On November 8, 2021, the acting head of the Office of the Comptroller of the Currency ("OCC"), Michael J. Hsu, issued a call to action on climate change to the boards of directors of OCC-regulated banks.1 Specifically, he outlined an initial series of climate change-related questions that boards should be asking bank management and stated that bank boards should use the exercise to help improve climate risk management practices and build up climate risk management and reporting capabilities. While he indicated that this is a long-term effort that will include further guidance from the agency, it is clear from his call to action that the OCC expects banks to begin right now.
In this Legal Update, we explain the background to the OCC's risk management initiatives and discuss this recent call to action on climate risk.
Risk Management Principles
In response to the savings and loan crisis and the enactment of the Federal Deposit Insurance Corporation Improvement Act of 1991, US regulators, including the OCC, implemented operational and management standards in the mid-1990s that required insured depository institutions to establish internal controls and information systems that were appropriate to the size of the institution and the nature, scope and risk of its activities.2 These standards also required institutions to maintain (i) an organizational structure that establishes clear lines of authority and responsibility for monitoring adherence to established policies; (ii) effective risk assessment; (iii) timely and accurate financial, operational and regulatory reporting; (iv) adequate procedures to safeguard and manage assets; and (v) compliance with applicable laws and regulations. However, the structure and details of such controls and systems were left to the judgment of the institution, subject to the supervision of its regulators.
In response to the 2008 financial crisis, the OCC established heightened expectations for the governance and oversight of the larger banks that it regulated.3 In 2014, it adopted those expectations as a specialized standard for safety and soundness at larger federally chartered banks ("Heightened Standards").4 The core of Heightened Standards are requirements that (i) a larger bank design and implement a risk governance framework5 and (ii) the institution's board of directors oversee that framework. The required framework must cover the eight risk stripes defined by the OCC and is composed of several highly detailed parts.6
Climate Call to Action
The recent statement builds on the OCC's longstanding safety and soundness standards by outlining five questions that large bank boards7 should be discussing with bank management. The OCC expects that these discussions will be detailed, ongoing and lead to iterative change within the bank. The five questions are:
- What is our overall exposure to climate change?
- Which counterparties, sectors, or locales warrant our heightened attention and focus?
- How exposed are we to a carbon tax?
- How vulnerable are our data centers and other critical services to extreme weather?
- What can we do to position ourselves to seize opportunities from climate change?
Each question is supplemented by discussion of OCC expectations for ongoing risk management activities. For example, the first discussion states that, for the board to understand the bank's overall exposure to climate change, bank management will need to "develop a framework, a risk taxonomy, metrics, data, scenarios, and a strong understanding of the first- and second-order impacts that physical and transition risks may have on the bank's portfolio." It also states that board reports on climate change exposure should contain multiple quantitative and qualitative metrics and bank management should develop scenario analyses for climate change-related events (i.e., extreme weather).
In some respects, the discussions around climate change-related exposures appear to blur climate risk and other risks, such as credit risk. For example, the second discussion explains that certain borrowers may experience a decline in creditworthiness in response to physical and transition risks associated with climate change. While that decline typically would be viewed through the lens of credit risk management, the discussion emphasizes that banks should be analyzing this potential decline as part of climate risk management. Similarly, the fourth discussion reframes some of the operational risks associated with data centers and third-party service providers to be a part of climate risk management. It remains to be seen how the OCC will maintain the boundaries between risk stripes that some examiners have come to expect in recent years.
The call to action states that the OCC expects to issue framework guidance on climate risk management by the end of 2021 and more detailed guidance throughout 2022. This is similar to the multi-year journey that larger banks experienced with Heightened Standards and will most likely require a similar commitment and partnership of legal, compliance, finance and risk management resources.
However, the call to action also is clear that OCC-regulated banks must start their climate change journey now. While some of these expectations may evolve over the next year, the general themes are unlikely to change. Therefore, boards and management of OCC-regulated banks should discuss not only the five questions but also how their banks will satisfy the agency's expectations in the accompanying discussions and demonstrate meaningful progress and maturation.
Finally, banks that are not regulated by the OCC also should carefully review the call to action to inform their own risk management activities. As we have seen with Heightened Standards, the rules for the largest OCC-regulated banks have a way of flowing down to smaller banks and out to state-chartered banks. This is particularly true for state-chartered banks that have larger and more complex operations.
We regularly assist banks and their boards in complying with the risk governance and management expectations of the US banking regulators, including the OCC. We also advise a wide array of financial institutions on environmental, social and governance ("ESG") matters, such as the design of ESG management systems, the preparation of ESG action plans and compliance with related corporate governance requirements. We would be happy to discuss how this intersection of bank risk management expectations and climate change may affect your institution and partner with you to determine an action plan. To discuss any of the issues raised in this Legal Update, please reach out to any of the authors listed above or your Mayer Brown contact.
1 OCC, Acting Comptroller Discusses Climate Change Risk (Nov. 8, 2021), https://occ.gov/news-issuances/news-releases/2021/nr-occ-2021-116.html. OCC-regulated banks consist of national banks, federal savings associations and federal branches and agencies of foreign banking organizations.
2 12 U.S.C. § 1831p-1; 61 Fed. Reg. 43,950 (Aug. 27, 1996); 60 Fed. Reg. 35,678, 35,682 (July 10, 1995).
3 See Remarks by Thomas Curry, Comptroller of the Currency (Dec. 7, 2012).
4 79 Fed. Reg. 54,517 (Sept. 11, 2014).
5 12 C.F.R. pt. 30, app. D.
6 12 C.F.R. pt. 30, app. D § II.A-B. The Federal Reserve Board has separate risk management and governance expectations for the entities that it regulates. E.g., Federal Reserve, SR 21-3 (Feb. 26, 2021). These expectations recognize only six risk stripes and this difference is an example of why there is no single path to satisfying regulators' expectations for risk management. See BHC Supervision Manual § 2124.01.6.2.2 (comparing the Federal Reserve's risk stripes to the OCC's).
7 Large banks generally are understood to be OCC-regulated banks with average total consolidated assets of at least $50 billion. 12 C.F.R. pt. 30, app. D § I.E.5. However, smaller banks also should consider these climate-related issues as an important area of focus for their regulator.
Visit us at mayerbrown.com
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.