risk-focused safety-and-soundness inspections section 2124

Risk-Focused Safety-and-Soundness InspectionsSection 2124.0

WHAT’S NEW IN THIS REVISEDSECTION

Effective January 2015, footnote 2 was revisedto include a reference to SR-14-4, “ExaminerLoan Sampling Requirements for State MemberBank and Credit Extending Nonbank Subsidi-aries of Banking Organizations with $10–$50Billion in Total Consolidated Assets.” This guid-ance within SR-14-4 supersedes the guidancewithin SR-94-13, “Loan Review Requirementsfor On-Site Examinations” for the specifiedbanking organizations.

2124.0.1 FULL-SCOPE INSPECTIONSAND TRANSACTION TESTING

Full-scope inspections under a risk-focusedapproach must be performed to fulfill the objec-tives of a full-scope inspection. Inspections canbe adjusted, depending on the circumstances ofthe banking organization being evaluated. At aminimum, full-scope inspections should includesufficient procedures to reach an informed judg-ment on the assigned ratings for the factorsaddressed by the bank holding companyRFI/C(D) rating system. The business of bank-ing is fundamentally predicated on taking risks,and the components of the supervisory ratingsystem are strongly influenced by risk exposure.Consequently, the procedures for full-scopeinspections focus to a large degree on assessingthe types and extent of risks to which a bankholding company and its subsidiaries areexposed, evaluating the organization’s methodsof managing and controlling its risk exposures,and ascertaining whether management anddirectors fully understand and are actively moni-toring the organization’s exposure to those risks.Given the Federal Reserve’s responsibilityfor ensuring compliance with banking lawsand regulations, inspections also include anappropriate level of compliance testing. (SeeSR-96-14.)

Historically, Federal Reserve examinationsand inspections have placed significant relianceon transaction-testing procedures. For exam-ple, to evaluate the adequacy of the credit-administration process, assess the quality ofloans, and ensure the adequacy of the allowancefor loan and lease losses (ALLL), a high per-centage of large loan amounts have traditionallybeen reviewed individually. Similarly, theassessment of the accuracy of regulatory report-ing often has involved extensive review of rec-

onciliations of a bank holding company’s gen-eral ledger to the FR Y-9C report and other FRY-series reports. Other similar procedures typi-cally have been completed to ascertain compli-ance with applicable laws and regulations, todetermine whether the banking and nonbanksubsidiaries are following their internal policiesand procedures and those of the bank holdingcompany, and to evaluate the adequacy of inter-nal control systems.

Transaction testing remains a reliable andessential inspection technique for assessing abanking organization’s condition and verifyingits adherence to internal policies, procedures,and controls. In a highly dynamic banking mar-ket, however, such testing is not sufficient forensuring continued safe and sound operations.As evolving financial instruments and marketshave enabled banking organizations to rapidlyreposition their portfolio risk exposures, peri-odic assessments of a banking organization’scondition, based on transaction testing alone,cannot keep pace with the moment-to-momentchanges occurring in financial risk profiles.

To ensure that banking organizations have inplace the processes necessary to identify, mea-sure, monitor, and control their risk exposures,inspections must focus more on evaluating theappropriateness of a very high degree of transac-tion testing. Under a risk-focused approach, thedegree of transaction testing should be reducedwhen internal risk-management processes aredetermined to be adequate or risks are consid-ered minimal. However, when an organization’srisk-management processes or internal controlsare considered inappropriate (such as when thereis an inadequate segregation of duties or whenon-site testing determines that such processes orcontrols are lacking), additional transaction test-ing sufficient to fully assess the degree of riskexposure in that function or activity must beperformed. In addition, if an examiner believesthat a banking organization’s management isbeing less than candid, has provided false ormisleading information, or has omitted materialinformation, then substantial on-site transactiontesting should be undertaken and appropriatefollow-up actions should be initiated, includingthe requirement of additional audit work andappropriate enforcement actions.

In most cases, full-scope inspections are con-ducted on or around a single date. This approachis appropriate for the vast majority of banking

BHC Supervision Manual January 2015

organizations supervised by the FederalReserve. However, as the largest banking orga-nizations have undergone considerable geo-graphic expansion and the range of their prod-ucts has become more diversified, coordinatingthe efforts of the large number of examinersnecessary to conduct inspections at a singlepoint in time has become more difficult. Toavoid causing undue burden on these bankingorganizations, full-scope inspections for manylarge companies are conducted over the courseof a year, rather than over a span of weeks, in aseries of targeted reviews focusing on one ortwo significant aspects of the bank holdingcompany’s operations. This approach to con-ducting full-scope inspections provides more-continuous supervisory contact with the largestbank holding companies and facilitatesimproved coordination of inspection efforts withother federal banking agencies. It also providesmore flexibility in the allocation of examinerresources, which has been especially importantas the complexity of banking markets and prod-ucts has increased and led to the development ofcadres of examiners with specialized skills.

2124.0.2 RISK-FOCUSEDINSPECTIONS

Developments in the business of banking haveincreased the range of banking activities, height-ening demands on examiner resources and mak-ing the need for examiners to effectively focustheir activities on areas of the greatest risk evenmore crucial. Improved in-office planning canresult in more efficient and effective on-siteinspections that are focused on risks particularto specific organizations of the bank holdingcompany. Such improved planning minimizessupervisory burden and provides for the closecoordination of the supervisory efforts of theFederal Reserve with those of the other stateand federal banking agencies. Improved plan-ning also allows information requests to be bet-ter tailored to the specific organizations.

2124.0.2.1 Risk Assessment

To focus procedures on the areas of greatestrisk, a risk assessment should be performedbefore on-site supervisory activities. The risk-assessment process highlights both the strengthsand vulnerabilities of a bank holding company

and provides a foundation from which to deter-mine the procedures to be conducted during aninspection. Risk assessments identify the finan-cial activities in which a banking organizationhas chosen to engage, determine the types andquantities of risks to which these activitiesexpose the organization, and consider the qual-ity of management and control of these risks. Atthe conclusion of the risk-assessment process, apreliminary supervisory strategy can be formu-lated for the bank holding company and itssubsidiaries and for each of their major activi-ties. Naturally, those activities that are mostsignificant to the organization’s risk profile orthat have inadequate risk-management processesor rudimentary internal controls represent thehighest risks and should undergo the most rigor-ous scrutiny and testing.

Identifying the significant activities of a bankholding company, including those activities con-ducted off-balance-sheet, should be the first stepin the risk-assessment process. These activitiesmay be identified through the review of priorbank examination and bank holding companyinspection reports and workpapers, surveillanceand monitoring reports generated by Board andReserve Bank staffs, Uniform Bank Perfor-mance Reports and Bank Holding CompanyPerformance Reports, regulatory reports (forexample, bank Call Reports and the FR Y-9Cand FFIEC 002 reports), and other relevant super-visory materials. When appropriate, the follow-ing information should be reviewed: strategicplans and budgets, internal management reports,board of directors information packages, corre-spondence and minutes of meetings between thebank holding company and the Reserve Bank,annual reports and quarterly SEC filings, pressreleases and published news stories, and stockanalysts’ reports. In addition, examiners shouldhold periodic discussions with management togain insight into their latest strategies or plansfor changes in activities or managementprocesses.

Once significant activities have been identi-fied, the types and quantities of risks to whichthese activities expose the bank holding com-pany should be determined. This allows examin-ers to identify high-risk areas that should beemphasized in conducting inspections. Thetypes of risk that may be encountered in bank-ing activities individually or in various combi-nations include, but are not limited to, credit,market, liquidity, operational, legal, and reputa-tional risks.1 For example, lending activities area primary source of credit and liquidity risks.

1. Appendix A defines these primary risk types.

Risk-Focused Safety-and-Soundness Inspections 2124.0


They may also present considerable market risk(if the bank holding company or its subsidiariesare originating mortgage loans for later resale),interest-rate risk (if fixed-rate loans are beinggranted), or legal risk (if loans are poorly docu-mented). Similarly, the asset-liability manage-ment function has traditionally been associatedwith exposures to interest-rate and liquidityrisks. Operational risks are also associated withmany of the transactions undertaken by thisfunction, and market risks are associated withthe investments and hedging instruments com-monly used by the asset-liability managementfunction. The quantity of risks associated with agiven activity may be indicated by the volumeof assets and off-balance-sheet items that theactivity represents or by the portion of revenuefor which the activity accounts. Activities thatare new to an organization or for which expo-sure is not readily quantified may also representhigh risks that should be evaluated duringinspections.

A number of analytical techniques may beused to estimate the quantity of risk exposure,depending on the activity or risk type beingevaluated. For example, to assess the quantity ofcredit risk in loans and commitments, the levelof past-due loans, internally classified or watchlist loans, nonperforming loans, and concentra-tions of credit exposure to particular industriesor geographic regions should be considered (seesection 2010.2). In addition, as part of theassessment of credit risk, the adequacy of theoverall ALLL can be evaluated by consideringtrends in past-due, special-mention, and classi-fied loans; historic charge-off levels; and thecoverage of nonperforming loans by the ALLL.Analytical techniques for gauging the exposureof a bank holding company and its subsidiariesto interest-rate risk, as part of the evaluation ofasset-liability management practices, caninclude a review of the historical performanceof net interest margins, as well as the results ofinternal projections of future earnings perfor-mance or net economic value under a variety ofplausible interest-rate scenarios. The measure-ment of the quantity of market risk arising fromtrading in cash and derivative instruments maytake into account the historic volatility of trad-ing revenues, the results of internal models cal-culating the level of capital and earnings at riskunder various market scenarios, and the marketvalue of contracts relative to their notionalamounts.

Once the types and quantities of risk in eachactivity have been identified, a preliminaryassessment of the banking organization’s pro-cess to identify, measure, monitor, and control

these risks should be completed. This evaluationshould be based on findings from previousexamination and inspection activities conductedby the Reserve Bank or other banking agencies,supplemented by the review of internal policiesand procedures, management reports, and otherdocuments that provide information on theextent and reliability of internal risk-management systems. Sound risk-managementprocesses vary from one banking organizationto another, but generally include four basic ele-ments for each individual financial activity orfunction and for the organization in aggregate.These elements are (1) active board and seniormanagement oversight; (2) adequate policies,procedures, and limits; (3) adequate risk-measurement, risk-monitoring, and managementinformation systems; and (4) comprehensiveinternal audits and controls. (See sections4070.1 (SR-95-51) and 4071.0 (SR-16-11).)

The preliminary evaluation of the risk-management process for each activity or func-tion also helps determine the extent of transac-tion testing that should be planned for each area.If the organization’s risk-management processappears appropriate and reliable, then a limitedamount of transaction testing may well suffice.If, on the other hand, the risk-management pro-cess appears inappropriate or inadequate to thetypes and quantities of risk in an activity orfunction, examiners should plan a much higherlevel of transaction testing. They should alsoplan to conduct the most testing in those areasthat comprise the most significant portions of abank holding company’s activities and, thus,typically represent high potential sources of risk.

2124.0.2.2 Preparation of a ScopeMemorandum

Once the inspection planning and risk-assessment processes are completed, a scopememorandum should be prepared. A scopememorandum provides a detailed summary ofthe supervisory strategy for a bank holding com-pany and assigns specific responsibilities toinspection team members. A scope memoran-dum should be tailored to the size and complex-ity of the bank holding company that is subjectto review, define the objectives of each inspec-tion, and generally include—


BHC Supervision Manual July 2016

1. a summary of the results of the priorinspection;

2. a summary of the strategy and significantactivities of the banking organization, includ-ing its new products and activities;

3. a description of the bank holding company’sorganization and management structure;

4. a summary of performance since the priorinspection;

5. a statement of the objectives of the currentinspection;

6. an overview of the activities and risks to beaddressed by the inspection; and

7. a description of the procedures that are to beperformed at the inspection.

For large complex organizations operating ina number of states or internationally, the plan-ning and risk-assessment processes are necessar-ily more complicated. The traditional scopememorandum may have to be broadened into amore extensive set of planning documents toreflect the unique requirements of complex bankholding companies. Examples of these planningdocuments include annual consolidated analy-ses, periodic risk assessments, and supervisoryplans.

2124.0.2.3 On-Site Procedures

The amount of review and transaction testingnecessary to evaluate particular functions oractivities of a bank holding company generallydepends on the quality of the process the com-pany uses to identify, measure, monitor, andcontrol the risks of an activity. When the risk-management process is considered sound, fur-ther procedures are limited to a relatively smallnumber of tests of the integrity of the manage-ment system. Once the integrity of the manage-ment system is verified through limited testing,conclusions on the extent of risks within thefunction or activity are drawn based on internalmanagement assessments of those risks ratherthan on the results of more-extensive transactiontesting by examiners. On the other hand, ifinitial inquiries into the risk-managementsystem—or efforts to verify the integrity of thesystem—raise material doubts as to the system’seffectiveness, no significant reliance should beplaced on the system. A more extensive seriesof tests should be undertaken to ensure that thebanking organization’s exposure to risk from agiven function or activity can be accurately

gauged and evaluated. More-extensive transac-tion testing is also generally completed foractivities that are much more significant to abank holding company than is completed forother areas, although the actual level of testingfor these significant activities may be reducedcommensurate with the quality of internal risk-management processes.

Consider, as an example, the risk exposureassociated with commercial lending activities.Traditionally, examiners have reviewed a rela-tively high number and dollar volume of realestate–associated loans.2 If, however, credit-administration practices are considered satisfac-tory, fewer loans may need be reviewed toverify that this is the case (that is, fewer loansthan would be reviewed if deficiencies in credit-administration practices were suspected). Thisreview may be achieved through a valid statisti-cal sampling technique, when appropriate. Itshould be noted that if credit-administrationpractices are initially considered sound, but ifloans reviewed to verify this raise doubts aboutthe accuracy of internal assessments or the com-pliance with internal policies and procedures,the number and volume of loans subject toreview should generally be expanded. Examin-ers should thus review a sufficient number ofloans in order to ensure that the level of risk isclearly understood, an accurate determination ofthe adequacy of the ALLL can be made, and thedeficiencies in the credit risk-management pro-cess can be comprehensively detailed.

2124.0.2.4 Evaluation of Audit Functionas Part of Assessment of Internal ControlStructure

A bank holding company’s internal controlstructure is critical to its safe and sound func-tioning in general and to its risk-managementsystem in particular. When properly structured,internal controls promote effective operationsand reliable financial and regulatory reporting;safeguard assets; and help to ensure compliancewith laws, regulations, and internal policies andprocedures. In many banking organizations,internal controls are tested by an independent

2. Guidance on the selection of loans for review is pro-vided in SR-94-13, “Loan Review Requirements for On-SiteExaminations.” The guidance within SR-94-13 is supersededby SR-14-4, “Examiner Loan Sampling Requirements forState Member Bank and Credit Extending Nonbank Subsidi-aries of Banking Organizations with $10–$50 Billion in TotalConsolidated Assets,” but only for these banking organiza-tions. SR-14-4 clarifies expectations for the assessment ofmaterial retail credit portfolios for these institutions (seeappendix 1 at section 2010.2.11).


BHC Supervision Manual July 2016

internal auditor who reports directly to the boardof directors or its audit committee. However, insome smaller banking organizations whose sizeand complexity of operations do not warrant aninternal audit department, reviews of internalcontrols may be conducted by other personnelindependent of the area subject to review.

Because the audit function is an integral partof a bank holding company’s assessment of itsinternal control system, examiners must includea review of the organization’s control-assessment activities in every inspection. Suchreviews help identify significant risks and facili-tate a comprehensive evaluation of the organiza-tion’s internal control structure and also provideinformation to determine the inspection proce-dures that should be completed in assessinginternal controls for particular functions andactivities and for the bank holding companyoverall. When conducting this review, examin-ers should evaluate the independence and com-petence of the personnel conducting controlassessments and the effectiveness of the assess-ment program in covering the bank holdingcompany’s significant activities and risks. Inaddition, examiners should meet with the inter-nal auditors or other personnel responsible forevaluating internal controls. Examiners shouldreview internal control risk assessments, workplans, reports, workpapers, and related commu-nications with the audit committee or board ofdirectors.

Depending on the size and complexity of theactivities conducted by a bank holding com-pany, the examiner should also consider con-ducting a similar review of the work performedby the company’s external auditors. Such areview often provides added insight into keyrisk areas by detailing the nature and extent ofthe external auditors’ testing of those areas.

2124.0.2.5 Evaluation of OverallRisk-Management Process

To highlight the importance of a banking organi-zation’s risk-management process, bank holdingcompanies are assigned a risk-management rat-ing on a five-point scale as a significant part ofthe evaluation of the management componentsof the bank holding company RFI/C(D) ratingsystem. (See section 4070.0.) In addition, U.S.branches and agencies of foreign banking orga-nizations are assigned a similar rating under theROCA rating system.3 These risk-management

ratings encompass evaluations of the quality ofrisk-management processes for all significantactivities and all types of risks. As such, theyshould largely summarize conclusions on theadequacy of risk-management processes foreach individual function or activity evaluated.

In assigning risk-management ratings, it isimportant that examiners consider the quality ofthe risk-management process for the bank hold-ing company overall, as well as for each indi-vidual function. At smaller bank holding compa-nies engaged in traditional banking andnonbanking activities, relatively basic risk-management processes established for each sig-nificant activity, such as lending or asset-liability management, may be adequate to allowsenior management to effectively manage theorganization’s overall risk profile. On the otherhand, at larger bank holding companies that aretypically engaged in more-complex and widelydiversified activities, effective risk-managementsystems must evaluate various functional man-agement processes in combination so that aggre-gate risk exposures can be identified and moni-tored by senior management. Managementinformation reports should typically be gener-ated for the overall organization, as well as forindividual functional areas. Some aggregate orspecific company-wide limits may also beneeded for the principal types of risks that arerelevant to the company’s activities.

A critical aspect of ensuring that a bank hold-ing company’s risk-management and controlprocedures remain adequate is the ongoing test-ing of the strength and integrity of these proce-dures and the extent to which the procedures areunderstood and followed throughout the organi-zation. When assigning a risk-management rat-ing, examiners should assess the adequacy ofthe company’s efforts to ensure that its proce-dures are being followed. The company’s vali-dation efforts must be conducted by individualswho have proper levels of organizational inde-pendence and expertise, such as internal orexternal auditors, internal risk-managementunits, or managers or other professionals of thebank holding company who have no direct con-nection to the activities for which proceduresare being assessed.

3. U.S. branches and agencies of foreign banking organiza-

tions are assigned separate ROCA ratings for risk manage-

ment, operational controls, compliance, and asset quality,

under guidance included in SR-00-14, ‘‘Enhancements to the

Interagency Program for Supervising the U.S. Operations of

Foreign Banking Organizations.’’



