United States: OCC Seeks To Formalize Risk Governance Expectations Of Large Banks

Last Updated: January 30 2014
Article by Charles Horn, Melissa Hall and Kathleen W. Collins

The proposed guidelines demonstrate the Office of the Comptroller of the Currency's continued emphasis on strong risk management for large banks.

On January 16, the Office of the Comptroller of the Currency (OCC) issued proposed rules and guidelines establishing minimum risk governance standards for certain large insured financial institutions (the Proposed Guidelines).1 The content of the Proposed Guidelines is not unexpected; as the OCC states in its commentary to the Proposed Guidelines, its intention is to formalize the "heightened expectations" that it has been applying for the last several years during its supervision and examination process. Overall, the Proposed Guidelines are a continuation of a regulatory theme that has been paramount since the financial crisis—robust risk management and risk management accountability. However, the potentially broad scope of applicability of the Proposed Guidelines, as well as the formalization of what have been softer regulatory "expectations," may result in unforeseen consequences for some financial institutions that would otherwise not expect to be subject to the same risk management expectations as large banks.

Scope of Applicability

The Proposed Guidelines would generally apply to insured national banks, insured federal savings associations, and insured federal branches of foreign banks with average total consolidated assets of $50 billion or more (each a Bank, and collectively Banks). The OCC retains the authority to apply the Proposed Guidelines to a financial institution whose total consolidated assets are below $50 billion if the OCC determines that such entity's operations are highly complex or otherwise present a heightened risk as to require compliance with the Proposed Guidelines. The Proposed Guidelines would require the risk governance standards to be developed at the Bank level, unless the risk profiles of the Bank's parent company and the Bank are "substantially the same," in which case, the Bank may use its parent's risk governance framework. In turn, parent company and Bank risk profiles would be considered "substantially the same" if the Bank's total consolidated assets, total assets under management, or total off-balance sheet exposures represent 95% or more of the parent company's corresponding assets, assets under management, or off-balance sheet exposures.

The OCC notes that it may apply the Proposed Guidelines to smaller banks (with less than $50 billion in total consolidated assets) that are subsidiaries of the same parent company if the total consolidated assets of the banks and their holding company are $50 billion or more. The OCC also asks for input on whether the Proposed Guidelines should apply to uninsured entities, such as trust banks and federal branches or agencies of foreign banks. Currently, the heightened expectations regarding risk management are applied informally to a select number of these uninsured entities.

In addition, the OCC is applying a version of the "Hotel California rule" to the applicability of the Proposed Guidelines—meaning that once a Bank becomes subject to the Proposed Guidelines, it would be required to comply with the Proposed Guidelines even if its average total consolidated assets drop below $50 billion, unless or until the OCC determines otherwise. The OCC retains the discretion to determine whether continued compliance is necessary. There is no formal procedure for a Bank to petition the OCC for relief from the applicability of the Proposed Guidelines.2

Requirements Under the Guidelines

The Proposed Guidelines set an expectation that a Bank will establish a formal, written risk management policy (Framework) that covers credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk. The Framework would be required to be reviewed and updated on at least an annual basis. The Proposed Guidelines identify three key organizational units—"front line units," "independent risk management," and "internal audit"—that are charged with the development, implementation, and testing of the Framework. In turn, the Proposed Guidelines set out, in some detail, the expected roles and responsibilities of the front line units and independent risk management in developing and implementing the Framework, with the overarching focus being on communication, independence, accuracy, and responsibility and "ownership."

Banks would also be required to develop a written three-year strategic plan that is developed by the CEO with input from the applicable business units (front line, risk management, and internal audit). The Bank's board of directors (Board) would be required to evaluate, approve, and actively monitor implementation of the strategic plan. In addition, each Bank will be required to have a comprehensive written statement (containing qualitative components and quantitative limits) that articulates that Bank's risk appetite; the written statement would serve as the basis for the Bank's Framework.

The Proposed Guidelines also set out heightened expectations of the Bank's Board, mostly concerning the independence of the Board from the Bank's parent company and the Board's role in managing and overseeing risk management. Significantly, each Bank's Board would be required to have at least two independent members who are not part of the Bank's or its parent company's management.

