I am unable to support today’s proposed guidelines establishing standards for corporate governance and risk management. While similar to the standards adopted by the OCC as Appendix D to 12 C.F.R. part 30 (the “OCC Guidelines”), our version would tend to undermine accountability for risk ownership, conflate the roles of board and management, preempt state corporate law, and potentially conflict with regulatory expectations applicable to parent companies. My hope is that we will address these issues in the final guidelines.
To suggest just a few specific examples that might merit the attention of commenters:
- Front-line risk ownership. One of the key risk-management lessons of the 2007-08 financial crisis was that business units should own the risks of their activities.1 The proposal, however, could be read to undermine that accountability. The proposal does not include the OCC Guidelines’ expectation that the front line units should be held accountable for managing the risk of their activities.2 And, unlike the OCC Guidelines, the proposal includes language suggesting the second-line risk function jointly shares responsibility for managing a bank’s risks with the front line units.3
- Role of the board. The proposal would impose new responsibilities on directors that instead should be tasked to senior management. For example:
  - The proposal would provide that “[t]he board is responsible for establishing and approving the policies that govern and guide the operations of the covered institution in accordance with its risk profile . . . .”4 As originally proposed, the OCC Guidelines also would have required the board or the risk committee to approve any material policies established under the risk governance framework,5 but the OCC struck that requirement from the final OCC Guidelines because “the OCC did not intend to assign managerial responsibilities to the board of directors or its risk committee.”6
  - The proposal also would provide that each director has a duty to “oversee and confirm that the covered institution operates . . . in compliance with all laws and regulations.”7 This could be read to suggest that the board must take steps to confirm that the bank is always in compliance with law, even absent red flags that put the board on notice of a compliance issue. Instead, we should be clear that it is the responsibility of management to ensure compliance with law, while the responsibility of the board should be to ensure that the company has in place a framework to ensure compliance with law.8
- Board composition. The proposal would provide that a majority of the directors should be independent,9 going beyond the expectations of other bank regulators.10 Members of the parent company’s board often would not be independent for this purpose, with some exceptions.11 The proposal also could be construed as setting a regulatory expectation with respect to racial, ethnic, gender, and other diversity on the board; I would be interested to hear whether commenters think diversity expectations could be better addressed in a clearer and more calibrated way through guidance other than these safety and soundness standards, which are focused on risk management.12
- Consideration of non-shareholder constituencies. The proposal would provide that “[t]he board . . . should consider the interests of all its stakeholders, including shareholders, depositors, creditors, customers, regulators, and the public.”13 For at least some banks, that seems to conflict with settled law. For example, creditors generally have only limited rights beyond those in their contracts.14 Under some states’ laws, a board may consider non-shareholder constituencies only if there are benefits that accrue to the shareholders.15 Other states more broadly permit boards to consider non-shareholder constituencies, but only a few states actually require consideration of other stakeholders.16
- Reliance on third-party reports. The proposal’s guidelines with respect to active board oversight over management generally would mirror the corresponding provisions of the OCC Guidelines, except that the proposal does not affirm clearly that “the board of directors may rely on risk assessments and reports prepared by independent risk management and internal audit.”17 That departure unnecessarily raises questions about the FDIC’s view on boards’ customary reliance on third-party reports.
- Compliance risk management. The OCC Guidelines helpfully define “Chief Risk Executive” as “an individual who leads an independent risk management unit” and explicitly provide that “[a] covered bank may have more than one Chief Risk Executive.”18 The flexibility to have several Chief Risk Executives permits separate second line functions, including, for example, a separate compliance-risk function that is led by a Chief Compliance Officer who reports directly to the CEO and that is overseen by a separate Compliance Committee. The permissibility of a separate compliance-risk function is a point the OCC thought important enough to confirm in a footnote to the OCC Guidelines.19 However, in a rather odd departure from the OCC Guidelines, the proposal seems to contemplate one sole Chief Risk Officer.20 One interpretation is that the FDIC expects that all second-line risk management responsibilities, including with respect to compliance-risk management, would be overseen by the Chief Risk Officer and the Risk Committee.21 Under that interpretation, the proposal would preclude a separate compliance-risk function.
