Raising the Bar: FDIC's Proposed Enhanced Governance Guidelines for Regional and Large Banks

October 26, 2023

SRA's Summary of FDIC's Proposed Addition to Part 364 of the FDIC’s Rules and Regulations of Appendix C

In an ever-evolving financial landscape, regulatory authorities like the Federal Deposit Insurance Corporation (FDIC) continue to adapt to the changing dynamics within the banking industry. As part of its ongoing efforts to maintain the safety and soundness of financial institutions, the FDIC has recently proposed a set of comprehensive guidelines that will impact how banks manage risk, conduct business, and govern themselves.

Understanding the New Guidelines

The FDIC's proposed “Guidelines Establishing Standards for Corporate Governance and Risk Management for Covered Institutions with Total Consolidated Assets of $10 Billion or More” aim to set a higher standard for risk management within the banking industry.

The guidelines span several key areas, focusing on board governance and oversight, the establishment and role of various board committees, risk management, internal audit, communication processes, risk limit breaches, and identifying and responding to violations of laws and regulations.

The FDIC points out in the introduction to the proposed guidelines that poor corporate governance and risk management were contributing factors to bank failures in 2008 and 2023. The FDIC believes that the proposed guidelines will benefit banks by reducing the likelihood and magnitude of losses and the likelihood of failure.

The FDIC has not previously issued supervisory guidelines or regulations on corporate governance and risk management, though the Office of the Comptroller of the Currency and the Federal Reserve Board do impose such requirements on larger institutions. Several features of the proposed rule break new ground with requirements not found in previous mandates, including a specific requirement that institutions report violations of law and prescriptive guidelines on board committee structure.

The proposed guidelines target FDIC-supervised institutions, primarily state-chartered banks not affiliated with the Federal Reserve system, with assets of $10 billion or more, reflecting the agency’s view that larger or more complex institutions should have more sophisticated practices to ensure appropriate corporate governance. Furthermore, the FDIC reserves the authority to apply the proposed guidelines to smaller institutions if the FDIC determines that the institution’s operations are highly complex or present heightened risk.

Key Details and Highlights

The proposed guidelines contain board composition and diversity considerations, board committee requirements, and expectations for roles and responsibilities of the board. Appointing qualified executive management, developing succession plans, and actively overseeing management are some of the responsibilities covered. The proposed guidelines also would require development and maintenance of a strategic plan, risk management policies, and processes for responding to violations of laws, regulations, or breaches of internal risk limits.

The proposed FDIC guidelines introduce several key concepts and expectations:

  1. Risk Appetite and Governance: A fundamental aspect of the proposed guidelines is for institutions to clearly define and document their risk appetite. This includes both qualitative and quantitative limits and regular review and approval.
  2. Board and Committee Responsibilities: The proposed guidelines emphasize the composition, roles, and responsibilities of various board committees. The Audit Committee, Compensation Committee, Risk Committee, and Trust Committee, for those institutions that offer trust services, all have specific mandates to fulfill under the proposal.
  3. Risk Management Program: Under the proposed guidelines, covered institutions must establish a risk management program that identifies, measures, monitors, and manages risks across risk categories that include credit, concentration, interest rate, liquidity, price, model, operational, strategic and legal risk.
  4. Internal Audit: The proposed guidelines call for internal audit units to maintain an inventory of material business areas, develop an audit plan, and report findings to the Audit Committee. The guidelines emphasize independence and an ongoing assessment of the risk management program's design and effectiveness.
  5. Risk Limit Breaches and Compliance: Under the proposed guidelines, processes must be established to identify, report, and resolve breaches of risk limits and violations of laws or regulations. These processes must hold individuals accountable for reporting and resolution.
  6. Communication and Training: The proposed guidelines prescribe ongoing training for directors and employees as well as communications processes to reinforce the institution’s risk appetite and risk management program.

The Three Lines of Defense Model

One of the central features of the proposal is the implementation of a "three-lines-of-defense" risk management model. This model represents a structural approach to risk management that enhances risk reporting and management within covered financial institutions. The three lines of defense consist of:

Front Line Unit: This is the first line of defense, situated within the bank's business units. The primary responsibility is to identify, assess, and manage risks associated with each unit’s specific activities. This includes adhering to defined risk limits and following established policies and procedures.

Independent Risk Management Unit: The second line of defense is an independent risk management unit, overseen by an independent Chief Risk Officer reporting to the board or the Risk Committee. This group is responsible for assessing and overseeing risks independently of the business units and the CEO. Its critical role is to ensure that the bank's risk-taking activities align with the established risk appetite and that risk management practices are robust and effective.

Internal Audit Unit: The third line of defense involves the internal audit unit. The unit’s role is to evaluate the bank's risk management program. It conducts regular audits to assess the adequacy of policies, procedures, and processes set by the first and second lines of defense. Its findings are reported to the board and relevant committees.

Active Communication and Compliance Are the Key

A significant component of these guidelines is the requirement for banks to proactively communicate their risk appetite and maintain strategies for promoting compliance among their staff. This active approach to risk management is intended to ensure that employees throughout the bank are well-informed about risk limits and management practices. It also highlights the importance of reporting any breaches of these articulated risk limits promptly.

If the proposal is adopted, covered institutions may face substantial effort to implement the guidelines. Implementation may require hiring additional staff and making changes to internal systems and processes.

The FDIC is soliciting comments on the proposed guidelines until December 11, 2023.

SRA risk professionals are available to answer questions or assist with implementation of the rule.

Source: FDIC | FIL-55-2023 | Letter: Proposed Addition to Part 364 of the FDIC’s Rules and Regulations of Appendix C

Part 364 - Standards for Safety and Soundness