2124.0.2.6 Evaluation of Compliancewith Laws and Regulations

Compliance with relevant laws and regula-tions should be assessed at every inspection.The steps taken to complete these assessments,however, will vary depending on the circum-stances of the bank holding company beingreviewed. When an organization has a history ofsatisfactory compliance with relevant laws andregulations or an effective compliance function,only a relatively limited degree of transactiontesting need be conducted to assess compliance.For example, when evaluating compliance withthe appraisal requirements of Regulation Y at abank holding company with a formal compli-ance function, compliance may be ascertainedby reviewing the scope and findings of internaland external audit activities, evaluating theinternal appraisal-ordering and -review pro-cesses, and sampling a selection of appraisalsfor compliance, as part of the supervisory loan-review process. On the other hand, at bankholding companies that have a less satisfactorycompliance record or that lack a compliancefunction, more appraisals would naturally needto be tested to assess the overall compliancewith the appraisal requirements of Regulation Y.

2124.0.2.7 Documentation of SupervisoryFindings

The examiners’ workpaper documentation ofsupervisory findings is necessary for ReserveBank management to objectively verify theinspection work performed. Such documenta-tion also provides a source of information on thecondition and prospects of a bank holding com-pany that is invaluable for planning futurereviews. Most important, examiners’ workpaperdocumentation provides support for the conclu-sions and recommendations detailed in theinspection report.

2124.0.2.8 Communication ofSupervisory Findings

Effective and open communication betweenbank supervisory agencies and the board ofdirectors and management of bank holding com-panies is essential to ensuring that the results ofinspections are fully understood; the director-ship and management are aware of any identi-fied deficiencies; and, when necessary, they takeappropriate corrective actions.

2124.0.3 INSPECTION OBJECTIVES

1. To ensure that the bank holding company hasin place the processes necessary to identify,measure, monitor, and control its risk expo-sures for each of its activities or functions.

2. To improve inspection efficiencies by stress-ing increased in-office planning of inspec-tions, using a risk-focused emphasis.

3. To identify and assess significant on- andoff-balance-sheet activities and the greatesttypes and quantities of risk exposures andvulnerabilities to the bank holding company,tailoring the extent of transaction testing tothe results of this review and other inspec-tions’ findings.

4. To review and assess the effectiveness andadequacy of documentation of the bank hold-ing company’s control and assessment activi-ties and arrangements, including its internalcontrol structure, and the qualifications ofinternal and external auditors and other inde-pendent personnel involved in the program.

5. To emphasize the preparation of a risk-focused scope memorandum that is tailoredto the size and complexity of the bank hold-ing company under inspection.

6. To evaluate compliance with laws andregulations.

7. To adequately document and communicateinspection supervisory findings, recommen-dations, and conclusions.

2124.0.4 INSPECTION PROCEDURES

1. Identify the significant on- and off-balance-sheet activities of the bank holdingcompany.a. Review prior inspection reports and

workpapers, surveillance and monitoringreports generated by the Board andReserve Bank staff, Uniform Bank Per-formance Reports and Bank HoldingCompany Performance Reports, regula-tory reports (for example, bank CallReports and FR Y-series and otherFFIEC reports), and other relevant super-visory materials.

b. Review strategic plans and budgets;internal management reports; board ofdirectors information packages; corre-spondence and minutes, including min-utes of meetings held between the bankholding company and the Reserve Bank;annual reports and quarterly SEC filings;press releases and published newsstories; and stock analysts’ reports.



2. Hold periodic discussions with manage-ment to gain insight into recently adoptedstrategies or plans to change activities ormanagement processes.

3. Once the significant activities have beenidentified, determine and analyze the types(for example, credit, market, liquidity,operational, legal, and reputational) andquantities of risks to which those activitiesexpose the bank holding company, placinggreater inspection emphasis on the high-risk areas.

4. Develop an assessment of the processes thatare used to identify, measure, monitor, andcontrol the risks. Focus on the extent ofboard and senior management oversight;the adequacy of policies, procedures, limits,risk-measurement, risk-monitoring, andmanagement information systems; and theexistence of adequately documented inter-nal audits and controls.

5. Prepare a scope memorandum tailored tothe size and complexity of the bank holdingcompany under inspection.

6. Conduct limited tests of the integrity of therisk-management system. Conduct more-extensive transaction testing for those areasof a bank holding company that are verysignificant compared with other areas,adjusting the level of transaction testing tothe quality of internal risk-management pro-cesses. If initial inquiries or efforts to verifythe system raise material doubts as to itseffectiveness, place no reliance on the integ-rity of the bank holding company’s risk-management system and conduct more-extensive transaction testing.

7. Review the bank holding company’s risk-assessment control activities, including anassessment of internal controls for particu-lar functions and activities and for the bankholding company overall.a. Evaluate the independence and compe-

tence of the personnel conducting con-trol assessments and the effectiveness ofthe assessment program in covering thebank holding company’s significantactivities and risks.

b. Meet the independent external and inter-nal auditors and other personnel respon-sible for evaluating internal controls andreview the internal control risk assess-ments, work plans, reports, workpapers,and related communications with theaudit committee or the board ofdirectors.

8. Assess the adequacy of efforts to ensurethat the current risk-management and con-trol procedures are being followed.

9. Assess compliance with laws and regula-tions, adjusting the extent of transactiontesting with the organization’s history ofsatisfactory compliance.

10. Document all work performed and thesupervisory findings. Include informationon the condition and prospects of the bankholding company and its significant subsid-iaries, as well as the inspection’s conclu-sions and recommendations.

2124.0.5 APPENDIX A—DEFINITIONSOF RISK TYPES EVALUATED ATINSPECTIONS

1. Credit risk arises from the potential that aborrower or counterparty will fail to performon an obligation.

2. Market risk is the risk to a bank holdingcompany’s condition resulting from adversemovements in market rates or prices, such asinterest rates, foreign-exchange rates, orequity prices.

3. Liquidity risk is the potential that a bankholding company will be unable to meet itsobligations as they come due because of aninability to liquidate assets or obtainadequate funding (referred to as ‘‘fundingliquidity risk’’) or that it cannot easilyunwind or offset specific exposures withoutsignificantly lowering market prices becauseof inadequate market depth or market disrup-tions (‘‘market liquidity risk’’).

4. Operational risk arises from the potentialthat inadequate information systems, opera-tional problems, breaches in internal con-trols, fraud, or unforeseen catastrophes willresult in unexpected losses.

5. Legal risk arises from the potential that unen-forceable contracts, lawsuits, or adversejudgments can disrupt or otherwise nega-tively affect the operations or condition of abank holding company.

6. Reputational risk is the potential that nega-tive publicity on a bank holding company’sbusiness practices, whether true or not, willcause a decline in the customer base, costlylitigation, or revenue reductions.



Risk-Focused Supervision Framework for LargeComplex Banking Organizations Section 2124.01


Effective January 2016, this section was revisedto (1) include an additional risk-focused super-visory letter to the listing in appendix A (SR-07-1) and (2) remove an inactive SR letter fromappendix A (SR-99-18).

2124.01.1 INSPECTION APPROACHFOR RISK-FOCUSED SUPERVISION

The inspection approach for large complexbanking organizations (LCBOs) is a risk-focused process that relies on (1) an understand-ing of the banking organization1 (the institu-tion), (2) the performance of risk assessments,(3) the development of a supervisory plan, and(4) inspection procedures that are tailored to therisk profile. The process for a complex institu-tion relies more heavily on a central point ofcontact (CPC), detailed risk assessments, and asupervisory plan before the on-site inspection.The risk-focused inspection also incorporatesthe U.S. operations of foreign banking organiza-tions (FBOs), for which the Federal Reserve hasoverall supervisory authority. See SR-12-17,SR-97-24, and section 2124.05.

2124.01.1.1 Risk-Focused SupervisoryObjectives

The Federal Reserve is committed to ensuringthat the supervisory process for all bankingorganizations under its purview meets the fol-lowing objectives:

1. To provide flexible and responsive supervi-sion. The supervisory process is designed tobe dynamic and forward-looking so that itresponds to technological advances, productinnovation, and new risk-managementsystems and techniques, as well as tochanges in the condition of an individualfinancial institution and developments in themarket.

2. To foster consistency, coordination, and communication among the appropriate supervi-sors. Seamless supervision, which reducesregulatory burden and duplication, is pro-moted. The supervisory process uses exam-iner resources effectively by using the institu-tion’s internal and external risk-assessmentand risk-monitoring systems; making appro-priate use of joint and alternating examina-tions and inspections; and tailoring supervi-sory activities to an institution’s condition,risk profile, and unique characteristics.

3. To promote safety and soundness. Thesupervisory process effectively evaluates thesafety and soundness of banking organiza-tions, including the assessment of risk-management systems, financial condition,and compliance with laws and regulations.

4. To provide a comprehensive assessment ofthe institution. The supervisory process inte-grates specialty areas (for example, informa-tion technology systems, trust, capitalmarkets, and consumer compliance (seeSR-03-22/CA-03-15)) and functional riskassessments and reviews, in cooperation withinterested supervisors, into a comprehensiveassessment of the institution.

2124.01.1.2 Key Elements of theRisk-Focused Framework

To meet the established objectives and respondto the characteristics of large institutions, theframework for risk-focused supervision of largecomplex institutions contains the following keyelements:

1. Designation of a central point of contact.Large institutions typically have operationsin several jurisdictions, multiple charters, anddiverse product lines. Consequently, the pro-gram requires that a CPC be designated foreach institution to facilitate coordination andcommunication among the principal bankand other regulatory authorities (for exam-ple, securities, insurance, and other nonbank-ing supervisory entities). Further, the pro-gram requires that each CPC and LCBO beassigned a dedicated supervisory team andstaff with specialized skills, knowledge, andexperience tailored to the unique profile of aparticular institution.

1. For this section, the term banking organization refers tobank holding companies (BHCs) and their domestic and for-eign banking and nonbank subsidiaries. It is used synono-mously with the term institutions. That term, however, has aneven broader meaning since it may include other entities (forexample, Edge Act corporations and foreign branches of statemember banks). See section 2124.01.1.3.1.

BHC Supervision Manual January 2016Page 1

2. Review of functional activities. Large institu-tions are generally structured along businesslines or functions, and some activities aremanaged on a centralized basis. As a result, asingle type of risk may cross several legalentities. Therefore, the supervisory programincorporates assessments along functionallines to evaluate risk exposure and its impacton safety and soundness. These functionalreviews will be integrated into the riskassessments for specific legal entities andused to support the supervisory ratings forindividual legal entities.2

3. Focus on risk-management processes. Largeinstitutions generally have highly developedrisk-management systems, such as internalaudit, loan review, and compliance. Thesupervisory program emphasizes each insti-tution’s responsibility to be the principalsource for detecting and deterring abusiveand unsound practices through adequateinternal controls and operating procedures.The program incorporates an approach thatfocuses on and evaluates the institution’srisk-management systems, processes, andcore proficiencies for identifying, measur-ing, monitoring, and controlling key risks,including credit, market, and operationalrisks. Yet, the program retains transactiontesting and supervisory rating systems, suchas CAMELS, RFI/C(D), and ROCA. Thisdiagnostic perspective provides insight intohow effectively an institution is managingits operations and how well it is positionedto meet future business challenges. The pro-gram places less emphasis on traditional‘‘point-in-time’’ balance-sheet assessments.

4. Tailoring of supervisory activities. Largeinstitutions are unique, but all possess theability to quickly change their risk profiles.To deliver effective supervision, the pro-gram incorporates an approach that tailorssupervisory activities to the risk profile ofan institution. By concentrating on an insti-tution’s major risk areas, examiners canachieve a more relevant and penetrating un-derstanding of the institution’s condition.

5. Review of internally and externally gener-ated management information. A review of

internal management and board reports,internal and external audit reports, andpublicly available information will furthersupplement existing supervisory processes.Banking organizations are also encouragedto continually review and enhance theirpublic disclosures in order to promotetransparency and to foster and supportsupervisory processes and effective marketdiscipline.

6. Emphasis on ongoing supervision. Largeinstitutions face a rapidly changing environ-ment. The supervisory program thus empha-sizes ongoing supervision, monitoring, andassessment through increased planning; a no-less-than-quarterly reassessment of the orga-nization’s profile; and continuous off-sitemonitoring. Ongoing supervision allows fortimely adjustments to the supervisory strat-egy as conditions change within the institu-tion, enhanced information sharing System-wide and on an interagency basis, and theuse of information technology platforms thatfoster more-effective collaboration andcommunication.

7. Effective communication with management.An effective program of regular and mean-ingful contacts with management is neces-sary to maintain a current understanding ofthe institution’s risk profile and risk-management processes without imposingundue burden, interfering with legitimatemanagement prerogatives, or compromisingthe objectivity of the supervisory process.

2124.01.1.3 Banking OrganizationsCovered by the Framework

For purposes of the risk-focused supervisionframework, LCBOs generally have a functional-management structure, a broad array of prod-ucts, and operations that span multiple supervi-sory jurisdictions.3 These institutions may bestate member banks, BHCs (including their non-bank and foreign subsidiaries), savings and loanholding companies, and branches and agenciesof FBOs. The complex-institution process mayalso be appropriate for some organizations.

LCBOs are larger institutions that have par-ticularly complex operations and dynamic riskprofiles. To be effective, a supervisory program

2. When functions are located entirely in legal entities thatare not primarily supervised by the Federal Reserve, theresults of supervisory activities conducted by the primaryregulator will be used to the extent possible to avoid duplica-tion of activities.

3. Large institutions are defined differently in other regula-tory guidance regarding regulatory reports and examinationmandates.

Risk-Focused Supervision Framework for Large Complex Banking Organizations 2124.01


for LCBOs requires a heightened level of plan-ning, coordination, and innovative techniques.These organizations typically have significanton- and off-balance-sheet risk exposures, offer abroad range of products and services at thedomestic and international levels, are subject tomultiple supervisors in the United States andabroad, and participate extensively in large-value payment and settlement systems.

An important aspect of the LCBO program isthe assessment and evaluation of banking prac-tices across a group of institutions with similarbusiness lines, characteristics, and risk profiles.This ‘‘portfolio’’ approach to supervision will(1) support and enhance timely judgments aboutindividual institutions, including the identifica-tion of possible ‘‘outliers’’; (2) facilitate peer-group assessments; (3) provide an improvedframework for discerning industry trends;(4) foster more-consistent supervision of institu-tions with similar businesses and risk profiles;(5) contribute substantially to the maintenanceof a highly informed and skilled supervisorystaff; and (6) promote the development and shar-ing of the best supervisory practices within theFederal Reserve and the supervisory communitymore broadly.

2124.01.1.3.1 Foreign Institutions

U.S. supervisory authorities are host-countryrather than home-country supervisors for mostof the U.S. operations of FBOs; therefore, thesupervisory focus and objectives are somewhatdifferent for U.S. operations of FBOs and areaddressed separately in the FBO supervisionprogram. The desired result of a risk-focusedexamination process, however, should be thesame. The framework encompasses the supervi-sion and examination processes and proceduresrelevant to the U.S. operations of FBOs, to theextent that they are appropriate. Any significantremaining differences are incorporated in theFBO supervision program.

2124.01.1.3.2 Nonbank Subsidiaries ofDomestic Institutions

Nonbank subsidiaries of large complex domes-tic institutions are covered by the risk-focusedsupervision program. These subsidiaries include(1) nonbank subsidiaries of the parent bankholding company and those of the subsidiarystate member banks; (2) the significant branchoperations, primarily foreign-branch operations,

of state member banks; and (3) subsidiary for-eign banks of the holding company. The level ofsupervisory activity to be conducted for non-bank subsidiaries and foreign branches and sub-sidiaries of domestic institutions should bebased on their individual risk levels relative tothe consolidated organization. The risk associ-ated with significant nonbank subsidiaries orbranches should be identified as part of theconsolidated risk-assessment planning process,and the appropriate level of supervisory cover-age (whether on- or off-site) should be describedin the supervisory plan for the organization.Risk-focused supervisory planning should usethe workpaper ‘‘Nonbank Subsidiary of a BankHolding Company Risk-Assessment Question-naire’’ (see appendix B). It should be used as aguide for (1) determining whether a nonbanksubsidiary poses significant risk to the entireLCBO (parent bank holding company) and(2) determining whether an on-site supervisoryinspection or examination of the entity isneeded.4 The supervisory plan for the organiza-tion should also include a review of the institu-tion’s processes to ensure compliance with sec-tions 23A and 23B of the Federal Reserve Act,Regulation W, and various other regulations andguidelines that govern transactions between thebank and nonbank affiliates.

2124.01.1.3.3 Edge Act Corporations

Under section 25A, paragraph 17, of the FederalReserve Act, Edge Act corporations are subjectto examination once a year and at such othertimes as deemed necessary by the FederalReserve. While Reserve Banks must fulfill thislegal mandate, there is flexibility in determiningthe extent of examination coverage. The scopeof Edge Act corporation examinations should bedetermined through the risk-assessment process.Additionally, separate reports of examinationare not required for Edge Act corporations, pro-vided that all relevant findings are included inthe consolidated report of examination of the

4. When this workpaper is used, a separate risk assessmentof each nonbank subsidiary of the LCBO (for domestic bankholding companies) is not required. The separate-risk-assessment requirements of SR-93-19 are thus partially super-seded for LCBOs. Nonbank subsidiary risk assessmentsshould be reflected in the entire consolidated organization’srisk assessment.



parent bank.5 This reporting procedure alsoapplies to other nonbank subsidiaries of thebank or bank holding company.

2124.01.1.3.4 Specialty Areas Covered bythe Framework

The Federal Reserve regularly conducts exami-nations, inspections, or reviews of several spe-cialty areas. To achieve more-efficient supervi-sion and reduce the regulatory burden oninstitutions, steps have been taken to coordinatethese reviews with the annual full-scope inspec-tion of the consolidated organization. Under therisk-focused approach, the specialty areasshould be included in the planning process inrelation to the perceived level of risk to theconsolidated organization or any state memberbank subsidiary. Reviews of any specialty areascan be performed in conjunction with the annualfull-scope inspection, or through targetedexaminations or inspections, at any time duringthe supervisory cycle. The findings of all spe-cialty reviews should be included in the inspec-tion report for the consolidated organization.

2124.01.2 COORDINATION OFSUPERVISORY ACTIVITIES

Many large complex institutions have interstateoperations that expand with the continuation ofmergers and acquisitions. In this environment,close cooperation with the other federal andstate banking agencies is critical. To facilitatecoordination between the Federal Reserve andother regulators, district Reserve Banks havebeen assigned roles and responsibilities thatreflect their status as the responsible ReserveBank (RRB).

