In an ever-evolving financial landscape, regulatory authorities like the Federal Deposit Insurance Corporation (FDIC) continue to adapt to the changing dynamics within the banking industry. As part of its ongoing efforts to maintain the safety and soundness of financial institutions, the FDIC has recently proposed a set of comprehensive guidelines that will impact how banks manage risk, conduct business, and govern themselves.
The FDIC's proposed “Guidelines Establishing Standards for Corporate Governance and Risk Management for Covered Institutions with Total Consolidated Assets of $10 Billion or More” aim to set a higher standard for risk management within the banking industry.
The guidelines span several key areas, focusing on board governance and oversight, the establishment and role of various board committees, risk management, internal audit, communication processes, risk limit breaches, and identifying and responding to violations of laws and regulations.
The FDIC points out in the introduction to the proposed guidelines that poor corporate governance and risk management were contributing factors to bank failures in 2008 and 2023. The FDIC believes that the proposed guidelines will benefit banks by reducing the likelihood and magnitude of losses and the likelihood of failure.
The FDIC has not previously issued supervisory guidelines or regulations on corporate governance and risk management, though the Office of the Comptroller of the Currency and the Federal Reserve Board do impose such requirements on larger institutions. Several features of the proposed rule break new ground with requirements not found in previous mandates, including a specific requirement that institutions report violations of law and prescriptive guidelines on board committee structure.
The proposed guidelines target FDIC-supervised institutions, primarily state-chartered banks not affiliated with the Federal Reserve system, with assets of $10 billion or more, reflecting the agency’s view that larger or more complex institutions should have more sophisticated practices to ensure appropriate corporate governance. Furthermore, the FDIC reserves the authority to apply the proposed guidelines to smaller institutions if the FDIC determines that the institution’s operations are highly complex or present heightened risk.
The proposed guidelines contain board composition and diversity considerations, board committee requirements, and expectations for the roles and responsibilities of the board. Appointing qualified executive management, developing succession plans, and actively overseeing management are some of the responsibilities covered. The proposed guidelines also would require development and maintenance of a strategic plan, risk management policies, and processes for responding to violations of laws or regulations and to breaches of internal risk limits.
The proposed FDIC guidelines introduce several key concepts and expectations:
One of the central features of the proposal is the implementation of a "three-lines-of-defense" risk management model. This model represents a structural approach to risk management that enhances risk reporting and management within covered financial institutions. The three lines of defense consist of:
Front Line Unit: This is the first line of defense, situated within the bank's business units. The primary responsibility is to identify, assess, and manage risks associated with each unit’s specific activities. This includes adhering to defined risk limits and following established policies and procedures.
Independent Risk Management Unit: The second line of defense is an independent risk management unit, overseen by an independent Chief Risk Officer reporting to the board or the Risk Committee. This group is responsible for assessing and overseeing risks independently of the business units and the CEO. Its critical role is to ensure that the bank's risk-taking activities align with the established risk appetite and that risk management practices are robust and effective.
Internal Audit Unit: The third line of defense involves the internal audit unit. The unit’s role is to evaluate the bank's risk management program. It conducts regular audits to assess the adequacy of policies, procedures, and processes set by the first and second lines of defense. Its findings are reported to the board and relevant committees.
A significant component of these guidelines is the requirement for banks to proactively communicate their risk appetite and maintain strategies for promoting compliance among their staff. This active approach to risk management is intended to ensure that employees throughout the bank are well-informed about risk limits and management practices. It also highlights the importance of reporting any breaches of these articulated risk limits promptly.
If the proposal is adopted, covered institutions may face substantial effort to implement the guidelines. Implementation may require hiring additional staff and making changes to internal systems and processes.
The FDIC is soliciting comments on the proposed guidelines until December 11, 2023.
SRA risk professionals are available to answer questions or assist with implementation of the rule.