On October 11, the Federal Deposit Insurance Corporation (FDIC) issued a proposed rule and guidelines (NPR) that would require all FDIC-supervised insured depository institutions to adopt corporate governance and risk management standards that are comparable to those expected of banking organizations with US$100 billion or more in total consolidated assets (proposed guidelines).

In the NPR, the FDIC notes that the proposed guidelines "are drawn from the principles" in the corporate governance and risk management guidance issued by the OCC and the Federal Reserve Board for banking organizations with US$50 billion or more and US$100 billion or more in total consolidated assets, respectively. However, the FDIC believes that its proposal to apply such principles more broadly to FDIC-supervised depository institutions with total assets of US$10 billion or more "is appropriate, as effective risk management practices should be tailored to the size of the institution and the nature, scope, and risk of its activities." With this proposal, the FDIC is lowering the threshold for the applicability of heightened corporate governance and risk management standards for FDIC-supervised institutions to US$10 billion or more.

As highlighted below, in some instances, the standards are more prescriptive and detailed than the standards in the principles-based guidance for banking organizations with US$100 billion or more in total consolidated assets. The FDIC published the NPR against the backdrop of the three bank failures in spring 2023. In the statement published concurrently with the NPR, FDIC Chair Gruenberg stated that the experience of the recent bank failures should focus the FDIC's attention on the need for meaningful action to improve the corporate governance and risk management processes of large insured depository institutions (IDIs). The NPR is a significant step in that direction.

What Institutions Would Be Covered by the NPR?

The NPR, if adopted as proposed, would apply to all insured state non-member banks, state-licensed insured branches of foreign banks, and insured state savings associations (i.e., FDIC-supervised insured institutions) that are subject to the provisions of Section 39 of the Federal Deposit Insurance Act (FDI Act), with total consolidated assets of US$10 billion or more (Covered Institutions).

For Covered Institutions with total assets of US$10 billion or more but less than US$50 billion, the proposed guidelines' heightened corporate governance and risk management standards would be imposed for the first time. Covered Institutions with assets greater than US$50 billion had been subject to heightened risk management standards for a brief period until the passage of the Economic Growth, Regulatory Relief, and Consumer Protection Act in 2018. Even for Covered Institutions with total assets of US$100 billion or more, the proposed guidelines impose more prescriptive and detailed requirements than what is currently expected of such large institutions. The FDIC is also reserving its authority to apply the proposed guidelines, in whole or in part, to an institution with total consolidated assets of less than US$10 billion. Total consolidated assets are measured based on an institution's total assets as reported on its Call Report for the two most recent consecutive quarters.

What Is Required Under the Proposed Guidelines?

The FDIC notes in the NPR that the proposed guidelines would "codify the FDIC's expectations for effective corporate governance and risk management practices of a Covered Institution's risk profile," which suggests that, even if the proposed guidelines are not adopted, the FDIC already holds its supervised entities to these expectations.

The proposed guidelines set and delineate the requirements, expectations, and obligations of the Board of Directors (Board) (including composition, duties, and committees), Board and management responsibility for risk management and audits, and expectations with respect to identifying and addressing violations of law or regulations. In terms of Board composition, the FDIC notes that any requirements for Board members set forth in a Covered Institution's organizational documents or by its state chartering authority would continue to apply; the proposed guidelines would "expand upon, but [not] replace, these requirements by providing Covered Institutions various considerations for ensuring an effective board composition." Similar to the Federal Reserve Board's guidance for effective board governance, the proposed guidelines include standards for independent directors and Board diversity.

Corporate Governance

A. Obligations of the Board and Individual Directors

In the NPR, the FDIC references the general fiduciary duties and obligations of a Board and individual directors under state laws, common law, and other applicable law. The NPR also references additional duties related to managing the affairs of the Covered Institution in a safe and sound manner in compliance with applicable law and regulations and considering the interests of all its stakeholders, including shareholders, depositors, creditors, customers, regulators, and the public.