2124.01.2.1 Responsible Reserve Bank

The RRB facilitates the increased flexibility,planning, and coordination needed to effectivelyand efficiently supervise institutions with inter-state operations. Considering the overriding

objectives of seamless risk-focused supervision,the RRB is responsible for designating the CPCand for ensuring that all aspects of the supervi-sory process are fully coordinated with LRBsand home-state supervisors. Close coordinationamong the other appropriate regulators for eachorganization is critical to ensure a consistentrisk-focused approach to supervision.

2124.01.2.2 RRBs Working with LocalReserve Banks

The RRB is accountable for all aspects of thesupervision of a fully consolidated bankingorganization, which includes the supervision ofall the organization’s subsidiaries and affiliates(domestic, foreign, and Edge corporations) forwhich the Federal Reserve has supervisory over-sight responsibility. The RRB is generallyexpected to work with local Reserve Banks(LRBs) in conducting examinations (and inspec-tions) and other supervisory activities, particu-larly where significant banking operations areconducted in a local District. Thus, for statemember banks, the LRB has an important rolein the supervision of that subsidiary. However,the RRB retains authority and accountability forthe results of all examinations, inspections, andreviews that an LRB may perform on its behalf.

2124.01.2.2.1 RRB Defined

In general, the RRB for a banking organizationhas been the Reserve Bank in the District wherethe banking operations of the organization areprincipally conducted. For domestic bankingorganizations, the RRB typically will be theReserve Bank District where the head office ofthe top-tier organization is located and where itsoverall strategic direction is established andoverseen. For foreign banking organizations, theRRB typically will be the Reserve Bank Districtwhere the Federal Reserve has the most directinvolvement in the day-to-day supervision ofthe U.S. banking operations of the organization.

When necessary, the Board’s Division ofBanking Supervision and Regulation (BS&R),in consultation with the Division of Consumerand Community Affairs (C&CA), may desig-nate an RRB when the general principles setforth above could impede the ability of theFederal Reserve to perform its functions underlaw, do not result in an efficient allocation ofsupervisory resources, or are otherwise notappropriate. When more than one Reserve Bankcurrently shares supervisory responsibilities for

5. A separate memorandum to the file should be preparedand retained. The memorandum should provide the date ofexamination of the Edge Act corporation, a summary offindings, the rating assigned, and a reference to the consoli-dated report of examination. This information should also beforwarded to Federal Reserve Board staff.



a consolidated banking organization, Board staffwill work with Reserve Bank staff to determinethe RRB.

2124.01.2.2.2 Duties of RRBs

The RRB develops the consolidated risk assess-ment and supervisory plan and ensures that thescope and timing of planned activities con-ducted by participating Districts and agenciespursuant to the plan are appropriate, given theconsolidated risk assessment. The RRB desig-nates the central point of contact or lead exam-iner and ensures that all safety-and-soundness,information technology, trust, consumer compli-ance, Community Reinvestment Act (CRA), andother specialty examinations (and inspections)and visitations are conducted and appropriatelycoordinated within the System and with otherregulators. In addition, the RRB manages allformal communications with the foreign anddomestic supervised entity, including the com-munication of supervisory assessments, ratings,and remedial actions.6

2124.01.2.2.3 Sharing of RRB Duties

To take advantage of opportunities to enhancesupervisory effectiveness or efficiency, an RRBis encouraged to arrange for the LRB to under-take on its behalf certain examinations or othersupervisory activities. For example, a local Dis-trict may have relationships with local represen-tatives of the organization or local supervisors;leveraging these relationships may reduce cotsor facilitate communication. Additionally, LRBsmay provide specialty examination resources—in the case of CRA examinations, LRB staffoften provide valuable insights into local com-munities and lending institutions that should befactored into the CRA assessment. When otherReserve Bank Districts conduct examinations,inspections, and other supervisory activities forthe RRB, substantial reliance should be placedon the conclusions and ratings recommended bythe participating Reserve Bank(s).

The RRB retains authority and accountabilityfor the results of all examinations and reviewsperformed on its behalf and, therefore, mustwork closely with LRB examination teams toensure that examination scopes and conclusions

are consistent with the supervisory approachand message applied across the consolidatedorganization. If an LRB identifies major issuesin the course of directly conducting supervisoryactivities on behalf of an RRB, those issuesshould be brought to the attention of the RRB ina timely manner.

If an RRB arranges for an LRB to conductsupervisory activities on its behalf, the LRB isresponsible for the costs of performing theactivities. If the LRB is unable to fulfill therequest from the RRB to perform the specifiedactivities, the RRB should seek System assis-tance, if needed, by contacting Board staff orusing other established procedures for coordi-nating resources.

2124.01.2.3 Central Point of Contact

A CPC is critical to fulfilling the objectives ofseamless risk-focused supervision. The RRBshould designate a CPC for each large complexinstitution it supervises. Generally, all FederalReserve System contacts, activities, and duties,as well as those conducted with other supervi-sors, should be coordinated through this contact.The CPC should—

1. be knowledgeable, on an ongoing basis,about the institution’s financial condition,management structure, strategic plan anddirection, and overall operations;

2. remain up-to-date on the condition of theassigned institution and be knowledgeableregarding all supervisory activities, monitor-ing and surveillance information, applica-tions issues, capital-markets activities, meet-ings with management, and enforcementissues, if applicable;

3. ensure that the objectives of seamless risk-focused supervision are achieved for eachinstitution and that the supervisory products(that is, an institutional overview, a riskmatrix, a risk assessment, a supervisory plan,an inspection program, a scope memoran-dum, inspection modules, and an inspectionreport) are prepared in a timely manner;

4. ensure appropriate follow-up and tracking ofsupervisory concerns, corrective actions, orother matters that come to light throughongoing communications and/or surveil-lance; and

5. participate in the inspection or examinationprocess, as needed, to (1) ensure consistency6. Additional guidance on inter-District coordination and

supervisory responsibilities can be found in section 2124.04;SR-97-24, ‘‘Risk-Focused Framework for Supervision ofLarge Complex Institutions’’; and SR-96-33, ‘‘State/FederalProtocol and Nationwide Supervisory Agreement.’’



with the institution’s supervisory plan andeffective allocation of resources, includingcoordination of on-site efforts with specialtyexamination areas and other supervisors, asappropriate, and (2) facilitate requests forinformation from the institution, whereverpossible.

2124.01.2.4 Sharing of Information

To further promote seamless risk-focusedsupervision, information related to a specificinstitution should be provided, as appropriate, toother interested supervisors. Sharing of theseproducts with the institution, however, shouldbe carefully evaluated on a case-by-case basis.The institutional overview, risk assessment, andsupervisory plan may not be appropriate forrelease if they contain a hypothesis about aninstitution’s risk rather than assessments veri-fied through the inspection or examination pro-cess. On the other hand, it may be appropriate toshare the inspection program with the institutionin the interest of better coordination of activities.

2124.01.2.5 Coordination with OtherSupervisors

Section 305 of the Riegle Community Develop-ment and Regulatory Improvement Act of 1994directed the agencies to coordinate their exami-nations, to the extent possible, when they arejointly responsible for the examination of vari-ous entities of a bank holding company.7 Tohelp achieve the desired degree of coordination,staffs of the agencies are expected, primarily atthe regional level, to discuss examination plansand coordination issues. The institution involvedis to be kept fully informed of the coordinatedactivities planned by the agencies, including ageneral time frame of when each agency expectsto conduct its examination activities.

2124.01.3 FUNCTIONAL APPROACHAND TARGETED INSPECTIONS

The framework for risk-focused supervision oflarge complex institutions relies more heavily

on a functional-business-line approach to super-vising institutions, while effectively integratingthe functional approach into the legal-entityassessment. Bank holding companies areincreasingly being managed on a functionalbasis. Functional management allows organiza-tions to take advantage of the synergies amongtheir components, deliver better products to themarket, and provide higher returns to stockhold-ers. Virtually all of the large bank holdingcompanies operate as integrated units and aremanaged as such. For these companies, the risk-management systems are generally organizedalong business lines on a centralized basis. Akey implication of this shift in managementstructure is that much of the information andinsight gathered on inspections and examina-tions of individual legal entities can be fullyunderstood only in the context of examinationfindings of other related legal entities or central-ized functions. Developing that understandingmeans adapting some of the same functional-business-line approaches to supervision, includ-ing examination processes. Consequently, therisk-focused supervision framework incorpo-rates risk assessments, that is, inspection andexamination procedures that are organized byfunction.

The functional approach focuses principallyon the key business activities (for example,lending, treasury, retail banking) rather thanreviewing the legal entity and its balance sheet.This does not mean that the responsibility for alegal-entity assessment is ignored, nor shouldthe Federal Reserve perform examinations ofinstitutions for which other regulators have pri-mary supervisory responsibility.8 Rather, Fed-eral Reserve examiners should integrate thefindings of a functional review into the legal-entity assessment and should coordinate closelywith the primary regulator to gather sufficientinformation to form an assessment of the con-solidated organization. Nonetheless, in somecases, effective supervision of the consolidatedorganization may require Federal Reserve exam-iners to perform process reviews and, possibly,transaction testing at all levels of theorganization.

Functional-risk-focused supervision is to beachieved by the following actions:

7. In a December 1996 letter to the House Committee onBanking and Financial Services, the agencies outlined theircooperative efforts to meet the objectives of section 305.

8. With respect to U.S. banks owned by FBOs, it is particu-larly important to review the U.S. bank on a legal-entity basisand also the risk exposure to the U.S. bank from its parentforeign bank, as U.S. supervisory authorities do not superviseor regulate the parent bank.



1. Planning and conducting joint inspectionsand examinations with the primary regulatorin areas of mutual interest, such as nonde-posit investment products, interest-rate risk,liquidity, and mergers and acquisitions.

2. Leveraging off, or working from, the workperformed by the primary regulator and thework performed by the institution’s internaland external auditors by reviewing and usingtheir workpapers and conclusions to avoidduplication of effort and to lessen the burdenon the institution.

3. Reviewing inspection and examinationreports and other communications to theinstitution that were issued by othersupervisors.

4. Conducting a series of functional reviews ortargeted inspections or examinations of busi-ness lines, relevant risk areas, or areas ofsignificant supervisory concern during thesupervisory cycle.9 Functional reviews andtargeted inspections or examinations areincreasingly necessary to evaluate the rel-evant risk exposure of a large complex insti-tution and the effectiveness of related risk-management systems.

The relevant findings of functional reviews ortargeted inspections and examinations should behandled as outlined below.

1. Incorporated into the annual full-scopeinspection. In this context, a full-scopeinspection involves the analysis of data suffi-cient to determine the safety and soundnessof the institution and to assign supervisoryratings. The inspection or examination proce-dures required to arrive at those determina-tions do not necessarily have to be performedat the time of the annual inspection; they canbe a product of the collective activities per-formed throughout the supervisory cycle.However, inspection procedures shouldinclude follow-up for deficiencies noted infunctional reviews or targeted inspectionsand examinations.

2. Conveyed to the institution’s managementduring a close-out or exit meeting with therelevant area’s line management. The needto communicate the findings to senior man-agement or the board of directors is left tothe judgment of Reserve Bank management,based on the significance of the findings.

3. Communicated in a formal written report tothe institution’s management or board ofdirectors when significant weaknesses aredetected or when the findings result in adowngrade of any rating component. Other-wise, the vehicle for communicating theresults is left to the judgment of the ReserveBank’s management and may either be aformal report or a supervisory letter.10

The functional approach to risk assessmentsand the planning of supervisory activities shouldinclude a review of the parent company and itssignificant nonbank subsidiaries. However, it isanticipated that the level of supervisory activi-ties, on- or off-site, will be appropriate to therisk profile of the parent company or its non-bank subsidiary in relation to the consolidatedorganization. Intercompany transactions shouldcontinue to be reviewed as part of the inspectionprocedures performed, to ensure that they com-ply with laws and regulations and do not posesafety-and-soundness concerns.

2124.01.4 OVERVIEW OF THEPROCESS AND PRODUCTS

The risk-focused methodology for the supervi-sion program for large complex institutionsreflects a continuous and dynamic process. Astable 1 indicates, the methodology consists ofsix key steps, each of which uses certain writtenproducts to facilitate communication andcoordination.

9. A supervisory cycle is the period of time from the closeof one annual examination to the close of the followingannual examination.

10. As discussed in SR-99-17, it is Federal Reserve Sys-tem practice to update RFI/C(D) ratings between inspectionsto keep them current and to ensure that they reflect the latestinformation on the institution’s financial condition. For statemember banks, Reserve Banks are to refrain from revisingCAMELS ratings based on off-site analysis in view of theemphasis being placed on the CAMELS ratings for imple-menting risk-based insurance assessments and other supervi-sory initiatives. In accordance with SR-99-17 (see also section5010.4), Reserve Banks should notify the institution’s man-agement whenever the rating is changed as a result of off-siteanalysis.



Table 1—Steps and Products Involved inthe Risk-Focused Supervision Process

Steps Products*

1. Understandingthe institution

1. Institutional overview

2. Assessing theinstitution’s risk

2. Risk matrix3. Risk assessment

3. Planning andschedulingsupervisoryactivities

4. Supervisory plan5. Inspection/examination

program

4. Defininginspectionactivities

6. Scope memorandum7. Entry letter

5. Performinginspectionprocedures

8. Functional-inspectionmodules

6. Reporting thefindings

9. Inspection report(s)

* For examples of products 1 through 8, see appendixes Dthrough K of the Federal Reserve’s handbook ‘‘Frameworkfor Risk-Focused Supervision of Large, Complex Institu-tions,’’ referred to in SR-97-24. See also appendix B, the bankholding company nonbank subsidiary risk-assessment ques-tionnaire, which is discussed in section 2124.01.1.3.2.

With the exception of the entry letter, thewritten products associated with steps 1 through4 are designed to sharpen the supervisory focuson an institution’s business activities that posethe greatest risk, as well as to assess theadequacy of the institution’s risk-managementsystems to identify, measure, monitor, and con-trol risks. The products should be revised asnew information is received from such sourcesas the current inspection, recent targeted inspec-tions and examinations, and periodic reviews ofregulatory reports.

The focus of the products should be on fullyachieving a risk-focused, seamless, and coordi-nated supervisory process. The content and for-mat of the products are flexible and should beadapted to correspond to the supervisory prac-tices of the agencies involved and to the struc-ture and complexity of the institution.

2124.01.5 UNDERSTANDING THEINSTITUTION

The starting point for risk-focused supervisionis developing an understanding of the institu-tion. This step is critical to tailoring the supervi-

sion program to meet the characteristics of theorganization and to adjusting that program onan ongoing basis as circumstances change. It isalso essential to clearly understand the FederalReserve’s supervisory role in relation to an insti-tution and its affiliates. For example, the FederalReserve’s role pertaining to an FBO will varydepending on whether the Federal Reserve isthe home- or host-country supervisor for theparticular legal entity. Thus, planning and moni-toring are key components.

Through increased emphasis on planning andmonitoring, supervisory activities can focus onthe significant risks to the institution and onrelated supervisory concerns. Given the techno-logical and market developments within thefinancial sector and the speed with which aninstitution’s financial condition and risk profilecan change, it is critical to keep abreast ofevents and changes in risk exposure and strat-egy. The CPC for each large complex institutionshould continuously review certain informationand prepare an institutional overview that willcommunicate the contact’s understanding of thatinstitution.

2124.01.5.1 Sources of Information

Information generated by the Federal Reserve,other supervisors, the institution, and publicorganizations may assist the CPC in formingand maintaining an ongoing understanding ofthe institution’s risk profile and current condi-tion. For example, the Federal Reserve main-tains a significant amount of financial and struc-ture information in various automated databases.In addition, prior inspection and examinationreports are excellent sources of informationregarding previously identified problems.

Each Reserve Bank has various surveillancereports that identify outliers when an institutionis compared with its peer group. The BankHolding Company Performance Report and theUniform Bank Performance Report may iden-tify significant deviations in performance rela-tive to institutions’ peer groups, currently andbetween the inspections and examinations ofthose institutions. For branches and agencies,state member banks, and domestic bank holdingcompanies that are part of FBOs, the strength-of-support assessment (SOSA) rating and rel-evant credit assessments from major ratingagencies provide information that needs to beconsidered in developing an appropriate super-visory strategy. For FBOs, the Federal Reservehas developed automated systems that provideinformation on foreign financial systems, for-



eign accounting standards, and the financial per-formance of FBOs with U.S. operations.

Leveraging off the work, knowledge, andconclusions of other supervisors is of keyimportance to understanding a large complexorganization. Ongoing contact and the exchangeof information with other supervisors who haveresponsibilities for a given institution may pro-vide insights that cannot be obtained from othersources. Additional information can be obtainedfrom examination reports issued by other super-visors and from their databases, for example,the OCC’s Supervisory Monitoring System(SMS) and the FDIC’s Bank Information Track-ing System (BITS).

Using information generated by the institu-tion’s management information systemimproves the supervisory process. It provides anefficient way to reduce on-site time, identifyemerging trends, and remain informed about theactivities of the institution and financial mar-kets. Information that may be periodicallyreviewed by the contact includes the size andcomposition of intra-day balance sheets, inter-nal risk-ratings of loans, internal limits and cur-rent risk measures regarding trading activities,and internal limits and measures covering theinstitution’s interest-rate and market risk. Addi-tionally, functional-organization charts reflect-ing the major lines of business across legalentities, changes to the organization’s strategicplan, and information provided to the board ofdirectors and management committees shouldbe reviewed.

The CPC should also hold periodic discus-sions with the institution’s management tocover, among other topics, credit-market condi-tions, new products, divestitures, mergers andacquisitions, and the results of any recentlycompleted internal and external audits. Whenother agencies have supervisory responsibilitiesfor the organization, joint meetings should beconsidered.

Publicly available information may provideadditional insight into an institution’s condition.This information may be particularly valuable inassessing an organization’s ability to raise capi-tal. Public sources of information include SECreports, press releases, and analyses by privaterating agencies and by securities dealers andunderwriters.

2124.01.5.2 Preparation of theInstitutional Overview

The institutional overview should provide anexecutive summary that communicates, in one

concise document, information demonstratingan understanding of the institution’s presentcondition and its current and prospective riskprofiles. The overview should also highlight keyissues and past supervisory findings. Generaltypes of information that may be valuable topresent in the overview are listed below: 10a

1. a brief description of the organizationalstructure (with comments on the legal andbusiness units) and changes through merger,acquisition, divestitures, consolidation, orcharter conversion since the prior review

2. a summary of the organization’s businessstrategies, key business lines, product mix,marketing emphasis, growth areas, acquisi-tion or divestiture plans, and new productsintroduced since the prior review

3. key issues for the organization, either fromexternal or internal factors (for example, dif-ficulties in keeping pace with competition orpoorly performing business lines)

4. an overview of management, commenting onthe level of board oversight, leadershipstrengths or weaknesses, policy formulation,and the adequacy of management informa-tion systems (Comments should includeanticipated changes in key management,unusual turnover in line management, andmanagement-succession plans. Key execu-tives and the extent of their participation instrategic planning, policy formulation, andrisk management may also be described.)

