This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Printed Page 54518

AGENCY:

Office of the Comptroller of the Currency, General.

ACTION:

Final rules and guidelines.

SUMMARY:

The Office of the Comptroller of the Currency (OCC) is adopting guidelines, issued as an appendix to its safety and soundness standards regulations, establishing minimum standards for the design and implementation of a risk governance framework (Framework) for large insured national banks, insured Federal savings associations, and insured Federal branches of foreign banks (banks) with average total consolidated assets of $50 billion or more and minimum standards for a board of directors in overseeing the Framework's design and implementation (final Guidelines). The standards contained in the final Guidelines will be enforceable by the terms of a Federal statute that authorizes the OCC to prescribe operational and managerial standards for national banks and Federal savings associations. In addition, as part of our ongoing efforts to integrate the regulations of the OCC and those of the Office of Thrift Supervision (OTS), the OCC is adopting final rules and guidelines that make its safety and soundness standards regulations and guidelines applicable to both national banks and Federal savings associations and that remove the comparable Federal savings association regulations and guidelines. The OCC is also adopting other technical changes to the safety and soundness standards regulations and guidelines.

DATES:

The final rule is effective November 10, 2014. Compliance dates for the final Guidelines vary as specified.

FOR FURTHER INFORMATION CONTACT:

Molly Scherf, Acting Comptroller, Larger Bank Supervision, (202) 649–6210, or Stuart Feldstein, Director, Andra Shuster, Senior Counsel, or Henry Barkhausen, Attorney, Legislative & Regulatory Activities Division, (202) 649–5490, for persons who are deaf or hard of hearing, TTY, (202) 649–5597, or Marvin Chavez, Attorney, Securities or Collective Customs Company, (202) 649–5510, 400 7th Street SW., Washington, DC 20219.

SUPPLEMENTARY INFORMATION:

Background

The recent financial crisis demonstrated the destabilizing effect that large, interconnected financial companies can have on the national economy, capital markets, and the overall financial stability of the banking system. The financial crisis and the accompanying legislative response underscore the importance of strong bank supervision and regulation of the financial system. Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act) [1] to address, in part, weaknesses in the framework for the supervision and regulation of large U.S. financial companies.[2] These legislative developments underline the view that large, complex institutions can have a significant impact on capital markets and the economy and, therefore, need to be supervised and regulated more rigorously.

As a result of the financial crisis, the OCC developed a set of “heightened expectations” to enhance our supervision and strengthen the governance and risk management practices of large national banks.[3] These heightened expectations reflected the OCC's supervisory experience during the financial crisis and addressed weaknesses the OCC observed in large institutions' governance and risk management practices during this time. Through its work with the Financial Stability Board and Basel Committee on Banking Supervision, the OCC found that many supervisors are establishing, or are considering establishing, similar expectations for the financial institutions they regulate.[4]

In January 2014, the OCC invited public comment on proposed rules and guidelines addressing the following two topics: (i) Guidelines establishing minimum standards for the design and implementation of a Framework for large insured national banks, insured Federal savings associations, and insured Federal branches and minimum standards for boards of directors overseeing the Framework of these institutions (proposed Guidelines); and (ii) the integration of 12 CFR parts 30 and 170 (proposed integration rules and integration guidelines).[5]

After carefully considering the comments we received on the proposed Guidelines, the OCC is adopting these final Guidelines as a new Appendix D to part 30 of our regulations. As described more fully below, the final Guidelines supersede the OCC's previous heightened expectations program with respect to covered banks.[6] The OCC, as the primary financial regulatory agency for national banks and Federal savings associations, believes that the final Guidelines further the goal of the Dodd-Frank Act to strengthen the financial system by focusing management and boards of directors on strengthening risk management practices and governance, thereby minimizing the probability and impact of future crises. In addition, the final Guidelines will provide greater certainty to covered banks about the OCC's risk management expectations and improve examiners' ability to assess compliance with the standards contained in Appendix D. The OCC is also adopting the proposed integration rules and integration guidelines substantially as proposed, with minor technical changes.

We have set forth below a summary of the comments we received, and a detailed description of the proposed Guidelines, significant comments, and the standards contained in the final Guidelines.

Notice of Proposed Rulemaking: Summary of General Comments

The OCC received 25 comment letters on the proposed Guidelines from financial institutions and trade associations, among others, and received no comment letters on the proposed integration rules and integration guidelines. The comments addressed all major sections of the proposed Guidelines. To improve understanding of the issues raised by commenters, the OCC met with a number of these commenters to discuss issues relating to the proposed Guidelines, and summaries of these meetings are available on a public Web site.[7]

Many commenters expressed support for the broad goals of the proposed Guidelines. At the same time, other commenters raised concerns with various provisions in the proposed Guidelines. For example, commenters argued that the proposed Guidelines were too prescriptive and requested the OCC to revise the final Guidelines to be more principles-based and to provide additional flexibility in applying the Guidelines to different types of banks.

Some commenters also interpreted the proposed Guidelines as prohibiting banks from using their parent company's risk governance framework and resources. These commenters noted that this may result in conflicting standards, increased risk, and a duplication of effort and resources and urged the OCC to allow the bank to leverage existing holding company risk management processes.

Commenters also generally opposed categorizing certain organizational units as front line units. These commenters noted that organizational units such as legal, human resources, finance, and information technology do not create the types of risk that should be subject to these Guidelines and thus the OCC should not classify them as front line units. Finally, some commenters argued that the proposed Guidelines inappropriately assigned managerial responsibilities to the board of directors that would distract the board from its strategic and oversight role.

As discussed more fully below, the OCC has revised the final Guidelines in response to the issues and information provided by commenters, and has made technical changes to the final rules and guidelines integrating 12 CFR parts 30 and 170. These modifications to the final Guidelines and explanations that address comments are described in the section-by-section description of the final Guidelines.

Enforcement of the Guidelines

The OCC is adopting the final Guidelines pursuant to section 39 of the Federal Deposit Insurance Act (FDIA).[8] Section 39 authorizes the OCC to prescribe safety and soundness standards in the form of a regulation or guidelines. For national banks, these standards currently include three sets of guidelines issued as appendices to part 30 of our regulations. Appendix A contains operational and managerial standards that relate to internal controls, information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth, asset quality, earnings, and compensation, fees and benefits. Appendix B contains standards on information security and Appendix C contains standards that address residential mortgage lending practices. The safety and soundness standards for Federal savings associations are found in Appendices A and B to 12 CFR part 170. Part 30, part 170, and Appendices A and B were issued on an interagency basis and are comparable.[9]

Section 39 prescribes different consequences depending upon whether the agency issues regulations or guidelines. Pursuant to section 39, if a national bank or Federal savings association [10] fails to meet a standard prescribed by regulation, the OCC must require it to submit a plan specifying the steps it will take to comply with the standard. If a national bank or Federal savings association fails to meet a standard prescribed by guideline, the OCC has the discretion to require the submission of such a plan.[11] The issuance of these heightened standards as guidelines rather than as a regulation provides the OCC with supervisory flexibility to pursue the course of action that is most appropriate given the specific circumstances of a covered bank's failure to meet one or more standards, and the covered bank's self-corrective and remedial responses.

The OCC has procedural rules contained in part 30 that implement the enforcement remedies prescribed by section 39. Under these provisions, the OCC may initiate the enforcement process when it determines, by examination or otherwise, that a national bank or Federal savings association has failed to meet the standards set forth in the final Guidelines.[12] Upon making that determination, the OCC may request, through letter or Report of Examination, that the national bank or Federal savings association submit a compliance plan to the OCC detailing the steps the institution will take to correct the deficiencies and the time within which it will take those steps. This request is termed a Notice of Deficiency. Upon receiving a Notice of Deficiency from the OCC, the national bank or Federal savings association must submit a compliance plan to the OCC for approval within 30 days.

If a national bank or Federal savings association fails to submit an acceptable compliance plan, or fails materially to comply with a compliance plan approved by the OCC, the OCC may issue a Notice of Intent to Issue an Order pursuant to section 39 (Notice of Intent). The bank or savings association then has 14 days to respond to the Notice of Intent. After considering the bank's or savings association's response, the OCC may issue the order, decide not to issue the order, or seek additional information from the bank or savings association before making a final decision. Alternatively, the OCC may issue an order without providing the bank or savings association with a Notice of Intent. In this case, the bank or savings association may appeal after-the-fact to the OCC, and the OCC has 60 days to consider the appeal and render a final decision. Upon the issuance of an order, a bank or savings association will be deemed to be in noncompliance with part 30. Orders are formal, public documents, and they may be enforced in district court or through the assessment of civil money penalties under 12 U.S.C. 1818.

Description of the OCC's Guidelines Establishing Heightened Standards

The final Guidelines consist of three sections. Section I provides an introduction to the Guidelines, explains the scope of the Guidelines, and defines key terms used throughout the Guidelines. Section II sets forth the minimum standards for the design and implementation of a covered bank's Framework. Section III provides the minimum standards for the board of directors' oversight of the Framework.

Section I: Introduction

Under the proposed Guidelines, the OCC would expect a bank to establish and implement a Framework for managing and controlling the bank's risk taking. The proposed Guidelines established the minimum standards for the design and implementation of the Framework and the minimum standards for the board of directors in overseeing the Framework's design and implementation.

The proposed Guidelines permitted a bank to use its parent company's risk governance framework if the bank has a risk profile that is substantially the same as its parent company's risk profile, the parent company's risk governance framework complies with the proposed Guidelines, and the bank demonstrates through a documented assessment that its risk profile and its parent company's risk profile are substantially the same. The proposed Guidelines provided that the bank should conduct this assessment at least annually or more often in conjunction with the review and update of the Framework performed by independent risk management as set forth in paragraph II.A. of the proposed Guidelines.

Under the proposed Guidelines, a parent company's and bank's risk profiles would be considered substantially the same if, as of the most recent quarter-end Federal Financial Institutions Examination Council Consolidated Reports of Condition and Income (Call Report), the following conditions are met: (i) The bank's average total consolidated assets represent 95 percent or more of the parent company's average total consolidated assets; (ii) the bank's total assets under management represent 95 percent or more of the parent company's total assets under management; and (iii) the bank's total off-balance sheet exposures represent 95 percent or more of the parent company's total off-balance sheet exposures. As provided in the proposed Guidelines, a bank that did not satisfy this test could submit to the OCC for consideration an analysis that demonstrates that the risk profile of the parent company and the bank are substantially the same based on other factors.

The proposed Guidelines provided that the bank would need to develop its own Framework if the parent company's and bank's risk profiles are not substantially the same. The bank's Framework should ensure that the bank's risk profile is easily distinguished and separate from its parent company's for risk management and supervisory reporting purposes and that the safety and soundness of the bank is not jeopardized by decisions made by the parent company's board of directors or management.

Several commenters argued that it was inefficient and counterproductive to require a bank to create a second risk framework in addition to the parent company's framework. According to the commenters, a separate bank-specific risk framework would be isolated from the overall enterprise risk framework and undermine the goals of sound risk management. Other commenters indicated that banks should be allowed to use their parent company's risk governance framework because the Dodd-Frank Act requires bank holding companies to serve as a source of strength for their insured depository institution subsidiaries.

Some commenters also interpreted the proposed Guidelines as prohibiting the bank from using any components of the parent company's risk governance framework unless the risk profiles of the bank and its parent holding company are substantially the same. Commenters argued that the OCC should change the threshold for the substantially the same determination from 95 percent to 85 percent. They noted that in certain other regulatory contexts special treatment is granted when the total assets of an insured depository institution comprise 85 percent or more of the assets of its parent company.[13] One commenter argued that the current Call Report and holding company reporting forms do not contain parallel line items for assets under management and off-balance sheet exposures, making it difficult to establish whether a bank is above the 95 percent threshold under those measures. Multiple commenters also suggested that the OCC should allow multiple banks of one parent company to aggregate their asset sizes in order to meet the 95 percent threshold. The commenters noted that some banking organizations conduct banking operations through multiple charters and that a prohibition on aggregation would result in unnecessary and duplicative risk management programs.

The OCC is making limited modifications to the introductory section. The final Guidelines continue to establish minimum standards for the design and implementation of a covered bank's Framework and minimum standards for the covered bank's board of directors in providing oversight of the Framework's design and implementation. The OCC notes that these standards are not intended to be exclusive, and that they are in addition to any other applicable requirements in law or regulation. For example, the OCC expects covered banks to continue to comply with the operational and managerial standards articulated in Appendix A to part 30, including those relating to internal controls, internal audit systems, risk management, and management information systems.

Paragraph 3. of the final Guidelines clarifies that a covered bank may use its parent company's risk governance framework in its entirety, without modification, if the framework meets these minimum standards and the risk profiles of the parent company and the covered bank are substantially the same as demonstrated through a documented assessment. The covered bank should conduct this assessment at least annually in conjunction with the review and update of the Framework performed by independent risk management pursuant to paragraph II.A.

Paragraph 4. of the final Guidelines continues to set forth the substantially the same test, but simplifies the test by removing the provisions relating to assets under management and off-balance sheet exposures. Under the final Guidelines, a parent company's and covered bank's risk profiles are substantially the same if, as reported on the covered bank's Call Report for the four most recent consecutive quarters, the covered bank's average total consolidated assets represent 95 percent or more of the parent company's average total consolidated assets.[14] The final Guidelines also provide that a covered bank that does not satisfy this test may submit a written analysis to the OCC for consideration and approval that demonstrates that the risk profile of the parent company and the covered bank are substantially the same based upon other factors.

The OCC has determined not to lower the 95 percent threshold, as suggested by some commenters. The 95 percent threshold in the final Guidelines functions as a safe harbor, above which a covered bank will not need to create its own Framework. If a covered bank and its parent company have substantially the same risk profile, the covered bank can use any and all components of the parent company's risk governance framework as its own, provided the parent company's framework complies with the final Guidelines. A covered bank that does not meet the 95 percent threshold can use components of its parent company's framework, provided those components satisfy the criteria outlined in the Guidelines.

The OCC believes a high threshold is necessary to ensure that a covered bank's Framework appropriately considers the sanctity of each national bank or Federal savings association charter within a parent company's legal entity structure. During the financial crisis, the OCC and some boards of directors were unable to accurately assess certain national banks' risk profiles because their respective parent company's risk management practices were assessing, managing, and reporting risks by line of business, rather than legal entity. In addition, decisions by some parent companies' boards of directors and management teams leading up to the crisis created unacceptable risk levels in their national bank subsidiaries. As a result, these parent companies were unable to provide financial or other support to their bank subsidiaries despite the fact that a parent company is expected to serve as a source of strength for its bank subsidiaries.

The covered bank's Framework should ensure that the covered bank's risk profile is easily distinguished and separate from its parent company for risk management and supervisory reporting purposes and that the safety and soundness of the covered bank is not jeopardized by decisions made by the parent company's board of directors and management. This includes ensuring that assets and businesses are not transferred into the covered bank from nonbank entities without proper due diligence and ensuring that complex booking structures established by the parent company protect the safety and soundness of the covered bank.

Although the final Guidelines continue to provide that a covered bank should establish its own Framework when the parent company's and covered bank's risk profiles are not substantially the same, the Guidelines also clarify that even in these cases a covered bank may, in consultation with the OCC, incorporate or rely on components of its parent company's risk governance framework when developing its own Framework to the extent those components are consistent with the objectives of these Guidelines. It is important to note that neither the proposed Guidelines nor the final Guidelines prohibit a covered bank from using those components of its parent company's risk governance framework that are appropriate for the covered bank. Indeed, the OCC encourages covered banks to leverage their parent company's risk governance framework to the extent appropriate, including using employees of the parent company. For example, it may be appropriate for the same individual to serve as Chief Risk Executive or Chief Audit Executive of a covered bank and its parent company.

We note that the extent to which a covered bank may use its parent company's framework will vary depending on the circumstances. For example, it may be appropriate for a covered bank to use the parent company's framework without modification where there is significant similarity between the covered bank's and parent company's risk profiles, or where the parent company's framework provides for focused governance and risk management of the covered bank. Conversely, a covered bank may incorporate fewer components of the parent company's framework where the risk profiles of the covered bank and parent become less similar, or the parent company's risk governance framework is less focused on the covered bank. In these situations, it may be necessary to modify components of the parent company's risk governance framework that the covered bank incorporates or relies on to ensure the bank's risk profile is easily distinguished from that of its parent and that decisions made by the parent do not jeopardize the safety and soundness of the covered bank. It is expected that the covered bank will consult with OCC examiners to determine which components of a parent company's risk governance framework may be used to ensure that the covered bank's Framework complies with the Guidelines.

The OCC recognizes that covered banks operate within their overall parent company's risk governance framework, and that covered banks may realize efficiencies when their parent company's risk governance framework is consistent with these Guidelines. However, modifications may be necessary when the parent company's risk management objectives are different than the covered bank's risk management objectives. For example, a parent company's board of directors and management will need to understand and manage aggregate risks that cross legal entities, while a covered bank's board and management will need to understand and manage the covered bank's individual risk profile. The OCC believes these distinct goals and processes are complementary. The covered bank should work closely with its parent company to promote efficiencies and synergies between the two risk governance frameworks.

Scope and Compliance Date

The proposed Guidelines applied to a bank with average total consolidated assets equal to or greater than $50 billion as of the effective date of the Guidelines (calculated by averaging the bank's total consolidated assets, as reported on the bank's Call Reports, for the four most recent consecutive quarters). For those banks with average total consolidated assets less than $50 billion as of the effective date of the Guidelines, but that subsequently have average total consolidated assets of $50 billion or greater, the proposed Guidelines applied to such banks on the as-of date of the most recent Call Report used in the calculation of the average.

Several commenters objected to the $50 billion threshold. Some commenters suggested that the OCC increase the threshold to one more consistent with the complexity of the bank and the heightened risk the bank posed. One commenter suggested using the $250 billion threshold in the Basel III advanced approaches.[15] Another commenter favored eliminating the $50 billion threshold and instead adopting a principles-based approach that applies the Guidelines to banks whose operations are highly complex or present a heightened risk.

Some commenters requested that the OCC provide banks not previously subject to the OCC's heightened expectations a year or longer to comply with the final Guidelines. Other commenters contended that the OCC should permit an institution that becomes newly subject to the Guidelines a minimum of two years to achieve full compliance. Several commenters argued that the OCC should allow banks previously subject to the OCC's heightened expectations a minimum of one year from the issuance of the final Guidelines because of the new and more detailed requirements included in the Guidelines.

The OCC believes that the final Guidelines should apply to any bank with average total consolidated assets equal to or greater than $50 billion,[16] but recognizes that covered banks with assets equal to or greater than $50 billion may differ in the degree of risk they present and, therefore, as described below, we are making several changes to this section to address the compliance date for covered banks based on size and experience with the heightened expectations program. In addition, we believe that the $50 billion asset criteria is a well understood threshold that the OCC and other Federal banking regulatory agencies have used to demarcate larger, more complex banking organizations from smaller, less complex banking organizations.[17] Therefore, the final Guidelines retain the $50 billion threshold.

The OCC is also clarifying that the final Guidelines will apply to any bank with average total consolidated assets less than $50 billion in the limited circumstances where that institution's parent company controls at least one covered bank.[18] This would include either little financing off the covers slope as well as covered bank subsidiaries and sister bank branch that what banks (e.g., insured credit card banks or insured trust banks). The meaning of the terms “bank,” “covered bank,” and “control” is discussed in the Definitions section below.

As noted above, the final Guidelines contain a schedule that phases in the date for a covered bank to comply with the final Guidelines. A covered bank with average total consolidated assets equal to or greater than $750 billion should comply with the final Guidelines on the effective date, i.e., 60 days after these Guidelines are published in the Federal Register. A covered bank with average total consolidated assets equal to or greater than $100 billion but less than $750 billion as of the effective date should comply with the final Guidelines within six months from the effective date.

A covered bank with average total consolidated assets equal to or greater than $50 billion but less than $100 billion as of the effective date should comply with these Guidelines within 18 months from the effective date. A covered bank with average total consolidated assets less than $50 billion that is a covered bank because that bank's parent company controls at least one other covered bank as of the effective date should comply with these Guidelines on the same date that such other covered bank should comply. Finally, a covered bank with less than $50 billion in average total consolidated assets as of the effective date of the final Guidelines that subsequently becomes subject to the Guidelines because its average total consolidated assets are equal to or greater than $50 billion should comply with the Guidelines within 18 months from the as-of date of the most recent Call Report used in the calculation of the average.[19] The OCC notes that larger institutions have been subject to the OCC's heightened expectations program since 2010 and should need less time to comply with the final Guidelines. Other covered banks have been subject to certain aspects of the heightened expectations program and therefore may require additional time to comply with all aspects of the final Guidelines.

Reservation of Authority

In order to maintain supervisory flexibility, the proposed Guidelines reserved the OCC's authority to apply the Guidelines to a bank whose average total consolidated assets are less than $50 billion if the OCC determines that such bank's operations are highly complex or otherwise present a heightened risk as to require compliance with the Guidelines. The proposed Guidelines provided that the OCC would consider the complexity of products and services, risk profile, and scope of operations to determine whether a bank's operations are highly complex or present a heightened risk.