- Disaggregated risk appetites and risk assessments. The proposal does not include footnote four from the OCC Guidelines, which makes clear that risk may be aggregated for purposes of establishing risk appetites where it is not possible to disaggregate the risks.22 The proposal also would seem to require disaggregation for some business units and activities even if not always feasible, as it provides that the risk appetite limits and risk assessments should be both “in the aggregate and for lines of business and material activities or products.”23
- Self-reporting of risk-limit breaches. The proposal has conflicting expectations as to which risk-limit breaches should be reported to the FDIC. On the one hand, the proposal would expect processes that provide for the FDIC to be notified of any risk-limit breach.24 On the other hand, the proposal also would expect the establishment of protocols for when and how to inform the FDIC of a risk limit breach that takes into account the severity of the breach and its impact on the bank.25
- Self-reporting of violations of law. The proposal would expect a board to establish processes to report all violations of law to the appropriate enforcement authority.26 While the FDIC has historically afforded credit for self-reporting of compliance issues in considering enforcement remedies,27 I am not aware of any FDIC expectation that actually requires such self-reporting. An expectation to self-report compliance issues could pose some unintended consequences for attorney-client and other privileges and for each bank’s incentives to conduct investigations to self-identify and remediate compliance issues.
- Conflicts with other regulatory expectations. Large banking organizations typically manage their risks on an enterprise-wide basis.28 Some of the more prescriptive aspects of the proposal could pose a risk of conflicts with the Federal Reserve’s risk management expectations governing parent holding companies.
- Compliance date. The proposal does not provide a transition period to achieve compliance with these new expectations. As proposed, the FDIC would expect compliance on the effective date of the final guidelines for banks with total consolidated assets of $10 billion or more, and for banks under that threshold, immediately upon the bank reaching that threshold.29
1 OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches, 79 Fed. Reg. 54,518, 54,529 (Sep. 11, 2014) (“As the OCC observed during the financial crisis, it can be challenging to instill a sense of ‘risk ownership’ in a front line unit when multiple organizational units are responsible for the risks associated with the front line unit’s activities. Banks whose business leaders viewed themselves as accountable for the risks created through their activities fared better in the crisis than banks where accountability for risks were shared among multiple organizational units.”).
2 Like the OCC Guidelines, the proposal provides a description of the front line units’ roles and responsibilities, but unlike the OCC Guidelines, the proposal does not include the OCC’s expectation that “[f]ront line units should take responsibility and be held accountable by the Chief Executive Officer and the board of directors for appropriately assessing and effectively managing all of the risks associated with their activities.” Compare FDIC Proposal III.C.3(a) with OCC Guidelines II.C.1. This difference in expectations is reiterated in the definition of “front line unit.” The proposal’s definition of “front line unit” is substantially the same as the OCC Guidelines’ definition except that the proposal strikes that the front line unit “is accountable for a risk.” Compare FDIC Proposal I.D.5 with OCC Guidelines I.E.6.
3 For example, the proposal would provide that “independent risk management should . . . [e]nsure front line units meet the standards in paragraph 3(a).” FDIC Proposal III.C.3(b)(vi). Paragraph 3(a) provides that front line units should take steps to assess and manage their risks. Id. II.C.3(a). The proposal also would provide that “independent risk management should . . . [e]stablish and adhere to procedures and processes, as necessary, to ensure compliance . . . with applicable laws and regulations.” Id. III.C.3(b)(v).
4 Id. II.C.3.
5 OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches, 79 Fed. Reg. 4282, 4297 (proposed Jan. 27, 2014) (proposed I.C.4(i)).
6 79 Fed. Reg. at 54,526.
7 FDIC Proposal II.A (emphasis added).
8 See, e.g., In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996) (“[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists . . . .”); Bd. of Governors of the Fed. Reserve Sys., Supervisory Guidance on Board of Directors’ Effectiveness, SR 21-3 / CA 21-1, at 7 (Feb. 26, 2021) (“An effective board considers whether its composition, governance structure, and practices support the firm’s . . . ability to promote compliance with laws and regulations . . . .”); Bd. of Governors of the Fed. Reserve Sys., Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion, SR 16-11, at 5 (rev. Feb. 17, 2021) (“Senior management is responsible for implementing strategies set by the board of directors in a manner that controls risks and that complies with laws, rules, regulations, or other supervisory requirements on both a long-term and day-to-day basis.”).
9 FDIC Proposal II.B.
10 OCC Guidelines III.D (providing for at least two directors to be independent).
11 FDIC Proposal II.B & n.44.
12 Id. II.B.
13 Id. II.A.
14 See, e.g., N. Am. Cath. Educ. Programming Found., Inc. v. Gheewalla, 930 A.2d 92, 101 (Del. 2007) (“It is well settled that directors owe fiduciary duties to the corporation. When a corporation is solvent, those duties may be enforced by its shareholders, who have standing to bring derivative actions on behalf of the corporation because they are the ultimate beneficiaries of the corporation’s growth and increased value. When a corporation is insolvent, however, its creditors take the place of the shareholders as the residual beneficiaries of any increase in value.” (footnotes omitted)); id. at 103 (“The creditors of a Delaware corporation that is either insolvent or in the zone of insolvency have no right, as a matter of law, to assert direct claims for breach of fiduciary duty against its directors.”).
