In January, the Federal Reserve proposed new guidance that sets forth core principles of effective senior management, business line management, and independent risk management and controls for large financial institutions (LFIs).[1] The proposal reinforces and, in some respects, supplements long-standing Federal Reserve supervisory expectations for risk management and internal controls. Firms should assess how well their operations and controls measure up to the proposed guidance, which will inform the Federal Reserve’s supervisory evaluation of LFIs, including the assignment of ratings under a new LFI rating system.
The proposed guidance is a companion piece to two proposals issued in the summer of 2017: the proposal for a new LFI rating system and the proposed guidance setting forth supervisory expectations for boards of directors and delineating the relative roles and responsibilities of the board and senior management. The new proposed guidance, unlike the 2017 proposals, would explicitly extend to the combined U.S. operations, including branch and subsidiary operations, of foreign banking organizations (FBOs).[2]
The proposed guidance confirms and supplements existing guidance and supervisory expectations in the form of principles for the assessment of LFIs. Firms would be well advised to approach this guidance in a proactive and risk-based manner and enhance their ongoing monitoring and periodic testing of key controls for higher-risk activities in advance of their next regular examination. In enhancing monitoring and testing, firms should consider the full range of key activities that are higher-risk or have also received recent regulatory attention. Some of these activities may include intercompany transactions, including inter- and intra-firm payment and settlement activities, and consumer laws and regulations.
Smaller firms may also find it helpful to consider the proposed guidance as an indicator of the issues that are top of mind for regulators and to augment their monitoring and testing capabilities, particularly if they are considering expansion or acquisitions. Firms of all sizes and levels of complexity may wish to consider the benefits of obtaining an independent view of the robustness of their monitoring and testing capabilities. An independent assessment can help to validate results, provide appropriate assurances (or recommendations for enhancements) to senior management and the board, and augment stretched internal resources.
The proposed guidance encompasses core principles of:
- effective senior management;
- business line management; and
- independent risk management and controls.
The core principles of business line management would apply to all business lines of a firm subject to the Federal Reserve’s Large Institution Supervision Coordinating Committee (LISCC) framework. For non-LISCC firms, the business line core principles would apply to any business line where a significant control disruption, failure, or loss event could result in a material loss of revenue, profit, or franchise value, or result in significant consumer harm. Non-LISCC LFIs would be well advised to apply the core principles to all but very immaterial business lines, since there could be considerable differences of interpretation as to whether a business line could give rise to material loss or significant consumer harm.
Core Principle of Effective Senior Management
The core principle of effective senior management is that senior management is responsible for managing the day-to-day operations of the firm and ensuring safety and soundness and compliance with internal policies and procedures, laws, and regulations, including those related to consumer protection. The two key responsibilities of senior management are overseeing the activities of the firm’s business lines, individually and collectively, and overseeing the firm’s independent risk management and controls. Consistent with long-standing guidance and regulatory expectations, senior management is responsible for implementing the firm’s board-approved strategy and risk tolerance by implementing strategic and risk objectives at the enterprise-wide level, at the line-of-business level, and at an appropriately granular level within the firm’s business lines.
The proposed guidance emphasizes the dynamic nature of the role of senior management. For example, senior management is responsible for a forward-looking and proactive understanding of the firm’s risks and activities and for periodically assessing the risk management framework to ensure that it remains comprehensive and up to date in light of changing internal and external risks, economic conditions, and the market environment. Senior management is also charged with ensuring that firm-wide information flows are adequate and effective so that decisions are not made in isolation, without a full understanding of the firm’s risks and current and prospective or planned activities.
As activities change or expand, internal audit and compliance teams can be challenged to include sufficient testing of key controls in their annual audit and compliance testing plans. Similarly, systems for ongoing monitoring of new controls take time to develop, test, and validate. As a result, the risk management framework and firm-wide information flows for new activities can be subpar, leading to examination and supervisory findings and actions. Firms should consider whether outside resources can help mitigate these significant regulatory risks, especially if the new activities directly impact customers or counterparties, where the potential for direct harm and reputational risks can arise from flaws or gaps in risk management and internal controls.
