Supervisory Insights

Credit Risk Assessment of Bank Investment Portfolios

Last Updated: May 15, 2023

The recent financial crisis exposed deficiencies in credit ratings assigned by nationally recognized statistical rating organizations (NRSRO) for certain fixed-income securities, especially structured products that were tied to the residential real estate market. These and other securities depreciated rapidly when the residential real estate market collapsed, causing severe losses to insured depository institutions and contributing to some bank failures. Problems were pronounced in many bonds that were assigned strong credit ratings at the time of issuance (i.e., AAA-rated securities), but suffered significant credit deterioration and were subsequently downgraded.

In response, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) addressed this situation by directing all federal agencies to remove language in banking regulations that called for reliance on external credit ratings to form judgments about a fixed-income obligor’s repayment capacity.1 The federal agencies were directed to draft rules that replaced external credit ratings with uniform standards of creditworthiness. The new rules pertaining to permissible investments went into effect on January 1, 2013.2

Since the rules were issued, bankers have asked for clarification on how the regulators will interpret them. This article discusses why the new investment-grade standard is not a paradigm shift from previous supervisory guidance, how the rule permits flexibility in how banks assess credit risk, and how examiners will work with banks in their effort to comply with the rule. The heart of this article discusses supervisory expectations for the credit analysis of fixed-income securities, gives examples of due diligence, and ends with a list of questions that examiners may consider when reviewing a bank’s risk management practices related to due diligence.


Investors’ overreliance on credit ratings in the period leading up to the financial crisis contributed to the widespread underestimation of credit risk in certain fixed-income securities. Some banks did not adequately understand or independently assess the risk characteristics of a bond’s obligor, the underlying collateral, or the payment structure of individual securities. Inadequate due diligence led to purchases of what were believed to be “investment-grade” bonds, but were not, as initial credit ratings failed to identify the inherent repayment risks and weaknesses that were exposed when the economy, real estate, and bond markets deteriorated. The severity and magnitude of the financial crisis triggered credit impairment in investment portfolios, resulting in significant principal write-downs that affected earnings and capital.

The reliance on credit ratings and subsequent problems prompted Congress to enact Section 939A of the Dodd-Frank Act, which restricted references to credit ratings in banking regulations. In response, the Office of the Comptroller of the Currency (OCC) issued a rule on June 13, 2012, Alternatives to the Use of External Credit Ratings in the Regulations of the OCC, and accompanying guidance that established an investment-grade standard in lieu of credit ratings.3

The OCC’s rule requires banks to verify that their investment securities, with some limited exceptions discussed below, meet this standard at purchase. The rule defines “investment grade” as a security with a low risk of default and where full and timely payment of principal and interest is expected. Although the OCC rule was directed to nationally chartered financial institutions, state-chartered institutions should also adhere to the rule and guidance since state banks are generally prohibited from engaging in an investment activity not permissible for a national bank.4

The Dodd-Frank Act required the FDIC to issue a rule and guidance directed to savings associations and their investments in corporate bonds.5 Thus, thrift investments in corporate bonds will be subject to credit standards and due diligence guidance that are consistent with those issued by the OCC. The FDIC’s authority to issue such rules to national and state savings associations is based in the Federal Deposit Insurance Corporation Improvement Act of 1991 in response to the savings and loan crisis.

Supervisory Due Diligence Requirements Have Not Changed, but the Focus Has Shifted

From a bond analysis and investment due diligence perspective, the need to look beyond the credit rating is not a new supervisory expectation. Before the financial crisis, existing guidance stipulated that banks were expected to have in place a robust credit risk management framework for securities which entailed appropriate pre-purchase and ongoing monitoring by a qualified staff that graded a security’s credit risk based upon an analysis of the repayment capacity of the issuer and the structure and features of the security.6

Therefore, removal of references to credit ratings from regulations has not substantively changed the standards institutions should consider when evaluating a fixed-income instrument’s creditworthiness, permissibility, and adverse classification. However, the supervisors’ emphasis has shifted with the Dodd-Frank Act and issuance of the corresponding OCC regulation. As a result, examiners will focus less on credit ratings and more on the adequacy of pre-purchase analysis, integration of various credit factors other than credit ratings, and monitoring procedures.