15 See, e.g., Revlon, Inc. v. MacAndrews & Forbes Holdings, Inc., 506 A.2d 173, 182 (Del. 1986) (“A board may have regard for various constituencies in discharging its responsibilities, provided there are rationally related benefits accruing to the stockholders.”).
16 James D. Cox & Thomas Lee Hazen, Business Organizations Law § 4.5 (5th ed. 2020).
17 Compare FDIC Proposal II.C.5(a) with OCC Guidelines III.B.
18 OCC Guidelines I.E.3 (emphasis added).
19 Id. II.C n.2 (“In addition, existing OCC guidance sets forth standards for establishing risk management programs for certain risks, e.g., compliance risk management. These risk-specific programs should also be considered components of the risk governance framework, within the context of the three units described in paragraph II.C. of these Guidelines.”).
20 For example, the proposal defines “independent risk management unit” as “any organizational unit within the covered institution that is directed by the CRO and which has responsibility for identifying, measuring, monitoring, or controlling aggregate risks.” FDIC Proposal I.D.6 (emphasis added). The proposal further provides that “[u]nder the direction of the CRO, the independent risk management staff should oversee the covered institution’s risk-taking activities and assess risks and issues independent of the CEO and front line units.” FDIC Proposal III.C.3(b) (emphasis added).
21 On the other hand, unlike the OCC Guidance, the proposal does not include “compliance risk” in the list of risk categories that should be managed by the risk-management program. Compare FDIC Proposal III.A (“The risk management program should cover the following risk categories as applicable: credit, concentration, interest rate, liquidity, price, model, operational (including, but not limited to, conduct, information technology, cyber-security, AML/CFT compliance, and the use of third parties to perform or provide services or materials for the institution), strategic, and legal risk.”) with OCC Guidelines II.B (“The risk governance framework should cover the following risk categories that apply to the covered bank: Credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk.” (emphasis added)). In the next sentence, however, the proposal does go on to provide that “[t]he risk management program should ensure that the covered institution’s activities are conducted in compliance with applicable laws and regulations.” FDIC Proposal III.A; see also id. III.C.1 (“The independent risk management unit should design a formal, written risk management program that . . . ensures compliance with applicable laws and regulations.”).
22 OCC Guidelines II.E n.4 (“Where possible, covered banks should establish aggregate risk appetite limits that can be disaggregated and applied at the front line unit level. However, where this is not possible, covered banks should establish limits that reasonably reflect the aggregate level of risk that the board of directors and executive management are willing to accept.”).
23 FDIC Proposal III.B (“[T]he covered institution should have a comprehensive written statement . . . that establishes risk appetite limits for the covered institution, both in the aggregate and for lines of business and material activities or products.”); id. III.C.3(b)(ii) (“[I]ndependent risk management should . . . [i]dentify and assess, on an ongoing basis, the covered institution’s material risks, in the aggregate and for lines of business and material activities or products . . . .”).
24 Id. III.E.3. (emphasis added).
25 Id. III.C.2(c)(ii). (emphasis added).
26 Id. III.F.5 (“The board should establish, and the covered institution should adhere to, processes that require front line units and the independent risk management unit, consistent with their respective responsibilities to . . . [r]eport all violations of law or regulation in a manner and on a timetable acceptable to the agency with jurisdiction over that law or regulation and establish accountability for resolving violations, even if the covered institution did not realize a loss from such violations.”).
28 See, e.g., Fin. Stability Bd., Thematic Review on Risk Governance § 2, at 11 (Feb. 2013) (“The risk management function should be responsible for the firm’s risk management framework across the entire organization, ensuring that the firm’s risk limits are consistent with the risk appetite statement and that risk-taking remains within those limits.” (cleaned up)); 12 CFR § 252.22(b)(2)(i)(A) (“The chief risk officer is responsible for overseeing: . . . [t]he establishment of risk limits on an enterprise-wide basis and the monitoring of compliance with such limits . . . .” (emphasis added)).
29 See FDIC Proposal I.A. A bank has $10 billion or more in total consolidated assets for purposes of the proposal if it reports so on its call report for the two most recent consecutive quarters. Id.