Conversely, the proposed Guidelines also reserved the OCC's authority to delay the application of the Guidelines to any bank, or modify the Guidelines as applicable to certain banks. Additionally, the proposed Guidelines provided that the OCC may determine that a bank is no longer required to comply with the Guidelines. The OCC would generally make this determination if a bank's operations are no longer highly complex or no longer present a heightened risk that would require continued compliance with the Guidelines. Finally, the proposal provided that the OCC would apply notice and response procedures, when appropriate, consistent with those set out in 12 CFR 3.404 when exercising any of these reservations of authority.

A few commenters expressed concern about the OCC's use of the reservation of authority to apply the Guidelines to banks below the $50 billion threshold, particularly community banks. Other commenters suggested that the proposed Guidelines should apply to a bank below the $50 billion threshold only when the bank's risk profile is elevated and the bank has met a list of objective factors.

After reviewing the comments, the OCC is finalizing the reservation of authority paragraph substantially as proposed with minor technical changes. The final Guidelines provide that the OCC reserves the authority to apply the Guidelines, in whole or in part, to a bank below the $50 billion threshold if the OCC determines that the bank's operations are highly complex or otherwise present a heightened risk. The OCC expects to use this authority only if a bank's operations are highly complex relative to its risk-management capabilities, and notes that “[t]his is a high threshold that only will be crossed in extraordinary circumstances.” [20] The OCC does not intend to exercise this reservation of authority to apply the final Guidelines to community banks.[21]

Consistent with the proposal, the final Guidelines reserve the OCC's authority to extend the time for compliance with the Guidelines, modify the Guidelines, or determine that compliance with the Guidelines is no longer appropriate for a particular covered bank. The OCC would generally make this determination if a covered bank's operations are no longer highly complex or no longer present a heightened risk based on consideration of the factors articulated in the Guidelines. The final Guidelines continue to provide that the OCC will apply notice and response procedures, when appropriate, consistent with those set out in 12 CFR 3.404 when exercising any of these reservations of authority.

Insured Federal Branches

As discussed above, the proposed Guidelines applied to an insured Federal branch of a foreign bank with average total consolidated assets of $50 billion or more. We noted in the preamble to the proposed Guidelines that, pursuant to the reservation of authority, the OCC may modify the Guidelines to tailor them for insured Federal branches due to their unique nature.

Some commenters requested that the OCC delay any decision regarding application of the Guidelines to an insured Federal branch pending a more definite determination of what such tailoring contemplates. In particular, these commenters requested that the OCC clarify the treatment of independent risk management and internal audit, and the role of the foreign bank's governing body under the Guidelines. Some commenters also asserted that the proposed Guidelines did not adequately address that an insured Federal branch does not have a board of directors. Some commenters also argued that the final Guidelines should provide each insured Federal branch considerable flexibility to apply them in a manner best suited to its circumstances.

After reviewing the comments, the OCC has determined that the final Guidelines will apply to insured Federal branches with $50 billion or more in average total consolidated assets. However, the OCC recognizes that insured Federal branches do not have a U.S. board of directors and that their risk governance frameworks will vary due to the variety of activities performed in the branch. As a result, the OCC intends to apply the final Guidelines in a flexible manner to insured Federal branches. For example, if an insured Federal branch were to become subject to the final Guidelines, the OCC would apply the Guidelines in a manner that takes into account the nature, scope, and risks of the branch's activities. This means that the OCC will consult with the insured Federal branch to adapt the final Guidelines in an appropriate manner to the branch's operations.

In addition, the final Guidelines omit footnote one from the proposal, which provided that, in the case of an insured Federal branch, the board of directors means the managing official in charge of the branch. In the event an insured Federal branch becomes subject to the final Guidelines, OCC examiners will consult with the branch to determine the appropriate person or committee to undertake the responsibilities assigned to the board of directors under the final Guidelines. The OCC continues to expect that insured Federal branches have risk governance frameworks in place that are commensurate with the level of risk taken in or outside the U.S. impacting U.S. operations.

Preservation of Existing Authority

As discussed above, the final Guidelines are enforceable pursuant to section 39 of the FDIA and part 30 of our rules. Section I of the Guidelines also provides that nothing in section 39 or the Guidelines in any way limits the authority of the OCC to address unsafe or unsound practices or conditions or other violations of law.

Definitions

The proposed Guidelines defined several terms, including Chief Audit Executive, Chief Risk Executive, front line unit, independent risk management, internal audit, risk appetite, and risk profile. With the exception of the front line unit definition, the OCC is adopting these definitions substantially as proposed, with certain clarifying and technical changes. The final Guidelines also incorporate definitions for the terms bank, control, and covered bank.

Bank. The proposed Guidelines defined the term “bank” in the scope section of the proposed Guidelines [22] to mean any insured national bank, insured Federal savings association, or insured Federal branch of a foreign bank with average total consolidated assets equal to or greater than $50 billion as of the effective date of the Guidelines. The OCC is moving this definition to paragraph I.E. Definitions to consolidate all of the definitions in one location. Under the final Guidelines, the term “bank” means any insured national bank, insured Federal savings association, or insured Federal branch of a foreign bank. As discussed below, the OCC is also introducing the term “covered bank” to more clearly indicate the types of institutions covered by these Guidelines.

Chief Audit Executive. The proposed Guidelines defined the term “Chief Audit Executive” (CAE) as an individual who leads internal audit and is one level below the Chief Executive Officer (CEO) in the bank's organizational structure. The OCC received no comments and is adopting this definition as proposed with one technical change.

Chief Risk Executive. The proposed Guidelines defined the term “Chief Risk Executive” (CRE) as an individual who leads an independent risk management unit and is one level below the CEO in the bank's organizational structure. The proposal noted that some banks designate one CRE, while others designate risk-specific CREs.[23] In the latter situation, the proposal provided that the bank should have a process for coordinating the activities of all independent risk management units so they can provide an aggregated view of risks to the CEO and the board of directors or the board's risk committee. The proposal requested comment on the advantages and disadvantages of having a single CRE versus having multiple, risk-specific CREs.

Commenters disagreed on this matter. Some commenters noted that it is advantageous for a single CRE to provide oversight to all independent risk management units, and argued that a single CRE is necessary to ensure a consistent and coordinated approach to risk management. Other commenters asserted that requiring a single CRE would be too prescriptive for the diverse risk profiles and organizational designs among banks, and noted that such a requirement may not be appropriate to the size, scale, and complexity of each institution. In addition, these commenters noted that having two or three executives performing CRE functions and having access to the board of directors can provide additional perspective to the board.

After reviewing the comments received, the OCC is adopting the definition substantially as proposed with one clarifying modification. The final Guidelines provide that Chief Risk Executive means an individual who leads an independent risk management unit and is one level below the CEO in a covered bank's organizational structure.[24] The final definition expressly states that a covered bank may have more than one CRE. Because the OCC did not receive compelling information regarding the appointment of a single CRE, we are providing covered banks flexibility in determining the appropriate number of CREs. The OCC continues to believe, however, that a covered bank with multiple, risk-specific CREs should have effective processes for coordinating the activities of all independent risk management units so that they can provide an aggregated view of all risks to the CEO and the board of directors or the board's risk committee.

Control. As discussed below, the OCC is adopting a definition of the term “covered bank” to clarify the scope of the final Guidelines. The definition of the term “covered bank” turns, in part, on the definition of “control.” While the concept of control was included in the proposed Guidelines,[25] the proposal did not include a definition of this term.

The OCC is adopting a definition of the term “control” that is based on the definition provided in 12 CFR 3.2. Under the final Guidelines, a parent company controls a covered bank when it: (i) Owns, controls, or holds with power to vote 25 percent or more of a class of voting securities of the covered bank; or (ii) consolidates the covered bank for financial reporting purposes. The OCC believes that this definition will assist institutions in determining whether they are a “covered bank,” and therefore subject to the final Guidelines.

Covered Bank. In order to clarify the scope of the final Guidelines, the OCC is adopting a definition of the term covered bank. Under the final Guidelines, the term covered bank means any bank: (i) With average total consolidated assets equal to or greater than $50 billion; (ii) with average total consolidated assets less than $50 billion if that bank's parent company controls at least one covered bank; or (iii) with average total consolidated assets less than $50 billion, if the OCC determines that the bank's operations are highly complex or otherwise present a heightened risk as to warrant the application of the final Guidelines. The OCC believes that this definition accurately reflects the scope of the proposed Guidelines, and has made changes throughout the text of the Guidelines to incorporate this term.

Front line unit. The proposed Guidelines defined the term “front line unit” as any organizational unit within the bank that: (i) Engages in activities designed to generate revenue for the parent company or bank; (ii) provides services, such as administration, finance, treasury, legal, or human resources to the bank; or (iii) provides information technology, operations, servicing, processing, or other support to any organizational unit covered by the proposed Guidelines.[26]

Several commenters strongly opposed this definition, arguing that it inappropriately includes organizational units that do not “own” or create risk, such as legal, compliance, finance, human resources, and information technology. These commenters suggested that these types of organizational units primarily perform risk mitigation or support functions and therefore should not be subject to the standards in the Guidelines. Other commenters expressed concern that the proposed definition would subordinate the views of these types of organizational units to independent risk management by, for instance, potentially subjecting legal decisions and advice to review by independent risk management and internal audit.

Some commenters also noted that organizational units may have many different functions, only some of which involve accountability for risk that warrants treatment under these Guidelines. One commenter suggested that, in such cases, the OCC classify part of the unit as a front line unit. One commenter suggested that the front line unit definition should include revenue-generating business units and personnel who provide functional support to these units, such as legal advisory services or technology development, when those personnel are compensated by and report into a business unit. Finally, several commenters urged the OCC to provide flexibility to determine how service and support functions should fit into the bank's risk governance framework.

After carefully considering the comments, the OCC is making several changes to this definition. Under the final Guidelines, a front line unit means, except as otherwise provided, any organizational unit or function thereof in a covered bank that is accountable for one or more listed risks [27] and that either: (i) Engages in activities designed to generate revenue or reduce expenses for the parent company or covered bank; (ii) provides operational support or servicing to any organizational unit or function within the covered bank in the delivery of products or services to customers; or (iii) provides technology services to any organizational unit or function covered by these Guidelines. Thus, to meet the definition of a front line unit, an organizational unit or function would need to be accountable for a risk and also meet one of three additional criteria that capture the types of risk-taking activities these Guidelines are intended to address. The final Guidelines also provide that a front line unit does not ordinarily include an organizational unit or function thereof within a covered bank that provides legal services to the covered bank.

The OCC believes that this revised definition provides greater flexibility to identify and classify organizational units or functions thereof that are responsible for risks covered by these Guidelines as front line units. Specifically, this definition makes it possible for part of an organizational unit to qualify as a front line unit without implicating the entire organizational unit. For example, in some institutions, the Chief Financial Officer's organizational unit may be responsible for setting targets and providing oversight to enterprise-wide expense reduction initiatives. These initiatives have the potential to create one or more risks, if actions taken to achieve cost saving goals inappropriately weaken risk management practices and internal controls. With regard to this responsibility, the finance organizational unit would be a front line unit, subject to the oversight and challenge of independent risk management. However, the finance organizational unit would not be a front line unit with regard to its responsibility to establish, assess, or report on line of business compliance with other enterprise-wide policies and procedures, such as those associated with preparing the covered bank's financial statements.

The final definition also clarifies that, if an organizational unit or function is accountable for a risk within a covered bank, it is considered a front line unit whether or not it created the risk. The purpose of this change is to make clear that a front line unit's responsibility for, or ownership of, a risk may arise by engaging in the activity that originally created the risk within the covered bank, or when the organizational unit is assigned accountability for a risk that was created by another organizational unit. For example, accountability for an individual loan or a portfolio of loans and its associated risks may transfer from one organizational unit or function to another within a covered bank. The organizational unit or function that assumes responsibility for the loan or loan portfolio becomes a front line unit at the time accountability for the risk is transferred.

Conversely, there may be circumstances where an organizational unit may have some accountability for one or more risks, but may not meet other provisions of the definition and thus would not be a front line unit for purposes of these Guidelines. For example, one of the primary responsibilities of human resources is to design and implement compensation programs, which, if not designed and implemented properly, could motivate inappropriate risk-taking behavior. However, human resources does not meet any of the three additional criteria, and therefore, is not a front line unit for purposes of these Guidelines. The OCC believes excluding human resources from the definition of front line unit is appropriate, given that the compensation programs it designs and implements are based on input from other organizational units and subject to the review and approval of the board of directors, or a committee thereof. The board of directors may, at its discretion, request input from independent risk management on the design and implementation of the compensation program or individual compensation plans, regardless of whether human resources is a front line unit. Furthermore, the other activities in which human resources engages are not directly related to the types of risks covered by these Guidelines.

The proposed Guidelines provided that an organizational unit that engages in activities designed to generate revenue for the parent company or the bank would be a front line unit. The final Guidelines modify this provision to provide that a front line unit can include an organizational unit or function that engages in activities designed to generate revenue or “reduce expenses.” The purpose of this change is to more effectively include within the front line unit definition certain functions within an organizational unit without including the entire unit.

Under the proposal, a front line unit included an organizational unit that “provides information technology, operations, servicing, processing, or other support to any organizational unit covered by these Guidelines.” The OCC notes that, in the revised definition, an organizational unit or function accountable for risk may be a front line unit if it “provides operational or servicing support to any organizational unit or function within the covered bank in the delivery of products or services to customers.” The OCC revised this definition because the proposed definition was too broad and could create issues similar to those raised by commenters with respect to including all aspects of organizational units such as finance, human resources, etc., in the front line unit definition. The revised definition is more focused on the organizational units and functions that the OCC intended to include in the definition of front line unit.

Finally, the OCC agrees with commenters that the definition of a front line unit should not ordinarily include an organizational unit or function thereof that provides legal services to the covered bank. The OCC notes, however, that there may be instances where the General Counsel is responsible for functions that extend beyond legal support. The OCC expects that examiners will determine whether these functions meet the definition of a front line unit, independent risk management, or internal audit and will discuss with covered banks whether any determinations made by the covered bank conflict with the final Guidelines.

Independent risk management. The proposed Guidelines defined the term independent risk management as any organizational unit within the bank that has responsibility for identifying, measuring, monitoring, or controlling aggregate risks. The proposal noted that these units maintain independence from front line units by following the reporting structure specified in the proposed Guidelines. Under the proposal's reporting structure, the board of directors or the board's risk committee reviews and approves the Framework and any material policies established under the Framework. In addition, the board of directors or the board's risk committee approves all decisions regarding the appointment or removal of the CRE and approves the annual compensation and salary adjustment of the CRE. The proposal clarified that the board of directors or the board's risk committee should receive communications from the CRE on the results of independent risk management's risk assessments and activities, and other matters that the CRE determines are necessary.[28] The proposal also provided that the board of directors or its risk committee should make appropriate inquiries of management or the CRE to determine whether there are scope or resource limitations that impede the ability of independent risk management to execute its responsibilities.[29]

The proposed definition specified that the CEO oversees the CRE's day-to-day activities. The proposal clarified that this includes resolving disagreements between front line units and independent risk management that cannot be resolved by the CRE and front line unit(s) executive(s), and overseeing budgeting and management accounting, human resources administration, internal communications and information flows, and the administration of independent risk management's internal policies and procedures.[30] Finally, the proposed definition provided that no front line unit executive oversees any independent risk management unit.

Some commenters noted that the proposed Guidelines suggested that cooperative or integrated relationships between independent risk management and front line units could undermine the independence of independent risk management. These commenters argued that independent risk management's effectiveness can be enhanced through active involvement with business units, and that the final Guidelines should recognize the benefit of, and not create obstacles to, this engagement.

Commenters also addressed the relationship between a parent company's and bank's independent risk management functions. Some commenters noted that the proposal conflicts with other regulatory authorities insofar as those authorities expect risk officers at the bank to report to the parent company's risk management function, and the proposal provided that the CRE of the bank should report to a bank's CEO. Other commenters expressed the view that the proposed Guidelines appear to require a bank to have a separate chief risk officer and separate risk management organization from its parent company. These commenters argued that requiring risk management activities at the bank separate from the same activities at the parent company would be duplicative and increase compliance costs.

One commenter noted that the provision regarding the CEO's oversight of the CRE's day-to-day activities suggested too prescriptive a level of involvement. That commenter noted that while the CEO should be accountable for these activities, he or she should not be required to be personally involved in the day-to-day activities of other management. This commenter requested the OCC to clarify that the CEO should not be expected to become significantly involved in the details of independent risk management.

The OCC is adopting the definition substantially as proposed with certain modifications to address commenters' concerns. The final Guidelines provide that independent risk management means any organizational unit within a covered bank that has responsibility for identifying, measuring, monitoring, or controlling aggregate risks.[31]

Consistent with the proposal, the final Guidelines articulate a reporting structure that enables independent risk management to maintain its independence from front line units.[32] Under this reporting structure, the board of directors or the board's risk committee reviews and approves the Framework. In addition, the final Guidelines clarify that a CRE should have unrestricted access to the board of directors and its committees with regard to risks and issues identified through independent risk management's activities. The board of directors or its risk committee approves all decisions regarding the appointment or removal of the CREs and approves the annual compensation and salary adjustment of the CREs. The final definition removes the provision for the CEO to oversee the CRE's (or CREs') day-to-day activities. The term day-to-day activities was intended to convey that the CEO would oversee the CRE's (or CREs') activities in a manner similar to the oversight the CEO provides to other direct reports. Given the potential for misinterpretation of the term day-to-day, and the fact that this expectation is implied in the CRE's (or CREs') reporting structure defined in the Guidelines, the OCC determined that this additional requirement is not necessary. The final Guidelines continue to provide that no front line unit executive oversees any independent risk management unit. Conversely, the CRE should not oversee any front line unit.

The OCC has also removed from the final definition the provision that the board of directors or the board's risk committee review and approve any material policies established under the Framework. As discussed below, the OCC did not intend to assign managerial responsibilities to the board of directors or its risk committee. The OCC believes that board or risk committee approval of material policies under the Framework would be burdensome, and that these policies should be approved by management instead. Nevertheless, the OCC continues to believe that the board of directors or the board's risk committee should receive communications from the CRE on the results of independent risk management's risk assessments and activities, and other matters that the CRE determines are necessary. In addition, the board of directors or its risk committee should make appropriate inquiries of management or the CRE to determine whether there are scope or resource limitations that impede the ability of independent risk management to execute its responsibilities.

The OCC did not intend the proposed Guidelines to limit interaction between independent risk management and front line units, nor did the OCC intend to imply that the relationship between front line units and independent risk management should be uncooperative or adversarial. Rather, the OCC expects independent risk management to coordinate and to actively engage with front line units. However, the OCC expects that independent risk management will apply its own judgment when assessing risks and the effectiveness of risk management practices within a front line unit. In addition, there may be situations where independent risk management and front line units disagree. As provided in the proposal, the OCC continues to believe that these disagreements should be resolved by the CEO when the CRE and front line unit(s) executive(s) are unable to resolve these issues.

The Guidelines, as proposed and finalized, do not limit or prevent an employee of a covered bank, such as a CRE, from also serving as an officer of the covered bank's parent company and satisfying reporting requirements applicable to the covered bank's parent company. Accordingly, if a CRE is also an employee of a covered bank's parent company, the final Guidelines do not prohibit the CRE from reporting to an executive at the parent company provided that the executive does not impede the CRE's independence within the covered bank's Framework. Similarly, as discussed above, the OCC notes that the final Guidelines clarify that a covered bank may use components of a parent company's risk governance framework, but only to the extent that this is appropriate for the covered bank.

Internal audit. The proposed Guidelines defined the term internal audit as the organizational unit within the bank that is designated to fulfill the role and responsibilities outlined in 12 CFR part 30, Appendix A, II.B. Similar to the proposed definition of independent risk management, the proposal noted that internal audit maintains independence from front line units and independent risk management units by implementing the reporting structure specified in the proposed Guidelines. Under the proposal's reporting structure, the board's audit committee reviews and approves internal audit's overall charter, risk assessments, and audit plans. In addition, the proposal provided that the audit committee approves all decisions regarding the appointment or removal and annual compensation and salary adjustment of the CAE. The proposal clarified that the audit committee should receive communications from the CAE on the results of internal audit's activities or other matters that the CAE determines are necessary and make appropriate inquiries of management or the CAE to determine whether there are scope or resource limitations that impede the ability of internal audit to execute its responsibilities.[33]

The proposed definition also provided that the CEO oversees the CAE's day-to-day activities. The proposal clarified that the CEO's oversight responsibilities include, but are not limited to, budgeting and management accounting, human resources administration, internal communications and information flows, and the administration of the unit's internal policies and procedures.[34] The proposed definition also noted that in some banks, the audit committee may assume the CEO's responsibilities to oversee the CAE's day-to-day activities, and that this would be acceptable under the proposed Guidelines.[35] Finally, the proposed definition provided that no front line unit executive oversees internal audit.

Similar to comments on the proposed definition of independent risk management, comments on the proposed definition of internal audit focused on the organizational unit's reporting structure. Some commenters argued that the reporting line for the CAE was too narrow and requested that the final Guidelines provide more flexibility to permit the CAE to report to another senior executive (e.g., general counsel) on day-to-day issues. These commenters noted that permitting more flexibility supports the goals of internal audit independence and unfettered access to the bank's board of directors. Other commenters noted that internal audit and the CAE are most effective and independent when they report functionally to the board of directors or the audit committee and administratively to a suitable executive, such as the CEO.