Core Principles of Business Line Management
The proposed guidance sets forth five core principles that would require business line management to:
- Execute business line activities consistent with the firm’s strategy and risk tolerance.
- Identify, measure, and manage the risks associated with business activities under a broad range of conditions, incorporating input from independent risk management.
- Provide sufficient resources and infrastructure to manage the business line’s activities in a safe and sound manner, and in compliance with applicable laws and regulations, including those related to consumer protection, as well as policies, procedures, and limits.
- Ensure that internal control systems are effective for business line operations.
- Operate within established policies and guidelines, and act in accordance with applicable laws, regulations, and supervisory guidance, including those related to consumer protection.
The proposed guidance emphasizes the importance of the alignment of business and risk objectives at the enterprise-wide level and at more granular business line levels as well as the management of risks at the business line level in accordance with the firm-level risk tolerance.[3] This emphasis may be a reflection of situations in which the firm-level risk tolerance was well-established and appropriate but individual business units conducted activities that deviated from the firm’s risk tolerance, and these deviations were not adequately detected or reported to senior management and/or the board.
Proper attention to the aggregation of risks across business lines, by business activities or products is critical to identifying, measuring, and managing business activity risks across a wide range of actual or potential firm-specific or macroeconomic conditions. Consideration should be given to the correlations among risks and how these correlations may change under stressed conditions.
Firm resources and infrastructure, including management information systems and reporting, should be sufficiently flexible to respond to changes in the internal or external environment and the resulting need to provide additional information to senior management and/or the board. Linked closely to the fifth principle under business line management, human resources need to have the requisite skills and experience, staff roles need to be clearly delineated and appropriately segregated, and succession and contingency plans need to be in place for key positions.
Internal control failures and inadequacies can also lead to breakdowns in compliance and potential customer harms. The fourth principle emphasizes the importance of periodic reassessment and regular testing of access controls, change controls, and data integrity controls, with a risk-based emphasis on key controls.
The final principle under business line management calls upon senior management to hold staff accountable when performance and behavior fail to meet expectations. It also calls upon senior management to have the means to prevent, detect, and remediate risk management and compliance failures. This includes both systems capabilities and human resources overseeing complex activities.
The oversight of business lines includes a role for compliance and independent risk management, which is discussed in the next section of the guidance and this note. Past experience has demonstrated the importance of compliance and risk management functions with a keen understanding of the business lines they oversee. Failure of these functions to understand the day-to-day operations of the business line can give rise to difficulties in detecting fraudulent or inappropriate behavior, including behavior that could harm customers or counterparties.
Firms should ensure that business line management, as the first line of defense, understands the firm’s overall risk tolerance and how that risk tolerance translates to key lines of business and activities or products. Strong compliance and independent risk management functions are not a substitute for a strong first line of business management that understands and owns the risk that the firm undertakes.
Core Principles of Independent Risk Management and Controls
The proposed guidance offers ten core principles related to independent risk management and controls:
- The Chief Risk Officer (CRO) should establish and maintain independent risk management that is appropriate for the size, complexity, and risk profile of the firm.
- The Chief Audit Executive should have clear roles and responsibilities to establish and maintain an internal audit function that is appropriate for the size, complexity, and risk profile of the firm.
- Independent risk management should evaluate whether the firm’s risk tolerance appropriately captures the firm’s material risks and confirm that the risk tolerance is consistent with the capacity of the risk management framework.
- Independent risk management should establish enterprise-wide risk limits consistent with the firm’s risk tolerance and monitor adherence to such limits.
- Independent risk management should identify and measure the firm’s risks.
- Independent risk management should aggregate risks and provide an independent assessment of the firm’s risk profile.
- Independent risk management should provide the board and senior management with risk reports that accurately and concisely convey relevant, material risk data and assessments in a timely manner.
