Payments Report: News from Washington, Brought to you by NEACH
VOLUME 2023-9 (DEC 23)
Overview: On October 11, 2023, the FDIC issued a notice of proposed rulemaking to establish guidelines regarding the expected standards for corporate governance and risk management of certain depository institutions (“Guidelines”). Specifically, the Guidelines would apply to state banks and state-licensed branches of foreign banks with total consolidated assets of at least $10 billion. Although the Guidelines are heavily influenced by existing principles established by the OCC and FRB, they would apply to more institutions due to lower applicability thresholds and appear to be more stringent. Interested parties may submit comments to the FDIC no later than February 9, 2024.
Background
From 1994 until 2008, the governance and risk management of banks was largely governed by state law, with some exceptions for certain federal requirements, such as the operational, managerial, and compensation standards imposed by federal banking regulators. But after the 2008 financial crisis, the federal banking regulators began imposing more extensive and stricter requirements. In March 2014 the FRB adopted a rule implementing its Enhanced Prudential Standards for Bank Holding Companies and Foreign Banking Organizations (the “FRB Enhanced Standards”). Later in 2014, the OCC adopted its own rule setting forth the Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches (the “OCC Heightened Standards”). Both the FRB Enhanced Standards and the OCC Heightened Standards apply to financial institutions with total combined assets of at least $50 billion. The FRB then issued supervisory guidance in 2021, setting out its expectations for effective board governance. However, the 2021 guidance only applied to bank holding companies and savings and loan holding companies with total consolidated assets of $100 billion or more.
The FDIC was motivated to adopt new governance and risk management standards in part because of the 2023 banking crisis, as well as to harmonize with the OCC and FRB. The FDIC observed that “financial institutions with poor corporate governance and risk management practices were more likely to fail,” and more specifically stated that reports reviewing the 2023 bank failures “noted that poor corporate governance and risk management practices were contributing factors.” It then determined that $10 billion in total assets is the appropriate scope of application, even though this threshold is significantly lower than the thresholds in the FRB Enhanced Standards or OCC Heightened Standards. According to the rulemaking notice, “[t]he FDIC’s supervisory experience has shown that institutions with assets greater than $10 billion are larger, more complex and present a higher risk profile” as compared to “community banking organizations with less than $10 billion in total assets.”
The Proposed Standards
The proposal would add a new Appendix C to the FDIC’s safety and soundness regulations in 12 C.F.R. Part 364. In drafting the Guidelines, the FDIC drew upon the principles previously established by the FRB and OCC and incorporated prior FDIC guidance and supervisory expectations. However, the Guidelines are significantly more extensive than the FRB Enhanced Standards or the OCC Heightened Standards. Following are a number of the key provisions proposed by the FDIC.
With respect to governance, the Guidelines set out minimum standards for a covered institution’s board of directors. Under the Guidelines, the majority of an institution’s board must be independent or outside directors. While not setting forth specific diversity requirements, the Guidelines emphasize that a covered institution should consider how diversity among its board members “may best promote effective, independent oversight of covered institution management.”
The board’s duties would include:
- Setting an appropriate tone, which includes establishing a corporate culture that promotes responsible, ethical behavior. This corporate culture should discourage “imprudent risk-taking,” as well as unethical or illegal behavior in the pursuit of profit.
- Approving a strategic plan for the institution that provides clear objectives within which the institution’s management can operate.
- Annually reviewing and approving the policies that govern and guide the operations of the covered institution.
- Establishing a written code of ethics covering directors, management, and employees. The code of ethics should address conflicts of interest and compliance, as well as reporting of prohibited behavior, and should be reviewed at least annually.
- Actively overseeing the covered institution’s activities and appointing qualified officers.
- Ensuring ongoing training of directors regarding the institution’s products and services as well as legal and regulatory obligations. The board should also conduct an annual self-assessment evaluating its effectiveness in meeting the standards of the Guidelines.
- Establishing and annually reviewing compensation and performance management programs.
A covered institution’s board would also be required to establish certain committees to allow for a division of labor among the directors. At a minimum, the board should form: (i) an audit committee composed entirely of outside and independent directors; (ii) a compensation committee; (iii) a trust committee (if the institution has trust powers); and (iv) a risk committee that approves and annually reviews and updates the institution’s risk management policies. Depending on the risk profile of the institution, the board may also need to form other committees, such as compliance, lending, IT, cybersecurity, and/or investments committees.
In addition to the governance requirements, the Guidelines also provide extensive directives regarding the covered institution’s risk management program. The risk management program should be structured using a “three-lines-of-defense model: business units (front line units), independent risk management unit, and internal audit unit.” The institution should also create a risk profile and establish a risk appetite statement, both of which must be reviewed and updated (if necessary) at least quarterly, including quarterly review by the board.
The Guidelines would also require a covered institution’s board to establish a process for front-line and risk management personnel to identify, document, and notify the CEO and board of directors of violations of law or regulation. Following the internal escalation process, the covered institution would also be required to report such violations to the governmental agency with jurisdiction over these matters, even if the institution has already filed a suspicious activity report under the Bank Secrecy Act.
Outlook: The Guidelines are even more extensive than the summary provided above and covered institutions should review them. The deadline to provide feedback has been extended to February 9, 2024. Comments can be submitted by mail, email, or through the FDIC’s website at https://www.fdic.gov/resources/regulations/federal-register-publications.
______________________________________________________________________________________________________________________
AUTHOR INFORMATION:
Craig Saperstein, a member of Nacha’s Government Relations Advisory Group, is a partner in the Public Policy practice of Pillsbury Winthrop Shaw Pittman LLP in Washington, D.C. In this capacity, he provides legal analysis for clients on legislative and regulatory developments and lobbies congressional and Executive Branch officials on behalf of companies in the payments industry. Deborah Thoren-Peden is a partner and member of the Financial Institutions Team at Pillsbury Winthrop Shaw Pittman LLP. She provides advice to financial institutions, bank and non-bank, and financial services companies. Daniel Wood is a Counsel and member of the Financial Services Regulatory Team. He provides analysis for financial institutions, technology companies, and clients that offer consumer financial products. Brian Montgomery is a Senior Counsel and member of the Financial Services Regulatory Team. He provides analysis for financial institutions, technology companies, and clients that offer consumer financial products. The information contained in this update does not constitute legal advice and no attorney-client relationship is formed based upon the provision thereof.