Some commenters also expressed the view that the proposed Guidelines would require a banking organization to establish duplicative audit departments for its parent company and each of its banks. These commenters noted that a centralized audit function is more effective and efficient, provides consistent audit coverage, and enables enterprise-wide functional reviews that help to identify systemic issues quickly. The OCC did not intend to suggest that a covered bank is prohibited from using its parent company's risk governance framework when their respective risk profiles are not substantially the same. As described more fully above, the final Guidelines generally provide that a covered bank may rely on components of its parent company's risk governance framework, including internal audit, to the extent those components are consistent with the objectives of the final Guidelines.

One commenter noted that the provision regarding the audit committee's or CEO's oversight of the CAE's day-to-day activities suggested a level of involvement that was too prescriptive and, in the case of the audit committee, too management-oriented. This commenter requested that the OCC revise this provision to recognize that neither the CEO nor the audit committee should be expected to become significantly involved in the details of internal audit. Finally, some commenters argued that the audit committee should only review and approve material risk assessments.

After reviewing the comments received, the OCC is adopting the definition of internal audit substantially as proposed with certain modifications. As provided in the final Guidelines, the term internal audit means the organizational unit within a covered bank that is designated to fulfill the role and responsibilities outlined in 12 CFR part 30, Appendix A, II.B.

Consistent with the proposal, the final Guidelines articulate a reporting structure that enables internal audit to maintain its independence from front line units and independent risk management. Under the reporting structure included in the final Guidelines, the CAE has unrestricted access to the audit committee with regard to risks and issues identified through internal audit's activities. In addition, the audit committee reviews and approves internal audit's overall charter and audit plans. Further, the audit committee approves all decisions regarding the appointment or removal and annual compensation and salary adjustment of the CAE. The final definition clarifies that the audit committee or the CEO oversees the CAE's administrative activities. Lastly, the final definition continues to provide that no front line unit executive oversees internal audit.

The OCC agrees with commenters that neither the CEO nor the audit committee needs to be involved in the details of the CAE's day-to-day activities. The final definition preserves this dual reporting structure, and clarifies that the CEO or the audit committee oversees the CAE's administrative activities, rather than the CAE's day-to-day activities. This reflects the OCC's belief that either the CEO or the audit committee should have primary oversight responsibility over the CAE's administrative activities. These administrative activities include routine personnel matters such as leave and attendance reporting, expense account management, and other departmental matters such as furniture, equipment, and supplies. In addition, revisions made to the definition of front line unit provide internal audit more flexibility to consult with other organizational units, as necessary. For example, the final Guidelines do not prevent internal audit from consulting with a covered bank's legal unit on legal matters because the legal unit is generally not a front line unit.

The OCC recognizes that the proposed definition could have been interpreted to mean that the audit committee should review and approve all internal audit risk assessments, and agrees with commenters that this may impose undue burdens on an audit committee and detract from its oversight role. Therefore, the final definition removes this provision and clarifies that the audit committee reviews and approves the overall charter and audit plan. When presenting the audit plan to the audit committee for approval, internal audit could include the risk assessments that support the audit plan to assist the committee in carrying out its responsibilities. Finally, the OCC continues to expect that the audit committee should receive communications from the CAE on the results of internal audit's activities or other matters that the CAE determines are necessary and make appropriate inquiries of management or the CAE to determine whether there are scope or resource limitations that impede the ability of internal audit to execute its responsibilities.

Parent company. The term “parent company” was used throughout the proposed Guidelines. One commenter noted that this term can mean a variety of different entities in a multi-tiered holding company structure.

The OCC is adopting a definition of the term “parent company” to clarify the final Guidelines. The term parent company means the top-tier legal entity in a covered bank's ownership structure. Thus, the parent company of a covered bank that is an insured national bank or insured Federal savings association may be a domestic or foreign company.

Risk appetite. The proposed Guidelines defined the term “risk appetite” as the aggregate level and types of risk the board of directors and management are willing to assume to achieve the bank's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements. The OCC received no comments on this definition and is adopting it as proposed with minor technical changes.

Risk profile. The proposed Guidelines defined the term risk profile as a point-in-time assessment of the bank's risks, aggregated within and across each relevant risk category, using methodologies consistent with the risk appetite statement described in II.E. of the proposed Guidelines. The OCC received no comments on this definition and is adopting it as proposed with minor technical changes.

Section II: Standards for Risk Governance Framework

Risk Governance Framework

Section II of the proposed Guidelines set minimum standards for the design and implementation of a bank's Framework. Under paragraphs A. and B., the proposal required a bank to establish and adhere to a formal, written Framework approved by the board of directors or its risk committee that is reviewed and updated at least annually (and as often as needed) by independent risk management to address changes in the bank's risk profile caused by internal or external factors or the evolution of industry risk management practices. We received no comments on this paragraph, however we are making clarifying changes. We have added a provision stating that the Framework should include delegations of authority from the board of directors to management committees and executive officers as well as risk limits established for material activities. The Framework should also include processes for management's reports to the board of directors covering policy, limit compliance, and exceptions. In addition, we have added that the review of the Framework should include changes resulting from emerging risks and the covered bank's strategic plans.

Scope of Risk Governance Framework

Under the proposed Guidelines, the Framework would cover certain specified risk categories that apply to the bank. These categories are credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk.

One commenter requested clarification regarding the meaning of reputation and strategic risk and argued that the OCC should provide additional clarification or remove these two risk types. The final Guidelines continue to include all eight categories of risk, which are described in existing OCC guidance.[36] The OCC recognizes that industry practices for managing reputation and strategic risks are less developed than those associated with other risk categories. However, it is important for boards of directors and management teams to incorporate these risks into their decision-making processes. Therefore, for purposes of the final Guidelines, the OCC expects front line units, independent risk management, and internal audit to consider these risks when carrying out their responsibilities under the Guidelines.

Roles and Responsibilities

Paragraphs II.C.1. through 3. of the final Guidelines set forth the roles and responsibilities for front line units, independent risk management, and internal audit.[37] These units are fundamental to the design and implementation of the Framework. As we noted in the preamble to the proposed Guidelines, they are often referred to as the “three lines of defense” and, together, should establish an appropriate system to control risk taking. These units should keep the board of directors informed of the covered bank's risk profile and risk management practices to allow the board of directors to provide credible challenges to management's recommendations and decisions. In addition, the independent risk management and internal audit units must have unrestricted access to the board, or a committee thereof, with regard to their risk assessments, findings, and recommendations, independent from front line unit management and, as necessary, the CEO. This unrestricted access to the board of directors is critical to the integrity of the Framework.

In carrying out their responsibilities within the Framework, front line units, independent risk management, and internal audit may engage the services of external experts to assist them. This expertise can be useful in supplementing internal expertise and providing perspective on industry practices. However, no organizational unit in the covered bank may delegate its responsibilities under the Framework to an external party.

Many of the commenters expressed support for the lines of defense risk governance structure contained in the proposed Guidelines. Some commenters, however, argued that classifying all of a bank's activities into one of three lines of defense draws artificial bright lines that ignore the mix of functions performed. Other commenters noted that placing all units other than independent risk management and internal audit in the front line could force banks to significantly modify their organizational structures, reporting lines, and risk management practices and that this could impair banks' ability to effectively manage risks. A few commenters asked for additional guidance on the reporting structure for compliance and loan review functions.

As discussed earlier, the OCC has revised the definition of front line unit to provide covered banks more flexibility in identifying front line units. The OCC believes that these revisions respond to commenters' concerns and more closely align the final Guidelines with the traditional “lines of defense” approach. Below, we discuss the role and responsibilities of front line units, independent risk management, and internal audit.

Role and Responsibilities of Front Line Units

Front line units are the first of a bank's three lines of defense. The proposed Guidelines provided that front line units must take responsibility and be held accountable by the CEO and the board of directors for appropriately assessing and effectively managing all of the risks associated with their activities. The proposed Guidelines provided that front line units should assess, on an ongoing basis, the significant risks associated with their activities. The front line unit should use these risk assessments as the basis for fulfilling the responsibilities that were described in paragraphs (b) and (c) of paragraph II.C.1. of the proposed Guidelines and for determining if they need to take action to strengthen risk management or reduce risk given changes in the unit's risk profile or other conditions.

Paragraph (b) provided that front line units should establish and adhere to a set of written policies that include front line unit risk limits, as discussed in paragraph II.F. of the proposed Guidelines. The proposed Guidelines provided that these policies should ensure that risks associated with the front line units' activities are effectively identified, measured, monitored, and controlled consistent with the bank's risk appetite statement, concentration risk limits, and the bank's policies established within the Framework pursuant to paragraphs II.C.2.(c) and II.G. through K. of the proposed Guidelines.

Paragraph (c) provided that front line units should also establish and adhere to procedures and processes necessary to ensure compliance with the aforementioned written policies. Paragraph (d) provided that front line units should adhere to all applicable policies, procedures, and processes established by independent risk management.

Finally, the proposed Guidelines provided that front line units should develop, attract, and retain talent and maintain appropriate staffing levels, and establish and adhere to talent management processes and compensation and performance management programs that comply with paragraphs II.L. and II.M., respectively, of the proposed Guidelines.

Several commenters expressed concern that the proposed Guidelines prevent front line units from relying on other organizational units to perform their assigned responsibilities. For example, one commenter argued that the proposed Guidelines could be interpreted as suggesting that front line units have exclusive responsibility for establishing risk limits, a responsibility assigned to independent risk management in many banks. This commenter recommended that the final Guidelines clarify that front line units do not have exclusive responsibility for establishing front line unit risk limits, and that the front line unit may perform this responsibility alone or in conjunction with independent risk management. Another commenter suggested that the final Guidelines recognize that a front line unit may use policies, procedures, and controls established by other organizational units, and that the front line units' responsibility should be contributing their expertise to the development of those policies, procedures, and controls. Some commenters also requested the OCC to clarify how the responsibilities assigned to front line units would apply to legal services or other functions that, in some banks, do not report directly to a business leader.

After reviewing the comments, the OCC is adopting the role and responsibilities of front line units with minor clarifying changes. To allow covered banks some flexibility in designing their Framework, the final Guidelines provide that a front line unit may fulfill its responsibilities either alone or in conjunction with another organizational unit whose purpose is to assist the front line unit in fulfilling its responsibilities under the Framework. In such cases, the Framework should establish appropriate authority and accountability for each responsibility in the Framework, and the organizational unit assisting the front line unit cannot be independent risk management. As the OCC observed during the financial crisis, it can be challenging to instill a sense of “risk ownership” in a front line unit when multiple organizational units are responsible for the risks associated with the front line unit's activities. Banks whose business leaders viewed themselves as accountable for the risks created through their activities fared better in the crisis than banks where accountability for risks was shared among multiple organizational units. The OCC cautions covered banks that choose to adopt such a structure to be diligent in reinforcing the front line unit's accountability for the risks it creates.

With respect to paragraph (c) of the final Guidelines, a front line unit's processes for establishing its policies should provide for independent risk management's review and approval of these policies to ensure they are consistent with other policies established within the Framework. Within this process, independent risk management would review and approve the front line unit's risk limits. The final Guidelines do not prescribe the process through which independent risk management reviews and approves policies and risk limits. In some covered banks, independent risk management may be involved from the beginning of the process through the final approval and, in other covered banks, the front line unit may develop risk limits internally and submit them to independent risk management for review, challenge, and approval.

The OCC notes that the standards articulated in paragraphs (b) and (c) of the final Guidelines should not be interpreted as an exclusive list of actions front line units should take to manage risk effectively. Front line units should use their ongoing risk assessments to determine if additional actions are necessary to strengthen risk management practices or reduce risk. For example, there may be instances where front line units should take action to manage risk effectively, even if the covered bank has not exceeded its risk limits.

As described above, the OCC has made revisions to the definition of front line unit which the OCC believes address commenters' concerns regarding the application of front line unit responsibilities to legal. Several commenters requested clarification on how compliance fits into the risk governance framework and expressed varying views on whether compliance should be considered a front line unit, independent risk management, internal audit, or a different organizational unit. With regard to compliance, the OCC's guidance is currently outlined in the “Compliance Management System” booklet of the Comptroller's Handbook and includes responsibilities for all three lines of defense.[38]

Per the Comptroller's Handbook, a compliance risk management system “includes the compliance program and the compliance audit function. . . . The compliance program consists of the policies and procedures which guide employees' adherence to laws and regulations.” [39] Within the Framework, these policies and procedures would generally be the responsibility of the front line unit if they address risks associated with the front line unit's activities or independent risk management if they address bank-wide or aggregate risks. The Comptroller's Handbook further states, “[t]he compliance audit function is independent testing of an institution's transactions to determine its level of compliance with consumer protection laws, as well as the effectiveness of, and adherence with, policies and procedures.” [40] Within the Framework, the independent testing may be performed by independent risk management, internal audit, or both.

As noted earlier, a few commenters asked for additional guidance on the reporting structure for the loan review function.[41] Within the Framework, the loan review function may report to either the second or third line of defense. The loan review function should not report to the executive officer who establishes and oversees front line unit lending policies and individual loan underwriting decisions.

Role and Responsibilities of Independent Risk Management

Independent risk management is the second of a bank's three lines of defense. Paragraph II.C.2. of the proposed Guidelines provided that independent risk management should oversee the bank's risk-taking activities and assess risks and issues independent of the CEO and front line units. The proposed Guidelines provided that independent risk management should take primary responsibility and be held accountable by the CEO and board of directors for designing a Framework commensurate with the bank's size, complexity, and risk profile that meets the Guidelines. Paragraph (b) provided that independent risk management should identify and assess, on an ongoing basis, the bank's significant aggregate risks and use such risk assessments as the basis for fulfilling its responsibilities under paragraphs (c) and (d) of section II.C.2., and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the bank's risk profile or other conditions. Paragraph (c) provided that independent risk management should establish and adhere to enterprise policies that include concentration risk limits that ensure that aggregate risks within the bank are effectively identified, measured, monitored, and controlled, consistent with the bank's risk appetite statement and all policies and processes established under paragraphs II.G. through K. Paragraphs (d) and (e) provided that independent risk management should establish and adhere to procedures and processes necessary to ensure compliance with the aforementioned policies and to ensure that the front line units meet the standards discussed in paragraph II.C.1.

Paragraph (f) provided that independent risk management should identify and communicate to the CEO and the board of directors or its risk committee material risks and significant instances where independent risk management's assessment of risk differs from a front line unit as well as significant instances where a front line unit is not complying with the Framework. Paragraph (g) provided that independent risk management should identify and communicate to the board of directors or its risk committee material risks and significant instances where independent risk management's assessment of risk differs from the CEO, and significant instances where the CEO is not adhering to, or holding front line units accountable for adhering to, the Framework. In addition, the proposed Guidelines provided that independent risk management should develop, attract and retain talent, maintain appropriate staffing levels, and establish and adhere to talent management processes and compensation and performance management programs that comply with paragraphs II.L. and II.M., respectively, of the Guidelines.

Commenters proposed several revisions to this section of the proposed Guidelines. Some commenters requested that the OCC delete the provision discussing independent risk management's oversight of the bank's risk-taking activities and assessment of risks and issues independent of the CEO. These commenters expressed concern that this suggested that the CRE would not be subject to CEO oversight with respect to these activities.

Some commenters also noted that including organizational units, such as compliance, legal, and human resources, in the front line unit would require independent risk management to duplicate the control and support functions performed by these other units. These commenters noted that this would detract from independent risk management's responsibilities for overseeing the risk management program. Other commenters requested that the OCC clarify how independent risk management would interact with organizational units performing control functions. For example, some commenters were concerned that independent risk management's oversight function would extend to independently assessing the risks posed by litigation. As described in the section discussing the front line unit definition, the OCC has made revisions to the definition of front line unit that the OCC believes address these concerns.

The OCC is finalizing the role and responsibilities of independent risk management substantially as proposed, with several clarifying changes. The OCC has revised the role and responsibilities of independent risk management to remove the provision that independent risk management should assess risks and issues independent of the CEO. The OCC did not intend to suggest that independent risk management should not be subject to CEO oversight with respect to the assessment of risks and issues. Notwithstanding the CEO's oversight of the CRE and independent risk management, the OCC emphasizes that paragraph (f) of the final Guidelines continues to provide that independent risk management should report to the board of directors or its risk committee material risks and significant instances where independent risk management's assessment of risk differs from the CEO, as well as significant instances where the CEO is not adhering to, or holding front line units accountable for adhering to, the Framework.

The OCC also emphasizes that the standards articulated in paragraphs (c) [42] and (d) of the final Guidelines should not be interpreted as an exclusive list of actions independent risk management should take to effectively manage risk. Independent risk management should use its risk assessments to determine if additional actions are necessary to strengthen risk management practices or reduce risk. For example, there may be instances where independent risk management should take action to effectively manage risk, even if the covered bank's risk appetite, applicable concentration risk limits, or a front line unit's risk limits have not been exceeded.

The OCC also has removed paragraph (e), and redesignated paragraph (f) as new paragraph (e). The OCC has revised new paragraph (e) to clarify that independent risk management should identify and communicate to the CEO and the board of directors, or the risk committee thereof, significant instances where a front line unit is not adhering to the Framework, including instances when front line units do not meet the standards set forth in paragraph II.C.1.

Role and Responsibilities of Internal Audit

Internal audit is the third of a bank's three lines of defense. The proposed Guidelines provided that internal audit should ensure that a bank's Framework complies with the Guidelines and is appropriate for the bank's size, complexity, and risk profile. Paragraph (a) provided that internal audit should maintain a complete and current inventory of all of the bank's material businesses, product lines, services, and functions and assess the risks associated with each,[43] which collectively provide a basis for the audit plan.

Paragraph (b) provided that internal audit should establish and adhere to an audit plan updated at least quarterly that takes into account the bank's risk profile as well as emerging risks and issues. The proposal provided that the audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures, and processes established by front line units and independent risk management under the Framework. The proposal provided that changes to the audit plan should be communicated to the audit committee of the board of directors.

Paragraph (c) provided that internal audit should report in writing to the audit committee conclusions, issues, and recommendations resulting from the audit work carried out under the audit plan. These reports should identify the root cause of any issue and include a determination of whether the root cause creates an issue that has an impact on one organizational unit or multiple organizational units within the bank, as well as a determination of the effectiveness of front line units and independent risk management in identifying and resolving issues in a timely manner.

Paragraph (d) provided that internal audit should establish and adhere to processes for independently assessing the design and effectiveness of the Framework. The assessment should be performed at least annually and may be conducted by internal audit, an external party, or a combination of both. The assessment should include a conclusion on the bank's compliance with the Guidelines and the degree to which the bank's Framework is consistent with leading industry practices.

Paragraph (e) provided that internal audit should identify and communicate to the audit committee significant instances where front line units or independent risk management are not adhering to the Framework. Paragraph (f) provided that internal audit should establish a quality assurance department which ensures internal audit's policies, procedures, and processes comply with applicable regulatory and industry guidance, are appropriate for the size, complexity, and risk profile of the bank, are updated to reflect changes to internal and external risk factors, and are consistently followed. Finally, the proposed Guidelines provided that internal audit should develop, attract, and retain talent and maintain appropriate staffing levels, and establish and adhere to talent management processes and compensation and performance management programs that comply with paragraphs II.L. and II.M., respectively, of the proposed Guidelines.

The OCC invited comment as to whether the final Guidelines should provide that independent risk management maintain a complete and current inventory of all of a bank's material businesses, product lines, services, and functions to ensure that internal audit has developed an accurate inventory. The OCC also requested comment on whether internal audit's assessment of the bank's Framework should include a conclusion regarding whether the Framework is consistent with leading industry practices. The OCC inquired as to whether such an assessment would be possible given the wide range in industry practice, and whether there were any concerns related to this provision.

Commenters generally stated that the role and responsibilities assigned to internal audit were too prescriptive. Some commenters requested that the final Guidelines provide that internal audit report to the audit committee only on material changes to the audit plan, material audit findings and conclusions, and root causes of material audit issues. Other commenters noted that internal audit may not need to assess the Framework's design annually since the design of the Framework is not likely to materially change on a frequent basis. These commenters also expressed concern that the proposed Guidelines could permit an external party to assess the Framework, and requested that the final Guidelines clarify that internal audit must oversee the external party. Some commenters also argued that it is not necessary for internal audit to establish a quality assurance department because this is already a function of internal audit.

Commenters also requested clarification regarding a discussion in the preamble to the proposed Guidelines providing, in part, that the audit plan should rate the risk presented by each front line unit, product line, service, and function, and that internal audit should derive these ratings from bank-wide risk assessments. Some commenters requested clarification regarding whether the bank-wide risk assessments are prepared by internal audit independently, or whether these assessments are created by internal audit in conjunction with front line units and/or independent risk management. Other commenters suggested that permitting internal audit to periodically adjust these ratings based on risk assessments conducted by front line units could compromise internal audit's independence and objectivity. Some commenters suggested that internal audit should conduct an independent review, and provide challenge where appropriate, of the risk assessments conducted by front line units.

Commenters disagreed on whether both independent risk management and internal audit should maintain a complete and current inventory of all of a bank's material businesses, product lines, services, and functions. Some commenters argued that front line units should be responsible for this inventory, rather than internal audit. Other commenters asserted that independent risk management should maintain the inventory rather than internal audit. These commenters noted that internal audit should review and evaluate the inventory for accuracy and completeness if it is maintained by independent risk management. Other commenters expressed the view that banks should have flexibility in determining whether independent risk management or internal audit is accountable for maintaining the inventory. These commenters emphasized that banks should only be required to maintain one comprehensive inventory, and that front line units should play a meaningful role in the creation of the inventory.