5. a brief analysis of the consolidated financialcondition and trends, including earnings,invested capital, and return on investment bybusiness line

6. a description of the future prospects of theorganization, expectations or strategic fore-casts for key performance areas, and budgetprojections

7. descriptions of internal and external audit,including the nature of any special workperformed by external auditors during theperiod under review

8. a summary of supervisory activity performedsince the last review, including safety-and-soundness inspections, examinations,and targeted or specialty inspections or

10a. This list is provided in the context of institutions forwhich the Federal Reserve is the home-country supervisor. Inthe case of an FBO, the analysis should begin with the SOSArating and the Summary of Condition of its U.S. operations.See SR-00-14 and also sections 2124.0.2.5, 2127.0, and3903.0.


BHC Supervision Manual July 2016Page 9

examinations; supervisory actions and theinstitution’s degree of compliance; and appli-cations approved or in process

9. considerations for conducting future inspec-tions, including the institution’s preferencefor the coordination of specialty inspectionsor examinations and combined inspectionand examination reports, as well as logisticaland timing considerations, including conver-sion activities, space planning, and manage-ment availability

2124.01.6 ASSESSING THEINSTITUTION’S RISKS

In order to focus supervisory activities on theareas of greatest risk to an institution, the CPCor designated staff personnel should perform arisk assessment. The risk assessment highlightsboth the strengths and vulnerabilities of an insti-tution and provides a foundation for determin-ing the supervisory activities to be conducted.Further, the assessment should apply to theentire spectrum of risks facing an institution,including the following risks:

1. credit risk, which arises from the potentialthat a borrower or counterparty will fail toperform on an obligation

2. market risk, which is the risk to an institu-tion’s financial condition resulting fromadverse movements in market rates or prices,such as interest rates, foreign-exchange rates,or equity prices

3. liquidity risk, which is the potential that aninstitution will be unable to meet its obliga-tions as they come due because of an inabil-ity to liquidate assets or obtain adequatefunding (referred to as ‘‘funding liquidityrisk’’) or because it cannot easily unwind oroffset specific exposures without signifi-cantly lowering market prices because ofinadequate market depth or market disrup-tions (referred to as ‘‘market liquidity risk’’)

4. operational risk, which arises from thepotential that inadequate information sys-tems, operational problems, breaches ininternal controls, fraud, or unforeseen catas-trophes will result in unexpected losses

5. legal risk, which arises from the potentialthat unenforceable contracts, lawsuits, oradverse judgments can disrupt or otherwisenegatively affect the operations or conditionof a banking organization

6. reputational risk, which is the potential thatnegative publicity regarding an institution’sbusiness practices, whether true or not, willcause a decline in the customer base, costlylitigation, or revenue reductions

An institution’s business activities presentvarious combinations and concentrations of theabove risks depending on the nature and scopeof the particular activity. When conducting therisk assessment, consideration must be given tothe institution’s overall risk environment, thereliability of its internal risk management, theadequacy of its information technology systems,and the risks associated with each of its signifi-cant business activities. The preparation of therisk matrix provides a structured approach toassessing an institution’s risks and is the basisfor preparing the narrative risk assessment. Seesections 4070.1 (SR-95-51) and 4071.0 (SR-16-11) for additional guidance on the evaluation ofan institution’s risk management.

2124.01.6.1 Assessment of the OverallRisk Environment

The starting point in the risk-assessment processis an evaluation of the institution’s risk toler-ance and of management’s perception of theorganization’s strengths and weaknesses. Suchan evaluation should entail discussions withmanagement and a review of supporting docu-ments, strategic plans, and policy statements.Management, in general, is expected to have aclear understanding of the institution’s markets;the general banking, business, and economicenvironment; and how these factors affect theinstitution (in other words, their effect on theinstitution’s use of technology, products, anddelivery channels).

The institution should have a clearly definedrisk-management structure. This structure maybe formal or informal, centralized or decentral-ized. However, the greater the risk assumed bythe institution, the more sophisticated its risk-management system should be. Regardless ofthe approach, the types and levels of risk aninstitution is willing to accept should reflect therisk appetite determined by its board ofdirectors.

2124.01.6.1.1 Internal-Risk-ManagementEvaluation

In assessing the overall risk environment, theCPC should make a preliminary evaluation of



the institution’s internal risk management. Thatincludes an assessment of the adequacy of theinstitution’s internal audit, loan-review, andcompliance functions. External audits also pro-vide important information regarding the riskprofile and condition of the institution and maybe used in the risk assessment. In completingthis evaluation, Reserve Banks should consi-der holding meetings with the external auditorand senior management who are responsible forinternal audit, loan review, and compliance,as well as with other key risk managers.As appropriate, the meetings should be heldjointly with a representative from other super-visory agencies that have an interest in theinstitution.

In addition, the CPC or designated staff per-sonnel should consider reviewing risk assess-ments developed by the internal audit depart-ment for significant lines of business, and thencompare their results with the supervisory riskassessment. Further, the CPC should considerevaluating management’s ability to aggregaterisks on a global basis. Examiners can use thispreliminary evaluation to determine how muchthey can rely on the institution’s internal riskmanagement when developing their scope ofinspection and examination activities.

2124.01.6.1.2 Supervision Program forConsumer Compliance Risk Assessment atBHCs

Changes in the banking and financial servicesindustry have highlighted the importance ofincorporating an assessment of consumer com-pliance risk into the evaluation of a bankingorganization’s overall risk profile. To addressthis need, the Federal Reserve enhanced its bankholding company supervision program to ensurethat examiners are focusing appropriately onconsumer compliance risk–related mattersacross the broad range of a BHC’s activities.(See SR-03-22.)

An enhanced supervisory framework for thesupervision of consumer compliance risk wasdeveloped for large complex banking organiza-tions (LCBOs) and for large banking organiza-tions (LBOs). 10b Under the framework, con-sumer compliance examiners are to assessconsumer compliance risk across the broad

range of a banking organization’s activities todetermine the level and trend of consumer com-pliance risk. To address the risks identified in anorganization’s business activities, the supervi-sory team will develop a supervisory plan thatincludes activities appropriate to the level of theorganization’s consumer compliance risk.

Supervisory framework for consumer compli-ance risk. For LCBOs and LBOs that are subjectto the System’s continuous supervision pro-gram, safety-and-soundness examiners are toincorporate an assessment of consumer compli-ance risk into the overall risk assessment andplanned supervisory activities for these organi-zations. When performing the consumer compli-ance risk assessment, consumer complianceexaminers are to rely, to the extent possible, onthe work conducted by the dedicated supervi-sory team or primary bank regulator, and expandthat analysis to focus on consumer compliancerisk. The consumer compliance risk assessmentis to include a determination of the level ofconsumer compliance risk (high, moderate, orlow), taking into consideration the internal con-trol and review processes in place to mitigatethe inherent risk. In addition, the risk assess-ment is to include a determination of the direc-tion of consumer compliance risk (increasing,stable, or decreasing). The consumer compli-ance examiner is to discuss the identified areasof significant consumer compliance risk withthe CPC. In addition, in coordination with theCPC and the supervisory team, the consumercompliance examiner is to evaluate how con-sumer compliance risk affects the reputational,legal, and operational risk profiles of the LCBOor LBO. The CPC will then incorporate thisinformation and the assessment of consumercompliance risk into the LCBO’s or LBO’soverall risk assessment.

The consumer compliance examiner and theCPC will determine, on a case-by-case basis,whether and what type of supervisory activitiesshould be included in the organization’s super-visory plan. The planned supervisory activitieswill vary depending on the nature and level ofan organization’s consumer compliance risk.

The CPC and the consumer complianceexaminer will coordinate with other regulatorsbefore communicating their findings to thebanking organization’s management. This coor-dination should help to ensure a seamless pro-cess in which consistent messages are deliveredto LCBO or LBO management.10b. The Board’s Division of Banking Supervision and

Regulation and its Division of Consumer and CommunityAffairs developed the consumer compliance risk assessmentframework. The supervisory approach does not apply to shellBHCs.


BHC Supervision Manual January 2007Page 10.1

2124.01.6.1.3 Adequacy of InformationTechnology Systems

Effective risk monitoring requires institutions toidentify and measure all material risk exposures.Consequently, risk-monitoring activities must besupported by management information systems(MIS) that provide senior managers and direc-tors with timely and reliable reports on thefinancial condition, operating performance, andrisk exposure of the consolidated organization.Such systems must also provide managersengaged in the day-to-day management of theorganization’s activities with regular and suffi-ciently detailed reports for their areas of respon-sibility. Moreover, in most large complex insti-tutions, MIS not only provides reportingsystems but also supports a broad range of busi-ness decisions through sophisticated risk-management and decision tools, such as creditscoring and asset/liability models and automatedtrading systems. Accordingly, the institution’srisk assessment must consider the adequacy ofinformation technology systems.

Institutions need to determine which businessunit or units are responsible for the developmentand operation of the information technologysystem. Traditionally, such systems were largelycentered on mainframe computers. However, thedevelopment of increasingly powerful and inex-pensive personal computers and sophisticatednetwork communication capabilities has giveninstitutions more timely access to a greater vol-ume of information that supports a broaderrange of business decisions—moving sometransaction processing out of the mainframeenvironment. Consequently, many large institu-tions are transferring responsibility for develop-ment and operation of the hardware (generally, alocal area or wide area network) and the relatedoperating systems and applications from acentralized, mainframe function to individualbusiness units. Many of these institutions arealso integrating the information technologyaudit function with the general internal auditfunction.

Once it has been determined which businessunits are responsible for information technol-ogy, a fuller understanding of the risk profile ofspecific functions and of the consolidated orga-nization can be gained through close coordina-tion between information systems specialistsand safety-and-soundness examiners. Sincebusiness managers must have MIS reports thatare sufficient and appropriate for identifying

risks, examiners must work with specialists toassess the adequacy of the information technol-ogy system and the extent to which it can berelied upon. Evaluating the integrity of the infor-mation in reports for business managers requiresan understanding of the information flows andthe control environment for the operation.Knowledge of the business application is essen-tial to determine whether the information flowsare complete, accurate, and appropriate in aparticular MIS. In addition, such a determina-tion requires an assessment of the extent towhich the institution’s internal audit functionhas procedures in place for reviewing and test-ing the effectiveness of the processes and inter-nal controls related to information technologysystems.



2124.01.6.2 Preparation of the RiskMatrix

A risk matrix is used to identify significantactivities, the type and level of inherent risks inthese activities, and the adequacy of risk man-agement over these activities, as well as to deter-mine composite risk assessments for each ofthese activities and the overall institution. A riskmatrix can be developed for the consolidatedorganization, for a separate affiliate, or alongfunctional business lines. The matrix is a flex-ible tool that documents the process followed toassess the overall risk of an institution and is abasis for preparation of the narrative riskassessment.

2124.01.6.2.1 Identification of SignificantActivities

Activities and their significance can be identi-fied by reviewing information from the institu-tion, the Reserve Bank, or other supervisors.Information generated by the institution mayinclude the balance sheet, off-balance-sheetreports, the income statement, managementaccounting reports, or any other report that isprepared for the institution’s board of directorsand senior management to monitor performance.A detailed income statement is particularlyinformative because it reflects significant activi-ties and their relative importance to the institu-tion’s revenue and net income. The incomestatement also yields information regarding therelationship between the return on individualassets and the inherent risk associated with theseassets, providing an important indicator of theinstitution’s overall risk appetite.

Off-site surveillance information is anothersource of information that can be used to iden-tify new or expanding business activities. Forexample, substantial growth in the loan port-folio may indicate that the institution has intro-duced a new lending activity.

In addition to financial factors, informationon strategic plans, new products, and possiblemanagement changes needs to be considered.The competitive climate in which the institutionoperates is important and should be assessed inthe identification of significant activities. Indus-try segmentation and the position the institutionoccupies within its markets should also beconsidered.

2124.01.6.2.2 Type and Level of InherentRisk of Significant Activities

After the significant activities are identified, thetype and level of risk inherent in those activitiesshould be determined. Types of risk may becategorized according to section 4070.1.2 andSR-95-51 (as amended by SR-04-18), or byusing categories defined either by the institutionor other supervisory agencies. If the institutionuses risk categories that differ from thosedefined by the supervisory agencies, the exam-iner should determine if all relevant types ofrisk are appropriately captured. If risks areappropriately captured by the institution, theexaminer should use the categories identified bythe institution.

Table 2 illustrates risk types as defined by theFederal Reserve and the OCC. This table isdesigned to show the relationship between therespective agencies’ risk categories.

Table 2—Types of Risk

Federal Reserve OCC

Credit Credit

Market PriceInterest rateForeign exchange

Liquidity Liquidity

Reputational Reputation

Operational Transaction

Legal Compliance

Strategic*

* Elements of strategic risk are reflected in each of the riskcategories as defined by the Federal Reserve.

For the identified functions or activities, theinherent risk involved in that activity should bedescribed as high, moderate, or low for eachtype of risk associated with it. For example, itmay be determined that a portfolio of commer-cial loans in a particular institution has highcredit risk, moderate market risk, moderateliquidity risk, low operational risk, low legalrisk, and low reputational risk. The followingdefinitions apply:

1. High inherent risk exists when (1) the activ-ity is significant or positions are large in



relation to the institution’s resources or to itspeer group, (2) there are a substantial num-ber of transactions, or (3) the nature of theactivity is inherently more complex than nor-mal. Thus, the activity could potentiallyresult in a significant and harmful loss to theorganization.

2. Moderate inherent risk exists when (1) posi-tions are average in relation to the institu-tion’s resources or to its peer group, (2) thevolume of transactions is average, and (3) theactivity is more typical or traditional. Thus,while the activity could potentially result in aloss to the organization, the loss could beabsorbed by the organization in the normalcourse of business.

3. Low inherent risk exists when the volume,size, or nature of the activity is such thateven if the internal controls have weak-nesses, the risk of loss is remote or, if a losswere to occur, it would have little negativeimpact on the institution’s overall financialcondition.

It is important to remember that this assessmentof risk is made without considering manage-ment processes and controls. Those factors areconsidered in evaluating the adequacy of theinstitution’s risk-management systems.

2124.01.6.2.3 Risk-ManagementAdequacy Assessment for SignificantActivities

When assessing the adequacy of an institution’srisk-management systems for identified func-tions or activities, the CPC or designated staffpersonnel should place primary considerationon findings related to the following key ele-ments of a sound risk-management system:

1. active board and senior management over-sight

2. adequate policies, procedures, and limits3. adequate risk-management, risk-monitoring,

and management information systems4. comprehensive internal controls

Taking these key elements into account, thecontact should assess the relative strength of therisk-management processes and controls foreach identified function or activity. Relative

strength should be characterized as strong,acceptable, or weak as defined below:

1. Strong risk management indicates that man-agement effectively identifies and controlsall major types of risk posed by the BHC’sactivities. Management is fully prepared toaddress risks emanating from new productsand changing market conditions. The boardand management are forward looking andactive participants in managing risk. Man-agement ensures that appropriate policies andlimits exist and are understood, reviewed,and approved by the board. Policies and lim-its are supported by risk-monitoring proce-dures, reports, and management informationsystems that provide management and theboard with the information and analysis nec-essary to make timely and appropriate deci-sions in response to changing conditions.Risk-management practices and the organi-zation’s infrastructure are flexible and highlyresponsive to changing industry practices andcurrent regulatory guidance. Staff has suffi-cient experience, expertise, and depth tomanage the risks assumed by the institution.

Internal controls and audit procedures aresufficiently comprehensive and appropriateto the size and activities of the institution.There are few noted exceptions to the institu-tion’s established policies and procedures,and none is material. Management effec-tively and accurately monitors the conditionof the institution consistent with the stan-dards of safety and soundness and in accor-dance with internal and supervisory policiesand practices. Risk-management processesare fully effective in identifying, monitoring,and controlling the risks to the institution.

2. Acceptable risk management indicates thatthe institution’s management of risk islargely effective but lacking in some modestdegree. Management demonstrates a respon-siveness and ability to cope successfully withexisting and foreseeable risks that may arisein carrying out the institution’s business plan.While the institution may have some minorrisk-management weaknesses, these prob-lems have been recognized and are in theprocess of being resolved. Overall, board andsenior management oversight, policies andlimits, risk-monitoring procedures, reports,and management information systems areconsidered satisfactory and effective in main-taining a safe and sound institution. Risks arecontrolled in a manner that does not requiremore-than-normal supervisory attention.

The BHC’s risk-management practices



and infrastructure are satisfactory and gener-ally are adjusted appropriately in response tochanging industry practices and current regu-latory guidance. Staff experience, expertise,and depth are generally appropriate to man-age the risks assumed by the institution.

Internal controls may display modestweaknesses or deficiencies, but they are cor-rectable in the normal course of business.The examiner may have recommendationsfor improvement, but the weaknesses notedshould not have a significant effect on thesafety and soundness of the institution.

3. Weak risk management indicates that risk-management practices are lacking in someimportant ways and, therefore, are a causefor more-than-normal supervisory attention.One or more of the four elements of soundrisk management11 (active board and seniormanagement oversight; adequate policies,procedures, and limits; adequate risk-management monitoring and managementinformation systems; comprehensive internalcontrols) are considered less than acceptableand have precluded the institution from fullyaddressing one or more significant risks to itsoperations. Certain risk-management prac-tices are in need of improvement to ensurethat management and the board are able toidentify, monitor, and control all significantrisks to the institution. Also, the risk-management structure may need to beimproved in areas of significant businessactivity, or staff expertise may not be com-mensurate with the scope and complexity ofbusiness activities. In addition, manage-ment’s response to changing industry prac-tices and regulatory guidance may need toimprove.

The internal control system may be lack-ing in some important aspects, particularly asindicated by continued control exceptions orby a failure to adhere to written policies andprocedures. The risk-management weak-nesses could have adverse effects on thesafety and soundness of the institution ifcorrective action is not taken bymanagement.

The definitions above apply to the risk man-agement of individual functions or activities.They parallel the definitions set forth in section

4070.1.2 (See SR-04-18 and SR-95-51) thatexaminers are to use to rate an institution’soverall risk management. However, unlike theoverall risk-management rating, the assessmentof the adequacy of risk-management systemsincorporated into the risk matrix is to be usedprimarily for planning supervisory activities. Inaddition, because the risk matrix is preparedduring the planning process, it generally wouldnot be appropriate to make fine gradations in thestrength of risk-management systems on afunction-by-function basis. In particular, for pur-poses of rating an institution’s overall risk man-agement, section 4070.1.2 (SR-04-18 and SR-95-51) makes distinctions in degrees ofweakness—fair, marginal, and unsatisfactory—that generally cannot be made appropriately ona function-by-function basis, as called for whenpreparing the risk matrix. After appropriateinspection and examination procedures are per-formed, the assessment of the institution’s riskmanagement that was prepared for the riskmatrix may be a starting point for assigningan overall risk-management rating for theinstitution.