Enforcement Authority

The Proposed Guidelines were issued pursuant to the OCC's safety and soundness authority under section 39 of the Federal Deposit Insurance Act (FDIA).3 In proposing to issue the heightened expectation standards as "guidelines" rather than "regulations," the OCC stated that it will have more flexibility in determining corrective action for a financial institution's failure to comply with the Proposed Guidelines. Although such flexibility could be beneficial to a financial institution in that the OCC would not be required to seek a formal remedial plan and remediation can be individually tailored, such flexibility also risks injecting an element of uncertainty into the supervision and enforcement process. Decisions and conclusions will apparently be made by the OCC on a case-by-case basis.

In addition, if the OCC makes the determination to take formal corrective action, then the enforcement and compliance apparatus for such corrective action comes fully into play. By folding the Proposed Guidelines into the OCC's section 39 authority, the OCC would have the ability to initiate a formal, public enforcement action against a financial institution that the OCC finds to be not in compliance with the Proposed Guidelines. There would also be the possibility of civil money penalties for failure to comply with the Proposed Guidelines.

Comments to the Proposed Guidelines are due 60 days after their publication in the Federal Register.


As mentioned, the Proposed Guidelines formalize what the OCC has been informally expecting during its examination process. This formalization may benefit banks in providing clarity and transparency to the OCC's risk management expectations as well as more specific guideposts for establishing a satisfactory risk management Framework. Compliance with the Proposed Guidelines will likely involve a great deal of time and effort; the OCC's official burden hour estimate is more than 7,000 hours per Bank, which may be low, especially if a Bank cannot rely on its parent company's Framework. Yet, in the postcrisis regulatory environment, a strong and well-documented risk management Framework has become an essential best practice. However, under the Proposed Guidelines, the OCC would have enforcement authority for failure to establish adequate risk management controls, including formal orders and civil money penalties for failure to comply.

Another notable feature of the Proposed Guidelines is the OCC's statement of agency expectations for a Bank's Board. By specifying the actions that Boards are required to take under the Proposed Guidelines, the OCC is taking steps, backed by the regulatory enforcement process, to formalize a key aspect of the overall board of directors governance process. The OCC will almost certainly be taking a close look during examinations for evidence of the independence of Bank Boards and robust Board oversight.

Additionally, one important issue that remains unclear is the effect of the Proposed Guidelines on banks below the $50 billion threshold and uninsured institutions and whether the OCC will apply the Proposed Guidelines to those institutions formally or informally. Given the flexibility that the OCC has given itself to apply the Proposed Guidelines based on an overall assessment of the risk profile of the institution, certain smaller banks or uninsured institutions conceivably may find themselves being placed under the Proposed Guidelines and faced with a burdensome administrative process if they attempt to challenge the OCC's determination, although the OCC suggests that would be an infrequent occurrence. Perhaps more interesting is the possibility that the Framework standards, which presumably are intended to reflect a "gold standard" in bank risk management, may filter down into the risk management supervisory activities and expectations of the OCC examination corps across the board.

Finally, there has yet to be any indication from the Federal Reserve or the Federal Deposit Insurance Corporation (FDIC) as to whether they plan to issue similar risk management guidelines. In this regard, FDIA section 39 requires the Federal Reserve and the FDIC, as well as the OCC, to prescribe safety and soundness standards for insured depository institutions in general. This is typically done on an interagency basis—the original safety and soundness standards were jointly issued by the Federal Reserve, the OCC, and the FDIC (and the now-defunct Office of Thrift Supervision).4 Therefore, it would not be unexpected for the other two regulatory agencies to weigh in with their own guidelines, although the Federal Reserve and the FDIC combined currently supervise significantly fewer banks of $50 billion or more than does the OCC. If the other banking agencies elect to propose risk governance standards for their constituent depository institutions, we would anticipate a coordinated approach among the agencies and the proposal of substantively similar requirements by the other agencies.


1. OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of 12 CFR Parts 30 and 70 (proposed Jan. 16, 2014), available here.

2. The notice and response procedures of 12 C.F.R. § 30.4 would apply to any determination by the OCC that the Proposed Guidelines should no longer apply to a particular Bank. These procedures, however, are OCC-initiated only.

3. 12 U.S.C. § 1831p-1 (Section 39 was added to the FDIA by section 132 of the FDIC Improvement Act of 1991 (Pub. L. No. 102-242)).

4. These guidelines are found in Appendix D-1 to 12 CFR Part 208.

This article is provided as a general informational service and it should not be construed as imparting legal advice on any specific matter.