The majority of commenters also opposed the proposed Guidelines to the extent they provided that internal audit's assessment of the bank's Framework should include a conclusion regarding whether the Framework is consistent with leading industry practices. Some commenters noted that this would be a subjective determination, as there is no basis for determining what constitutes leading industry practices, and argued that this may lead covered banks to make greater use of third-party consultants. Some commenters also argued that this would detract from internal audit's core functions. Other commenters argued that there is a range of acceptable practices and that it is not possible to establish a single set of leading industry practices. The majority of commenters recommended removing this provision from the final Guidelines.

The OCC's final Guidelines contain revisions to address multiple concerns raised by commenters and to provide internal audit more flexibility in satisfying its role and responsibilities under the Framework. For example, the OCC agrees with commenter suggestions that internal audit should report conclusions and material issues and recommendations to the audit committee pursuant to paragraph (c), and that these reports should also identify the root cause of any material issues. The OCC believes that this modification avoids imposing undue operational burdens on the audit committee and enables the committee to fulfill its key oversight role.

The OCC believes that the design and implementation of the audit plan is a key element of internal audit's role and responsibilities under the Framework. The inventory of material processes, product lines, services, and functions and the risk assessments conducted by internal audit pursuant to paragraph (a) of the final Guidelines are commonly referred to as the “internal audit universe” and form the basis of the audit plan. The OCC expects internal audit to conduct these risk assessments independent of other organizational units in the covered bank. As explained in the preamble to the proposed Guidelines, the audit plan should evaluate the risk presented by each front line unit, product line, service, and function. This includes activities that the covered bank may outsource to a third party.

Internal audit can leverage risk assessments conducted by front line units or independent risk management in deriving the risk assessments discussed in paragraph (a), but should apply independent judgment in doing so.[44] Internal audit may periodically adjust its risk assessments based on changes in the covered bank's mission and the external environment. The audit plan should include ongoing monitoring to identify emerging risks and ensure that units, product lines, services, and functions that receive a low risk rating are reevaluated with reasonable frequency.


The audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures, and processes established by front line units and independent risk management under the Framework. The OCC notes that this provision is in addition to internal audit's traditional testing of internal controls and the accuracy of financial records, as required by other laws and regulations, at an appropriate frequency based on risk. This testing should include the evaluation of reputation and strategic risk, along with evaluations of independent risk management and traditional risks. This testing should enable internal audit to assess the appropriateness of risk levels and trends across the covered bank.

Consistent with the proposal, the OCC continues to believe that all significant changes to the audit plan should be communicated to the audit committee. As discussed earlier, the OCC believes that the audit plan is a critical element of internal audit's role and responsibilities under the Framework and that significant changes to the audit plan are material. The final Guidelines also clarify that internal audit should periodically review and update the audit plan, rather than perform this task on an annual basis as provided in the proposed Guidelines.

Paragraph (c) provides, in part, that internal audit should report in writing conclusions and material issues and recommendations resulting from audit work carried out under the audit plan. The OCC also notes that these reports should address potential and emerging concerns, the timeliness of corrective actions, and the status of outstanding issues. Finally, audit reports should include comments on the effectiveness of front line units and independent risk management in identifying and mitigating excessive risks and identifying and resolving issues in a timely manner. Audit reports should also reflect emerging risks and internal audit's assessment of the appropriateness of risk levels relative to both the quality of the internal controls and the risk appetite statement.

The OCC has also clarified the role and responsibilities of internal audit under the final Guidelines. Specifically, the final Guidelines provide that internal audit should assess emerging risks and that the quality assurance program should ensure that internal audit's policies, procedures, and processes are updated to reflect emerging risks and improvements in industry internal audit practices. The addition of emerging risks is intended to emphasize that internal audit should consider both pre-existing and prospective risks with respect to the relevant provisions. The OCC also believes that those individuals carrying out the quality assurance program should remain apprised of evolving industry internal audit practices, and that internal audit's policies, procedures, and processes should be updated to reflect these best practices, as appropriate. The OCC has not removed the provision regarding the establishment of a quality assurance program, as one commenter suggested, because the OCC's supervisory experience indicates that not all covered banks' internal audit units include a quality assurance function.

The OCC has made important revisions to internal audit's role and responsibilities for assessing the design and ongoing effectiveness of the Framework. The final Guidelines continue to provide that this assessment should be conducted at least annually because there may be situations (e.g., expansion of business, change in strategy, emerging risks) that cause the covered bank's risk profile to change, thereby justifying a reassessment of the design and ongoing effectiveness of the covered bank's Framework. The final Guidelines also continue to provide that internal audit, an external party, or both may perform this assessment. The OCC has not revised the final Guidelines to provide that internal audit must oversee this external party. The OCC notes that there may be situations where a covered bank wants to engage a third party to review the entire Framework, including internal audit's role in the Framework. It would not be appropriate for internal audit to oversee the external party in this situation. In addition, based on the overwhelming majority of comments, the OCC is modifying this paragraph to remove the provision that internal audit's assessment of the Framework should include a conclusion regarding whether the Framework is consistent with leading industry practices. However, the OCC notes that most covered banks that experienced problems during the financial crisis had risk management practices that were not commensurate with the scope of the covered bank's business activities. As a result, the OCC expects independent risk management, in conjunction with internal audit, the CEO, and the board of directors, to assess whether the covered bank's risk management practices are developing in an appropriate manner and to consider benchmarking these practices against peers, where possible.

The final Guidelines continue to provide that internal audit should maintain a complete and current inventory (“audit universe”) of all of the covered bank's material processes, product lines, services, and functions. The OCC agrees with commenter suggestions that a covered bank should only be required to maintain one inventory. The OCC believes that internal audit should maintain this inventory, as it is a key element in the creation of the audit plan. Front line units and independent risk management are expected to conduct risk assessments as part of their responsibilities within the Framework, and internal audit may use these risk assessments when conducting its risk assessment against the audit universe.

Stature

As we noted in the preamble to the proposal, a critical part of an effective Framework is for independent risk management and internal audit to have the organizational stature needed to effectively carry out their respective roles and responsibilities. One of the primary reasons for assigning CRE and CAE responsibilities to individuals who report directly to the CEO is to establish organizational stature for these units. However, evidence of stature extends beyond the reporting structure. Appropriate stature is evidenced by the attitudes and level of support provided by the board of directors, CEO, and others within the covered bank toward these units. The board of directors demonstrates support for these units by ensuring that they have the resources needed to carry out their responsibilities and by relying on the work of these units when carrying out their oversight responsibilities set forth in section III of the final Guidelines. The CEO and front line units demonstrate support by welcoming credible challenges from independent risk management and internal audit and including these units in policy development, new product and service deployment, changes in strategy and tactical plans, and organizational and structural changes.

Strategic Plan

Paragraph D. of section II of the proposed Guidelines provided that the CEO should develop a written strategic plan with input from front line units and independent risk management. The proposal also provided that the board of directors should evaluate and approve the strategic plan and monitor management's efforts to implement it at least annually. Under the proposed Guidelines the strategic plan would cover a three-year period and would contain a comprehensive assessment of risks that currently have an impact on the bank or that would have an impact on the bank during this period, articulate an overall mission statement and strategic objectives for the bank, and include an explanation of how the bank will achieve those objectives.

The proposal also provided that the strategic plan should include an explanation of how the bank will update the Framework to account for changes in the bank's risk profile projected under the strategic plan. Finally, the proposed Guidelines required the bank to review, update, and approve the strategic plan due to changes in the bank's risk profile or operating environment that were not contemplated when the plan was developed.

Some commenters suggested that the CEO should “oversee” rather than “develop” the strategic plan. Other commenters recommended that the OCC require “material” risks to be included in the comprehensive assessment of risks. One commenter suggested that the strategic plan incorporate a capital plan. Some commenters objected to the requirement that the plan include certain explanations of how the bank will update the Framework to account for changes in the bank's risk profile. The commenters argued that an annual review was sufficient. Another commenter argued that internal audit should not be included in the development of the strategic plan since its involvement could compromise the independence of internal audit.

The OCC is adopting this paragraph substantially as proposed with one minor revision. We have changed the wording in the final Guidelines so that the CEO should be “responsible for the development of,” rather than “develop,” a written strategic plan. This change clarifies that the CEO is not individually expected to develop the strategic plan. The final Guidelines do not include a materiality threshold for which risks covered banks should assess. While the OCC understands that certain de minimis risks may be excluded from the risk assessment, the strategic plan should comprehensively assess all risks that could reasonably be expected to have an impact on the covered bank.

The final Guidelines, like the proposed Guidelines, require a three-year plan. The OCC believes that a three-year plan is necessary for covered banks to predict changes that could affect the bank's financial position. If a covered bank experiences, or expects to experience, major changes over a three-year time horizon, it must be able to predict and manage the risks associated with those changes. A strategic plan of less than three years would be insufficient to manage longer-term risks to the covered bank. The final Guidelines also do not include a requirement for a specific capital plan. While the OCC acknowledges the importance of capital planning, the final Guidelines are focused on risk management rather than on ensuring adequate capital ratios.

The board of directors should evaluate and approve the strategic plan and monitor management's efforts to implement the strategic plan at least annually. While the OCC expects that for some covered banks an annual review of the Framework may be sufficient, other covered banks that have experienced major changes (for example, mergers) are expected to update their Frameworks to account for changed circumstances. The final Guidelines, like the proposal, provide that the strategic plan should be developed with input from internal audit. The OCC believes that internal audit can contribute to a strategic plan while maintaining the appropriate level of independence.

Risk Appetite Statement

Paragraph E. of section II of the proposed Guidelines provided that the bank should have a comprehensive written statement that articulates the bank's risk appetite and serves as a basis for the Framework (Statement). The term risk appetite means the aggregate level and types of risk the board and management are willing to assume to achieve the bank's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.

The proposal noted that the Statement should include: (i) Qualitative components that describe a safe and sound “risk culture” [45] and how the bank would assess and accept risks, including those that are difficult to quantify; and (ii) quantitative limits that incorporate sound stress testing processes and, as appropriate, address the bank's earnings, capital, and liquidity position. The proposed Guidelines also provided that the bank should set limits at levels that consider appropriate capital and liquidity buffers and prompt management and the board to reduce risk before the bank's risk profile jeopardizes the adequacy of its earnings, liquidity, and capital.[46]

One commenter objected to the language in the preamble to the proposed Guidelines providing that when a bank's risk profile is substantially the same as that of its parent company, the bank's board can tailor the parent company's risk appetite statement to make it applicable to the bank. According to the commenter, a bank that meets the “substantially the same” test should be able to use the same risk appetite statement as its parent company. Another commenter requested clarification on the extent to which a board of directors is required to approve risk limits in connection with a Statement. The commenter argued that bank directors are not in a position to approve all of the limits necessary to manage risk.

The OCC is adopting this paragraph as proposed with minor technical changes. As with the proposed Guidelines, the final Guidelines do not include a specific regulatory definition of risk culture. However, setting an appropriate tone at the top is critical to establishing a sound risk culture, and the qualitative statement within the Statement should articulate the core values that the board and CEO expect employees throughout the covered bank to share when carrying out their respective roles and responsibilities within the covered bank. These values should serve as the basis for risk-taking decisions made throughout the covered bank and should be reinforced by the actions of the board, executive management, board committees, and individuals. As noted in the preamble to the proposed Guidelines, evidence of a sound risk culture includes, but is not limited to: (i) Open dialogue and transparent sharing of information between front line units, independent risk management, and internal audit; (ii) consideration of all relevant risks and the views of independent risk management and internal audit in risk-taking decisions; and (iii) compensation and performance management programs and decisions that reward compliance with the core values and quantitative limits established in the Statement, and hold accountable those who do not conduct themselves in a manner consistent with these articulated standards.

As described in paragraph II.E. of the final Guidelines, quantitative limits in a covered bank's Statement should incorporate sound stress testing processes, as appropriate, and should address the covered bank's earnings, capital, and liquidity. The covered bank may set quantitative limits on a gross or net basis. Lagging indicators, such as delinquencies, problem asset levels, and losses, generally will not capture the build-up of risk during healthy economic periods. As a result, these indicators are generally not useful in proactively managing risk. However, setting quantitative limits based on performance under various adverse scenarios would enable the board and management to take actions that mitigate risk before delinquencies, problem assets, and losses reach excessive levels.

We expect examiners to apply judgment when determining which quantitative limits should be based on stress testing and to consider several factors, including, for example, the value in using such measures for the risk type, the covered bank's ability to produce such measures, the capabilities of similarly-situated institutions, and the degree to which the covered bank's board and management have invested in the resources needed to establish such capabilities. We note that the Federal banking agencies issued guidance on stress testing in May 2012.[47] The guidance describes various stress testing approaches and applications, and covered banks should consider the range of approaches and select the one(s) most suitable when establishing quantitative limits. Risk limits can be designed as thresholds, triggers, or hard limits, depending on how the board and management choose to manage risk. Thresholds or triggers that prompt discussion and planning before a hard limit is reached or breached can be useful tools for reinforcing risk appetite and proactively responding to elevated risk indicators.

When a covered bank's risk profile is substantially the same as that of its parent company, the covered bank's board may tailor the parent company's risk appetite statement to make it applicable to the covered bank. However, to ensure the sanctity of the national bank or Federal savings association charter, the board of the covered bank must approve the bank-level Statement and document any necessary adjustments or material differences between the covered bank's and parent company's risk profiles.

Concentration and Front Line Unit Risk Limits

Paragraph F. of section II of the proposed Guidelines provided that the Framework should include concentration risk limits and, as applicable, front line unit risk limits for the relevant risks in each front line unit to ensure that these units do not create excessive risks. The proposal also provided that when aggregated across units, these risks do not exceed the limits established in the bank's risk appetite statement.

One commenter suggested that the word “ensure” should not be used in this paragraph as it implies a guaranteed outcome. The commenter suggested a slightly different formulation of the language in this paragraph. The OCC is adopting this paragraph as proposed with the addition of the commenter's suggestion. The final Guidelines state that concentration and front line unit risk limits should limit excessive risk taking.

Risk Appetite Review, Monitoring, and Communication Processes

Paragraph G. of section II of the proposed Guidelines provided that the Framework should require: (i) Review and approval of the Statement by the board or the board's risk committee at least annually or more frequently, as necessary, based on the size and volatility of risks and any material changes in the bank's business model, strategy, risk profile, or market conditions; (ii) initial communication and ongoing reinforcement of the bank's Statement throughout the bank to ensure that all employees align their risk-taking decisions with the Statement; (iii) independent risk management to monitor the bank's risk profile in relation to its risk appetite and compliance with concentration risk limits and to report such monitoring to the board or the board's risk committee at least quarterly; (iv) front line units to monitor their respective risk limits and to report to independent risk management at least quarterly; and (v) when necessary due to the level and type of risk, independent risk management to monitor front line units' compliance with front line unit risk limits, ongoing communication with front line units regarding adherence to these risk limits, and to report any concerns to the CEO and the board or the board's risk committee, at least quarterly.

We received only minor comments on this paragraph and, accordingly, we are adopting paragraph G. of the final Guidelines substantially as proposed, with a few technical changes. With regard to the monitoring and reporting set forth in paragraph G., we note that such monitoring and reporting should be performed more frequently, as necessary, based on the size and volatility of the risks and any material change in the covered bank's business model, strategy, risk profile, or market conditions.

Processes Governing Risk Limit Breaches

Paragraph H. of section II of the proposed Guidelines set out processes governing risk limit breaches. The proposal provided that the bank should establish and adhere to processes that require front line units and independent risk management, in conjunction with their respective responsibilities, to identify any breaches of the Statement, concentration risk limits, and front line unit risk limits, distinguish identified breaches based on the severity of their impact on the bank, and establish protocols for when and how to inform the board, front line management, independent risk management, and the OCC of these breaches. The proposed Guidelines also provided that the bank should include in the protocols discussed above the requirement to provide a written description of how a breach will be, or has been, resolved and establish accountability for reporting and resolving breaches that includes consequences for risk limit breaches that take into account the magnitude, frequency, and recurrence of breaches. Under the proposal, while both escalation and resolution processes are important elements of the Framework, it would be acceptable for banks to have different escalation and resolution processes for breaches of the Statement, concentration risk limits, and front line unit risk limits.

The OCC did not receive any comments on this paragraph, and is adopting it as proposed with one change. We have included internal audit in the list of groups that will be informed of a risk limit breach.

Concentration Risk Management

Paragraph I. of section II of the proposed Guidelines provided that the Framework should include policies and supporting processes that are appropriate for the bank's size, complexity, and risk profile and that effectively identify, measure, monitor, and control the bank's concentrations of risk. The OCC received no comments on this paragraph, and the final Guidelines are adopted as proposed with minor technical changes.

Concentrations of risk can arise in any risk category, with the most common being identified with borrowers, funds providers, and counterparties. In addition, the OCC's categories of risk discussed earlier are not mutually exclusive; any product or service may expose a covered bank to multiple risks, and risks may also be interdependent.[48] Furthermore, concentrations can exist on and off the balance sheet. Covered banks should continually enhance their concentration risk management processes to strengthen their ability to effectively identify, measure, monitor, and control concentrations that arise in all risk categories.[49]

Risk Data Aggregation and Reporting

Paragraph J. of section II of the proposed Guidelines addressed risk data aggregation and reporting. This paragraph provided that the Framework should include a set of policies, supported by appropriate procedures and processes, designed so that the bank's risk data aggregation and reporting capabilities are appropriate for its size, complexity, and risk profile and support supervisory reporting requirements. The proposal provided that these policies, procedures, and processes should collectively provide for the design, implementation, and maintenance of a data architecture and information technology infrastructure that support the bank's risk aggregation and reporting needs in times of normalcy and stress; the capturing and aggregating of risk data and reporting of material risks, concentrations, and emerging risks in a timely manner to the board and the OCC; and the distribution of risk reports to all relevant parties at a frequency that meets the needs for decision-making purposes.

The OCC is adopting the final Guidelines substantially as proposed with a few technical changes. The OCC expects covered banks to have risk aggregation and reporting capabilities that meet the board's and management's needs for proactively managing risk and ensuring the covered bank's risk profile remains consistent with its risk appetite.

Relationship of Risk Appetite Statement, Concentration Risk Limits, and Front Line Unit Risk Limits to Other Processes

Paragraph K. of section II of the proposed Guidelines addressed the relationship between the Statement, concentration risk limits, and front line unit risk limits and other bank processes. The OCC received no comments on this paragraph and is adopting this section as proposed with minor technical changes. The covered bank's front line units and independent risk management should incorporate at a minimum the Statement, concentration risk limits, and front line unit risk limits into their strategic and annual operating plans, capital stress testing and planning processes, liquidity stress testing and planning processes, product and service risk management processes (including those for approving new and modified products and services), decisions regarding acquisitions and divestitures, and compensation performance management programs.

Talent Management Processes

The proposed Guidelines provided that the bank should establish and adhere to processes for talent development, recruitment, and succession planning to ensure that management and employees who are responsible for or influence material risk decisions have the knowledge, skills, and abilities to effectively identify, measure, monitor, and control relevant risks. This paragraph also provided that a bank's talent management processes should ensure that the board of directors or a committee of the board: (i) Hires a CEO and approves the hiring of direct reports of the CEO with the skills and abilities to design and implement an effective Framework; (ii) establishes reliable succession plans for the CEO and his or her direct reports; and (iii) oversees the talent development, recruitment, and succession planning processes for individuals two levels down from the CEO. The proposal also provided that these processes should ensure that the board of directors or a committee of the board: (i) hires one or more CREs and a CAE that possess the skills and abilities to effectively implement the Framework; (ii) establishes reliable succession plans for the CRE and CAE; and (iii) oversees the talent development, recruitment, and succession planning processes for independent risk management and internal audit.

Some commenters asserted that these provisions would impose undue burdens on a bank's board of directors and inappropriately place operational management responsibilities on the board. Commenters noted that the establishment of succession plans for direct reports of the CEO and the oversight of talent development, recruitment, and succession processes for independent risk management, internal audit, and individuals two levels down from the CEO would be burdensome and are more appropriately assigned to bank management. These commenters argued that the OCC should remove these provisions from the final Guidelines.

One commenter held that it would be insufficient for the board of directors to oversee the talent development, recruitment, and succession planning for individuals one level down from the CEO. Another commenter argued that the OCC should expressly require succession planning for individuals two levels down from the CRE and CAE and require that succession plans identify one or more viable candidates for key positions. Another commenter construed this paragraph as imposing a general requirement that all banks hire dedicated CEOs, CREs, and CAEs, and argued that banks should be permitted to rely on “dual-hatted” employees. As previously discussed, the final Guidelines permit a covered bank to use components of its parent company's risk governance framework, including having employees serve in the same position at the covered bank and the parent company, to the extent this is appropriate for the covered bank. The OCC believes that this responds to the commenter's concern.