B. Duties of the Board

To carry out the Board's overall responsibility for the risk management of the Covered Institution and for holding executives and management accountable, the NPR requires the Board to:

  • Set an Appropriate Tone to promote responsible and ethical behavior and hold directors, officers, and employees accountable for unethical behavior or violations of law, regulation, or policy. The Board would also be expected to adopt a Code of Ethics and a Compensation and Performance Management Program and provide active oversight of management.
  • Approve and Adopt a Written Strategic Plan that would discuss the Covered Institution's goals and objectives over, at a minimum, a three-year period. In addition, the strategic plan would be expected to articulate an overall mission statement and strategic objectives, contain a comprehensive assessment of current and potential risk factors, and explain how the Covered Institution will review, update, and approve its risk management program to account for changes in the Covered Institution's projected risk, risk profile, risk appetite, or operating environment.
  • Approve Core Policies that govern the operations of the Covered Institution and review such policies at least annually. Examples of policies identified as requiring review include those that address real estate lending, Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) compliance, consumer protection laws, anti-fraud, and the Community Reinvestment Act (CRA).
  • Adopt a Written Code of Ethics that addresses conflicts of interest, self-dealing, protection of assets, recordkeeping, compliance with laws and regulations, reporting procedures, and a whistleblower policy. The Board would be expected to review and update the code of ethics at least annually.
  • Select and Appoint Executive Officers who are qualified to administer the Covered Institution's affairs, including a Chief Risk Officer (CRO) and a Chief Audit Officer. The Board would also be required to develop and implement a succession plan and adequate training and personnel activities to ensure the continuity of qualified management and competent staff.

In addition, the NPR requires the Board to provide ongoing training to directors and engage in self-assessments to evaluate its adherence to the standards of the proposed guidelines.

C. Committees of the Board

The Board would be required to implement an organizational structure to keep directors informed and provide an adequate framework to oversee the Covered Institution. At a minimum, the Board must establish an Audit Committee, Compensation Committee, Trust Committee (if the Covered Institution has fiduciary powers), and Risk Committee. The FDIC would also expect a Covered Institution to establish specialty committees based on the complexity, activities, and the risk profile of the institution. For example, a Covered Institution that has a technology focus could be expected to have a committee for technology, cybersecurity, and privacy.

Risk Management

The proposed guidelines would require Covered Institutions to have a comprehensive and independent risk management function and effective programs for internal controls, risk management, and audits.

A. Risk Management Program

Covered Institutions would be expected to establish a risk management program that identifies, measures, monitors, and manages risks through a framework appropriate for the current and forecasted risk environment and that meets the minimum standards of the proposed guidelines. The risk management program, at a minimum, should cover credit, concentration, interest rate, liquidity, price, model, operational (including conduct, information technology, cybersecurity, AML/CFT compliance, and third-party management), strategic, and legal risk. The Board should review and update the risk management program at least annually.

B. Risk Profile and Risk Appetite Statement

On a quarterly basis, the Covered Institution should review and update a risk profile that identifies current risks, as well as a comprehensive written statement that establishes risk appetite limits for the Covered Institution, both in the aggregate and for lines of business and material activities or products. The risk appetite statement should reflect the level of risk that the Board and management are willing to accept and include both qualitative components and quantitative limits. The Covered Institution should communicate its risk appetite statement and risk management program to management and all employees to ensure that their risk-taking decisions are aligned with the risk appetite statement.

C. Three Lines of Defense Model

The proposed guidelines would adopt the three lines of defense model for risk management. Three distinct units would have responsibility, and be held accountable by the CEO and the Board, for monitoring and reporting on the Covered Institution's compliance with the risk management program. The three units are the front line units, the independent risk management unit, and internal audit.

  • Front Line Units — Front line units should assess and manage all of the risks associated with their activities and ensure that these risks do not exceed the established limits. Each front line unit, among other things, should establish written policies that include Board-approved risk limits and adhere to all applicable policies, procedures, and processes.
  • Independent Risk Management Unit — Under the direction of the CRO, the independent risk management unit should oversee the Covered Institution's risk-taking activities. The independent risk management unit should take primary responsibility for designing a comprehensive written risk management program, identify and assess, on an ongoing basis, the Covered Institution's material risks, ensure compliance with risk management policies, procedures, and processes and with laws or regulations, and communicate with the CEO and the Risk Committee.
  • Internal Audit — The internal audit should ensure that the Covered Institution's risk management program complies with the guidelines and is appropriate for the size, complexity, and risk profile of the Covered Institution. Importantly, the internal audit should remain independent of the front line units and the independent risk management unit.