2124.01.6.2.4 Composite Risk Assessmentof Significant Activities

The composite risk for each significant activityis determined by balancing the overall level ofinherent risk of the activity with the overallstrength of risk-management systems for thatactivity. For example, commercial real estateloans usually will be determined to be inher-ently high risk. However, the probability and themagnitude of possible loss may be reduced byhaving very conservative underwriting stan-dards, effective credit administration, stronginternal loan review, and a good early-warningsystem. Consequently, after accounting for thesemitigating factors, the overall risk profile andlevel of supervisory concern associated withcommercial real estate loans may be moderate.Table 3 provides guidance on assessing the com-posite risk of an activity by balancing theobserved quantity and degree of risk with theperceived strength of related management pro-cesses and internal controls.

To facilitate consistency in the preparation ofthe risk matrix, general definitions of the com-posite level of risk for significant activities areprovided below.11. See SR-04-18,‘‘Bank Holding Company Rating Sys-

tem,’’ which amended the rating definitions of SR-95-51,‘‘Rating the Adequacy of Risk Management Processes andInternal Controls at State Member Banks and Bank HoldingCompanies.’’



Table 3—Composite Risk for SignificantActivities

Risk-management

systems

Inherent risk of the activity

Low Moderate High

Composite risk assessment

Weak Low ormoderate

Moderateor high

High

Acceptable Low Moderate High

Strong Low Low ormoderate

Moderateor high

1. A high composite risk generally would beassigned to an activity when the risk-management system does not significantlymitigate the high inherent risk of the activity.Thus, the activity could potentially result in afinancial loss that would have a significantnegative impact on the organization’s overallcondition—in some cases, even where thesystems are considered strong. For an activ-ity with moderate inherent risk, a risk-management system that has significantweaknesses could result in a high compositerisk assessment, because managementappears to have an insufficient understandingof the risk and an uncertain capacity toanticipate and respond to changingconditions.

2. A moderate composite risk generally wouldbe assigned to an activity with moderateinherent risk where the risk-managementsystems appropriately mitigate the risk. Foran activity with a low inherent risk, signifi-cant weaknesses in the risk-managementsystem may result in a moderate compositerisk assessment. On the other hand, a strongrisk-management system may reduce therisks of an inherently high-risk activity sothat any potential financial loss from theactivity would have only a moderate nega-tive impact on the financial condition of theorganization.

3. A low composite risk generally would beassigned to an activity that has low inherentrisks. An activity with moderate inherent riskmay be assessed a low composite risk whereinternal controls and risk-management sys-tems are strong and effectively mitigate muchof the risk.

2124.01.6.2.5 Overall Composite RiskAssessment

Once the examiner has assessed the compositerisk of each identified significant activity orfunction, an overall composite risk assessmentshould be made for off-site analytical and plan-ning purposes. This assessment is the final stepin the development of the risk matrix; the evalu-ation of the overall composite risk is incorpo-rated into the written risk assessment.

2124.01.6.2.6 Preparation of the RiskAssessment

A written risk assessment should be prepared toserve as an internal supervisory planning tooland to facilitate communication with othersupervisors. A sample risk assessment is pro-vided below. The goal is to develop a documentthat presents a comprehensive risk-focused viewof the institution. The risk assessment delineatesthe areas of supervisory concern and is a plat-form for developing the supervisory plan.

The format and content of the written riskassessment are flexible and should be tailored tothe individual institution. The risk assessmentreflects the dynamics of the institution and,therefore, should consider the institution’sevolving business strategies and be amended assignificant changes in the risk profile occur. Itshould include input from other affected super-visors and specialty units to ensure that all sig-nificant risks of the institution are identified.The risk assessment should—

1. include an overall risk assessment of theorganization;

2. describe the types of risks (credit, market,liquidity, reputational, operational, legal),their level (high, moderate, low), and thedirection (increasing, stable, decreasing) ofrisks;

3. identify all major functions, business lines,activities, products, and legal entities fromwhich significant risks emanate, and identifythe key issues that could affect the risk pro-file;

4. consider the relationship between the likeli-hood of an adverse event and the potentialimpact on an institution (for example, thelikelihood of a computer system failure maybe remote, but the financial impact could besignificant); and

5. describe the institution’s risk-managementsystems. Reviews and risk assessments per-formed by internal and external auditors



should be discussed, as should the ability ofthe institution to take on and manage riskprospectively.

The CPC should attempt to identify and reportthe cause of unfavorable trends, as well as theirsymptoms. Also, it is very important that therisk assessment reflect a thorough, detailedanalysis that supports the conclusions madeabout the institution’s risk profile.

2124.01.7 PLANNING ANDSCHEDULING SUPERVISORYACTIVITIES

The supervisory plan is a bridge between theinstitution’s risk assessment, which identifiessignificant risks and supervisory concerns, andthe supervisory activities to be conducted. Indeveloping the supervisory plan and inspectionand examination schedules, the CPC shouldminimize disruption to the institution and,whenever possible, avoid duplicative inspectionand examination efforts and requests for infor-mation from other supervisors.12

The institution’s organizational structure andcomplexity are significant considerations inplanning the specific supervisory activities to beconducted. Additionally, interstate banking andbranching activities have implications for plan-ning on-site and off-site reviews. The scope andlocation of on-site work for interstate bankingoperations will depend on the significance andrisk profile of local operations, the location ofthe supervised entity’s major functions, and thedegree of its centralization. Consistent with theFederal Reserve practice of not examining eachbranch of an intrastate branching network, thebulk of safety-and-soundness examinations forbranches of an interstate bank would likely beconducted at the head office or regional offices,supplemented by periodic reviews of branchoperations and internal controls. The supervi-sory plan should reflect the need to coordinatethese reviews of branch operations with othersupervisors.

2124.01.7.1 Preparation of theSupervisory Plan

A comprehensive supervisory plan should bedeveloped annually and updated as appropriatefor the consolidated organization.13 The planshould demonstrate the supervisory concernsidentified through the risk-assessment processand how the deficiencies noted in the previousinspection or examination are being or will beaddressed. To the extent that the institution’srisk-management systems are adequate, thelevel of supervisory activity may be adjusted.The plan should generally address the followingareas:

1. All supervisory activities to be conducted,the scope of those activities (full or targeted),the objectives of those activities (for exam-ple, review of specific business lines, prod-ucts, support functions, legal entities), andspecific concerns regarding those activities,if any. Consideration should be given to—a. prioritizing supervisory resources on areas

of higher risk,b. pooling examiner resources to reduce bur-

den and redundancies,c. maximizing the use of examiners located

where the activity is being conducted,d. coordinating examinations of different

disciplines,e. determining compliance with or the

potential for supervisory action, andf. balancing mandated requirements with the

objectives of the plan.2. General logistical information (for example,

timetable of supervisory activities, partici-pants, and expected resource requirements).

3. The extent to which internal and externalaudit, internal loan review, compliance, andother risk-management systems will be testedand relied upon.

The planning horizon to be covered by theplan is generally 18 months for domestic institu-tions.14 The overall supervisory objectives andbasic framework need to be outlined by midyear

12. See section 5000.0.8.3 and SR-93-30, ‘‘InteragencyPolicy Statements on Supervisory Initiatives,’’ and its attach-ments for guidance on examination coordination of holdingcompany inspections with subsidiary bank and thrift examina-tions. See SR-00-14, ‘‘Enhancements to the Interagency Pro-gram for Supervising the U.S. Operations of Foreign BankingOrganizations,’’ regarding coordination with other agencies aspart of the FBO supervision program.

13. The supervisory plan is a high-level plan of supervi-sory activities to be conducted in monitoring the consolidatedorganization. More-detailed procedures for a specific on-siteinspection are appropriately addressed in a scope memoran-dum, which is discussed in section 2124.01.8.

14. The examination plans and assessments of condition ofU.S. operations that are used for FBO supervision use a12-month period.



to facilitate preliminary discussions with othersupervisors and to coincide with planning forthe Federal Reserve’s scheduling conferences.The plan should be finalized by the end of theyear, for execution in the following year.

2124.01.7.2 Preparation of the Inspectionor Examination Program

The inspection or examination program shouldprovide a comprehensive schedule of inspectionor examination activities for the entire organiza-tion and aid in the coordination and communica-tion of responsibilities for supervisory activities.An inspection or examination program providesa comprehensive listing of all inspection andexamination activities to be conducted at aninstitution for the given planning horizon. Toprepare a complete program and to reflect thecurrent conditions and activities of an institutionand the activities of other supervisors, the CPCneeds to be the focal point for communicationson a particular institution, including any com-munications with the Federal Reserve and theinstitution’s management and other supervisors.The inspection or examination program shouldgenerally incorporate the following logisticalelements:

1. a schedule of activities, the duration of time,and resource estimates for planned projects

2. an identification of the agencies conductingand participating in the supervisory activity(when conducted jointly with other agencies,indicate the lead agency and the agencyresponsible for a particular activity) and theresources committed by all participants tothe area(s) under review

3. the planned product for communicating find-ings (indicate whether it will be a formalreport or supervisory memorandum)

4. the need for special examiner skills andthe extent of participation by specialtydisciplines

2124.01.8 DEFINING INSPECTION OREXAMINATION ACTIVITIES

The scope memorandum is an integral productin the risk-focused methodology. The memoran-dum identifies the key objectives of the on-siteinspection or examination. The focus of on-siteinspection or examination activities, as identi-

fied in the scope memorandum, should be ori-ented to a top-down approach that includes areview of the organization’s internal risk-management systems and an appropriate levelof transaction testing. The risk-focused method-ology provides flexibility in the amount ofon-site transaction testing. Although the focusof the inspection or examination is on the insti-tution’s processes, an appropriate level of trans-action testing and asset review will be necessaryto verify the integrity of internal systems. Ifinternal systems are considered reliable, thentransaction testing should be targeted to a levelsufficient to validate that the systems are effec-tive and accurate. Conversely, if internal man-agement systems are deemed unreliable or inef-fective, then transaction testing must be adjustedto increase the amount of coverage. The entryletter identifies the information necessary for thesuccessful execution of the on-site inspection orexamination procedures.

2124.01.8.1 Scope Memorandum

After the areas to be reviewed have been identi-fied in the supervisory plan, a scope memoran-dum should be prepared that documents specificobjectives for the projected inspection or exami-nation. This document is of key importance, asthe scope will likely vary from year to year.Thus, it is necessary to identify the specificareas chosen for review and the extent of thosereviews. The scope memorandum will helpensure that the supervisory plan for the institu-tion is executed, and it will define and commu-nicate those specific objectives to the inspectionor examination staff.

The scope memorandum should be tailored tothe size, complexity, and current rating of theinstitution subject to review. For large but less-complex institutions, the scope memorandummay be combined with the supervisory plan orrisk assessment. The scope memorandum shouldgenerally include—

1. a statement of the objectives;2. an overview of the activities and risks to be

evaluated;3. the level of reliance on internal risk-

management systems and internal or exter-nal audit findings;

4. a description of the procedures that are to beperformed, indicating any sampling processto be used and the level of transaction test-ing, when appropriate;

5. identification of the procedures that areexpected to be performed off-site; and



6. a description of how the findings of targetedreviews, if any, will be used on the currentinspection or examination.


BHC Supervision Manual July 2006Page 16.1

2124.01.8.2 Entry Letter

Standardized entry inspection and examinationletters have been developed that are closelyaligned with the risk-focused approach for largecomplex institutions.15 The letters are designedto reduce the institution’s paperwork burden.The entry letters include a core section ofrequired information that is pertinent to all largeinstitutions, regardless of size or complexity. Inaddition to the core requests, supplementaryquestionnaires should be used as needed for thespecialized areas such as asset securitization/sales, information systems, private banking,securities clearance/lending, trading activities,and transfer risk. The cover letters must be used(but can be modified), as they provide specificguidance to the inspected or examinedinstitution.

The entry letters direct management to pro-vide written responses to questions and to pro-vide copies of specific documents requested, butonly if the requested information is new or haschanged since the previous examination orinspection. Examiners should not request thatmanagement provide them with copies of theinstitution’s regulatory reports that are availablewithin each Federal Reserve Bank or from otherbank regulatory agencies, such as regulatoryinspection and examination reports and variousfinancial information (for example, annualreports or Call Reports). These reports shouldbe gathered from internal sources during thepre-examination planning process. Also, entryletters should not request information that isregularly provided to designated CPCs. Theexaminer-in-charge should always reviewanticipated information and document needswith the CPC for the inspected or examinedinstitution before the mailing of any entry letter.

The entry letters should be used as a startingpoint, or template, in preparing for an examina-tion or inspection. They should be tailored dur-ing the planning process to fit the specific char-acter and profile of the institution to beinspected or examined and the scope of theactivities to be performed. Thus, the effectiveuse of entry letters is highly dependent on theplanning and scoping of a risk-focused inspec-tion or examination.

The entry letters request internal managementinformation reports for each of the key inspec-tion or examination areas. Internal management

reports should be used in all instances.If they do not provide sufficient information toinspect or examine the institution, then it wouldappear that management is not adequatelyinformed—this may well be the first inspectionor examination finding. As specific items areselected for inclusion in the entry letter, thefollowing guidelines for items should beconsidered:

1. Reflect risk-focused supervision objectivesand the inspection or examination scope.Items that are not needed to support selectedinspection or examination procedures shouldnot be requested.

2. Facilitate efficiency in the inspection orexamination process and lessen the burdenon financial institutions. Minimize the num-ber of requested items and avoid, to theextent possible, duplicate requests for infor-mation already provided to other agencies.

3. Limit, to the extent possible, requests forspecial management reports.

4. Eliminate items used for audit-type proce-dures. Such procedures (for example, verifi-cations) are generally performed only whenthere is a reason to suspect that significantproblems exist.

5. Distinguish information to be mailed to theexaminer-in-charge for off-site inspection orexamination procedures from information tobe held at the institution for on-site proce-dures. Information that is not easily repro-duced should be reviewed on-site (for exam-ple, policies, corporate minutes, or auditworkpapers).

6. Allow management sufficient lead time toprepare the requested information.

2124.01.9 PERFORMINGINSPECTION OR EXAMINATIONPROCEDURES

Inspection or examination procedures should betailored to the characteristics of each institution,keeping in mind its size, complexity, and riskprofile. The procedures should focus on devel-oping appropriate documentation to adequatelyassess management’s ability to identify, mea-sure, monitor, and control risks. Proceduresshould be completed to the degree necessary todetermine whether the institution’s managementunderstands and adequately controls the levelsand types of risks that are assumed. In terms of

15. Such entry letters should be used for a (1) combinedbank holding company inspection and lead state member bankexamination, (2) bank holding company inspection (seeappendix B), and (3) state member bank examination.



transaction testing, the volume of transactionstested should be adjusted according to manage-ment’s ability to accurately identify problemand potential problem transactions and to mea-sure, monitor, and control the institution’s riskexposure. Likewise, the level of transaction test-ing for compliance with laws, regulations, andsupervisory policy statements should take intoaccount the effectiveness of management sys-tems to monitor, evaluate, and ensurecompliance.

Most full-scope inspections or examinationsare expected to include the examiners’ evalua-tion of 10 functional areas during the supervi-sory cycle. There may be a need to identify andinclude additional functional areas. To evaluatethese functional areas, examiners must performprocedures tailored to fit (1) the risk assessmentprepared for the institution and (2) the scopememorandum. These functional areas representthe primary business activities and functions oflarge complex institutions, as well as commonsources of significant risk to them. Further, con-sistent with the risk-focused approach, examin-ers are expected to evaluate other areas that aresignificant sources of risk to an institution orthat are central to the assignment of CAMELS,RFI/C(D), and ROCA ratings. The identifiedfunctional areas include the following:

1. loan-portfolio analysis (portfolio manage-ment, loan review, consumer compliance,allowance for loan and lease losses)

2. treasury activities (asset-liability manage-ment, interest-rate risk, parent companyliquidity, funding, investments, deposits)

3. trading and capital-markets activities (for-eign exchange, commodities, equities, andother interest-rate risk; credit risk; andliquidity risk)

4. audit and internal control review5. final assessment of supervisory ratings

(CAMELS, RFI/C(D), ROCA, or other)6. information systems7. insurance and fiduciary activities8. private banking9. retail banking activities (new products and

delivery systems)10. payments system risk (wire transfers,

reserves, settlement)

2124.01.10 REPORTING THEFINDINGS

After performing the inspection or examinationprocedures, examiners should document theiroverall conclusions. Conclusions, as they relateto the functional area under review, shouldclearly communicate the examiner’s assessmentof the internal risk-management system, thefinancial condition, and compliance with lawsand regulations.

Inspection and examination activities shouldbe coordinated with the respective state andother federal banking authorities, with jointexaminations performed and joint inspectionand examination reports completed whereverpracticable. The inspection and examinationactivities should be planned over the supervi-sory cycle, culminating with an annual full-scope inspection or examination of the organiza-tion. As part of the FBO supervision program,individual examination findings are integratedinto an assessment of the FBO’s entire U.S.operations.

The results of a targeted, subsidiary, or spe-cialty inspection or examination are usuallyreported to the institution’s management in aseparate report or supervisory letter. Therefore,the report for the annual full-scope inspection ofthe consolidated parent organization shouldinclude a summary of the relevant results of anypreceding supervisory activity. When targetedor specialty inspections or examinations ofaffiliates are conducted concurrently with theannual full-scope inspection of the consolidatedparent organization, the findings from the tar-geted, consumer compliance, or specialtyexaminations (fiduciary, insurance, informationtechnology, etc.) should be incorporated into theparent’s inspection report in lieu of separatereports, unless the institution’s managementrequests separate reports. For organizations inwhich the lead bank is a state member bank, theannual full-scope examination report should becombined with the bank holding companyinspection report, as appropriate. The bank hold-ing company inspection report, or combinedinspection/examination report, may also includeother bank and nonbank subsidiaryexaminations, according to the organization’ssupervisory plan.

The contents of the report should clearly andconcisely communicate to the institution’s man-agement or to the directorate any supervisoryissues, problems, or concerns related to theinstitution, as well as disclose the assigned



supervisory rating.16 The report should alsoinclude appropriate comments regarding defi-ciencies noted in the institution’s risk-management systems. Accordingly, the descrip-tions accompanying each component of theCAMELS rating system should emphasize man-

agement’s ability to identify, measure, monitor,and control risks.17 The rating assigned shouldreflect the adequacy of the institution’s risk-management systems in light of the amount andtypes of risks that the institution has taken on.