In light of the comments received, the OCC has revised this paragraph to reduce the operational burdens on the board of directors while maintaining appropriate board oversight of the talent management program for employees with significant responsibilities under the Framework. The final Guidelines provide that a covered bank's board of directors or an appropriate committee of the board should appoint a CEO and appoint or approve the appointment of a CAE and one or more CREs with the skills and abilities to carry out their roles and responsibilities within the Framework. This provision clarifies that the board of directors need not be involved in the hiring process for these individuals. This gives the board, or a committee thereof, the option to rely on management to appoint the CAE and CRE(s).[50] Similarly, the final Guidelines provide that a covered bank's board of directors or an appropriate committee of the board should review and approve a written talent management program that provides for development, recruitment, and succession planning regarding the CEO, CAE, CRE(s), their direct reports, and other potential successors. The OCC believes that this revision reduces the operational management responsibilities of the board of directors, or a committee thereof, because they are no longer expected to oversee the talent development, recruitment, and succession planning processes for independent risk management, internal audit, and individuals two levels down from the CEO, as provided in the proposed Guidelines. Instead, the board of directors, or a committee thereof, should review and approve a written talent management program for key employees in a covered bank's Framework. The OCC notes that it is very important that covered banks detail the development, recruitment, and succession planning for these individuals because they staff critical positions in the covered bank's Framework.

Finally, the final Guidelines provide that a covered bank's board of directors or an appropriate committee of the board should require management to assign individuals specific responsibilities within the talent management program, and hold those individuals accountable for the program's effectiveness. This provision clarifies that the OCC expects the board of directors, or a committee thereof, to provide oversight to a covered bank's talent management program, and that responsibility for developing and implementing the program rests with covered bank management.

Compensation and Performance Management Programs

The proposed Guidelines provided that a bank should establish and adhere to compensation and performance management programs that meet the requirements of any applicable statute or regulation. The proposal provided that these programs should be appropriate to ensure that the CEO, front line units, independent risk management, and internal audit implement and adhere to an effective Framework. The proposal also provided that programs should ensure that front line unit compensation plans and decisions appropriately consider the level and severity of issues and concerns identified by independent risk management and internal audit. The programs should be designed to attract and retain the talent needed to design, implement, and maintain an effective Framework. Finally, the proposed Guidelines provided that the programs should prohibit incentive-based payment arrangements, or any feature of any such arrangement, that encourages inappropriate risks by providing excessive compensation or that could lead to material financial loss.

Some commenters supported this paragraph of the proposed Guidelines. One commenter argued that employee compensation should be tied to an entire organization's strategic goals and should incorporate organization-wide performance metrics. Another commenter requested that the OCC provide more specific standards for compensation. A commenter also objected to the proposed Guidelines to the extent they provided that the programs should ensure front line unit compensation plans and decisions appropriately consider the level and severity of issues, and instead suggested that the Guidelines should emphasize the timely correction of issues.

Commenters also disagreed regarding the inclusion of the incentive compensation provision in the proposed Guidelines. Some commenters suggested that the proposed Guidelines should have contained stronger language prohibiting incentive-based payment arrangements that encourage inappropriate risk. Other commenters argued that one could interpret this provision as creating standards beyond those established by existing interagency guidance as well as those set out in joint agency proposed rulemaking. These commenters recommended revising this provision to state that a bank's compensation and performance management programs should meet the requirements of applicable laws and regulations.

After reviewing the comments received, the OCC is adopting the compensation and performance management program paragraph substantially as proposed with clarifying and technical changes. The OCC has modified this paragraph to provide that the compensation and performance management programs should ensure front line unit compensation plans and decisions appropriately consider the level and severity of issues and concerns identified by independent risk management and internal audit, as well as the timeliness of corrective action to resolve such issues and concerns. The OCC declines to remove the term “severity,” as suggested by one commenter, because we believe this is an important factor in determining the materiality of issues and concerns.

The OCC also has decided not to modify the remaining provisions of this paragraph, including the incentive compensation standard. As previously discussed, the final Guidelines establish minimum standards for the design and implementation of a covered bank's Framework and minimum standards for the covered bank's board of directors in providing oversight to the Framework's design and implementation. While compensation management is an important part of a covered bank's Framework, the OCC notes that other authorities address this issue in more detail.[51] The OCC reminds covered banks that employee compensation arrangements should comply with all applicable rules and guidance. The OCC also notes that section 956 of the Dodd-Frank Act [52] requires the OCC, the Board, the FDIC, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Housing Finance Agency to jointly prescribe incentive-based compensation regulations or guidelines applicable to covered institutions.[53] The OCC notes that the incentive compensation standard included in the final Guidelines was adapted from the standard set out in section 956 of the Dodd-Frank Act, and that a covered bank's compensation and performance management program should comply with any final regulations or guidelines implementing section 956 when they are issued.

Section III: Standards for Boards of Directors

Section III of the final Guidelines sets forth the minimum standards for a covered bank's board of directors in providing oversight to the Framework's design and implementation.

Some commenters expressed concern regarding the standards contained in section III of the proposed Guidelines. For example, some commenters argued that the proposed Guidelines would distract the board of directors from its strategic and oversight role. Other commenters asserted that the proposed Guidelines would place an undue burden on the board of directors by assigning managerial responsibilities to the board that are more properly the role of bank management. Some commenters also argued that the oversight required by the proposed Guidelines would expand a board of directors' exposure to liability and discourage qualified individuals from agreeing to serve on the board.

The OCC has revised the standards to recognize the board of directors' key strategic and oversight role with respect to the design and implementation of the Framework. The OCC believes that these revisions respond to commenters' concerns and avoid imposing an undue operational burden on the board of directors. Set forth below is a discussion of the minimum standards for a covered bank's board of directors in providing oversight to the Framework's design and implementation under the final Guidelines.

Require an Effective Risk Governance Framework

Paragraph A. of section III of the proposed Guidelines provided that each member of the bank's board of directors has a duty to oversee the bank's compliance with safe and sound banking practices. The proposed Guidelines also provided that the board of directors should ensure that the bank establishes and implements an effective Framework that complies with the Guidelines. Finally, the proposed Guidelines provided that the board of directors or its risk committee should approve any changes to the Framework.

Many commenters strongly opposed the use of the word “ensure” in the proposed Guidelines. Some commenters noted that the term “ensure” might be read as a guarantee of results and tends to imply that boards of directors are expected to be involved in the day-to-day activities of a bank. These commenters asserted that it could make it more difficult for banks to attract qualified candidates for a bank's board of directors and could imply that the board could be held liable for management actions even when board oversight has been reasonable. Other commenters suggested that the final Guidelines should provide that a board of directors fulfills its oversight function by reviewing, evaluating, and approving a Framework that is designed, recommended, and implemented by management and by receiving reports on material matters.

Many commenters recommended that the OCC remove the word “ensure” from the final Guidelines, and submitted a number of alternatives to address their concerns. Commenters suggested that the OCC replace “ensure” with: “Require,” “oversee,” “actively oversee,” and “oversee and confirm.” Commenters generally argued that these alternatives more accurately reflect the board of directors' oversight function.

After reviewing the comments, the OCC is revising this paragraph of the final Guidelines to remove the terms “duty” and “ensure.” The OCC did not intend to impose managerial responsibilities on the board of directors, or suggest that the board must guarantee results under the Framework. Accordingly, consistent with commenter suggestions, the final Guidelines provide that the board of directors should require management to establish and implement an effective Framework that meets the minimum standards described in the Guidelines. The OCC believes that this revision aligns the board of directors' responsibilities under this paragraph with their traditional strategic and oversight role.

The OCC has also modified this paragraph to minimize the operational burdens placed on the board of directors while preserving their involvement in overseeing the Framework's design and implementation. The final Guidelines provide that the board of directors or its risk committee should approve significant changes to the Framework and monitor compliance with the Framework. This revision clarifies that the board or risk committee should only approve significant changes to the Framework, rather than all changes, as provided in the proposed Guidelines. This change also clarifies that the board of directors or the risk committee should monitor compliance with the Framework. The board of directors or the risk committee monitors compliance with the Framework by overseeing management's implementation of the Framework and holding management accountable for fulfilling their responsibilities under the Framework.

Provide Active Oversight of Management

Paragraph B. of section III of the proposed Guidelines provided that the board of directors should actively oversee the bank's risk-taking activities and hold management accountable for adhering to the Framework. The proposed Guidelines also provided that the board of directors should question, challenge, and, when necessary, oppose management's proposed actions that could cause the bank's risk profile to exceed its risk appetite or threaten the bank's safety and soundness.

Commenters expressed concern that these provisions would promote confrontation between the board of directors and bank management at board meetings. Some commenters argued that this would deter open and candid communication between the board of directors and bank management, and that emphasizing boardroom opposition will detract from determining how active the board is in supporting management actions.

Some commenters also argued that the board of directors' oversight of management should not be characterized as “active” because it implies that board members are performing and assuming management duties.

The final Guidelines continue to provide that a covered bank's board of directors should actively oversee the covered bank's risk-taking activities and hold management accountable for adhering to the Framework. The OCC believes that it is important for the board of directors to understand a covered bank's risk-taking activities and to be engaged in providing oversight to these activities. The final Guidelines clarify that the board of directors provides active oversight by relying on risk assessments and reports prepared by independent risk management and internal audit. Therefore, the final Guidelines do not contemplate that the board of directors will assume managerial responsibilities in providing active oversight of management; instead, the board is permitted to rely on independent risk management and internal audit in meeting its responsibilities under this paragraph. Some boards of directors periodically engage third-party experts to assist them in understanding risks and issues and to make recommendations to strengthen board and bank practices. While the Guidelines focus on independent risk management and internal audit, they do not prohibit boards of directors from engaging third-party experts to also assist them in carrying out their duties.

The final Guidelines continue to articulate the OCC's expectation that the board of directors should provide a credible challenge to management. The OCC believes that a board of directors will be able to provide this challenge if its members have a comprehensive understanding of the covered bank's risk-taking activities. During the financial crisis, the OCC observed that some members of the board of directors at certain institutions had an incomplete understanding of their institution's risk exposures. The OCC believes that this evidences both a failure to exercise adequate oversight of management and a failure to critically evaluate management's recommendations and decisions during the years preceding the financial crisis.

The OCC believes that the capacity to dedicate sufficient time and energy to reviewing information and developing an understanding of the key issues related to a covered bank's risk-taking activities is a critical prerequisite to being an effective director. Informed directors are well-positioned to engage in substantive discussions with management wherein the board of directors provides approval to management, requests guidance to clarify areas of uncertainty, and prudently questions the propriety of strategic initiatives. Therefore, the final Guidelines continue to provide that the board of directors, in reliance on information it receives from independent risk management and internal audit, should question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the covered bank's risk profile to exceed its risk appetite or jeopardize the safety and soundness of the covered bank. In addition to resulting in a more informed board of directors, the OCC expects that this provision will enable the board to make a determination as to whether management is adhering to, and understands, the Framework. For example, recurring breaches of risk limits or actions that cause the covered bank's risk profile to materially exceed its risk appetite may evidence that management does not understand or is not adhering to the Framework. In these situations, the board of directors should take action to hold the appropriate party, or parties, accountable.

The OCC does not intend this standard to become a compliance exercise for the covered bank, or lead to scripted meetings between the board of directors and management. Instead, the OCC intends to assess compliance with this standard primarily by engaging OCC examiners in repeated conversations with directors. Likewise, the OCC does not expect the board of directors to evidence opposition to management during each board meeting. Instead, the OCC emphasizes that the board of directors should oppose management's recommendations and decisions only when necessary. The OCC believes that an environment in which examiners, board members, and management openly and honestly communicate benefits a covered bank, and expects these types of relationships to continue.

Exercise Independent Judgment

The proposed Guidelines provided that in carrying out his or her duty to provide active oversight of bank management, a director must exercise sound, independent judgment. We received no comments on this paragraph and adopt it in the final Guidelines substantially as proposed. In determining whether a board member is adequately objective and independent, the OCC will consider the degree to which the member's other responsibilities conflict with his or her ability to act in the covered bank's interest.

Include Independent Directors

Paragraph D. of section III of the proposed Guidelines provided that at least two members of a bank's board of directors should be independent, i.e., they should not be members of the bank's or the parent company's management. In the preamble to the proposal, we noted that this would enable the bank's board to provide effective, independent oversight of bank management and, to the extent the bank's independent directors are also members of the parent company's board, the OCC would expect that such directors would consider the safety and soundness of the bank in decisions made by the parent company that impact the bank's risk profile. The proposal also provided that this standard would not supersede other applicable regulatory requirements concerning the composition of a Federal savings association's board [54] and that these associations must continue to comply with such requirements.

We received a number of comments on this paragraph. Some commenters opposed the requirement for two independent directors. These commenters believe that the bank should have the flexibility to decide the structure of their own board based on their individual business requirements as long as the board appropriately controls risk. One commenter suggested that the requirement for two independent directors not apply to banks with boards with seven or fewer total directors or whenever the bank can show that it would be an undue hardship to find two independent directors. A few commenters noted that it would be better to require a percentage of independent directors rather than requiring a specific number. Other commenters supported the requirement.

One commenter noted that our independence standard differed from the Board's standard included in its Dodd-Frank Act section 165 rules and suggested that the OCC adopt the Board's standard of independence to be consistent.

The OCC is retaining the requirement for covered banks to have at least two independent board members. However, as suggested by one commenter, we have revised this provision to be consistent with the Board's independence standard in its Dodd-Frank Act section 165 rules.[55] The final Guidelines provide that at least two members of the board of each covered bank should not be an officer or employee of the parent company or covered bank and should not have been an officer or employee of the parent company or covered bank during the previous three years; should not be a member of the immediate family, as defined in the Board's Regulation Y,[56] of a person who is, or has been within the last three years, an executive officer of the parent company or covered bank, as defined in the Board's Regulation O; [57] and should qualify as an independent director under the listing standards of a national securities exchange, as demonstrated to the satisfaction of the OCC.

Provide Ongoing Training to Directors

Paragraph E. of section III of the proposed Guidelines provided that in order to ensure that each member of the board of directors has the knowledge, skills, and abilities needed to meet the standards set forth in the Guidelines, the board should establish and adhere to a formal, ongoing training program for directors. The proposed Guidelines provided that the training program apply only to independent directors and should include training on: (i) Complex products, services, lines of business, and risks that have a significant impact on the bank; (ii) laws, regulations, or supervisory requirements applicable to the bank; and (iii) other topics identified by the board of directors.

Some commenters requested that the OCC reconsider this paragraph, and suggested that it may discourage qualified individuals from serving as bank directors. Other commenters recommended that the board of directors should retain discretion in directing the frequency, scope, or selecting the provider of training to board members. These commenters also suggested that the training program should only include training on material laws, regulations, and supervisory requirements, and that the final Guidelines should permit banks to choose training appropriate to their business model, risk profile, and the background of board members. Another commenter suggested that the OCC revise this paragraph to enable a bank's independent risk management and/or internal audit units to recommend training to the board of directors.

After considering the comments, the OCC has revised this paragraph in the final Guidelines to apply to all directors [58] but to provide more flexibility to the board of directors in structuring a formal, ongoing training program for directors. Specifically, the final Guidelines incorporate commenters' suggestions and provide that the training program should consider the directors' knowledge and experience and the covered bank's risk profile. This revision reflects the OCC's belief that the training program should be tailored to the director's needs, experience, and education. Similarly, the final Guidelines provide more flexibility to covered banks to focus the training program on material topics because the final Guidelines emphasize that the program should include training on “appropriate” areas. The OCC also notes that covered banks have discretion in directing the frequency, scope, and selecting the provider of training under the final Guidelines.

The OCC continues to believe that the board of directors should be financially knowledgeable and committed to conducting diligent reviews of the covered bank's management team, finances, and business plans. OCC examiners will evaluate each director's knowledge and experience, as demonstrated in their written biography and discussions with examiners.

Self-Assessments

Paragraph F. of section III of the proposed Guidelines provided that a bank's board of directors should conduct an annual self-assessment that includes an evaluation of the board's effectiveness in meeting the standards provided in section III of the Guidelines.

The OCC received no comments and is adopting this paragraph as proposed. The OCC notes that the self-assessment discussed in this paragraph can be part of a broader self-assessment process conducted by the board of directors, and should result in a constructive dialogue among board members that identifies opportunities for improvement and leads to specific changes that are capable of being tracked, measured, and evaluated. For example, these can include broad changes that range from changing the board of directors' composition and structure, meeting frequency and agenda items, board report design or content, ongoing training program design or content, and other process and procedure topics.

Relationship Between the Guidelines and OCC's Heightened Expectations Program

As discussed above, the final Guidelines will replace the current heightened expectations program. The informal guidance shared in a Deputy Comptroller note and “one page” documents will no longer be used to evaluate covered banks. Examiners will evaluate covered bank governance and risk management practices using these final Guidelines and other existing OCC policy guidance such as handbooks and bulletins to identify appropriate practices and weaknesses and communicate areas needing improvement to the board of directors and management of covered banks according to existing supervisory processes as described in the “Bank Supervision Process” booklet of the Comptroller's Handbook.

Integration of Federal Savings Associations Into Part 30

As noted above, 12 CFR parts 30 and 170 establish safety and soundness rules and guidelines for national banks and Federal savings associations, respectively. The OCC proposed to make part 30 and its respective appendices applicable to both national banks and Federal savings associations. The OCC also proposed to remove part 170, as it would no longer be necessary, and to make other minor changes to part 30, including the deletion of references to rescinded OTS guidance. We received no comments on these amendments and therefore adopt them as proposed, with minor technical drafting corrections. These amendments are described below.

Safety and Soundness Rules. On July 10, 1995, the Federal banking agencies adopted a final rule establishing deadlines for submission and review of safety and soundness compliance plans.[59] The final rule provides that the agencies may require compliance plans to be filed by an insured depository institution for failure to meet the safety and soundness standards prescribed by guideline pursuant to section 39 of the FDIA. The safety and soundness rules for national banks and Federal savings associations are set forth at 12 CFR parts 30 and 170, respectively, and, with one exception discussed below, they are substantively the same.

Twelve CFR part 30 establishes the procedures a national bank must follow if the OCC determines that the bank has failed to satisfy a safety and soundness standard or if the OCC requests the bank to file a compliance plan. Section 30.4(d) provides that if a bank fails to submit an acceptable compliance plan within the time specified by the OCC or fails in any material respect to implement a compliance plan, then the OCC shall require the bank to take certain actions to correct the deficiency. However, if a bank has experienced “extraordinary growth” during the previous 18-month period, then the rule provides that the OCC may be required to take certain action to correct the deficiency. Section 30.4(d)(2) defines “extraordinary growth” as “an increase in assets of more than 7.5 percent during any quarter within the 18-month period preceding the issuance of a request for submission of a compliance plan.”

Twelve CFR part 170 sets forth nearly identical safety and soundness rules for Federal savings associations to those applicable in part 30. However, in contrast to part 30, part 170 does not define “extraordinary growth.” Instead, the OCC determines whether a savings association has undergone extraordinary growth on a case-by-case basis by considering various factors such as the association's management, asset quality, capital adequacy, interest rate risk profile, and operating controls and procedures.[60]

In order to streamline and consolidate the safety and soundness rules applicable to national banks and Federal savings associations, the OCC is applying part 30 to Federal savings associations. This change will not subject Federal savings associations to any new requirements but will subject them to the section 30.4(d)(2) definition of “extraordinary growth.” This definition incorporates an objective standard for determining “extraordinary growth” that is based on an increase in assets over a period of time and will provide further clarity and guidance to Federal savings associations on when the OCC would be required to take action to correct a deficiency.

Guidelines Establishing Standards for Safety and Soundness. In conjunction with the final rule establishing deadlines for compliance plans, the agencies jointly adopted Interagency Guidelines Establishing Standards for Safety and Soundness (Safety and Soundness Guidelines) as Appendix A to each of the agencies' respective safety and soundness rules. The Safety and Soundness Guidelines are set forth in Appendix A to parts 30 and 170 for national banks and savings associations, respectively. The texts of Appendix A for national banks and savings associations are substantively identical. Pursuant to section 39 of the FDIA, by adopting the safety and soundness standards as guidelines, the OCC may pursue the course of action that it determines to be most appropriate, taking into consideration the circumstances of a national bank's noncompliance with one or more standards, as well as the bank's self-corrective and remedial responses.

In order to streamline and consolidate all safety and soundness guidelines in one place, this final rule amends Appendix A to part 30 so that it also applies to Federal savings associations. This change will not result in any new requirements for Federal savings associations.

Guidelines Establishing Information Security Standards. Section 501 of the Gramm-Leach-Bliley Act requires the Federal banking agencies, the National Credit Union Administration, the Securities and Exchange Commission, and the Federal Trade Commission to establish appropriate standards relating to administrative, technical, and physical safeguards for customer records and information for the financial institutions subject to their respective jurisdictions. Section 505(b) requires the agencies to implement these standards in the same manner, to the extent practicable, as the standards prescribed pursuant to section 39(a) of the FDIA. Guidelines implementing the requirements of section 501, Interagency Guidelines Establishing Information Security Standards, are set forth in Appendix B to parts 30 and 170 for national banks and Federal savings associations, respectively.[61] The texts of Appendix B for national banks and savings associations are substantively identical.

In order to streamline and consolidate all safety and soundness guidelines in one place, the OCC is amending Appendix B to part 30 so that it also applies to Federal savings associations. This change will not result in any new requirements for Federal savings associations.

Guidelines Establishing Standards for Residential Mortgage Lending Practices. On February 7, 2005, the OCC adopted guidelines establishing standards for residential mortgage lending practices for national banks and their operating subsidiaries as Appendix C to part 30.[62] These guidelines address certain residential mortgage lending practices that are contrary to safe and sound banking practices, may be conducive to predatory, abusive, unfair or deceptive lending practices, and may warrant a heightened degree of care by lenders.