The Dodd-Frank Act does not require states to change their laws on permissible investments. Therefore, it is likely there will be circumstances where a state law requires that an investment meet a credit rating threshold (typically, at the NRSRO’s lowest investment-grade rating band such as BBB). In these cases, banks will need to demonstrate that the external credit ratings meet the state criteria and still conduct the due diligence required to meet the new OCC regulation’s investment-grade or safety and soundness standards.

Three general points about due diligence are worth emphasizing. First, the OCC and FDIC regulations are not envisioned to significantly change the scope of permissible investments.7 Second, the Dodd-Frank Act does not prohibit institutions from considering credit ratings as part of their due diligence and ongoing review of securities. And finally, the depth of due diligence that examiners expect will depend in part on the size, complexity, and risk characteristics of the securities portfolio. Thus, for example, institutions with high concentrations of particular types of securities relative to capital would be expected to perform more comprehensive due diligence and ongoing monitoring.

Exemptions, Flexibility, and Learning Curves

Banks have processes and procedures in place to effectively evaluate credit risk in their loan portfolios. Similar processes and procedures could be adopted for securities, which would save bankers from creating a credit risk framework from scratch. In addition, the OCC rule’s exemption of many bonds from the investment-grade standard may also reduce burden. That is, banks may purchase obligations of the U.S. government or its agencies and general obligations of states and political subdivisions without having to make an investment-grade determination. This exemption also applies to revenue bonds that are held by well capitalized banks.

Therefore, U.S. Treasury securities and federal agency bonds will not require credit analysis. Most municipal bonds will also not require credit analysis to determine if the investment-grade standard has been satisfied. However, the supervisors will expect banks to have a sufficient understanding of the credit risk of municipals to ensure standards for safety and soundness are observed and maintained. And, as has always been the case, management should fully understand safety and soundness standards related to interest rate risk, operational risk, liquidity risk, etc.8

The OCC purposely did not issue prescriptive guidance that detailed procedures for every instrument or situation. By keeping the guidance broad, bankers have greater flexibility to develop due diligence methodologies that are suitable to their institutions’ respective risk tolerance and unique situation.

Methods for measuring and monitoring credit risk in the investment portfolio will evolve, and best practices will emerge, as bankers, regulators, and investment advisors identify more effective credit review techniques. As a result, the supervisory agencies expect the transition away from reliance on credit ratings to entail a learning curve for both bankers and examiners. As long as management demonstrates that it has made good-faith progress to comply with the OCC rule, FDIC examiners, at their initial examination reviews, will work with banks as they transition away from a ratings-centric bond selection and monitoring process. Examiners may offer constructive recommendations or suggestions on due diligence efforts, as appropriate.

Due Diligence

The OCC’s regulation was issued with accompanying guidance that listed a matrix of factors to consider as part of a credit risk assessment to meet the investment-grade standard or the safety and soundness standard. Bankers should benefit from reviewing this matrix as well as the following section, which shows examples of methodologies for analyzing a municipal bond and a corporate bond. The examples that follow are for informational purposes; banks are free, but not required, to use these due diligence templates. Individual securities may require different or a varying degree of analysis. Further, bank management has the flexibility and responsibility to design its own due diligence processes, techniques, and models that are best suited for their institution while meeting the OCC rule’s requirements.

The first example presents a framework that may satisfy the credit risk safety-and-soundness standard for a municipal bond. General obligation municipal bonds, and also revenue bonds held by well-capitalized banks, will not require an investment-grade determination, but they will need an initial credit assessment and ongoing reviews to ensure they satisfy safety and soundness standards. The corporate bond example in the second text box is a description of a framework that might be used to determine whether a corporate bond satisfies the investment-grade standard.