2124.01.11 APPENDIX A—RISK-FOCUSED SUPERVISORY LETTERS AND BHCSUPERVISION MANUAL SECTION NUMBERS

SR-letter SR-letter titleBHCSM

section no.

SR-16-11 Supervisory Guidance for Assessing Risk Management at Super-vised Institutions with Total Consolidated Assets Less Than $50Billion

4071.0

SR-14-4 Examiner Loan Sampling Requirements for State Member Bankand Credit Extending Nonbank Subsidiaries of BankingOrganizations with $10-$50 Billion in Total Consolidated Assets

2010.2

SR-14-3 Supervisory Guidance on Dodd-Frank Act Company-Run StressTesting for Banking Organizations with Total Consolidated Assetsof More Than $10 Billion but Less Than $50 Billion

4069.1

SR-13-24 Managing Foreign Exchange Settlement Risks for PhysicallySettled Transactions

2124.05

SR-13-23 Risk Transfer Considerations When Assessing Capital Adequacy—Supplemental Guidance on Consolidated Supervision Frameworkfor Large Financial Institutions (SR letter 12-17/CA letter 12-14)

2124.05

SR-13-21 Inspection Frequency and Scope Requirements for Bank HoldingCompanies and Savings and Loan Holding Companies with TotalConsolidated Assets of $10 Billion or Less

5000.0.4.2

SR 13-19/CA 13-21 Guidance on Managing Outsourcing Risk 2124.3

SR-13-8/CA-13-5 Extension of the Use of Indicative Ratings for Savings and LoanHolding Companies

5000.0.4.3.1

SR-13-3 Interagency Guidance on Leveraged Lending 2010.2.3.1

SR-12-17 Consolidated Supervision Framework for Large FinancialInstitutions

2124.05

SR-12-15 Investing in Securities without Reliance on Nationally RecognizedStatistical Rating Organization Ratings

2126.2

SR 11-11/CA 11-5 Supervision of Savings and Loan Holding Companies (SLHCs) 2500.0

SR 09-4 Applying Supervisory Guidance and Regulations on the Paymentof Dividends, Stock Redemptions, and Stock Repurchases at BankHolding Companies

4060.9

SR-08-9/CA-08-12

Consolidated Supervision of Bank Holding Companies and theCombined U.S. Operations of Foreign Banking Organizations

1050.0

SR-08-8/CA-08-12

Compliance Risk-Management Programs and Oversight atLarge Banking Organizations with Complex Compliance Profiles

2124.08

SR-07-01 Concentrations in Commercial Real Estate, InteragencyGuidance on

2010.2

16. See section 5010.4 and SR-96-26 for additionalinformation.

17. See SR-96-38 for additional information on the revisedCAMELS rating system.




section no.

SR-06-15/CA-06-12

Interagency Guidance on Nontraditional Mortgage Product Risks 3070.3

SR-05-11 Interagency Credit Risk-Management Guidance for Home EquityLending

2010.2

SR-04-18 Bank Holding Company Rating System (Revised) 4070.0

SR-03-22 Framework for Assessing Consumer Compliance Risk at BankHolding Companies

2124.01.6.1.2

SR-03-5 Interagency Policy Statement on the Internal Audit Function andIts Outsourcing

2060.05.06

SR-03-4 Risk Management and Valuation of Mortgage Servicing AssetsArising from Mortgage Banking Activities

3070.0

SR-02-20 The Sarbanes-Oxley Act of 2002 2060.05

SR-02-5 Interagency Guidance on Country Risk Management 4090.0

SR-00-17 Guidance on the Risk Management of Outsourced TechnologyServices

2124.1

SR-00-14 Enhancements to the Interagency Program for Supervising theU.S. Operations of Foreign Banking Organizations

2124.0

SR-00-13 Framework for Financial Holding CompanySupervision

3900.0

SR-99-37 Risk Management and Valuation of RetainedInterests Arising from Securitization Activities

2128.06

SR-99-17 Supervisory Ratings for State Member Banks, Bank HoldingCompanies, and Foreign Banking Organizations, and RelatedRequirements for the National Examination Data System

SR-99-6 Subprime Lending 2128.08

SR-99-3 Supervisory Guidance Regarding Counterparty Credit RiskManagement

2126.3

SR-98-18 Lending Standards for Commercial Loans 2122.0

SR-98-12 FFIEC Policy Statement on Investment Securities and End-UserDerivatives Activities

2126.1

SR-98-9 Assessment of Information Technology in the Risk-FocusedFrameworks for the Supervision of Community Banks and LargeComplex Banking Organizations

2124.1

SR-97-24 Risk-Focused Framework for Supervision of Large ComplexInstitutions

2124.01

SR-97-21 Risk Management and Capital Adequacy of Exposures Arisingfrom Secondary Market Credit Activities

2129.05

SR-96-38 Uniform Financial Institution Rating System (CAMELS—addingthe ‘‘S’’ for risk management)

4020.9,4070.0.4,4080.0

SR-96-33 State/Federal Protocol and Nationwide Supervisory Agreement

SR-96-29 Supervisory Program for Risk-Based Inspection of Top 50 BankHolding Companies

SR-96-27 Guidance on Addressing Internal Control Weaknesses in U.S.Branches and Agencies of Foreign Banking Organizations ThroughSpecial Audit Procedures




section no.

SR-96-26 Provisions of Individual Components of the Rat-ing System

5010.4

SR-96-17 Supervisory Guidance for Credit Derivatives 2129.0

SR-96-14 Risk-Focused Safety and Soundness Examinationsand Inspections

2124.0

SR-96-13 Joint Policy Statement on Interest-Rate Risk 2127.0

SR-96-10 Risk-Focused Fiduciary Examinations

SR-95-51 Rating the Adequacy of Risk Management andInternal Controlsat State Member Banks and Bank Holding Com-panies

4070.1

SR-93-69 Examining Risk Management and Internal Con-trols for Trading Activities of Banking Organiza-tions

2125.0

SR-93-19 Supplemental Guidance for Inspection of Non-bank Subsidiariesof Bank Holding Companies

5000.0.4.4



2124.01.12 APPENDIX B—NONBANK SUBSIDIARY RISK-ASSESSMENTQUESTIONNAIRE

NONBANK SUBSIDIARY OF A BANK HOLDING COMPANYRISK-ASSESSMENT QUESTIONNAIRE

Name of subsidiary

Name of bank holding company

BHC Consolidated:Tier 1 capital: $ Total operating revenue*: $

*Defined as the sum of total interest income and total non-interest income, beforeextraordinary items.

Subsidiary total assets: $ Subsidiary total operating revenue: $

Questions: (Circle answer.)

1. Are the subsidiary’s total assets 10 percent or more of BHC consolidated tier 1 capital?Yes No

2. Is the subsidiary’s total operating revenue 10 percent or more of BHC consolidatedoperating revenue? Yes No

3. Does the subsidiary issue debt to unaffiliated parties? Yes No

4. Does the subsidiary rely on affiliated banks for funding debt that is either greater than$10 million or 5 percent of BHC consolidated tier 1 capital? (See SR-93-19.) Yes No

5. Is the subsidiary involved in asset securitization? Yes No

6. Does the subsidiary generate assets and sell assets to affiliates? Yes No

7. Is the subsidiary a broker-dealer affiliate engaged in underwriting, dealing, or marketmaking? Yes No

8. Does the subsidiary provide derivative instruments for sale or as a service tounaffiliated parties? Yes No

9. Has the subsidiary had a significant impact on the BHC’s conditionor performance? Yes No

If any question is answered yes, then this subsidiary should be considered for on-site review.If an on-site review is not being conducted, state the reason below.

Prepared by: Date:



2124.01.13 APPENDIX C—FEDERAL RESERVE BANK COVER LETTER ANDBHC INSPECTION QUESTIONNAIRE

D.F. RoeSenior Vice PresidentDEF BanCorpGreentree BoulevardAnytown, U.S.A. 11111

Dear Mr. Roe:

In order to facilitate an inspection of DEF BanCorp on a fully consolidated basis, you arerequested to instruct the appropriate staff to provide the information described in this questionnaire.Unless indicated otherwise, information is requested as of the financial statement date December 31,20X2. You are asked to provide written responses to questions and copies of specific documentsrequested in this questionnaire only if the requested information is new or has changed since theprevious inspection, which was conducted as of December 31, 20X1 (indicate no change whereapplicable). For each area covered by this questionnaire, please provide the most recent reports usedby management to identify, measure, monitor, and control risk in the respective areas. Please notethat examiners may make additional requests during the inspection.

Single copies of all submissions in response to the requests will be satisfactory unless otherwiseindicated and should be delivered to the examiner-in-charge or designee. Any requests for clarifica-tion or definition of terms should also be directed to the examiner-in-charge.

In order to expedite the inspection, each completed schedule and other requested informationshould be submitted as soon as prepared and should not be accumulated for submission as apackage. Please respond to every item in the questionnaire, indicating N/A if a question is notapplicable.

Most of the requested data will not be needed until the commencement of the inspection, which isMarch 15, 20X3. However, certain information may be needed earlier. Such information and thedate due will be discussed with you.

Federal Reserve examiner-in-charge Examiner’s telephone number

Federal Reserve Bankof San Francisco

Division of Banking Supervision and RegulationSan Francisco, California 94120

Risk-Focused Supervision Framework for Large, Complex Banking Organizations 2124.01

BHC Supervision Manual December 1999Page 21

FEDERAL RESERVE BANKBANK HOLDING COMPANY INSPECTION QUESTIONNAIRE

Please provide the following:

Structure

1. The most recent organization chart—

(a) for the holding company and its subsidiaries by legal entity, showing percentage ofownership if less than 100 percent; and

(b) of management by legal entity and functional business lines, if different, indicating lines ofauthority and allocation of duties for all key business lines and support areas of theorganization.

2. List new activities that the bank holding company or nonbank subsidiaries have engaged insince the previous inspection, either on- or off-balance-sheet, and identify the group responsiblefor the management of these activities. How has management identified and evaluated risk inrelation to these new activities? Provide copies of any management reports regarding theseproducts/activities. Please provide a copy of the company’s risk policy statement regarding newactivities.

3. The following on each new subsidiary formed or acquired since the prior inspection andchanges, where applicable, on existing subsidiaries.

(a) name

(b) location

(c) date acquired or formed

(d) percentage of ownership

(e) nature of business or business purpose

(f) list of branch locations by city and state

(g) balance sheet and income statement

(h) off-balance-sheet, asset securitization, and derivatives activities and description of such

(i) list of principal officers

(j) management contact person

4. Since (date), has there been any change in or transfer of functions or responsibilities betweenthe corporation and its subsidiaries and between subsidiaries and/or their affiliates? If so,describe fully.

5. Since (date), have there been any sales or other transfers of any assets among the corporationand its subsidiary banks, affiliates of the banks, and/or other subsidiaries? If so, describe fullyand include details on loan participations purchased and sold.

6. Since (date), have any subsidiaries been deactivated, sold, liquidated, transferred, or disposed ofin some other way? If so, identify the subsidiary, the reason for disposition, and the effectivedate of disposition.

7. Has the corporation planned or entered into any new agreements, written or oral, to acquire anyadditional entities? If so, give pertinent details, including name, location, type of business, andpurchase terms.



Corporate Planning and Policy Information

8. The latest financial projections or business plan(s) for revenues, expenses, assets, liabilities,capital, and contingent liabilities for the current and next fiscal years. Please include details onthe assumptions used in the preparation of the projections.

9. A copy of the strategic business plan with updates or revisions, if any.

10. If new or amended since the prior inspection, copies of policies for the following:

(a) the level of supervision exercised over subsidiaries

(b) loans and investments of subsidiaries

(c) loan participations by and between subsidiaries

(d) dividends and fees from subsidiaries

(e) dividends paid to stockholders

(f) budgeting and tax planning for subsidiaries

(g) insider transactions

(h) funds, asset-liability, and interest-rate risk management at the parent company and subsidi-aries

(i) risk identification, evaluation, and control (for example, any credit risks, market risks,liquidity risks, reputational risks, operational risks, and legal risks)

(j) internal loan-review and -grading system

(k) internal audit

(l) any authorized outstanding commitments to the Federal Reserve

(m) description of any routine tie-in arrangements that are used in providing or contracting forservices

Corporate Financial Information

11. For the consolidated company, provide consolidating balance sheet and income statement,including schedules of eliminating entries.

12. Full details on unaffiliated borrowings of the consolidated organization. For debt issued sincethe prior inspection, please provide the prospectus for public-debt offerings and a summary ofterms for private-debt placements.

13. A copy of the most current periodic financial package prepared for senior management and/ordirectors.

Subsidiary Information

14. Consolidating and consolidated balance sheets, including off-balance-sheet items, and incomestatements for each nonbank first-tier subsidiary.

15. Details of all capital injections made to subsidiaries or returns of capital from subsidiaries(excluding normal operating dividends) since the prior inspection. Also provide details on anyadvance to a subsidiary which has been reclassified as equity.

16. If subsidiary banks have made any extensions of credit to the bank holding company and/orother affiliates, give details.



17. Describe any services performed by the parent for any subsidiaries or any company in which ithas a 5 percent or greater interest.

Parent Company

18. Details on intercompany payments either (1) from the parent company to affiliates or subsidi-aries or (2) from subsidiaries or affiliates to the parent company. Segregate into dividends,interest, management or service fees, expense payments, or other transfers made since the priorinspection. If a payment is governed by an intercompany agreement, please provide a copy ofthe agreement. If not, please provide the basis of the payment made.

19. Internally generated cash-flow statement and liquidity schedule for the latest quarter ending.Make available supporting documentation. Provide access to the workpapers supporting thepreparation of the Cash-Flow Schedule (schedule PI-A) from the Y-9LP report

20. Full details on new parent company’s investments in or advances to subsidiaries, and exten-sions of credit to and borrowings from subsidiaries (including unused lines of credit) since theprevious inspection.

21. Full details on the terms of any third-party borrowing and credit lines made available since theprevious inspection.

22. If any entities (parent company and/or subsidiaries) maintain compensating balances with thirdparties, indicate restrictions, if any.

23. A copy of the contingency funding plan. If such a plan does not exist, please provide adescription of what actions would be taken to meet disruptions in the corporation’s short-termliability market.

24. Details on security and other investments held by type; par; book and market values; number ofshares owned; interest rates; maturity dates; and convertibility features, where applicable.Include a copy of all investment authorization policies and delegations of authority pertainingthereto.

25. For equity investments or any lending activity, please provide a listing with comments on anysignificant items that may not be fully collectible and any other relevant factors.

26. A copy of the capital funding plan or planned changes in equity funding, a financial analysis ofany changes in equity (including any stock redemptions), and any internal financial analysisused to evaluate capital adequacy.

27. Since the previous inspection, if the corporation has purchased or sold securities or other assetsunder an agreement to resell or repurchase, give details.

28. If the corporation has, for its own account, any incomplete purchases or sales of securitiespending, give details.

29. If the parent corporation and/or any nonbank subsidiaries have loans outstanding that aresecured by stock or any obligations of the corporation or any of its subsidiaries, give details.

30. Since the prior inspection, if the corporation, either for its own account or for others, hasguaranteed the payment of any loan or other debt obligation or guaranteed the performance ofany other undertaking, provide details.

Corporate-Debt-Markets Activities

31. The following information on commercial paper:

(a) direct placements outstanding



(b) dealer placements outstanding

(c) monthly maturity schedules showing breakdown for direct and dealer placements

(d) a copy of a ‘‘no action’’ letter, if the SEC has issued one

32. Identify any subsidiary which sells commercial paper for its own use or for its parent.

33. If any commercial paper, stock, and/or convertible debt of the corporation or its subsidiaries isheld by trust departments of subsidiary banks, provide details.

34. If there are any concentrations of commercial paper holdings in excess of 10 percent of theoutstanding commercial paper by any individual or organization, provide details.

Corporate Tax Information

35. If the corporation files a consolidated tax return, on what basis does it determine the amount oftaxes to be paid by subsidiaries? Provide a copy of the tax-sharing agreement with subsidiaries.

36. A schedule detailing the following information for (specify dates)—

(a) payments (estimated or otherwise) made by the corporate-tax-paying entity to the taxingauthorities and the dates of such payments; and

(b) payments received by the tax-paying entity from other holding company subsidiaries (orthe tax benefits paid to those subsidiaries) and transaction dates.

37. Provide details of any ongoing IRS audit.

Officers, Directors, and Shareholders

38. For senior officers of the corporation, indicate their title, responsibility, and position(s) held atsubsidiary and/or other organizations.

39. List of directors of the corporation, including—

(a) number of shares owned directly and/or indirectly, and

(b) occupation or principal business affiliation.

40. A brief biography of each senior officer appointed and director elected since the priorinspection. Please include the person’s date of birth, business background, education, andaffiliations with any outside organizations. For senior officers, indicate date of hire. Fordirectors, indicate date of election to board.

41. List of board committees, their memberships, and frequency of meetings.

42. Make available board and committee minutes.

43. Details on fees paid to directors.

44. If the corporation has entered into any contracts or agreements to pay or provide additionalsums or fringe benefits to any director, officer, or employee, provide cost and details.

45. Details on any stock option, incentive, bonus, or performance plans for officers and employees.

46. List of loans made by the parent company and/or nonbank subsidiaries to directors andexecutive officers (and their interests) of the parent company and/or subsidiaries. For thepurpose of this request, a director’s or executive officer’s interest refers to a beneficialownership, directly or indirectly, amounting to 25 percent or more and also to companiesotherwise controlled by a director or officer.

47. List of investments of the parent and/or subsidiaries in stocks, bonds, or other obligations of



corporations in which directors and executive officers have a beneficial interest.

48. List of loans to any borrower that are secured by stocks, bonds, or other obligations ofcorporations in which directors and executive officers have a beneficial interest.

49. List of shareholders who own 5 percent or more of any class of voting stock and the percentageheld.

50. List of loans made by the parent company and/or nonbank subsidiaries to shareholders whoown 5 percent or more of the parent company’s outstanding shares.

Asset Quality

51. A copy of the latest internal consolidated asset-quality tracking report with aggregate totals ofinternally criticized assets and off-balance-sheet items. Identify aggregate exposures by type,risk rating, and entity where the exposure is booked. Distinguish between direct and indirectextensions of credit.

52. Details on consolidated loans past due as to principal and/or interest, nonperforming loans andother real estate owned, and totals of such for each subsidiary.

53. A breakdown of the corporation’s consolidated and major subsidiaries’ loan-loss reserves (forexample, the allowance for loan and lease losses), including portions earmarked for thecommercial, consumer, and other segments, with a description of and supporting data for themethodology used in determining its adequacy.