While there is no equivalent to Appendix C in part 170, Federal savings associations are subject to guidance on residential mortgage lending.[63] For many of the same reasons that the OCC decided to incorporate its residential mortgage lending guidance into a single set of guidelines adopted pursuant to section 39, the OCC is now applying Appendix C to Federal savings associations. As a result, Federal savings associations will be subject to the same guidance on residential mortgage lending as national banks, thereby harmonizing residential mortgage lending standards for all types of institutions. Moreover, the application of Appendix C to Federal savings associations clarifies the residential mortgage lending standards applicable to these institutions and enhances the overall safety and soundness of Federal savings associations, as the Appendix C guidelines are enforceable pursuant to the FDIA section 39 process as implemented by part 30. It should be noted, however, that although the guidelines in Appendix C incorporate and implement some of the principles set forth in current Federal savings association guidance on residential real estate lending, they do not replace such guidance.

Description of Technical Amendments to Part 30

We also are including in this final rule technical and conforming amendments to the part 30 regulations to add references to new Appendix D, which contains the Guidelines, where appropriate.

The Guidelines are enforceable, pursuant to section 39 of the FDIA and part 30, as we have described. That enforcement mechanism is not necessarily exclusive, however. Nothing in the Guidelines in any way limits the authority of the OCC to address unsafe or unsound practices or conditions or other violations of law. Thus, for example, a bank's failure to comply with the standards set forth in these Guidelines may also be actionable under section 8 of the FDIA if the failure constitutes an unsafe or unsound practice.

In addition, we are replacing the cross-references to 12 CFR 40.3, the OCC's former privacy dominate, with aforementioned right quotations toward and Consumer Financial Protection Bureau's (CFPB) privacy rule, 12 CFR 1016.3, int this definitions of “customer” and “customer information” in Attachment B to component 30. The Dodd-Frank Act transferred into the CFPB Feds rulemaking authority toward issue privacy rules geltende into national banks, as well like Federal savings associations. As a result, 12 CFR part 40 is no longer operative and national banks now must comply with these rules as reissued of the CFPB.[64]

Lastly, in 12 CFR 168.5, we take replaced which reference to member 170 because part 30 to reflect the fact this this final rule removes part 170 and applies portion 30 and its supplement to Federal savings associations.

Regulatory Analysis

Paperwork Reduction Act

The OCC has determined that the final Guidelines involve information collection requirements pursuant to the provisions of the Paperwork Reduction Act of 1995 (the PRA) (44 U.S.C. 3501 et seq.).

The OCC may not conduct or sponsor, and an organization is not required to respond to, these information collection requirements unless the information collection displays a currently valid Office of Management and Budget (OMB) control number. The OCC has submitted this collection to OMB pursuant to section 3507(d) of the PRA and section 1320.11 of OMB's implementing regulations (5 CFR part 1320).

The OCC submitted this collection to OMB at the proposed rule stage as well. OMB filed comments instructing the OCC to examine public comment in response to the proposed rule and describe in the supporting statement of its next collection any public comments received regarding the collection as well as why (or why it did not) incorporate the commenter's recommendation. The OCC received no comments regarding this collection.

Abstract

The information collection requirements are found in 12 CFR part 30, Appendix D, which establishes minimum standards for the design and implementation of a risk governance framework for insured national banks, insured Federal savings associations, and insured Federal branches of a foreign bank with average total consolidated assets equal to or greater than $50 billion. Insured national banks and insured Federal savings associations with average total consolidated assets of less than $50 billion will also be subject to the Guidelines if that institution's parent company controls at least one insured national bank or insured Federal savings association with average total consolidated assets equal to or greater than $50 billion. The OCC reserves the authority to apply these requirements to an insured national bank, insured Federal savings association, or insured Federal branch of a foreign bank that has average total consolidated assets of less than $50 billion if the OCC determines that its operations are highly complex or otherwise present a heightened risk.

Standards for Risk Governance Framework

Covered banks should establish and adhere to a formal, written risk governance framework designed by independent risk management. It should include delegations of authority from the board of directors to management committees and executive officers as well as the risk limits established for significant activities. It should be approved by the board of directors or the board's risk committee and reviewed and updated at least annually by independent risk management.

Front Line Units

Front line units should take responsibility and be held accountable by the CEO and the board of directors for appropriately assessing and effectively managing all of the risks associated with their activities. In fulfilling this responsibility, each front line unit should, either alone or in conjunction with another organizational unit that has the purpose of assisting a front line unit: (i) Assess, on an ongoing basis, the material risks associated with its activities and use such risk determinations as a basis for fulfilling its responsibilities and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the unit's risk profile or other conditions; (ii) establish and adhere to a set of written policies that include front line unit risk limits. Such policies must ensure risks associated with the front line unit's activities are effectively identified, measured, monitored, and controlled, consistent with the covered bank's risk appetite statement, concentration risk limits, and all policies established within the risk governance framework; (iii) establish and adhere to procedures and processes, as necessary to maintain compliance with the policies described in (ii); (iv) adhere to all applicable policies, procedures, and processes established by independent risk management; (v) develop, attract, and retain talent and maintain staffing levels required to carry out the unit's role and responsibilities effectively; (vi) establish and adhere to talent management processes; and (vii) establish and adhere to compensation and performance management programs.

Independent Risk Management

Independent risk management should oversee the covered bank's risk-taking activities and assess risks and issues independent of the front line units by: (i) Developing a comprehensive written risk governance framework commensurate with the size, complexity, and risk profile of the covered bank; (ii) identifying and assessing, on an ongoing basis, the covered bank's material aggregate risks; (iii) establishing and adhering to enterprise policies that include concentration risk limits; (iv) establishing and adhering to procedures and processes, to ensure compliance with policies in (iii); (v) identifying and communicating to the CEO and board of directors or board's risk committee material risks and significant instances where independent risk management's assessment of risk differs from that of a front line unit, and significant instances where a front line unit is not adhering to the risk governance framework; (vi) identifying and communicating to the board of directors or the board's risk committee material risks and significant instances where independent risk management's assessment of risk differs from the CEO, and significant instances where the CEO is not adhering to, or holding front line units accountable for adhering to, the risk governance framework; and (vii) developing, attracting, and retaining talent and maintaining staffing levels required to carry out the unit's role and responsibilities effectively while establishing and adhering to talent management processes and compensation and performance management programs.

Internal Audit

Internal audit should ensure that the covered bank's risk governance framework complies with the Guidelines and is appropriate for the size, complexity, and risk profile of the covered bank. It should maintain a complete and current inventory of all of the covered bank's material processes, product lines, services, and functions, and assess the risks, including emerging risks, associated with each, which collectively provide a basis for the audit plan. It must establish and adhere to an audit plan, which is periodically reviewed and updated, that takes into account the covered bank's risk profile, emerging risks, issues, and establishes the frequency with which activities should be audited. The audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures, and processes established by front line units and independent risk management under the risk governance framework. Significant changes to the audit plan should be communicated to the board's audit committee. Internal audit should report in writing, conclusions and material issues and recommendations from audit work carried out under the audit plan to the board's audit committee. Reports should identify the root cause of any material issue and include: (i) A determination of whether the root cause creates an issue that has an impact on one organizational unit or multiple organizational units within the covered bank; and (ii) a determination of the effectiveness of front line units and independent risk management in identifying and resolving issues in a timely manner. Internal audit should establish and adhere to processes for independently assessing the design and ongoing effectiveness of the risk governance framework on at least an annual basis. The independent assessment should include a conclusion on the covered bank's compliance with the standards set forth in the Guidelines. Internal audit should identify and communicate to the board of directors or board's audit committee significant instances where front line units or independent risk management are not adhering to the risk governance framework. Internal audit should establish a quality assurance program that ensures internal audit's policies, procedures, and processes comply with applicable regulatory and industry guidance, are appropriate for the size, complexity, and risk profile of the covered bank, are updated to reflect changes to internal and external risk factors, emerging risks, and improvements in industry internal audit practices, and are consistently followed. Internal audit should develop, attract, and retain talent and maintain staffing levels required to effectively carry out its role and responsibilities. Internal audit should establish and adhere to talent management processes. Internal audit should establish and adhere to compensation and performance management programs.

Strategic Plan

The CEO, with input from front line units, independent risk management, and internal audit, shall be responsible for the development of a written strategic plan that should cover, at a minimum, a three-year cycle. The board of directors should evaluate and approve the plan and monitor management's efforts to implement the strategic plan at least annually. The plan should include a comprehensive assessment of risks of the covered bank, an overall mission statement or strategic objectives, an explanation of how the covered bank will update the risk governance framework to account for projected changes to its risk profile, and be reviewed, updated, and approved due to changes in the covered bank's risk profile or operating environment that were not contemplated when the plan was developed.

Risk Appetite Statement

A covered bank should have a comprehensive written statement outlining its risk appetite that serves as the basis for the risk governance framework. It should include qualitative components that define a safe and sound risk culture and how the covered bank will assess and accept risks, and quantitative limits that include sound stress testing processes or address earnings, capital, and liquidity.

Risk Limit Breaches

A covered bank should establish and adhere to processes that require front line units and independent risk management to: (i) Identify breaches of the risk appetite statement, concentration risk limits, and front line unit risk limits; (ii) distinguish breaches based on the severity of their impact; (iii) establish protocols for disseminating information regarding a breach; (iv) provide a written description of the breach resolution; and (v) establish accountability for reporting and resolving breaches.

Concentration Risk Management

The risk management framework must include policies and supporting processes appropriate for the covered bank's size, complexity, and risk profile for effectively identifying, measuring, monitoring, and controlling the covered bank's concentrations of risk.

Risk Data Aggregation and Reporting

The risk governance framework should include a set of policies, supported by appropriate procedures and processes, designed to provide risk data aggregation and reporting capabilities appropriate for the covered bank's size, complexity, and risk profile and support supervisory reporting requirements. Collectively, these policies, procedures, and processes should provide for: (i) The design, implementation, and maintenance of a data architecture and information technology infrastructure that supports the covered bank's risk aggregation and reporting needs during normal times and during times of stress; (ii) the capturing and aggregating of risk data and reporting of material risks, concentrations, and emerging risks in a timely manner to the board of directors and the OCC; and (iii) the distribution of risk reports to all relevant parties at a frequency that meets their needs for decision-making purposes.

Talent Management and Compensation

A covered bank should establish and adhere to processes for talent development, recruitment, and succession planning. The board of directors or appropriate committee should review and approve a written talent management program. A covered bank should also establish and adhere to compensation and performance management programs that comply with any applicable statute or regulation.

Board of Directors Training and Evaluation

The board of directors of a covered bank should establish and adhere to a formal, ongoing training program for all directors. The board of directors should also conduct an annual self-assessment.

Title: OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations.

Burden Estimates:

Total Number of Respondents: 31.

Total Burden per Respondent: 3,776.

Total Burden for Collection: 117,056.

Comments are invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the OCC's functions; including whether the information has practical utility; (2) the accuracy of the OCC's estimate of the burden of the proposed information collection, including the cost of compliance; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of information collection on respondents, including through the use of automated collection techniques or other forms of information technology.

Comments on the collection of information should be sent to:

Because paper mail in the Washington, DC area and at the OCC is subject to delay, commenters are encouraged to submit comments by email when possible. Comments may be sent to: Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, Attention: 1557–0321, 400 7th Street SW., Suite 3E–218, Mail Stop 9W–11, Washington, DC 20219. In addition, comments may be sent by fax to (571) 465–4326 or by electronic mail to . You may personally inspect and photocopy comments at the OCC, 400 7th Street SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649–6700. Upon arrival, visitors will be required to present valid government-issued photo identification and to submit to security screening in order to inspect and photocopy comments.

All comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

You may request further information on the collection from Johnny Vilela, OCC Clearance Officer, (202) 649–7265, for persons who are deaf or hard of hearing, TTY, (202) 649–5597, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 400 7th Street SW., Suite 3E–218, Mail Stop 9W–11, Washington, DC 20219.

Additionally, commenters should send a copy of their comments to the OMB desk officer for the agencies by mail to the Office of Information and Regulatory Affairs, U.S. Office of Management and Budget, New Executive Office Building, Room 10235, 725 17th Street NW., Washington, DC 20503; by fax to (202) 395–6974; or by email to .

Regulatory Flexibility Analysis

The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., requires generally that, in connection with a rulemaking, an agency prepare and make available for public comment a regulatory flexibility analysis that describes the impact of a rule on small entities. However, the regulatory flexibility analysis otherwise required under the RFA is not required if an agency certifies that the rule will not have a significant economic impact on a substantial number of small entities (defined in regulations promulgated by the Small Business Administration (SBA) to include banking organizations with total assets of less than or equal to $550 million) and publishes its certification and a brief explanatory statement in the Federal Register simultaneously with the rule.

As of December 31, 2013, the OCC supervised 1,231 small entities based on the SBA's definition of small entities for RFA purposes. As discussed in the SUPPLEMENTARY INFORMATION above, the final Guidelines will generally be enforceable only against OCC-supervised institutions that have average total consolidated assets of $50 billion or greater; hence no small entities will be affected by the final Guidelines. Although the application of part 30 to Federal savings associations will affect a substantial number of small Federal savings associations, we do not associate any cost with this modification. As such, pursuant to section 605(b) of the RFA, the OCC certifies that these final rules and guidelines will not have a significant economic impact on a substantial number of small entities.

Unfunded Mandates Reform Act Analysis

The OCC has analyzed the final rules and guidelines under the factors in the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532). Under this review, the OCC considered whether the final rules and guidelines include a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year (adjusted annually for inflation). The OCC has determined that the final rules and guidelines will not result in expenditures by State, local, and tribal governments, or the private sector, of $100 million or more in any one year. Accordingly, the final rules and guidelines are not subject to section 202 of the UMRA.

List of Subjects

12 CFR Part 30

  • Banks
  • Banking
  • Consumer protection
  • National banking
  • Privacy
  • Safety and soundness
  • Reporting and recordkeeping requirements

12 CFR Part 168

  • Consumer protection
  • Protection
  • Reporting and recordkeeping requirements
  • Savings associations
  • Security measures

12 CFR Part 170

  • Accounting
  • Administrative practice and procedure
  • Bank deposit insurance
  • Reporting and recordkeeping requirements
  • Safety and soundness
  • Savings associations

For the reasons set forth in the preamble, and under the authority of 12 U.S.C. 93a, chapter I of title 12 of the Code of Federal Regulations is amended as follows:

PART 30—SAFETY AND SOUNDNESS STANDARDS

1. The authority citation for part 30 is revised to read as follows:

Authority: 12 U.S.C. 1, 93a, 371, 1462a, 1463, 1464, 1467a, 1818, 1828, 1831p-1, 1881–1884, 3102(b) and 5412(b)(2)(B); 15 U.S.C. 1681s, 1681w, 6801, and 6805(b)(1).

[Amended]

2. Section 30.1 is amended by:

a. In paragraph (a):

i. Removing “appendices A, B, and C” and adding in its place “appendices A, B, C, and D”;

ii. Removing the phrase “and federal branches of foreign banks,” and adding in its place the phrase “, Federal savings associations, and Federal branches of foreign banks”; and

b. In paragraph (b):

i. Removing the word “federal” wherever it appears and adding “Federal” in its place;

ii. Adding the phrase “Federal savings association, and” before the phrase “national bank,”;

iii. Removing the phrase “branch or” and adding in its place the phrase “branch and”; and

iv. Adding a colon after the phrase “companies”.

3. Section 30.2 is amended by:

a. Removing in the second and third sentences the word “bank” and adding in its place the phrase “national bank or Federal savings association”; and

b. Adding a final sentence to read as follows:

Purpose.

* * * The OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches are set forth in appendix D to this part.

4. Section 30.3 is amended by:

a. Revising the section heading;

b. Removing the phrase “a bank”, wherever it appears, and adding in its place the phrase “a national bank or Federal savings association”;

c. In paragraph (a), removing “the Interagency Guidelines Establishing Standards for Safeguarding Customer Information set forth in appendix B to this part, or the OCC Guidelines Establishing Standards for Residential Mortgage Lending Practices set forth in appendix C to this part” and adding in its place “the Interagency Guidelines Establishing Standards for Safeguarding Customer Information set forth in appendix B to this part, the OCC Guidelines Establishing Standards for Residential Mortgage Lending Practices set forth in appendix C to this part, and the OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches set forth in appendix D to this part”;

d. In paragraph (b), adding the phrase “to satisfy” after the word “failed”; and

e. In paragraph (b), removing the phrase “the bank” and adding in its place the phrase “the bank or savings association”.

The revision reads as follows:

Determination and notification of failure to meet safety and soundness standards and request for compliance plan.
* * * * *
[Amended]

5. Section 30.4 is amended by:

a. In paragraphs (a), (d), and (e), removing the phrases “A bank” and “a bank”, wherever they appear, and adding in their place the phrases “A national bank or Federal savings association” and “a national bank or Federal savings association”, respectively;

b. In paragraph (a), the first sentence of paragraph (d)(1), and in paragraph (e), adding after the phrase “the bank”, the phrase “or savings association”;

c. In paragraph (b), removing the word “bank”, and adding in its place the phrase “national bank or Federal savings association”;

d. In paragraph (c), removing the phrase “bank of whether the plan has been approved or seek additional information from the bank”, and adding in its place the phrase “national bank or Federal savings association of whether the plan has been approved or seek additional information from the bank or savings association”; and

e. In paragraph (d)(1), removing the phrase “bank commenced operations or experienced a change in control within the previous 24-month period, or the bank”, and adding in its place the phrase “national bank or Federal savings association commenced operations or experienced a change in control within the previous 24-month period, or the bank or savings association”.

[Amended]

6. Section 30.5 is amended by:

a. Removing the word “bank”, wherever it appears, except in the first sentence of paragraph (a)(1), and adding in its place the phrase “national bank or Federal savings association”;

b. In paragraph (a)(1), removing the phrase “bank prior written notice of the OCC's intention to issue an order requiring the bank”, and adding in its place the phrase “national bank or Federal savings association prior written notice of the OCC's intention to issue an order requiring the bank or savings association”; and

c. In the fourth sentence of paragraph (a)(2), removing the word “matter” and adding in its place the word “manner”.

[Amended]

7. Section 30.6 is amended by:

a. Removing the word “bank”, wherever it appears, and adding in its place the phrase “national bank or Federal savings association”;

b. Adding the phrase “, 12 U.S.C. 1818(i)(1)” after the word “Act” in paragraph (a); and

c. Adding the phrase “ 12 U.S.C. 1818(i)(2)(A),” after the word “Act,” in paragraph (b).

8. Appendix A to Part 30 is amended by:

a. Revising footnote 2; and

b. In Section I.B.2. removing the word “federal” and adding in its place the word “Federal”.

The revision reads as follows:

Appendix A to Part 30—Interagency Guidelines Establishing Standards for Safety and Soundness

* * * * *

2 For the Office of the Comptroller of the Currency, these regulations appear at 12 CFR Part 30; for the Board of Governors of the Federal Reserve System, these regulations appear at 12 CFR part 263; and for the Federal Deposit Insurance Corporation, these regulations appear at 12 CFR part 308, subpart R and 12 CFR part 391, subpart B.

* * * * *

9. Appendix B to part 30 is amended by:

a. Removing the words “bank” and “bank's”, wherever they appear, except in Sections I.A. and I.C.2.a., and adding in their place the phrases “national bank or Federal savings association” and “national bank's or Federal savings association's”, respectively; and

b. In Section I.A., removing the phrase “referred to as “the bank,” are national banks, federal branches and federal agencies of foreign banks,” and adding in its place the phrase “referred to as “the national bank or Federal savings association,” are national banks, Federal savings associations, Federal branches and Federal agencies of foreign banks,”;

c. In Section I.C.2.d., removing the phrase “§ 40.3(h) of this chapter” and adding in its place the phrase “ 12 CFR 1016.3(i)”;

d. In Section I.C.2.e., removing the phrase “§ 40.3(n) of this chapter” and adding in its place the phrase “ 12 CFR 1016.3(p)”; and

e. In Supplement A to Appendix B to part 30, by revising footnotes 1, 2, 9, 11, and 12.

The revisions read as follows:

Appendix B to Part 30—Interagency Guidelines Establishing Information Security Standards

* * * * *

Supplement A to Appendix B to Part 30—Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

* * * * *

1 This Guidance was jointly issued by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). Pursuant to 12 U.S.C. 5412, the OTS is no longer a party to this Guidance.

2 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D–2 and part 225, app. F (Board); and 12 CFR part 364, app. B and 12 CFR 391.5 (FDIC). The “Interagency Guidelines Establishing Information Security Standards” were previously known as “The Interagency Guidelines Establishing Standards for Safeguarding Customer Information.”

* * * * *

9 Under the Guidelines, an institution's customer information systems consist of all of the methods used to access, collect, store, use, transmit, protect, or dispose of customer information, including the systems maintained by its service providers. See Security Guidelines, I.C.2.d.

* * * * *

11 See Federal Reserve SR Ltr. 13–19, Guidance on Managing Outsourcing Risk, Dec. 5, 2013; OCC Bulletin 2013–29, “Third-Party Relationships—Risk Management Guidance,” Oct. 30, 2013; and FDIC FIL 68–99, Risk Assessment Tools and Practices for Information System Security, July 7, 1999.

