WASHINGTON The Office of the Comptroller of the Currency proposed formal standards Thursday for how large banks should manage their risk-taking to avoid repeating the missteps made before and during the 2008 financial crisis.
The standards cover everything from how institutions design a multi-pronged framework for improving risk governance to steps ensuring board members can push back against risky management decisions.
The proposal, which is open for comment for 60 days, would put a more formal stamp on a supervisory program begun after the crisis to communicate the OCC's "heightened expectations" for how large banks manage risk. The new guidelines apply to OCC-regulated banks and thrifts with over $50 billion in assets, but the agency said it reserves the right to subject smaller institutions that present heightened risk to the new rules as well.
The guidelines "will contribute to a safer financial system for all of us by providing clear and enforceable standards for the risk management and governance of our largest institutions," Comptroller Thomas Curry said in a press release. "They provide additional supervisory tools to examiners of large national banks and federal savings associations, and they will measurably enhance our supervision of these institutions."
The agency outlined five expectations, including the need for a bank board to appropriately exercise its fiduciary duty to oversee institutions, and the need for a personnel management system that, among other things, ensures compensation tools do not encourage "imprudent risk taking."
Banks are also expected to define and communicate an "acceptable risk appetite" throughout the institution, as well as maintain strong auditing functions. The final expectation calls for independent board members "to acquire a thorough understanding" of the institution's risk profile.
The proposed guidelines describe the different components considered fundamental to an effective risk governance framework.
"These units are front line units, independent risk management, and internal audit," the proposal said. "They are often referred to as the three lines of defense and, together, should establish an appropriate system to control risk taking. These units should also ensure that the board has sufficient information on the bank's risk profile and risk management practices to provide credible challenges to management's recommendations and decisions."
The agency's "heightened expectations" program began in 2010, with examiners communicating the tougher regime in meetings with independent board members and bank executives. Exams of large institutions later incorporated the expectations to assess banks' compliance.
Last fall, Curry said, OCC officials were no longer allowing institutions' risk controls to be just satisfactory.
"As part of this 'heightened expectations' program, we are insisting that internal controls and audit be raised to the standard of 'strong' and we are making it clear that satisfactory ratings are not acceptable," Curry said in a September speech at American Banker's Regulatory Symposium.
The proposal would require banks to complete a written statement formally outlining an institution's risk appetite.
"The term risk appetite means the aggregate level and types of risk the board and management are willing to assume to achieve the bank's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements," the proposal said.
"The board and management should ensure that the level and types of risk they are willing to assume to achieve the bank's strategic objectives and business plan are consistent with its capital and liquidity needs and requirements, as well as other laws and regulatory requirements applicable to the bank."
The written statement should include both qualitative and quantitative components. The former, among other things, should include a description of a "safe and sound 'risk culture.'"
"Setting an appropriate tone at the top is critical to establishing a sound risk culture, and the qualitative statements within the statement should articulate the core values that the board and CEO expect employees throughout the bank to share when carrying out their respective roles and responsibilities within the bank," the agency said.
Quantitatively, the statement should address sound stress testing procedures, as well as the "bank's earnings, capital and liquidity positions."
The proposal also says that an institution's board should include at least two directors who are not part of the bank's or the parent company's management.
The agency laid out steps for how it will enforce the standards as well. An institution not in compliance could be required to submit a plan describing its steps for meeting the new standards.