D. Self-Reporting of Risk Limit Breaches and Violations of Law or Regulations

Front line units and the independent risk management unit, consistent with their respective responsibilities, would be expected to:

  • Identify breaches of the risk appetite statement, concentration risk limits, and front line unit risk limits; inform front line unit management, the CRO, the Risk Committee, the Audit Committee, the CEO, and the FDIC in writing of a breach of a risk limit or any noncompliance; and establish accountability for reporting and resolving such breaches.
  • Identify known or suspected violations of law or regulations; document all such violations and notify the CEO, Audit Committee, and the Risk Committee; and ensure that known or suspected violations of law involving dishonesty, misrepresentation, or willful disregard for requirements are promptly reported as required by law or regulation.

The Board should review and update the processes related to risk limit breaches and violations of law or regulations at least annually.

Enforceability

Under Section 39 of the FDI Act, the FDIC may issue safety and soundness standards by guideline or by regulation. If an institution fails to meet a standard prescribed by regulation, the FDIC must require the institution to submit a plan specifying the steps it will take to comply with the standard. If an institution fails to meet a standard prescribed by guideline, as the proposed guidelines would be, the FDIC has the discretion to decide whether to require the submission of a plan.

Here, the FDIC decided to issue the standards as enforceable guidelines rather than as non-binding guidance or as a regulation, in order to give the agency (1) an enforcement framework to ensure compliance and (2) supervisory flexibility to pursue the course of action that is most appropriate given the Covered Institution's specific circumstances, including self-corrective and remedial responses. For example, if the proposed guidelines are adopted and a Covered Institution fails to submit or implement an acceptable plan under the guidelines, the FDIC, by order, may require the institution to correct the deficiency and may take additional enforcement actions, including growth restrictions, increased capital requirements, and restrictions on the interest rates paid on deposits.

As noted above, the FDIC would expect Covered Institutions to maintain written records of any self-identified violations of law or regulations and to promptly report any such violations, together with any plans for remediation, to the FDIC. However, the NPR does not address how self-reporting would fit within the enforcement framework, in particular whether self-reporting would allow an institution to avoid penalties or qualify for reduced penalties.

Request for Comment

The FDIC is soliciting feedback on various aspects of its proposed guidelines. Particularly important questions include the following:

  1. Should the proposed guidelines apply to FDIC-supervised institutions with US$10 billion or more in total consolidated assets, or would a higher or lower threshold be appropriate?
  2. Is there a need to differentiate corporate governance and risk management requirements for Covered Institutions with US$50 billion or more in total consolidated assets (or some other threshold)?
  3. Should the proposed guidelines apply to any insured state nonmember bank or insured state savings association with total consolidated assets of less than US$10 billion if that institution's parent company controls at least one Covered Institution?
  4. Would the proposed guidelines have any costs or benefits that the FDIC has not identified?
  5. Are there alternative ways to achieve the objectives of these proposed guidelines that would impose lower burdens and costs on Covered Institutions?

Takeaways

According to the FDIC, the proposed guidelines, if adopted as proposed, would require 57 FDIC-supervised banks to establish and implement extensive corporate governance and risk management frameworks, and add over 91,000 labor hours in the first year for the Covered Institutions and approximately 90,000 hours each additional year to comply with the recordkeeping, reporting, and disclosure requirements.

Among other things, the standards under the proposed guidelines requiring self-reporting of risk limit breaches and violations of law or regulations go beyond what is required under existing regulations and are likely to impose a substantial compliance and monitoring burden on affected institutions. Notably, the standards prescribed under the NPR largely track the OCC's guidelines establishing heightened standards for banks with US$50 billion or more in total assets (OCC Guidelines). In some instances, the NPR goes into considerably more detail than the OCC Guidelines and imposes more extensive obligations. If the NPR is finalized at the US$10 billion threshold as proposed, FDIC-supervised banks, especially smaller, community-oriented banks, may face a disparate burden compared with similarly sized banks that are not state non-member banks and are therefore supervised by the OCC or the Federal Reserve Board.

Industry participants and other interested parties concerned that the rulemaking's outcome might challenge their business operations should consider submitting comments, which are due by December 11. Financial institutions interested in how the FDIC's proposed guidelines may impact their businesses may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm's Financial Services team would be pleased to assist with any questions about the NPR, submitting a comment to the FDIC, or banking regulation in general.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.