12 An institution's obligation to file a SAR is set out in the Agencies' SAR regulations and Agency guidance. See 12 CFR 21.11 (national banks, Federal branches and agencies); 12 CFR 163.180 (Federal savings associations); 12 CFR 208.62 (State member banks); 12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR 211.24(f) (uninsured State branches and agencies of foreign banks); 12 CFR 225.4(f) (bank holding companies and their nonbank subsidiaries); 12 CFR part 353 (State non-member banks); and 12 CFR 390.355 (state savings associations). National banks and Federal savings associations must file SARs in connection with computer intrusions and other computer crimes. See OCC Bulletin 2000–14, “Infrastructure Threats—Intrusion Risks” (May 15, 2000); see also Federal Reserve SR 01–11, Identity Theft and Pretext Calling, Apr. 26, 2001.

* * * * *

10. Appendix C to part 30 is amended by:

a. In sections I.iv., II.B.1., II.B.2., III.A. introductory text, III.B. introductory text, III.B.6., III.C., III.E.4., and III.E.6., removing the word “bank” wherever it appears, and adding in its place the phrase “national bank or Federal savings association”;

b. In section II.B. introductory text and III.D., removing the word “bank's” and adding in its place the phrase “national bank's or Federal savings association's”;

c. In sections II.B.1. and III.B.6., removing the word “bank's” and adding in its place the phrase “bank's or savings association's”; and

d. Revising the second sentence of section I.i., first two sentences of section I.iii., section I.vi., sections I.A., I.C., I.D.2.b., II.A., III.E. introductory text, III.E.5., and III.F.

The revisions read as follows:

Appendix C to Part 30—OCC Guidelines Establishing Standards for Residential Mortgage Lending Practices

* * * * *

I. * * *

i. * * * The Guidelines are designed to protect against involvement by national banks, Federal savings associations, Federal branches and Federal agencies of foreign banks, and their respective operating subsidiaries (together, “national banks and Federal savings associations”), either directly or through loans that they purchase or make through intermediaries, in predatory or abusive residential mortgage lending practices that are injurious to their respective customers or that expose the national bank or Federal savings association to credit, legal, compliance, reputation, and other risks.

* * * * *
* * * * *

iii. In addition, national banks, Federal savings associations, and their respective operating subsidiaries must comply with the requirements and Guidelines affecting appraisals of residential mortgage loans and appraiser independence. 12 CFR part 34, subpart C, and the Interagency Appraisal and Evaluation Guidelines (OCC Bulletin 2010–42 (December 10, 2010)). * * *

* * * * *

vi. Finally, OCC regulations and supervisory guidance on fiduciary activities and asset management address the need for national banks and Federal savings associations to perform due diligence and exercise appropriate control with regard to trustee activities. See 12 CFR 9.6(a), in the case of national banks, and 12 CFR 150.200, in the case of Federal savings associations, and the Comptroller's Handbook on Asset Management. For example, national banks and Federal savings associations should exercise appropriate diligence to minimize potential reputation risks when they undertake to act as trustees in mortgage securitizations.

A. Scope. These Guidelines apply to the residential mortgage lending activities of national banks, Federal savings associations, Federal branches and Federal agencies of foreign banks, and operating subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

* * * * *

C. Relationship to Other Legal Requirements. Actions by a national bank or Federal savings association in connection with residential mortgage lending that are inconsistent with these Guidelines or Appendix A to this part 30 could also constitute unsafe or unsound practices for purposes of section 8 of the Federal Deposit Insurance Act, 12 U.S.C. 1818, unfair or deceptive practices for purposes of section 5 of the FTC Act, 15 U.S.C. 45, and the OCC's Lending Rules, 12 CFR 34.3 (Lending Rules) and Real Estate Lending Standards, 12 CFR part 34, subpart D, in the case of national banks, and 12 CFR 160.100 and 160.101, in the case of Federal savings associations, or violations of the ECOA and FHA.

D. * * *

2. * * *

b. National bank or Federal savings association means any national bank, Federal savings association, Federal branch or Federal agency of a foreign bank, and any operating subsidiary thereof that is subject to these Guidelines.

II. * * *

A. General. A national bank's or Federal savings association's residential mortgage lending activities should reflect standards and practices consistent with and appropriate to the size and complexity of the bank or savings association and the nature and scope of its lending activities.

* * * * *

III. * * *

E. Purchased and Brokered Loans. With respect to consumer residential mortgage loans that the national bank or Federal savings association purchases, or makes through a mortgage broker or other intermediary, the national bank's or Federal savings association's residential mortgage lending activities should reflect standards and practices consistent with those applied by the bank or savings association in its direct lending activities and include appropriate measures to mitigate risks, such as the following:

* * * * *

5. Loan documentation procedures, management information systems, quality control reviews, and other methods through which the national bank or Federal savings association will verify compliance with agreements, bank or savings association policies, and applicable laws, and otherwise retain appropriate oversight of loan origination functions, including loan sourcing, underwriting, and loan closings.

* * * * *

F. Monitoring and Corrective Action. A national bank's or Federal savings association's consumer residential mortgage lending activities should include appropriate monitoring of compliance with applicable law and the bank's or savings association's lending standards and practices, periodic monitoring and evaluation of the nature, quantity and resolution of customer complaints, and appropriate evaluation of the effectiveness of the bank's or savings association's standards and practices in accomplishing the objectives set forth in these Guidelines. The bank's or savings association's activities also should include appropriate steps for taking corrective action in response to failures to comply with applicable law and the bank's or savings association's lending standards, and for making adjustments to the bank's or savings association's activities as may be appropriate to enhance their effectiveness or to reflect changes in business practices, market conditions, or the bank's or savings association's lines of business, residential mortgage loan programs, or customer base.

11. A new Appendix D is added to part 30 to read as follows:

Appendix D to Part 30—OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches

Table of Contents

I. Introduction

A. Scope

B. Compliance Date

C. Reservation of Authority

D. Preservation of Existing Authority

E. Definitions

II. Standards for Risk Governance Framework

A. Risk Governance Framework

B. Scope of Risk Governance Framework

C. Roles and Responsibilities

1. Role and Responsibilities of Front Line Units

2. Role and Responsibilities of Independent Risk Management

3. Role and Responsibilities of Internal Audit

D. Strategic Plan

E. Risk Appetite Statement

F. Concentration and Front Line Unit Risk Limits

G. Risk Appetite Review, Monitoring, and Communication Processes

H. Processes Governing Risk Limit Breaches

I. Concentration Risk Management

J. Risk Data Aggregation and Reporting

K. Relationship of Risk Appetite Statement, Concentration Risk Limits, and Front Line Unit Risk Limits to Other Processes

L. Talent Management Processes

M. Compensation and Performance Management Programs

III. Standards for Board of Directors

A. Require an Effective Risk Governance Framework

B. Provide Active Oversight of Management

C. Exercise Independent Judgment

D. Include Independent Directors

E. Provide Ongoing Training to All Directors

F. Self-Assessments

I. Introduction

1. The OCC expects a covered bank, as that term is defined in paragraph I.E., to establish and implement a risk governance framework to manage and control the covered bank's risk-taking activities.

2. This appendix establishes minimum standards for the design and implementation of a covered bank's risk governance framework and minimum standards for the covered bank's board of directors in providing oversight to the framework's design and implementation (Guidelines). These standards are in addition to any other applicable requirements in law or regulation.

3. A covered bank may use its parent company's risk governance framework in its entirety, without modification, if the framework meets these minimum standards, the risk profiles of the parent company and the covered bank are substantially the same as set forth in paragraph I.4. of these Guidelines, and the covered bank has demonstrated through a documented assessment that its risk profile and its parent company's risk profile are substantially the same. The assessment should be conducted at least annually, in conjunction with the review and update of the risk governance framework performed by independent risk management, as set forth in paragraph II.A. of these Guidelines.

4. A parent company's and covered bank's risk profiles are substantially the same if, as reported on the covered bank's Federal Financial Institutions Examination Council Consolidated Reports of Condition and Income (Call Reports) for the four most recent consecutive quarters, the covered bank's average total consolidated assets, as calculated according to paragraph I.A. of these Guidelines, represent 95 percent or more of the parent company's average total consolidated assets.[1] A covered bank that does not satisfy this test may submit a written analysis to the OCC for consideration and approval that demonstrates that the risk profile of the parent company and the covered bank are substantially the same based upon other factors not specified in this paragraph.

5. Subject to paragraph I.6. of these Guidelines, a covered bank should establish its own risk governance framework when the parent company's and covered bank's risk profiles are not substantially the same. The covered bank's framework should ensure that the covered bank's risk profile is easily distinguished and separate from that of its parent for risk management and supervisory reporting purposes and that the safety and soundness of the covered bank is not jeopardized by decisions made by the parent company's board of directors and management.

6. When the parent company's and covered bank's risk profiles are not substantially the same, a covered bank may, in consultation with the OCC, incorporate or rely on components of its parent company's risk governance framework when developing its own risk governance framework to the extent those components are consistent with the objectives of these Guidelines.

A. Scope

These Guidelines apply to any bank, as that term is defined in paragraph I.E. of these Guidelines, with average total consolidated assets equal to or greater than $50 billion. In addition, these Guidelines apply to any bank with average total consolidated assets less than $50 billion if that institution's parent company controls at least one covered bank. For a covered bank, average total consolidated assets means the average of the covered bank's total consolidated assets, as reported on the covered bank's Call Reports, for the four most recent consecutive quarters.

B. Compliance Date

1. Initial compliance. The date on which a covered bank should comply with the Guidelines is set forth below:

(a) A covered bank with average total consolidated assets, as calculated according to paragraph I.A. of these Guidelines, equal to or greater than $750 billion as of November 10, 2014 should comply with these Guidelines on November 10, 2014;

(b) A covered bank with average total consolidated assets, as calculated according to paragraph I.A. of these Guidelines, equal to or greater than $100 billion but less than $750 billion as of November 10, 2014 should comply with these Guidelines within six months from November 10, 2014;

(c) A covered bank with average total consolidated assets, as calculated according to paragraph I.A. of these Guidelines, equal to or greater than $50 billion but less than $100 billion as of November 10, 2014 should comply with these Guidelines within 18 months from November 10, 2014;

(d) A covered bank with average total consolidated assets, as calculated according to paragraph I.A. of these Guidelines, less than $50 billion that is a covered bank because that bank's parent company controls at least one other covered bank as of November 10, 2014 should comply with these Guidelines on the date that such other covered bank should comply; and

(e) A covered bank that does not come within the scope of these Guidelines on November 10, 2014, but subsequently becomes subject to the Guidelines because average total consolidated assets, as calculated according to paragraph I.A. of these Guidelines, are equal to or greater than $50 billion after November 10, 2014, should comply with these Guidelines within 18 months from the as-of date of the most recent Call Report used in the calculation of the average.

C. Reservation of Authority

1. The OCC reserves the authority to apply these Guidelines, in whole or in part, to a bank that has average total consolidated assets less than $50 billion, if the OCC determines such bank's operations are highly complex or otherwise present a heightened risk as to warrant the application of these Guidelines;

2. The OCC reserves the authority, for each covered bank, to extend the time for compliance with these Guidelines or modify these Guidelines; or

3. The OCC reserves the authority to determine that compliance with these Guidelines should no longer be required for a covered bank. The OCC would generally make the determination under this paragraph I.C.3. if a covered bank's operations are no longer highly complex or no longer present a heightened risk. In determining whether a covered bank's operations are highly complex or present a heightened risk, the OCC will consider the following factors: Complexity of products and services, risk profile, and scope of operations.

4. When exercising the authority in this paragraph I.C., the OCC will apply notice and response procedures, when appropriate, in the same manner and to the same extent as the notice and response procedures in 12 CFR 3.404.

D. Preservation of Existing Authority

Neither section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p–1) nor these Guidelines in any way limits the authority of the OCC to address unsafe or unsound practices or conditions or other violations of law. The OCC may take action under section 39 and these Guidelines independently of, in conjunction with, or in addition to any other enforcement action available to the OCC.

E. Definitions

1. Bank means any insured national bank, insured Federal savings association, or insured Federal branch of a foreign bank.

2. Chief Audit Executive means an individual who leads internal audit and is one level below the Chief Executive Officer in a covered bank's organizational structure.

3. Chief Risk Executive means an individual who leads an independent risk management unit and is one level below the Chief Executive Officer in a covered bank's organizational structure. A covered bank may have more than one Chief Risk Executive.

4. Control. A parent company controls a covered bank if it:

(a) Owns, controls, or holds with power to vote 25 percent or more of a class of voting securities of the covered bank; or

(b) Consolidates the covered bank for financial reporting purposes.

5. Covered bank means any bank:

(a) With average total consolidated assets, as calculated according to paragraph I.A. of these Guidelines, equal to or greater than $50 billion;

(b) With average total consolidated assets less than $50 billion if that bank's parent company controls at least one covered bank; or

(c) With average total consolidated assets less than $50 billion, if the OCC determines such bank's operations are highly complex or otherwise present a heightened risk as to warrant the application of these Guidelines pursuant to paragraph I.C. of these Guidelines.

6. Front Line Unit. (a) Except as provided in paragraph (b) of this definition, front line unit means any organizational unit or function thereof in a covered bank that is accountable for a risk in paragraph II.B. of these Guidelines that:

(i) Engages in activities designed to generate revenue or reduce expenses for the parent company or covered bank;

(ii) Provides operational support or servicing to any organizational unit or function within the covered bank for the delivery of products or services to customers; or

(iii) Provides technology services to any organizational unit or function covered by these Guidelines.

(b) Front line unit does not ordinarily include an organizational unit or function thereof within a covered bank that provides legal services to the covered bank.

7. Independent risk management means any organizational unit within a covered bank that has responsibility for identifying, measuring, monitoring, or controlling aggregate risks. Such units maintain independence from front line units through the following reporting structure:

(a) The board of directors or the board's risk committee reviews and approves the risk governance framework;

(b) Each Chief Risk Executive has unrestricted access to the board of directors or its committees to address risks and issues identified through independent risk management's activities;

(c) The board of directors or its risk committee approves all decisions regarding the appointment or removal of the Chief Risk Executive(s) and approves the annual compensation and salary adjustment of the Chief Risk Executive(s); and

(d) No front line unit executive oversees any independent risk management unit.

8. Internal audit means the organizational unit within a covered bank that is designated to fulfill the role and responsibilities outlined in 12 CFR part 30, Appendix A, II.B. Internal audit maintains independence from front line units and independent risk management through the following reporting structure:

(a) The Chief Audit Executive has unrestricted access to the board's audit committee to address risks and issues identified through internal audit's activities;

(b) The audit committee reviews and approves internal audit's overall charter and audit plans;

(c) The audit committee approves all decisions regarding the appointment or removal and annual compensation and salary adjustment of the Chief Audit Executive;

(d) The audit committee or the Chief Executive Officer oversees the Chief Audit Executive's administrative activities; and

(e) No front line unit executive oversees internal audit.

9. Parent company means the top-tier legal entity in a covered bank's ownership structure.

10. Risk appetite means the aggregate level and types of risk the board of directors and management are willing to assume to achieve a covered bank's strategic objectives and business plan, consistent with applicable capital, liquidity, and other regulatory requirements.

11. Risk profile means a point-in-time assessment of a covered bank's risks, aggregated within and across each relevant risk category, using methodologies consistent with the risk appetite statement described in paragraph II.E. of these Guidelines.

II. Standards for Risk Governance Framework

A. Risk governance framework. A covered bank should establish and adhere to a formal, written risk governance framework that is designed by independent risk management and approved by the board of directors or the board's risk committee. The risk governance framework should include delegations of authority from the board of directors to management committees and executive officers as well as the risk limits established for material activities. Independent risk management should review and update the risk governance framework at least annually, and as often as needed to address improvements in industry risk management practices and changes in the covered bank's risk profile caused by emerging risks, its strategic plans, or other internal and external factors.

B. Scope of risk governance framework. The risk governance framework should cover the following risk categories that apply to the covered bank: Credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk.

C. Roles and responsibilities. The risk governance framework should include well-defined risk management roles and responsibilities for front line units, independent risk management, and internal audit.[2] The roles and responsibilities for each of these organizational units should be:

1. Role and responsibilities of front line units. Front line units should take responsibility and be held accountable by the Chief Executive Officer and the board of directors for appropriately assessing and effectively managing all of the risks associated with their activities. In fulfilling this responsibility, each front line unit should, either alone or in conjunction with another organizational unit that has the purpose of assisting a front line unit:

(a) Assess, on an ongoing basis, the material risks associated with its activities and use such risk assessments as the basis for fulfilling its responsibilities under paragraphs II.C.1.(b) and (c) of these Guidelines and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the unit's risk profile or other conditions;

(b) Establish and adhere to a set of written policies that include front line unit risk limits as discussed in paragraph II.F. of these Guidelines. Such policies should ensure risks associated with the front line unit's activities are effectively identified, measured, monitored, and controlled, consistent with the covered bank's risk appetite statement, concentration risk limits, and all policies established within the risk governance framework under paragraphs II.C.2.(c) and II.G. through K. of these Guidelines;

(c) Establish and adhere to procedures and processes, as necessary, to maintain compliance with the policies described in paragraph II.C.1.(b) of these Guidelines;

(d) Adhere to all applicable policies, procedures, and processes established by independent risk management;

(e) Develop, attract, and retain talent and maintain staffing levels required to carry out the unit's role and responsibilities effectively, as set forth in paragraphs II.C.1.(a) through (d) of these Guidelines;

(f) Establish and adhere to talent management processes that comply with paragraph II.L. of these Guidelines; and

(g) Establish and adhere to compensation and performance management programs that comply with paragraph II.M. of these Guidelines.

2. Role and responsibilities of independent risk management. Independent risk management should oversee the covered bank's risk-taking activities and assess risks and issues independent of front line units. In fulfilling these responsibilities, independent risk management should:

(a) Take primary responsibility and be held accountable by the Chief Executive Officer and the board of directors for designing a comprehensive written risk governance framework that meets these Guidelines and is commensurate with the size, complexity, and risk profile of the covered bank;

(b) Identify and assess, on an ongoing basis, the covered bank's material aggregate risks and use such risk assessments as the basis for fulfilling its responsibilities under paragraphs II.C.2.(c) and (d) of these Guidelines and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the covered bank's risk profile or other conditions;

(c) Establish and adhere to enterprise policies that include concentration risk limits. Such policies should state how aggregate risks within the covered bank are effectively identified, measured, monitored, and controlled, consistent with the covered bank's risk appetite statement and all policies and processes established within the risk governance framework under paragraphs II.G. through K. of these Guidelines;

(d) Establish and adhere to procedures and processes, as necessary, to ensure compliance with the policies described in paragraph II.C.2.(c) of these Guidelines;

(e) Identify and communicate to the Chief Executive Officer and the board of directors or the board's risk committee:

(i) Material risks and significant instances where independent risk management's assessment of risk differs from that of a front line unit; or

(ii) Significant instances where a front line unit is not adhering to the risk governance framework, including instances when front line units do not meet the standards set forth in paragraph II.C.1. of these Guidelines;

(f) Identify and communicate to the board of directors or the board's risk committee:

(i) Material risks and significant instances where independent risk management's assessment of risk differs from the Chief Executive Officer; and

(ii) Significant instances where the Chief Executive Officer is not adhering to, or holding front line units accountable for adhering to, the risk governance framework;

(g) Develop, attract, and retain talent and maintain staffing levels required to carry out its role and responsibilities effectively, as set forth in paragraphs II.C.2.(a) through (f) of these Guidelines;

(h) Establish and adhere to talent management processes that comply with paragraph II.L. of these Guidelines; and

(i) Establish and adhere to compensation and performance management programs that comply with paragraph II.M. of these Guidelines.

3. Role and responsibilities of internal audit. In addition to meeting the standards set forth in appendix A of part 30, internal audit should ensure that the covered bank's risk governance framework complies with these Guidelines and is appropriate for the size, complexity, and risk profile of the covered bank. In carrying out its responsibilities, internal audit should:

(a) Maintain a complete and current inventory of all of the covered bank's material processes, product lines, services, and functions, and assess the risks, including emerging risks, associated with each, which collectively provide a basis for the audit plan described in paragraph II.C.3.(b) of these Guidelines;

(b) Establish and adhere to an audit plan that is periodically reviewed and updated that takes into account the covered bank's risk profile, emerging risks, and issues, and establishes the frequency with which activities should be audited. The audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures, and processes established by front line units and independent risk management under the risk governance framework. Significant changes to the audit plan should be communicated to the board's audit committee;

(c) Report in writing, conclusions and material issues and recommendations from audit work carried out under the audit plan described in paragraph II.C.3.(b) of these Guidelines to the board's audit committee. Internal audit's reports to the audit committee should also identify the root cause of any material issues and include:

(i) A determination of whether the root cause creates an issue that has an impact on one organizational unit or multiple organizational units within the covered bank; and

(ii) A determination of the effectiveness of front line units and independent risk management in identifying and resolving issues in a timely manner;

(d) Establish and adhere to processes for independently assessing the design and ongoing effectiveness of the risk governance framework on at least an annual basis. The independent assessment should include a conclusion on the covered bank's compliance with the standards set forth in these Guidelines; [3]

(e) Identify and communicate to the board's audit committee significant instances where front line units or independent risk management are not adhering to the risk governance framework;

(f) Establish a quality assurance program that ensures internal audit's policies, procedures, and processes comply with applicable regulatory and industry guidance, are appropriate for the size, complexity, and risk profile of the covered bank, are updated to reflect changes to internal and external risk factors, emerging risks, and improvements in industry internal audit practices, and are consistently followed;

(g) Develop, attract, and retain talent and maintain staffing levels required to effectively carry out its role and responsibilities, as set forth in paragraphs II.C.3.(a) through (f) of these Guidelines;

(h) Establish and adhere to talent management processes that comply with paragraph II.L. of these Guidelines; and

(i) Establish and adhere to compensation and performance management programs that comply with paragraph II.M. of these Guidelines.

