be assessed separately from the parent company unless at least 95% of the bank's assets constitute the holding company's assets.

"Banks may have to set up new units at the bank level in order to have a framework in accordance with the guidelines," said Julie Williams, a managing director and head of the domestic advisory practice at Promontory Financial Group, and the OCC's former chief counsel. "There would need to be a risk appetite statement that works for the bank; risk limits that are bank-specific; and then risk limits get pushed down to lines of business within the bank."

Some see the proposal as another way for the regulators to force the largest banks to simplify and become smaller.

"This takes the biggest national banks and converts them into utilities so the light stays on at all times," Petrou said. "If that's the way the policy is going, it's a totally different business model than how large banks operate. It also means they will likely see 5% to 7% returns on equity and not the 20% they were used to."

Another key provision of the plan would require large banks to establish three units of defense — in front line business, independent risk management and internal audit — to assess a bank's risk and perform extensive stress tests in each.

Though many banks already have similar units, the proposal is likely more extensive than what most current units perform. For example, the plan considers front line units to include not just groups that produce revenue, but back-office activities like human resources, legal and information technology.

It also outlines new responsibilities for a chief audit executive and would require auditors to independently assess that the bank's risk governance is "consistent with leading industry practices," which many auditors are not used to, according to bank consultants. That may also create some confusion and time-consuming overlap across business lines, they said.

The proposal is "emphasizing that each of those units be independent and accountable to show that it has measured and monitored the risk metrics," Barefoot said. "That is going to probably produce some redundancy in what they do. And the lament you hear from banks is they don't have time to serve their customers because they are so busy reporting what they are doing internally. This will reinforce that tendency."

However, Barefoot added that problem would recede as banks become more efficient under the new standards.

"The regulators, generally speaking, don't trust the first line of defense. They feel it has to be policed by the second and third line of defense," she said. "But over time, the business lines themselves will do a better job of internalizing the risks and regulatory standards. And someday, maybe we can have smaller, more effective risk and audit functions that are able to catch the exceptions but not have to oversee everything that the bank is doing."

Despite the added burden envisioned by the proposal, some consultants said banks at least now have written standards for risk management expectations — an area where regulators have largely issued only verbal cautions in recent years.

"I think we're in a period of significant change and heightened regulatory change by banks and these guidelines certainly add to that agenda," said Edward Hida, the global leader of the risk and capital management team at Deloitte & Touche LLP. At the same time, the proposal "clarifies a lot of expectations out there so in some ways, it's better to have clarified so banks can expect to know what regulators are shooting for which should be a relief for them."

The proposal only applies to national banks, thrifts or branches of foreign banks with average total assets of $50 billion or more. But observers said it is possible that the plan could apply to more institutions over time.

"Smaller or mid-size institutions shouldn't be breathing a sigh of relief here," Williams said. "The OCC also reserves the right to pull in institutions below $50 billion in assets for reasons of complexity or higher risk. And what you often see where you have a set of detailed standards that apply to larger institutions is that some concepts — even those that do not formally apply — begin to trickle down to smaller institutions."