Municipal Bonds

Many municipal bonds held in bank portfolios share two characteristics with the majority of loans held in portfolio: they are not actively traded or publicly rated. That is, neither municipal bonds nor loans benefit from an efficient secondary market that provides timely price discovery (fair value) and independent, ongoing third party credit surveillance. Even for many rated municipal bonds, surveillance and the reassessment of assigned credit ratings are often not conducted on a timely basis.

Given these characteristics, it is important that management’s due diligence and monitoring process identify bonds with higher risk characteristics at the time of investment and during the holding period. Higher-risk bonds have characteristics that could potentially cause them to not meet credit quality safety-and-soundness standards. Examples of characteristics that have the potential for higher risk include:

  • Municipal category or type that has incurred historically high default rates, e.g., community development district bonds, Mello-Roos bonds (an alternative way for local municipalities in California to finance public improvements, including streets, sewer systems, and other infrastructure projects), sanitary improvement district bonds - all colloquially known as “dirt bonds”
  • Location in a state or geographic region suffering serious economic stress or stagnation
  • Poor vintage performance
  • Chronic budget issues
  • Illiquidity of the municipal obligor
  • Repeated late filings of financial statements or qualified audits
  • Unusually wide credit spreads (when there is an active secondary market)

Once a potentially higher-risk bond is identified, whether through monitoring of the existing portfolio or the pre-purchase review of a contemplated bond investment, management can apply more rigorous credit analysis and financial statement analysis as appropriate to develop a conclusion about its risk and suitability.

The table below depicts a straightforward example for measuring risk and determining if a general obligation bond has met its safety-and-soundness credit risk benchmark. A bank may find it beneficial to grade the bond as it grades commercial loans by assessing and scoring various factors. Cumulative scores could be generated by adding the specific scores given to each assessment factor.


Management could create a grading scale and identify the grading band where “Pass” bonds reside, that is, bonds that would satisfy safety-and-soundness standards. Scoring systems could be made more robust by weighting each factor and including qualitative factors, e.g., scoring for the reputation and operating performance of the municipality’s management. (A similar scoring system could be designed for securities requiring an investment-grade determination. Bonds with cumulative scores at or above a certain threshold would be deemed investment grade, thus permissible for purchase.)

Corporate Bonds

The credit analysis of corporate bonds is similar to the assessment of commercial term loans, as both instruments are paid from the obligor’s cash flow and can have repayment periods extending beyond one operating cycle. Such credit analysis attempts to determine the repayment capacity of the borrower; in other words, the potential for default risk. This approach is convenient given the new rule defines investment grade, in part, as a security where default risk is low. Therefore, it is anticipated that the due diligence and monitoring process for corporate bonds will be similar to the underwriting and monitoring of commercial loans. Plus, most banks have a lending staff that understands business financial statements, underwrites and assesses default risk using business financial statements, and is experienced in monitoring commercial entities.

Corporate bond analysis (as with all bond analysis) begins with understanding the terms of the bond. Examiners will expect bank management to be familiar with the indenture and prospectus which explains the bond’s characteristics including rate information, maturity, call or convertibility options, amortization or sinking fund features, and collateral information, if applicable. These documents should be part of the security due diligence documentation and available for examiner review.

Financial analysis of the corporate borrowing entity also considers ratio analysis that measures the level and trend of debt service coverage, liquidity, cash flow, leverage, and operating efficiency. Profitability, earnings prospects, and return on equity analyses can also provide longer-term analytical insight. Peer comparison can also add perspective to the comprehensive ratio analysis.

Management can further enhance the corporate bond review by performing an industry analysis. This requires an understanding of the industry’s outlook, life cycle, competitiveness, and other issues that could affect the corporation under review.

Finally, management will need to tie the analysis together to determine whether the credit risk profile of the obligor is suitable as an investment and meets the standards established by the investment policy. This process could mean using a scoring system similar to commercial loan grading, the municipal bond scoring matrix shown previously, or another methodology that is sufficiently robust and well documented.