D. Strategic plan. The Chief Executive Officer should be responsible for the development of a written strategic plan with input from front line units, independent risk management, and internal audit. The board of directors should evaluate or approve the strategic plan and monitor management's efforts to implement the strategic plan at least annually. The strategic plan should cover, at a minimum, a three-year period and:

1. Contain a comprehensive assessment of risks that currently have an impact on the covered bank or that could have an impact on the covered bank during the period covered by the strategic plan;

2. Articulate an overall mission statement and strategic objectives for the covered bank, and include an explanation of how the covered bank will achieve those objectives;

3. Include an explanation of how the covered bank will update, as necessary, the risk governance framework to account for changes in the covered bank's risk profile projected under the strategic plan; and

4. Be reviewed, updated, and approved, as necessary, due to changes in the covered bank's risk profile or operating environment that were not contemplated when the strategic plan was developed.

E. Risk appetite statement. A covered bank should have a comprehensive written statement that articulates the covered bank's risk appetite and serves as the basis for the risk governance framework. The risk appetite statement should include both qualitative components and quantitative limits. The qualitative components should describe a safe and sound risk culture and how the covered bank will assess and accept risks, including those that are difficult to quantify. Quantitative limits should incorporate sound stress testing processes, as appropriate, and address the covered bank's earnings, capital, and liquidity. The covered bank should set limits at levels that take into account appropriate capital and liquidity buffers and prompt management and the board of directors to reduce risk before the covered bank's risk profile jeopardizes the adequacy of its earnings, liquidity, and capital.[4]

F. Concentration and front line unit risk limits. The risk governance framework should include concentration risk limits and, as applicable, front line unit risk limits, for the relevant risks. Concentration and front line unit risk limits should limit excessive risk taking and, when aggregated across such units, provide that these risks do not exceed the limits established in the covered bank's risk appetite statement.

G. Risk appetite review, monitoring, and communication processes. The risk governance framework should require: [5]

1. Review and approval of the risk appetite statement by the board of directors or the board's risk committee at least annually or more frequently, as necessary, based on the size and volatility of risks and any material changes in the covered bank's business model, strategy, risk profile, or market conditions;

2. Initial communication and ongoing reinforcement of the covered bank's risk appetite statement throughout the covered bank in a manner that causes all employees to align their risk-taking decisions with applicable aspects of the risk appetite statement;

3. Monitoring by independent risk management of the covered bank's risk profile relative to its risk appetite and compliance with concentration risk limits and reporting on such monitoring to the board of directors or the board's risk committee at least quarterly;

4. Monitoring by front line units of compliance with their respective risk limits and reporting to independent risk management at least quarterly; and

5. When necessary due to the level and type of risk, monitoring by independent risk management of front line units' compliance with front line unit risk limits, ongoing communication with front line units regarding adherence to these limits, and reporting of any concerns to the Chief Executive Officer and the board of directors or the board's risk committee, as set forth in paragraphs II.C.2.(e) and (f) of these Guidelines, all at least quarterly.

H. Processes governing risk limit breaches. A covered bank should establish and adhere to processes that require front line units and independent risk management, in conjunction with their respective responsibilities, to:

1. Identify breaches of the risk appetite statement, concentration risk limits, and front line unit risk limits;

2. Distinguish breaches based on the severity of their impact on the covered bank;

3. Establish protocols for when and how to inform the board of directors, front line unit management, independent risk management, internal audit, and the OCC of a risk limit breach that takes into account the severity of the breach and its impact on the covered bank;

4. Include in the protocols established in paragraph II.H.3. of these Guidelines the requirement to provide a written description of how a breach will be, or has been, resolved; and

5. Establish accountability for reporting and resolving breaches that include consequences for risk limit breaches that take into account the magnitude, frequency, and recurrence of breaches.

I. Concentration risk management. The risk governance framework should include policies and supporting processes appropriate for the covered bank's size, complexity, and risk profile for effectively identifying, measuring, monitoring, and controlling the covered bank's concentrations of risk.

J. Risk data aggregation and reporting. The risk governance framework should include a set of policies, supported by appropriate procedures and processes, designed to provide risk data aggregation and reporting capabilities appropriate for the size, complexity, and risk profile of the covered bank, and to support supervisory reporting requirements. Collectively, these policies, procedures, and processes should provide for:

1. The design, implementation, and maintenance of a data architecture and information technology infrastructure that support the covered bank's risk aggregation and reporting needs during normal times and during times of stress;

2. The capturing and aggregating of risk data and reporting of material risks, concentrations, and emerging risks in a timely manner to the board of directors and the OCC; and

3. The distribution of risk reports to all relevant parties at a frequency that meets their needs for decision-making purposes.

K. Relationship of risk appetite statement, concentration risk limits, and front line unit risk limits to other processes. A covered bank's front line units and independent risk management should incorporate at a minimum the risk appetite statement, concentration risk limits, and front line unit risk limits into the following:

1. Strategic and annual operating plans;

2. Capital stress testing and planning processes;

3. Liquidity stress testing and planning processes;

4. Product and service risk management processes, including those for approving new and modified products and services;

5. Decisions regarding acquisitions and divestitures; and

6. Compensation and performance management programs.

L. Talent management processes. A covered bank should establish and adhere to processes for talent development, recruitment, and succession planning to ensure that management and employees who are responsible for or influence material risk decisions have the knowledge, skills, and abilities to effectively identify, measure, monitor, and control relevant risks. The board of directors or an appropriate committee of the board should:

1. Appoint a Chief Executive Officer and appoint or approve the appointment of a Chief Audit Executive and one or more Chief Risk Executives with the skills and abilities to carry out their roles and responsibilities within the risk governance framework;

2. Review and approve a written talent management program that provides for development, recruitment, and succession planning regarding the individuals described in paragraph II.L.1. of these Guidelines, their direct reports, and other potential successors; and

3. Require management to assign individuals specific responsibilities within the talent management program, and hold those individuals accountable for the program's effectiveness.

M. Compensation and performance management programs. A covered bank should establish and adhere to compensation and performance management programs that comply with any applicable statute or regulation and are appropriate to:

1. Ensure the Chief Executive Officer, front line units, independent risk management, and internal audit implement and adhere to an effective risk governance framework;

2. Ensure front line unit compensation plans and decisions appropriately consider the level and severity of issues and concerns identified by independent risk management and internal audit, as well as the timeliness of corrective action to resolve such issues and concerns;

3. Attract and retain the talent needed to design, implement, and maintain an effective risk governance framework; and

4. Prohibit any incentive-based payment arrangement, or any feature of any such arrangement, that encourages inappropriate risks by providing excessive compensation or that could lead to material financial loss.

III. Standards for Board of Directors

A. Require an effective risk governance framework. Each member of a covered bank's board of directors should oversee the covered bank's compliance with safe and sound banking practices. The board of directors should also require management to establish and implement an effective risk governance framework that meets the minimum standards described in these Guidelines. The board of directors or the board's risk committee should approve any significant changes to the risk governance framework and monitor compliance with such framework.

B. Provide active oversight of management. A covered bank's board of directors should actively oversee the covered bank's risk-taking activities and hold management accountable for adhering to the risk governance framework. In providing active oversight, the board of directors may rely on risk assessments and reports prepared by independent risk management and internal audit to support the board's ability to question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the covered bank's risk profile to exceed its risk appetite or jeopardize the safety and soundness of the covered bank.

C. Exercise independent judgment. When providing active oversight under paragraph III.B. of these Guidelines, each member of the board of directors should exercise sound, independent judgment.

D. Include independent directors. To promote effective, independent oversight of the covered bank's management, at least two members of the board of directors: [6]

1. Should not be an officer or employee of the parent company or covered bank and has not been an officer or employee of the parent company or covered bank during the previous three years;

2. Should not be a member of the immediate family, as defined in § 225.41(b)(3) of the Board of Governors of the Federal Reserve System's Regulation Y (12 CFR 225.41(b)(3)), of a person who is, or has been within the last three years, an executive officer of the parent company or covered bank, as defined in § 215.2(e)(1) of Regulation O (12 CFR 215.2(e)(1)); and

3. Should qualify as an independent director under the listing standards of a national securities exchange, as demonstrated to the satisfaction of the OCC.

E. Provide ongoing training to all directors. The board of directors should establish and adhere to a formal, ongoing training program for all directors. This program should consider the directors' knowledge and experience and the covered bank's risk profile. The program should include, as appropriate, training on:

1. Complex products, services, lines of business, and risks that have a significant impact on the covered bank;

2. Laws, regulations, and supervisory requirements applicable to the covered bank; and

3. Other topics identified by the board of directors.

F. Self-assessments. A covered bank's board of directors should conduct an annual self-assessment that includes an evaluation of its effectiveness in meeting the standards in section III of these Guidelines.

PART 168—SECURITY PROCEDURES

12. The authority citation for part 168 continues to read as follows:

Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p–1, 1881–1884, 5412(b)(2)(B); 15 U.S.C. 1681s, 1681w, 6801, and 6805(b)(1).

[Amended]

13. Section 168.5 is amended by removing the phrase “part 170” wherever it appears and adding in its place the phrase “part 30”.

PART 170 [REMOVED]

14. Remove Part 170.

Dated: Sept 2, 2014.

Thomas J. Curry,

Comptroller of the Currency.

Footnotes

1.  Public Law 111–203, 124 Stat. 1376 (2010).

2.  See, e.g., 12 U.S.C. 5365 (requiring enhanced prudential standards for certain bank holding companies and nonbank financial companies).

3.  Further background information on the heightened expectations program is included in the notice of proposed rulemaking entitled OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations. 79 FR 4282, 4283 (Jan. 27, 2014).

4.  See Financial Stability Board, Thematic Review on Risk Governance Peer Review Report (Feb. 12, 2013); Principles for An Effective Risk Appetite Framework (Nov. 18, 2013). See also Basel Committee on Banking Supervision, Principles for effective risk data aggregation and risk reporting (Jan. 2013).

5.  79 FR 4282 (Jan. 27, 2014).

6.  The OCC has adopted a definition of the term “covered bank” to clarify the scope of the final Guidelines. This definition is discussed in the definitions section of this preamble.

8.  12 U.S.C. 1831p-1. Section 39 was enacted as part of the Federal Deposit Insurance Corporation Improvement Act of 1991, Public Law 102–242, section 132(a), 105 Stat. 2236, 2267–70 (Dec. 19, 1991).

9.  As discussed further below, the OCC is also adopting final rules and guidelines that make part 30 and its appendices applicable to Federal savings associations, and that remove part 170.

10.  Section 39 of the FDIA applies to “insured depository institutions,” which would include insured Federal branches of foreign banks. While we do not specifically refer to these entities in this discussion, it should be read to include them.

11.  See 12 U.S.C. 1831p–1(e)(1)(A)(i) and (ii). In either case, however, the statute authorizes the issuance of an order and the subsequent enforcement of that order in court, independent of any additional enforcement action that may be available in a particular case.

12.  For national banks and Federal savings associations, the procedures governing the determination and notification of failure to satisfy a standard prescribed pursuant to section 39, the filing and review of compliance plans, and the issuance, if necessary, of orders are set forth in our regulations at 12 CFR 30.3, 30.4, and 30.5.

14.  The final Guidelines clarify that average total consolidated assets for a parent company means the average of the parent company's total consolidated assets, as reported on the parent company's Form FR Y–9C to the Board of Governors of the Federal Reserve System (Board), or equivalent regulatory report, for the four most recent consecutive quarters.

16.  The approach for calculating average total consolidated assets under the final Guidelines is the same as that in the proposed Guidelines. Specifically, the final Guidelines provide that average total consolidated assets for a covered bank means the average of the covered bank's total consolidated assets, as reported on the covered bank's Call Reports for the four most recent consecutive quarters.

17.  See 12 CFR 46.1 (stress testing); 12 CFR 252.30 (enhanced prudential standards for bank holding companies with total consolidated assets of $50 billion or more).

18.  The OCC notes that many of the covered banks it regulates are part of a larger holding company structure that includes smaller OCC-supervised insured depository institutions. In some instances, the OCC has observed that a covered bank's parent company does not pay sufficient attention to the operations of these smaller entities. The OCC is expressly including these smaller entities in the definition of “covered bank” because the OCC believes that a covered bank's parent company should devote adequate attention to assessing and managing the risk associated with these entities' activities. The OCC notes that, as with covered banks with average total consolidated assets of $50 billion or more, these smaller banks may incorporate or rely on appropriate components of their parent company's risk governance framework.

19.  Once a covered bank becomes subject to the final Guidelines because its average total consolidated assets have reached or exceeded the $50 billion threshold, it is required to continue to comply with the Guidelines even if its average total consolidated assets subsequently drop below $50 billion, unless the OCC determines otherwise and exercises its reservation of authority as discussed below.

20.  The Honorable Thomas J. Curry, Comptroller of the Currency, Address for the American Bankers Association Risk Management Forum (Apr. 10, 2014).

21.  See id. (“Some community bankers may be reading that language as a loophole that we will use to impose onerous additional requirements on community banks. I want to assure you that this is not the case and not our intent.”).

22.   See proposed Guidelines I.A.

23.  See 79 FR 4282, 4285 n.15 (Jan. 27, 2014).

24.   See final Guidelines paragraph I.E.3.

26.  See proposed Guidelines I.C.3. The proposal provided that servicing includes activities done in support of front line lending units, such as collecting quarterly payments, forwarding principal and interest payments to the current lender in the event a loan has been sold, maintaining escrow accounts, paying taxes and insurance premiums, and taking steps to collect overdue payments. The proposal also provided that processing refers to activities such as item processing (e.g., sorting of checks), inputting loan, deposit, and other contractual information into information systems, and administering collateral tracking systems. See 79 FR 4286 n.17–18.

27.  These risks are credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk, as described in the “Large Bank Supervision” booklet of the Comptroller's Handbook (Jan. 2010).

29.   Id.

31.  Final Guidelines paragraph I.E.7.

32.   Id.

35.   See proposed Guidelines I.C.5 n.2.

36.  See “Large Bank Supervision” booklet of the Comptroller's Handbook (Jan. 2010) (describing these risks).

37.  These roles and responsibilities are in addition to any roles and responsibilities set forth in Appendices A, B, and C to Part 30. Many of the risk management practices established and maintained by a covered bank to meet these standards, including loan review and credit underwriting and administration practices, should be components of its Framework, within the construct of the three distinct units identified in the final Guidelines. In addition, existing OCC guidance sets forth standards for establishing risk management programs for certain risks, e.g., compliance risk management. These risk-specific programs should also be considered components of the Framework, within the context of the three units described in paragraph II.C. of the final Guidelines.

38.  “Compliance Management System” booklet of the Comptroller's Handbook (Aug. 1996).

39.  Id. at 1.

40.   Id.

41.  The expectation that banks establish a loan review program is set out in 12 CFR part 30, Appendix A.

42.  Paragraph (c) provides, in part, that independent risk management should establish and adhere to enterprise policies that include concentration risk limits. Consistent with the proposed Guidelines, a concentration of risk refers to an exposure with the potential to produce losses large enough to threaten a covered bank's financial condition or its ability to maintain its core operations. Risk concentrations can arise in a covered bank's assets, equity, or off-balance sheet items. An example of a concentration of credit risk limit would be commercial real estate balances as a percentage of capital.

43.  The preamble discussion of this paragraph provided that “[i]nternal audit should derive the[] [risk] ratings from its Bank-wide risk assessments, and should periodically adjust these ratings based on risk assessments conducted by front line units and changes in the Bank's strategy and the external environment.” See 79 FR 4288.

44.  The OCC does not believe that permitting internal audit to leverage risk assessments conducted by front line units or independent risk management compromises internal audit's independence or objectivity. Specifically, the OCC expects internal audit to report inconsistencies in internal audit's risk ratings and a front line unit's or independent risk management's risk ratings to the audit committee of the board of directors.

45.  While there is no regulatory definition of risk culture, for purposes of these Guidelines, risk culture can be considered the shared values, attitudes, competencies, and behaviors present throughout the covered bank that shape and influence governance practices and risk decisions.

46.  The level and types of risk covered bank management and the board of directors are willing to assume to achieve the bank's strategic objectives and business plan should be consistent with its capital and liquidity needs and requirements, as well as other laws and regulatory requirements applicable to the covered bank. The board is not responsible for setting specific risk limits, but the board is required to review and approve the Statement.

47.  77 FR 29458 (May 17, 2012).

48.  See “Large Bank Supervision” booklet of the Comptroller's Handbook (Jan. 2010).

49.  See “Concentrations of Credit” booklet of the Comptroller's Handbook (Dec. 2011); Interagency Supervisory Guidance on Counterparty Credit Risk Management at http://www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-30.html.

50.  The OCC notes that the definition of “independent risk management” provides that the board of directors or its risk committee should approve all decisions regarding the appointment or removal of a CRE, while the definition of “internal audit” provides that the audit committee should approve all decisions regarding the appointment or removal of the CAE. See final Guidelines paragraphs I.E.7. and 8.

51.  See 12 U.S.C. 1831p–1(c); 12 CFR part 30, Appendix A (requiring institutions to maintain safeguards to prevent the payment of compensation, fees, and benefits that are excessive or that could lead to material financial loss to an institution, and prohibiting excessive compensation as an unsafe and unsound practice). As provided in the Guidelines, covered banks subject to the final Guidelines should ensure that practices established within their Framework also meet the standards set forth in appendices A, B, and C to part 30. See final Guidelines II.C. note 2. We also note that the OCC, Board, the Federal Deposit Insurance Corporation (FDIC), and the OTS issued interagency guidance that addresses incentive-based compensation. See Guidance on Sound Incentive Compensation Policies, 75 FR 36395 (June 25, 2010).

53.  See 76 FR 21170 (Apr. 14, 2011).

55.  Several commenters also suggested that the OCC coordinate with the Board to ensure that these Guidelines are consistent with the Board's enhanced prudential standards relating to risk management that it issued under section 165 of the Dodd-Frank Act. See 12 U.S.C. 5365. The Board's enhanced prudential standards apply to a covered bank's holding company and commenters raised concerns that inconsistencies could create unnecessary burden. We note that OCC staff met with Board staff to discuss the relationship between these Guidelines and the Board's section 165 rules. The independence standard for directors in the final Guidelines is an example of the OCC's efforts to address potential inconsistencies.

58.  This provision applies to all directors because directors that are members of management may not have expertise in all matters on which the board of directors could be providing oversight.

60.   See Thrift Regulatory Bulletin 3b, “Policy Statement on Growth for Savings Associations” (Nov. 26, 1996).

61.  Appendix B to part 30 currently applies to national banks, Federal branches and agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

62.  See 70 FR 6329. Appendix C currently applies to national banks, Federal branches and agencies of foreign banks, and any operating subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

63.  See Examination Handbook Section 212, “One- to Four-Family Residential Real Estate Lending” (Feb. 10, 2011) (incorporating Regulatory Bulletin 37–18 (Mar. 31, 2007)) and OCC Bulletin 1999–38, “Treatment of High LTV Residential Real Estate Loans” (Oct. 13, 1999).

64.  The OCC removed 12 CFR part 40 from the Code of Federal Regulations earlier this year. 79 FR 15639 (Mar. 21, 2014).

1.  For a parent company, average total consolidated assets means the average of the parent company's total consolidated assets, as reported on the parent company's Form FR Y–9C to the Board of Governors of the Federal Reserve System, or equivalent regulatory report, for the four most recent consecutive quarters.

2.  These roles and responsibilities are in addition to any roles and responsibilities set forth in Appendices A, B, and C to Part 30. Many of the risk management practices established and maintained by a covered bank to meet these standards, including loan review and credit underwriting and administration practices, should be components of its risk governance framework, within the construct of the three distinct units identified herein. In addition, existing OCC guidance sets forth standards for establishing risk management programs for certain risks, e.g., compliance risk management. These risk-specific programs should also be considered components of the risk governance framework, within the context of the three units described in paragraph II.C. of these Guidelines.

3.  The annual independent assessment of the risk governance framework may be conducted by internal audit, an external party, or internal audit in conjunction with an external party.

4.  Where possible, covered banks should establish aggregate risk appetite limits that can be disaggregated and applied at the front line unit level. However, where this is not possible, covered banks should establish limits that reasonably reflect the aggregate level of risk that the board of directors and senior management are willing to accept.

5.  With regard to paragraphs 3., 4., and 5. of this paragraph II.G., the frequency of monitoring and reporting should be performed more often, as necessary, based on the size and volatility of risks and any material change in the covered bank's business model, strategy, risk profile, or market conditions.

6.  This provision does not supersede other regulatory requirements regarding the composition of the Board that apply to Federal savings associations. These institutions must continue to comply with such other requirements.

[FR Doc. 2014–21224 Filed 9–10–14; 8:45 am]

BILLING CODE 4810–33–P