- A firm should identify its system of internal controls and demonstrate that it is commensurate with the firm’s size, scope of operations, activities, risk profile, strategy, and risk tolerance, and that it is consistent with all applicable laws and regulations, including those related to consumer protection.
- A firm should regularly evaluate and test the effectiveness of internal controls and monitor functioning of controls so that deficiencies are identified and communicated in a timely manner.
- The internal audit function should examine, evaluate, and perform independent assessments of the firm’s risk management and internal control systems and report findings to senior management and the firm’s audit committee.
The proposed guidance is clear on the role, stature, and independence of the CRO, providing that the CRO must report directly to the risk committee of the board and the Chief Executive Officer. In the case of an FBO, the CRO must report to the U.S. risk committee and the global CRO or equivalent position. The CRO is responsible for guiding independent risk management but also has a role that is broader, encompassing responsibilities for strategic planning, capital and liquidity planning, and incentive compensation plan design and review.
Independent risk management both checks the scope and breadth of risk capture in the firm’s risk tolerance and establishes enterprise-wide and more granular[4] quantitative and qualitative risk limits that are consistent with the firm’s risk tolerance for a comprehensive set of risks. While business line input into the firm’s risk tolerance will be appropriate and helpful, independent risk management limits should be the operative, formal, and binding limits across the firm. The guidance on independent risk management combines supervisory expectations for both risk management and compliance, although it leaves it to each firm to structure programs consistent with the guidance.
LFIs should have a Chief Audit Executive (CAE) charged with managing all internal audit work and assessments of the firm’s systems of internal control and risk management, whether conducted in-house or outsourced. The guidance describes the types of activities and processes covered by internal controls and calls for continuous monitoring and periodic testing of controls, using a risk-based approach.
Internal compliance and audit teams may lack the business line expertise to detect fraudulent or inappropriate behavior that could lead to direct harm to customers and counterparties and result in regulatory and reputational risks. Outside experts with subject matter expertise in particular lines of business (e.g., trading activities) and with capabilities in data analytics, machine learning, and network analysis can aid firms in detecting problematic behavior, isolating the source of the behavior (e.g., trading desks for particular products or in certain geographic locations), and mitigating risks to the firm.
CROs and CAEs are charged with wide-ranging responsibilities. Firms should consider the need to augment CRO and CAE resources with independent experts. Independent experts can serve as an effective challenge, prevent firm “group think,” and act as a second set of eyes and ears for senior management and the board.
In response to this proposed guidance, we would recommend that firms consider the following actions, at a minimum:
- Develop a risk-based plan and timetable to enhance ongoing monitoring and periodic testing of key controls for higher-risk activities in advance of regular examinations.
- Assess business line management, as the first line of defense, and its understanding of how firm-level risk tolerance translates to key activities and products.
- Assess risk management capabilities, systems, data and information flows, and internal controls in light of the proposed guidance.
- Develop a program to incorporate data analytics, machine learning, and network analysis in the detection and isolation of potential problematic behavior, particularly with respect to high-risk activities that directly impact customers or counterparties.
- Consider the need to augment CRO and CAE resources with independent experts that can provide a challenge function and an “outside looking in” perspective.
[1] Specifically, the guidance would apply to domestic bank holding companies (BHCs) and domestic savings and loan holding companies (SLHCs) with total consolidated assets of $50 billion or more (including commercial and insurance SLHCs), the combined U.S. operations of foreign banking organizations with combined U.S. assets of $50 billion or more, and any state member bank subsidiaries of the foregoing, as well as any systemically important nonbank financial company designated by the Financial Stability Oversight Council for supervision by the Federal Reserve Board.
[2] The 2017 proposed guidance on supervisory expectations for boards of directors requested comment on the application of the guidance to the U.S. intermediate holding companies of FBOs.
[3] For FBOs, this includes consideration of risks outside of the United States that may impact the FBO’s combined U.S. operations.
[4] Granular risk limits could be imposed at the product or activity level or with respect to specific legal entities or jurisdictions.