Audit

(The following information should be requested only if the function resides within the parentcompany. If the function is performed at a nonmember lead bank subsidiary, then assess the auditfunction through discussions with the bank’s primary regulator.)

54. A copy of the most recent engagement letters or equivalent information which describes thescope of external audit activities performed for the corporation and any of its nonbanksubsidiaries. Make available a copy of the audit program.

55. An organization chart which shows the structure and staffing of the audit function.

56. The following information about the auditor and key assistants (if not provided at priorinspections):

(a) present position and date assumed

(b) date of employment

(c) brief summary of education, experience at this institution, and prior work experience

57. Make available the audit timetable and audit program, workpapers, and procedures used inconducting audits of the parent company and all subsidiaries.

Miscellaneous

58. A summary schedule of fidelity bond and general liability insurance, listing all areas coveredfor loss/liability, and date of board approval.

59. Make available the corporation’s latest pending litigation report describing any significantpending or potential litigation or investigations against the organization or any director, officer,or policy-making employee in their official capacity, with the following information:



(a) name(s) of plaintiff

(b) nature of claim and damages requested

(c) current status

(d) an opinion of the probable outcome, including an estimation of the organization’s liability



Consolidated Supervision Framework for Large FinancialInstitutions Section 2124.05

What’s New In This Revised Section

Effective July 2014, this section was revised toinclude Appendix B — Managing ForeignExchange Settlement Risks for Physically SettledTransactions. See SR-13-24. This guidance setsforth seven principles or “guidelines” for man-aging foreign exchange transaction settlementrisks. The Federal Reserve supports these prin-ciples as part of its continuing effort to promotethe global financial system’s ability to withstandsevere market disruptions. Institutions coveredby SR-13-24 should apply the seven guidelinesto their foreign exchange activities with thestated clarifications regarding application of theguidance in the United States.

The Federal Reserve adopted a new frameworkfor the consolidated supervision of large finan-cial institutions on December 17, 2012.1 Theframework strengthens traditional micropruden-tial supervision and regulation to enhance thesafety and soundness of individual firms. It alsoincorporates macroprudential considerations toreduce potential threats to the stability of thefinancial system and to provide insights intofinancial market trends. The consolidated super-vision framework has two primary objectives:

• Enhancing resiliency of a firm to lower theprobability of its failure or inability to serveas a financial intermediary.Each firm is expected to ensure that the con-solidated organization (or the combined U.S.operations in the case of foreign banking orga-nizations) and its core business lines2 cansurvive under a broad range of internal orexternal stresses. This requires financial resil-ience by maintaining sufficient capital andliquidity, and operational resilience by main-taining effective corporate governance, riskmanagement, and recovery planning.

• Reducing the impact on the financial systemand the broader economy in the event of afirm’s failure or material weakness.

Each firm is expected to ensure the sustain-ability of its critical operations3 and bankingoffices4 under a broad range of internal orexternal stresses. This requires, among otherthings, effective resolution planning thataddresses the complexity and the interconnec-tivity of the firm’s operations.

These objectives are consistent with key pro-visions of the 2010 Dodd-Frank Wall StreetReform and Consumer Protection Act (Dodd-Frank Act). These provisions include enhancedprudential standards, which provide the FederalReserve with the flexibility to tailor the applica-tion of these standards to individual firms orgroups of firms.5 (See SR-12-17/CA-12-14 andthe supplemental guidance in SR-13-23.)

2124.05.1 FRAMEWORKAPPLICABILITY

The new framework is designed to support atailored supervisory approach that accounts forthe unique risk characteristics of each firm,including the nature and degree of potentialsystemic risks inherent in a firm’s activities andoperations, as well as broader trends acrossfirms. This framework applies to the followinginstitutions:

• Large Institution Supervision CoordinatingCommittee (LISCC) firms: the largest, mostcomplex U.S. and foreign financial organiza-tions subject to consolidated supervision bythe Federal Reserve. Nonbank financial com-panies designated by the Financial StabilityOversight Council (FSOC) for supervision bythe Federal Reserve are included in the LISCCportfolio. LISCC firms are considered to posethe greatest systemic risk to the U.S. econ-omy.The LISCC is a multidisciplinary body that

1. The previous framework, SR-99-15, ‘‘Risk-Focused

Supervision of Large Complex Banking Organizations,’’ is

superseded. In addition, for the firms described in subsection

2124.05.1, ‘‘Framework Applicability,’’ the framework for

consolidated supervision set forth in SR-08-9/CA-08-12,

‘‘Consolidated Supervision of Bank Holding Companies and

the Combined U.S. Operations of Foreign Banking Organiza-

tions,’’ is no longer applicable.

2. ‘‘Core business lines’’ are those business lines (includ-

ing associated operations, services, functions, and support)

that, in the firm’s view, upon failure would result in a material

loss of revenue, profit, or franchise value.

3. ‘‘Critical operations’’ are those operations (including

associated services, functions, and support) that if they were

to fail or be discontinued could pose a threat to the financial

stability of the United States.

4. ‘‘Banking offices’’ are defined as U.S. depository institu-

tion subsidiaries, as well as the U.S. branches and agencies of

foreign banking organizations.

5. 12 U.S.C. 5365 and 12 U.S.C. 5365(a)(2).


oversees supervision and evaluates conditionsof supervised firms. The committee alsodevelops cross-firm perspectives and monitorsinterconnectedness and common practices thatcould lead to greater systemic risk.

• Large Banking Organizations (LBOs): domes-tic bank and savings and loan holding compa-nies with consolidated assets of $50 billion ormore that are not included in the LISCC port-folio.

• Large Foreign Banking Organizations (LargeFBOs): foreign banking organizations withcombined assets of U.S. operations of $50billion or more that are not included in theLISCC portfolio.

In certain instances, the framework applies tothe intermediate holding company that is theprimary focus of regulations and supervisoryactivities for the consolidated entity.

2124.05.2 FRAMEWORK OVERVIEW

The supervisory framework comprises theframework’s sections’ A, B, and C. Sections Aand B specifies the Federal Reserve’s expecta-tions across the following core areas of supervi-sory focus:

A. Enhancing Resiliency of a Firm(1) Capital and Liquidity Planning and Posi-

tions(2) Corporate Governance(3) Recovery Planning(4) Management of Core Business Lines

B. Reducing the Impact of a Firm’s Failure(1) Management of Critical Operations(2) Support for Banking Offices(3) Resolution Planning(4) Additional Macroprudential Supervisory

Approaches to Address Risks to Finan-cial Stability

C. Conduct of Supervisory Activities

The Federal Reserve may periodically iden-tify additional supervisory priorities beyondthese core areas of focus as necessary toenhance firm-specific supervision and developcross-firm perspectives.

Subsection 2124.05.5, ‘‘Conduct of Supervi-sory Activities,’’ (framework section C) outlinesthe conduct of supervisory activities used tomaintain a comprehensive understanding andassessment of each firm. Effective consolidated

supervision requires strong, cooperative rela-tionships between the Federal Reserve and otherbank supervisors and functional regulators. TheFederal Reserve generally relies to the fullestextent possible on the information and assess-ments provided by other supervisors and regula-tors to support effective supervision. Supervi-sory agencies engaged in the supervision oflarge financial institutions continue to enhanceformal and informal discussions to jointly iden-tify and address key vulnerabilities, and to coor-dinate supervisory strategies for these firms.

As a general matter, this framework is appli-cable in circumstances when the consolidatedorganization and its banking offices are in atleast satisfactory condition and there are nomaterial weaknesses or risks across these coreareas of supervisory focus. The Federal Reserveapplies additional supervisory expectations, andundertakes related activities, to address identi-fied concerns including areas subject to formalor informal enforcement action.

2124.05.3 ENHANCING RESILIENCYOF A FIRM

2124.05.3.1 Capital and LiquidityPlanning and Positions

The financial crisis demonstrated the need forstronger regulatory and supervisory assessmentsof firms’ financial resiliency.6 The FederalReserve noted significant weaknesses in theadequacy of firms’ point-in-time regulatorycapital to cover accumulated and prospectiverisks, as well as in firms’ liquidity buffers andrisk-management practices.7 These weaknessescontributed to the failure or near failure of manyfinancial firms and exacerbated the crisis. Tosupport effective capital and liquidity planning,and the adequacy of capital and liquidity posi-tions, each firm should:

a) Maintain strong capital and liquidity posi-tions that not only comply with regulatoryrequirements, but also support the firm’songoing ability to meet its obligations tocreditors and other counterparties, as well ascontinue to serve as a financial intermediary

6. See the Board’s final rule on capital plan requirements

for large bank holding companies (76 Fed. Reg. 74631,

December 1, 2011); SR-10-6, ‘‘Interagency Policy Statement

on Funding and Liquidity Risk Management’’ (75 Fed. Reg.

13656, March 22, 2010); and section 4066.0 of this manual.

7. The capital components of this framework, including

those related to stress testing, will apply to savings and loan

holding companies after they become subject to minimum

regulatory capital requirements.

Consolidated Supervision Framework for Large Financial Institutions 2124.05


through periods of stress.b) Have in place robust internal processes that

enable the firm to maintain capital andliquidity commensurate with its unique risksunder normal and stressful conditions, and toprovide timely restoration of financial buf-fers in the event of drawdown.

c) Maintain processes that enable the identifica-tion and measurement of potential risks toasset quality, earnings, cash flows, and otherprimary determinants of capital and liquiditypositions.

d) Utilize comprehensive projections of thelevel and composition of capital and liquid-ity resources, supported by rigorous andregular stress testing to assess the potentialimpact of a broad range of expected andpotentially adverse scenarios.

e) Maintain sound risk measurement and mod-eling capabilities, supported by comprehen-sive data collection and analysis, indepen-dent validation, and effective governance,policies, and controls.8

f) Establish goals for capital and liquidity posi-tions that are approved by the firm’s board ofdirectors and reflect the potential impact oflegal or regulatory restrictions on the transferof capital or liquidity between legal entities.

g) Maintain independent internal audit andother review functions with appropriate staffexpertise, experience, and stature in the orga-nization to monitor the adequacy of capitaland liquidity risk measurement and manage-ment processes.

2124.05.3.2 Corporate Governance

In order for a firm to be sustainable under abroad range of economic, operational, legal orother stresses, its board of directors (or equiva-lent for the U.S. operations of FBOs) shouldprovide effective corporate governance with thesupport of senior management. The board isexpected to establish and maintain the firm’sculture, incentives, structure, and processes thatpromote its compliance with laws, regulations,and supervisory guidance. Each firm’s board ofdirectors and committees, with support fromsenior management, should:

a) Maintain a clearly articulated corporate strat-egy and institutional risk appetite. The boardshould set direction and oversight for rev-enue and profit generation, risk managementand control functions, and other areas essen-

tial to sustaining the consolidatedorganization.

b) Ensure that the firm’s senior managementhas the expertise and level of involvementrequired to manage the firm’s core businesslines, critical operations, banking offices, andother material entities.9 These areas shouldreceive sufficient operational support toremain in a safe and sound condition under abroad range of stressed conditions.

c) Maintain a corporate culture that emphasizesthe importance of compliance with laws andregulations and consumer protection, as wellas the avoidance of conflicts of interest andthe management of reputational and legalrisks.

d) Ensure the organization’s internal audit, cor-porate compliance, and risk management andinternal control functions are effective andindependent, with demonstrated influenceover business-line decision making that isnot marginalized by a focus on short-termrevenue generation over longer-termsustainability.10

e) Assign senior managers with the responsibil-ity for ensuring that investments across busi-ness lines and operations align with corpo-rate strategies, and that compensationarrangements and other incentives are consis-tent with the corporate culture and institu-tional risk appetite.11

f) Ensure that management information sys-tems (MIS) support the responsibilities of theboard of directors to oversee the firm’s corebusiness lines, critical operations, and othercore areas of supervisory focus.

2124.05.3.3 Recovery Planning

Robust recovery planning is central to ensuringthe ongoing resiliency of a firm’s consolidatedoperations as well as its core business lines,critical operations, banking offices, and othermaterial entities. Each firm should plan forpotential financial or operational weaknessesand identify actions to correct those weaknesses.

8. See SR-11-7, and section 2126.0 of this manual.

9. ‘‘Material entities’’ are subsidiaries or foreign offices of

the firm that are significant to the activities of a core business

line or critical operation.

10. See SR-08-8/CA-08-11, and section 2124.07 of this

manual.

11. Refer to ‘‘Guidance on Sound Incentive Compensation

Policies’’ (75 Fed. Reg. 36395, June 25, 2010) and section

2068.0 of this manual.



Therefore, each firm should:

a) Maintain clearly documented quantitativeand qualitative criteria that would triggertimely implementation of specific elementsof the firm’s recovery plan and provide formore rigorous remediation activities if initialactions prove insufficient.

b) Ensure that trigger events reflect a suffi-ciently broad range of market- and firm-specific stresses across financial, operational,reputational, legal, and compliance risks.

c) Ensure that recovery planning reflects aholistic view of sustainability and resiliency.Recovery planning should be closely inte-grated with resolution planning, capital andliquidity planning, and other aspects of finan-cial contingency, crisis management, andbusiness continuity planning.12

d) Undertake recovery testing and training exer-cises that consider a broad range of internaland external risk scenarios and account forinterconnectivities across operations andlegal entities.

e) Ensure that the recovery plan is updated asneeded, and reflects lessons learned fromreviews of trigger events, testing, and train-ing exercises.

f) Ensure that recovery planning is sufficientlyintegrated into corporate governance struc-tures and processes, subject to independentvalidation, and effectively supported byrelated MIS reporting to the board and itscommittees.

2124.05.3.4 Management of CoreBusiness Lines

Effective management of core business lines isessential to ensuring the resilience of the con-solidated organization, as these activities are theprimary drivers of the firm’s revenue genera-tion, profitability, and franchise value. For thisreason, a firm’s corporate governance shouldextend (as discussed in subsection 2124.05.3.2,‘‘Corporate Governance’’ (framework sectionA.2)) to the management of each core businessline. Each core business line should have:

• Business-line senior management with quali-

fications and experience commensurate withthe size and complexity of related activitiesand operations;

• A strategic planning process that ensures areasof growth and innovation are effectivelymanaged;

• Appropriate compensation and other incen-tives that are consistent with the institutionalrisk appetite and in compliance with laws andregulations;

• An independent and strong risk-managementframework that supports identification, mea-surement, assessment, and control of the fullspectrum of risks; and

• Timely identification and resolution of audit,compliance, and regulatory issues

2124.05.4 REDUCING THE IMPACTOF A FIRM’S FAILURE

2124.05.4.1 Management of CriticalOperations

The failure or discontinuance of any of a firm’scritical operations could weaken the U.S. econ-omy or pose a threat to the financial stability ofthe United States. Each of the supervisoryexpectations outlined around management ofcore business lines (see subsection 2124.05.3.4,‘‘Management of Core Business Lines’’ (frame-work section A.4)) applies equally to manage-ment of critical operations to ensure their finan-cial and operational resilience. Additionally,each firm should ensure that critical operationsare sufficiently resilient to be maintained, con-tinued, and funded even in the event of failureor material financial or operational distress.These expectations should be fully reflected inrecovery and resolution planning.

2124.05.4.2 Support for Banking Offices

The Federal Reserve’s consolidated supervisionprogram has historically focused on protectingthe safety and soundness of U.S. depositoryinstitution subsidiaries of bank holding compa-nies and the U.S. branches and agencies of for-eign banking organizations (collectively definedas banking offices). This is due to the risksposed by banking offices’ access to the federalsafety net. Specifically, these offices pose risksto the payment system, the Federal Reserve’sdiscount window, and—in the case of most U.S.depository institutions—federal deposit insur-ance funds.

A consolidated organization should serve as a

12. Business continuity expectations include adherence

with expectations set forth in SR-03-9, including the geo-

graphic diversity and resiliency of data centers and opera-

tions, and testing of recovery and resumption arrangements.



source of financial and managerial strength toits banking offices. The activities of the parentcompany and affiliated nondepository subsidi-aries should not present material risks to affili-ated banking offices, the consolidated organiza-tion itself, or to the consolidated organization’sability to support its banking offices.13 Eachfirm should:

a) Provide for the strength and resiliency of itsbanking offices, ensuring prompt financialand operational support so that each officeremains in a safe and sound condition undera broad range of stressed conditions.

b) Ensure that the activities of the parent com-pany and nondepository institution subsidi-aries do not present undue direct or indirectrisks to the safety and soundness of bankingoffices. This includes the transmission offinancial, operational, legal, compliance, orreputational risks that may undermine publicconfidence in the financial strength of itsbanking offices.

c) Maintain sufficient liquidity, cash flow, andcapital strength at the parent company andnondepository institution subsidiaries to ser-vice debt obligations and cover fixedcharges. The parent company needs to con-sider whether there are any legal or regula-tory restrictions on financial transfersbetween legal entities within the organiza-tion.

d) Implement and maintain effective policies,procedures, and systems to ensure compli-ance with applicable laws and regulations.This includes compliance with respect tocovered transactions subject to the Board’sRegulation W, which implements sections23A and 23B of the Federal Reserve Act andlimits a bank’s transactions with its affili-ates.14

2124.05.4.3 Resolution Planning

To promote financial stability, the Dodd-FrankAct requires each bank holding company withconsolidated assets of $50 billion or more, aswell as nonbank financial companies designatedby the FSOC, to develop and maintain plans forrapid and orderly resolution in the event ofmaterial financial distress or failure. These plansshould be utilized as an element of the firm’sstrategic planning and address the complexityand interconnectivity of the firm’s operations.15

The Federal Reserve and the FDIC jointlyreview a firm’s resolution plan relative to super-visory requirements, including:

a) The firm’s strategic analysis describing itsplans for rapid and orderly resolution underthe U.S. Bankruptcy Code (or other relevantinsolvency regimes). This strategy must notpose systemic risk and must exclude relianceon extraordinary support from the UnitedStates or any other government to preventfailure of the firm.

b) The firm’s strategy for maintaining and fund-ing material entities, critical operations, andcore business lines in the event of materialfinancial distress.

c) Analysis of potential impediments to resolu-tion, and actions to make the firm moreresolvable or otherwise reduce its complex-ity and interconnectivity.

d) Analysis of whether the failure of a majorcounterparty would likely result in the mate-rial financial distress or failure of the firm.

e) The manner and extent to which an insureddepository subsidiary is adequately protectedfrom risks arising from the activities of non-depository subsidiaries.

f) For a U.S. firm with foreign operations, itsstrategy for addressing the risks arising fromthese foreign operations to its U.S. opera-tions, and its ability to maintain core businesslines and critical operations in foreign juris-dictions.

g) Analysis of whether resolution planning issufficiently integrated into corporate gover-nance structures and processes, subject toindependent validation, and effectively sup-ported by related MIS reporting to the boardof directors and its committees.

