Heightened Risk Governance Standards for Banks and Bank Boards of Directors: Proposed OCC “Guidelines” Would Establish Heightened Standards for Large National Banks’ Risk Governance Frameworks and Boards of Directors, and Accelerate Trends of Regulatory Involvement and Reliance on Enforcement

Sullivan & Cromwell LLP - January 21, 2014

On January 16, 2014, the Office of the Comptroller of the Currency (the “OCC”) solicited public comment, through a Notice of Proposed Rulemaking (the “NPR”), on proposed “guidelines” to establish minimum standards for the design and implementation of risk governance frameworks by certain large banks and minimum standards for the boards of directors of those banks in overseeing the frameworks’ design and implementation (the “Guidelines”). The NPR describes the Guidelines as building upon and formalizing informal “heightened expectations” for risk governance developed by the OCC in 2010 and as intended to improve examiners’ ability to assess compliance with the OCC’s expectations.

The Guidelines would be issued and enforceable under section 39 of the Federal Deposit Insurance Act, which authorizes the OCC to prescribe safety and soundness standards. They would apply to insured national banks, insured Federal savings associations, and insured Federal branches of foreign banks with average total consolidated assets of $50 billion or more, as well as, potentially, smaller insured depository institutions (together, “Banks,” and each, a “Bank”).

The Guidelines establish specific risk management-related roles and responsibilities for three designated functions: a Bank’s “front line” units, independent risk management, and internal audit. The Guidelines require the three functions to maintain independence from each other. The Guidelines also impose substantial risk management-related and other responsibilities on the Bank’s board of directors, as well as on the Bank’s Chief Executive Officer. If adopted as proposed, the Guidelines’ detailed requirements regarding roles, responsibilities, and reporting structures would represent a significantly enhanced level of regulatory intervention into bank management and internal processes.

A principal theme of the Guidelines is that a Bank is expected to evaluate and manage its risk separately and apart from its parent organization. This approach has been described by the OCC as involving the “sanctity of the charter.”

Although larger national banks have already implemented many of the elements of the proposed Guidelines, the Guidelines would represent a significant development in at least four respects. First, the prescriptiveness of the Guidelines represents an acceleration of a trend toward increased regulatory involvement in the processes and procedures of banking organizations. Second, the Guidelines continue a trend toward the use of enforcement as a principal regulatory tool. The NPR explicitly describes the Guidelines as “enforceable guidelines” to be enforced through “formal, public” orders. Third, the Guidelines impose increased responsibility on boards of directors. Fourth, the Guidelines frequently reference the board or management “ensuring” a prescribed result. This standard would be highly problematic absent a definition of this term along the lines often used by the OCC in Consent Orders.

Although the OCC requests comment on all aspects of the NPR, the five specific questions posed in the NPR do not address a number of its most problematic aspects. The NPR leaves unanswered the interplay between the Guidelines and the supervisory expectations of other Federal banking regulators for institutions subject to their respective jurisdictions. In particular, the independent risk management required by the Guidelines at the national bank level could create tension with the enterprise-wide risk management expectations of the Board of Governors of the Federal Reserve System (the “Federal Reserve”) for the banking organization as a whole. In this regard, it will be important to reconcile the OCC’s approach in the Guidelines with the Federal Reserve’s proposed rules issued under Section 165 of the Dodd-Frank Act, which would establish such enterprise-wide risk management expectations.

Comments on the NPR are due 60 days after its publication in the Federal Register.