Risk Management Practices

In addition to verifying the adequacy of bond due diligence and the progress in satisfying the OCC rule, examiners will also likely focus on related risk management practices. Examiners may seek answers to the following questions:

  • Are the bank’s revised policies consistent with the requirements of the new regulation?
  • Given the rule’s definition of the investment-grade standard, do bank policies establish criteria or benchmarks (by security type) that must be met to satisfy the investment-grade standard?
  • Are the due diligence procedures specified in the investment policy sufficiently comprehensive for the identification, measurement, and monitoring of credit risk?
  • Are credit risk limits reasonable?
  • Does management have sufficient in-house expertise to manage the investment portfolio’s credit risk?
  • Does management devote sufficient resources to managing the portfolio’s credit risk?
  • Do minutes of the investment committee or board meetings indicate that the directorate and management review and monitor portfolio credit risk?
  • Is credit risk accurately reported to the board?
  • Do the board and senior management understand the investment portfolio’s credit risk?
  • Are third-party relationships properly managed? Does management understand the third party’s credit risk methodology, confirm the third party’s methodology is sufficiently comprehensive, not permit the delegation of decision-making to the third party, and ensure the third party is independent from the securities dealer?
  • If the bank uses credit ratings by a NRSRO as one factor in determining whether prudential credit risk standards are being met, does management have a basic understanding of the methodologies the rating agencies use and the limitations of those methodologies?

Written policies should provide guidance on several of the issues raised by these questions. The depth and detail of the policies that guide credit risk management in the investment portfolio will vary among banks, contingent on the nature, scope, and complexity of the instruments held.


Financial institutions should have a process for determining whether their investment securities meet creditworthiness standards. This process cannot rely exclusively on credit agency ratings. The new rules became applicable for all existing and future bond holdings on January 1, 2013. Supervisors anticipate there will be a learning curve as bankers develop, modify, and enhance due diligence methodologies to meet regulatory expectations. Examiners will expect to see evidence of progress toward compliance with the rules during initial examination reviews.

Eric W. Reither
Senior Capital Markets Specialist
Division of Risk Management Supervision

The author acknowledges the valuable contributions made by several reviewers of this article with special thanks to William R. Baxter, Senior Policy Analyst; and Timothy P. Neeck, Senior Capital Markets Specialist.

1 Dodd-Frank Wall Street Reform and Consumer Protection Act, Section 939A (July 21, 2010).

2 77 Fed. Reg. 43151, 43153 (July 24, 2012) (amending 12 C.F.R. §§ 362.9 and 362.11).

3 Alternatives to the Use of External Credit Ratings in the Regulations of the OCC, 77 Fed. Reg. 35253 (June 13, 2012) (amending 12 C.F.R Parts 1, 16, 28, and 160 to remove references to credit ratings and nationally recognized statistical rating organizations (NRSROs) and replacing references to credit ratings with non-ratings based standards of creditworthiness where appropriate). Final rule available at The OCC concurrently published guidance with the final rule, Guidance on Due Diligence Requirements in Determining Whether Securities Are Eligible for Investment, which is available at

4 Part 362 of FDIC Rules and Regulations, Activities of Insured State Banks and Insured Savings Associations, implements Section 24 of the Federal Deposit Insurance Act, which generally prohibits insured state banks and their subsidiaries from engaging in activities and investments not permissible for national banks and their subsidiaries unless the FDIC determines that the activity would pose no significant risk to the Deposit Insurance Fund.

5 See Permissible Investments for Federal and State Savings Associations: Corporate Debt Securities, 77 Fed. Reg. 43151 (July 24, 2012) available at The FDIC also concurrently published guidance with the final rule, Guidance on Due Diligence: Requirements for Savings Associations in Determining Whether a Corporate Debt Security Is Eligible for Investment, available at

6 See Financial Institution Letter (FIL)-70-2004, Uniform Agreement on the Classification of Assets and Appraisal of Securities Held by Banks and Thrifts, issued June 15, 2004, at

7 See FIL-48-2012, Revised Standards of Creditworthiness for Investment Securities, issued November 16, 2012, at

8 Part 364 of the FDIC’s Rules and Regulations establishes safety and soundness standards for all insured state nonmember banks related to asset quality, credit risk, interest rate risk, and other types of risk.