OCC’s Heightened Risk Management “Guidelines” for Bank Directors – Where is the Due Process?
On September 2, 2014, the Comptroller of the Currency finalized “guidelines” to require national and federal savings banks (and certain foreign banks) with assets of $50 billion or more to establish and implement a risk governance framework to manage and control the bank’s risk-taking activities. The Guidelines also require boards of banks subject to the guidelines to engage in heightened oversight.
It is a misnomer to call them “Guidelines.” They are enforceable rules. And by their adoption pursuant to the OCC’s safety and soundness rule authority, banks are deprived of due process protections normally afforded them.
The guidelines allow the OCC to unilaterally impose a broad-based order on a bank that could govern entirely the risk management process in the bank (and the activities, services and products of the bank) without any independent third party review. This contrasts with alternative procedures under a different statute that would require the OCC to prove in administrative court that an unsafe or unsound bank practice has occurred and that the remedy is appropriate. Under the alternative procedure, the administrative judge’s recommendation would then be reviewed by the Comptroller of the Currency, whose decision would be reviewed in a federal appeals court.
The guidelines also can apply to a national or federal savings bank of any size if the Comptroller decides that the bank is at heightened risk or that its operations are complex.
They may also begin to be viewed by the banking agencies as “best practices” that might be applied informally to smaller banks – even state banks regulated by the FDIC or Federal Reserve.
This is the first time that federal banking agency rules specifically require bank boards to obtain formal training and conduct self-assessments.
The guidelines are an improvement over the OCC’s proposed rules, which required bank directors who served at banks subject to the guidelines to assume certain management responsibilities over risk management. The OCC did adopt a number of our suggestions in our comment letter on the proposed rules that would make it clear that bank boards should not assume management responsibilities. See AABD comment letter of April 2, 2014 and summary of comment letter here.
The guidelines require minimum standards for the design and implementation of a bank’s risk governance Framework and minimum standards for its board to provide oversight. The risk governance Framework should provide for delegations of authority from the board to management as well as imposition of risk limits established for material activities. The Framework should include well-defined roles and responsibilities for front line units, independent risk management, and internal audit.
The guidelines state that boards of directors of covered banks should:
- Appoint a CEO and appoint or approve appointments of a Chief Audit Executive and one or more Chief Risk Executives with skills and abilities to carry out their roles and responsibilities within the risk governance framework;
- Review and approve a written talent management program that provides for development, recruitment, and succession planning regarding those individuals, their direct reports and potential successors;
- Require management to establish and implement an effective risk governance framework that meets the minimum standards described in the guidelines;
- Approve any significant changes to the risk governance framework and monitor compliance with such framework;
- Actively oversee the bank’s risk taking activities and hold management accountable for adhering to the risk governance framework;
- Be willing to provide “credible challenges” to management’s actions;
- When providing active oversight, exercise sound, independent judgment (applicable to each board member);
- Have at least two members of the board meeting the definition of “independence” in the Guidelines;
- Establish and adhere to a formal, ongoing training program for all directors;
  - The training program should consider the directors’ knowledge and experience and the bank’s risk profile;
  - The program should include training on complex services, lines of business, and risks that have a significant impact on the bank; laws, regulations and supervisory requirements; and other subjects identified by the board; and
- Conduct an annual self-assessment that includes an evaluation of its effectiveness in meeting the standards imposed by the guidelines on boards and board members.
At least three elements of the final guidelines have been improved to reflect concerns voiced by AABD:
- While the guidelines cover banks with assets of $50 billion or more and the OCC has reserved the option to apply them to smaller institutions whose operations are ‘highly complex’ or at risk, the narrative accompanying the final rule states that its application to smaller banks would occur only in “exceptional circumstances” and that it is not the OCC’s intention to apply the guidelines to community banks.
- While the proposed guidelines required boards of directors to “ensure” that the bank establish and implement an effective framework that complies with the guidelines, the final guidelines have eliminated the words “ensure” and “duty” and replaced them with a provision stating that the board should require the management to establish an “effective” framework to meet the standards of the guidelines. These changes reflect AABD’s strongly held belief, as stated in its comment letter, that an “ensure” or “duty” requirement would place directors in the inappropriate role of management and would be inconsistent with director standards of care imposed by most, if not all, jurisdictions. Moreover, AABD is pleased that the OCC has stated that it does not intend to impose managerial responsibilities on the board of directors or suggest that the board must guarantee results under the institution’s compliance framework. In fact, the OCC stated that it does not contemplate that the board will assume managerial responsibilities in assuring the adequacy of active oversight management – instead, the board is permitted to rely on independent risk management and internal audit to meet its responsibilities under the guidelines.
- While the OCC did not follow AABD’s recommendation to eliminate the requirement for formal director training in order to leave this matter to the judgment of the bank board depending on the individual needs of a bank director to serve effectively, it did build into the guidelines substantially more flexibility for the board to structure the training to correspond to the directors’ knowledge and experience, and the covered banks’ risk profile.
Although these guidelines are not intended to be applicable to community institutions, the language in the guidelines still allows the OCC to apply them to community and other banks whose assets are less than $50 billion. In addition, examiners may use them as an informal standard when reviewing the practices of those institutions.
The problem remains that these guidelines really aren’t guidelines; they are enforceable rules that circumvent the administrative due process protections that would otherwise apply to banks. That is because the OCC chose to adopt the “guidelines” under its safety and soundness authority in FDICIA, a law enacted in 1991 during the depths of the S&L crisis. The issue of lack of due process under the guidelines will be the subject of a separate analysis prepared by AABD.