13. Due to structural differences, there are important dis-

tinctions in the forms of support provided to U.S. depository

institution subsidiaries versus those provided to the U.S.

branches and agencies of foreign banks. For example,

branches/agencies do not hold capital and have differing busi-

ness and liquidity profiles, governance mechanisms, and regu-

latory requirements than depository institutions. Therefore,

the Federal Reserve will consider these differences in its

implementation of this supervisory framework for the U.S.

branches and agencies of FBOs, and expects parent FBOs and

their U.S. branches and agencies to do the same. The extent of

supervisory activity undertaken to assess the adequacy of

parent company support for U.S branches and agencies of

FBOs is scaled to the condition, size, and interconnectedness

of these offices.

14. See SR-03-2, and section 2020.1 of this manual.

15. Refer to 12 C.F.R. 243 (Federal Reserve) and 12 C.F.R.

381 (FDIC) for the ‘‘Resolution Plans Required’’ regulations.

See also, 76 Fed. Reg. 67323, November 1, 2011.



2125.05.4.4 Additional MacroprudentialSupervisory Approaches to Address Risksto Financial Stability

The financial crisis demonstrated that too nar-row a focus on the safety and soundness ofindividual firms can result in a failure to detectand address emerging threats to financial stabil-ity that arise across many firms. The Dodd-Frank Act requires the Federal Reserve to con-sider the broader risks to financial stabilityposed by individual companies and through theinterconnectedness among these companies. Seesection 1040.0.3 of this manual.

The Federal Reserve aims to reduce systemicrisks by increasing the capacity of firms andmarkets to absorb shocks when problems occur,and by reducing potential costs in the event offinancial distress or failure of a systemicallyimportant institution. Supervision carried outunder this framework will support a variety ofmacroprudential supervisory approaches beyondthose already discussed, including:

a) Using insights developed through micropru-dential supervision and related data collec-tion and analysis to identify, understand, andassess potential systemic risks. Areas ofreview could include, for example, emergingtrends in critical operations, interconnected-ness, rapidly expanding markets, cyclicalindustries, and financial products lackingsubstitutes or effecting large market seg-ments.

b) Identifying potential risks to financial stabil-ity indicated by the information in supervi-sory stress tests and through trends in sce-narios employed by firms in their internalstress tests.

c) Using comparative and aggregate analysis tomonitor industry practices, common invest-ment or funding strategies, changes in degreeor form of financial interconnectedness, orother developments with implications forfinancial stability.

d) Coordinating with the Federal Reserve’ssupervision of systemically important finan-cial market utilities to identify and addressrisks related to payment, clearing, and settle-ment activities, as well as to identify poten-tial structural vulnerabilities.

e) Working closely with the FSOC and otherregulators and supervisors to support the des-ignation and supervision of systemicallyimportant nonbank firms, and to enhance the

monitoring of systemic risk.f) Enhancing international coordination with

foreign counterparts, including nationalsupervisors and international bodies such asthe Basel Committee on Bank Supervision,the Financial Stability Board, and the SeniorSupervisors Group. These activities focus onenhancing oversight of internationally activefinancial firms and markets and on minimiz-ing the opportunities for firms to take advan-tage of weaker or inconsistent regulations.

2124.05.5 CONDUCT OFSUPERVISORY ACTIVITIES

The Federal Reserve uses a range of supervisoryactivities to maintain a comprehensive under-standing and assessment of each firm, including:

a) Coordinated horizontal reviews involveexamination of several institutions simulta-neously, encompassing firm-specific supervi-sion and the development of cross-firm per-spectives. The Federal Reserve recognizesthe priority of these reviews through thededication of multidisciplinary skills andexperienced staff. Examples include analysisof capital adequacy and planning via theComprehensive Capital Analysis and Review(CCAR), as well as horizontal evaluations ofresolution plans and incentive compensationpractices.

b) Firm-specific examination and continuousmonitoring activities16 are undertaken tomaintain an understanding and assessmentacross the core areas of supervisory focus foreach firm. These activities include reviewand assessment of changes in strategy, inher-ent risks, control processes, and key person-nel, and follow-up on previously identifiedconcerns (for example, areas subject toenforcement actions or other supervisoryissues, or emerging vulnerabilities).

c) In developing and executing a detailedsupervisory plan for each firm, the FederalReserve generally relies to the fullest extentpossible on the information and assessmentsprovided by other relevant supervisors andfunctional regulators. The Federal Reserveactively participates in interagency informa-

16. ‘‘Continuous monitoring activities’’ include meetings

with a banking organization’s management; analysis of inter-

nal MIS reports, market indicators, and other internal and

external information; review of internal and external audit

findings; and coordination with other relevant supervisors and

functional regulators and utilization of their work as appropri-

ate.



tion sharing and coordination, consistent withapplicable laws, to promote comprehensiveand effective supervision and limit unneces-sary duplication of information requests.Supervisory agencies continue to enhanceformal and informal discussions to jointlyidentify and address key vulnerabilities, andto coordinate supervisory strategies for largefinancial institutions.

d) In certain instances, supervisors may be ableto rely on a firm’s internal audit or internalcontrol functions in developing a compre-hensive understanding and assessment.

2124.05.6 APPENDIX A

2124.05.6.1 Risk Transfer ConsiderationsWhen Assessing Capital Adequacy

The following discussion, SR-13-23, providessupplemental guidance to SR-12-17/CA letter12-14 pertaining to its supervisory focus on aninstitution’s capital adequacy and liquidity suffi-ciency. The supplemental guidance centers onhow certain risk transfer transactions affectassessments of capital adequacy at large finan-cial institutions (hereafter referred to as firms).17

It provides clarification on supervisory expecta-tions when assessing a firm’s capital adequacyin certain circumstances when the risk-basedcapital framework may not fully capture theresidual risks of a transaction.18

Risk mitigation techniques can reduce afirm’s level of risk. In general, the FederalReserve views a firm’s engagement in risk-reducing transactions as a sound risk-management practice. There are, however, cer-tain risk-reducing transactions for which therisk-based capital framework may not fullycapture the residual risks that a firm faces on apost-transaction basis. As a result of inquiriesand discussions with market participants, theFederal Reserve has identified specific charac-teristics of risk transfer transactions that give

rise to this concern and on which further guid-ance is needed, including cases in which

• A firm transfers the risk of a portfolio to acounterparty (which may be a thinly capital-ized special purpose vehicle (SPV)) that isunable to absorb losses equal to the risk-basedcapital requirement for the risk transferred; or

• A firm transfers the risk of a portfolio to anunconsolidated, ‘‘sponsored’’ affiliate entityof the firm (which also may be an SPV).

In cases involving unaffiliated counterparties,while the transactions may result in a significantreduction in a firm’s risk-weighted assets andassociated capital requirements under the regu-latory capital framework, the firm may nonethe-less face residual risks. These residual risksarise because the effectiveness of a firm’s hedgeinvolving a thinly capitalized SPV counterpartywould be limited to the loss absorption capacityof the SPV itself. In cases involving unconsoli-dated ‘‘sponsored’’ affiliates of the firm, theresidual risk arises from the implicit obligationthe sponsoring firm may have to provide sup-port to the affiliate in times of stress. SR-13-23addresses how the Federal Reserve supervisorystaff will view such risk-reducing transactions19

in evaluating a firm under the Board’s capitalplan rule and the associated annual Comprehen-sive Capital Analysis and Review (CCAR).20

In the case of a risk transfer transaction with anon-affiliated, limited-recourse SPV or othercounterparty with limited loss-absorption capac-ity, Federal Reserve supervisory staff will evalu-ate the difference between the amount of capitalrequired for the hedged exposures before therisk transfer transaction and the counterparty’sloss-absorbing resources. When evaluating capi-tal adequacy, including in the context of CCAR,supervisory staff will evaluate whether a firmholds sufficient capital in addition to its mini-mum regulatory capital requirements to coverthis difference.21 In addition, when a firmengages in such a risk transfer transaction, the

17. This guidance applies to large financial institutions that

are domestic bank and savings and loan holding companies

with consolidated assets of $50 billion or more and foreign

banking organizations with combined assets of U.S. opera-

tions of $50 billion or more.

18. See 12 CFR 217. The risk-based capital framework

establishes risk-based and leverage capital requirements for

banking organizations, including top-tier savings and loan

holding companies, except those that are substantially

engaged in insurance underwriting or commercial activities.

This guidance would apply to such entities at such time as

risk-based and leverage capital requirements become applica-

ble to them.

19. While the cases described are examples, the principles

set forth should apply to other transactions that call into

question the degree to which risk transfer has occurred.

20. See 12 CFR 225.8(d)(2)(i). For additional guidance on

CCAR, refer to the Federal Reserve’s website at

www.federalreserve.gov/bankinforeg/ccar.htm. The capital

plan rule and CCAR apply only to bank holding companies

with total consolidated assets of $50 billion or more.

21. Supervisory staff may also analyze whether the coun-

terparty has liabilities in addition to the specific risk transfer

transaction.



firm should be able to demonstrate that it reflectsthe residual risk in its internal assessment ofcapital adequacy and maintains sufficient capitalto address such risk. In this regard, a commit-ment by a third party to provide additional capi-tal in a period of financial stress would not becounted toward the loss-absorbing capacity ofthe counterparty.

Example: A firm has a $100 portfolio that hasa capital requirement of $8. If the firm under-takes a transaction to transfer the risk of thisportfolio to an unaffiliated SPV with paid-incapital of $3, then the firm would need to beable to demonstrate that, in addition to meet-ing its minimum regulatory capital require-ments, the firm has sufficient capital to coverthe $5 difference between the SPV’s capitaland the capital requirement associated withthe portfolio.

In the case of risk transfer to an unconsoli-dated, ‘‘sponsored’’ affiliated entity, the natureof the firm’s relationship with the entity callsinto question the degree of risk transfer in thetransaction. Firms are discouraged from enter-ing into such transactions, which generally donot involve effective risk transfer because of thesponsored entity’s ongoing relationship with thefirm and, as noted above, the implicit obligationthat the firm may have to provide capital to thesponsored entity in a period of financial stressaffecting the sponsored entity. Firms engagingin such transactions should presume for the pur-pose of their internal capital adequacy assess-ment as well as for capital planning purposesthat no risk transfer has occurred.

Supervisors will strongly scrutinize risk trans-fer transactions that result in substantial reduc-tions in risk-weighted assets, including in super-visors’ assessment of a firm’s overall capitaladequacy, capital planning, and risk manage-ment through CCAR. Based on an assessmentof the risks retained by the firm, the Board mayin particular cases determine not to recognize atransaction as a risk mitigant for risk-based capi-tal purposes.22 Firms should bring these types of

risk transfer transactions to the attention of theirsenior management and supervisors. Supervi-sors will evaluate whether a firm can adequatelydemonstrate that the firm has taken into accountany residual risks in connection with the trans-action.

2124.05.7 APPENDIX B—MANAGINGFOREIGN EXCHANGE SETTLEMENTRISKS FOR PHYSICALLY SETTLEDTRANSACTIONS

The Federal Reserve notes that the Basel Com-mittee on Banking Supervision (Committee),with input from the Federal Reserve,23 pub-lished ‘‘Supervisory Guidance for ManagingRisks Associated with the Settlement of ForeignExchange Transactions’’ (guidance) in February2013. This guidance sets forth seven principlesor ‘‘guidelines’’ for managing foreign exchangetransaction-settlement risks. The FederalReserve considers this guidance on foreignexchange settlement risks to be a component ofits current, broad-based focus on banking insti-tutions’ foreign exchange activities.

The Federal Reserve supports these principlesas part of its continuing effort to promote theglobal financial system’s ability to withstandsevere market disruptions, and has determinedthat the institutions subject to SR-13-24 (cov-ered institutions)24 should apply the sevenguidelines, which are summarized below (seesections 3.1 through 3.7 of the guidance), totheir foreign exchange activities, with the fol-lowing clarifications regarding application ofthe guidance in the United States.25

22. See generally 12 CFR 217.1(d)(1), (d)(3), and (d)(5).

In addition, under the Board’s current capital adequacy guide-

lines for bank holding companies and state member banks

(banking organizations), the Board may determine that the

regulatory capital treatment for a banking organization’s

exposure or other relationship to an entity not consolidated on

the banking organization’s balance sheet is not commensurate

with the actual risk relationship of the banking organization to

the entity. In making this determination, the Board may

require the banking organization to treat the entity as if it were

consolidated onto the balance sheet of the banking organiza-

tion for risk-based capital purposes and calculate the appropri-

ate risk-based capital ratios accordingly, all as specified by the

Board. See 12 CFR parts 208 and 225, Appendix A, section I.

23. This guidance applies to large financial institutions

supervised by the Federal Reserve, as defined in SR-12-17/

CA-12-14. This guidance does not apply to community and

regional banking organizations, defined as those with less

than $50 billion in total consolidated assets, unless the bank-

ing organization engages in significant foreign exchange

activities.

24. While the Committee’s guidance uses the term ‘‘bank,’’

for purposes of SR-13-24, ‘‘covered institutions’’ are those

defined in SR-12-17/CA-12-14 as Large Institution Supervi-

sion Coordinating Committee (LISCC) firms, large banking

organizations (LBOs), and U.S operations of large foreign

banking Organizations (large FBOs), as well as any other

banking organization that engages in significant foreign

exchange activities.

25. The guidance applies to foreign exchange transactions

that consist of two settlement payment flows. This includes

spot transactions, forwards, swaps, deliverable options, and



• Guideline 1—Governance. A bank shouldhave strong governance arrangements over itsforeign exchange settlement-related risks,including a comprehensive risk-managementprocess and active engagement by the boardof directors.

Paragraph 3.1.8 of the guidance states thatthe board of directors of a covered institutionshould oversee the management of the com-pliance function associated with settling for-eign exchange transactions. For purposes ofthe application of the guidelines by coveredinstitutions, senior management should rou-tinely communicate significant compliancematters to the board of directors. The board ofdirectors may choose to delegate regular over-sight to a single board member or a committeeof the board.

• Guideline 2—Principal risk. A bank shoulduse financial market infrastructures that pro-vide payment-versus-payment settlement toeliminate principal risk when settling foreignexchange transactions. Where payment-versus-payment settlement is not practicable,a bank should properly identify, measure, con-trol, and reduce the size and duration of itsremaining principal risk.

• Guideline 3—Replacement-cost risk. A bankshould employ prudent risk-mitigationregimes to properly identify, measure, moni-tor, and control replacement-cost risk for for-eign exchange transactions until settlementhas been confirmed and reconciled.

Paragraph 3.3.7 of the guidance refers totransactions with affiliates. Covered institu-tions are encouraged to exchange variationmargin for inter-affiliate transactions as a mat-ter of sound business practice.

• Guideline 4—Liquidity risk. A bank shouldproperly identify, measure, monitor, and con-trol its liquidity needs and risks in each cur-rency when settling foreign exchange transac-tions.

• Guideline 5—Operational risk. A bank shouldproperly identify, assess, monitor, and controlits operational risks. A bank should ensurethat its systems support appropriate risk-management controls, and have sufficientcapacity, scalability, and resiliency to handleforeign exchange volumes under normal andstressed conditions.

• Guideline 6—Legal risk. A bank shouldensure that agreements and contracts arelegally enforceable for each aspect of itsactivities in all relevant jurisdictions.

Paragraph 3.6.2 of the guidance states thatinstitutions conducting business in multiplejurisdictions should identify, measure, moni-tor, and control for the risks arising fromconflicts of laws across jurisdictions and sug-gests accomplishing these objectives byobtaining legal opinions from qualified inter-nal or external counsel. The Federal Reservedoes not expect a covered institution to obtaina legal opinion for every transaction; rather,management should seek legal advice thataddresses standardized terms, master nettingand other significant agreements, and indi-vidual transactions as appropriate.

• Guideline 7—Capital for foreign exchangetransactions. When analyzing capital needs, abank should consider all foreign exchangesettlement-related risks, including principalrisk and replacement-cost risk. A bank shouldensure that sufficient capital is held againstthese potential exposures, as appropriate.

While the Federal Reserve acknowledges theprinciples set forth in section 3.7 of the guid-ance, and in particular that all risks related to thesettlement of foreign exchange transactionsshould be considered in determining capitalneeds under the applicable capital framework,the guidance does not and is not intended tomodify the calculation of regulatory capitalrequirements for covered institutions.

currency swaps involving exchange of principal. It excludes

instruments that involve one-way settlement payments, such

as non-deliverable forwards, non-deliverable options, and

contracts for difference. The Federal Reserve expects that the

guidance will be applied broadly by the covered institutions

and notes that there may be limited instances in which an

institution need not apply this guidance to an insignificant

currency exposure.



Compliance Risk-Management Programs and Oversight at Large BankingOrganizations with Complex Compliance Profiles Section 2124.07

Banking organizations have greatly expandedthe scope, complexity, and global nature of theirbusiness activities. At the same time, compli-ance requirements associated with these activi-ties have become more complex. As a result,organizations have confronted significant riskmanagement and corporate governance chal-lenges, particularly with respect to compliancerisks that transcend business lines, legal entities,and jurisdictions of operation.1 To address thesechallenges, many banking organizations haveimplemented or enhanced firmwide compliancerisk-management programs and programoversight.

While the guiding principles of sound riskmanagement are the same for compliance as forother types of risk, the management and over-sight of compliance risk presents certain chal-lenges. For example, quantitative limits reflect-ing the board of directors’ risk appetite can beestablished for market and credit risks, allocatedto the various business lines within the organiza-tion, and monitored by units independent of thebusiness line. Compliance risk does not lenditself to similar processes for establishing andallocating overall risk tolerance, in part becauseorganizations must comply with applicable rulesand standards. Additionally, existing compli-ance risk metrics are often less meaningful interms of aggregation and trend analysis as com-pared with more traditional market- and credit-risk metrics. These distinguishing characteris-tics of compliance risk underscore the need for afirmwide approach to compliance risk manage-ment and oversight for large, complex organiza-tions. A firmwide compliance function thatplays a key role in managing and overseeingcompliance risk while promoting a strong cul-ture of compliance across the organization isparticularly important for large, complex organi-zations that have a number of separate businesslines and legal entities that must comply with awide range of applicable rules and standards.

The Federal Reserve strongly encourageslarge banking organizations with complexcompliance profiles to ensure that the neces-sary resources are dedicated to fully implement-ing effective firmwide compliance risk-

management programs and oversight in a timelymanner.2

The Federal Reserve’s expectations for allsupervised banking organizations are consistentwith the principles outlined in a paper issued inApril 2005 by the Basel Committee on BankingSupervision, entitled Compliance and the com-pliance function in banks (Basel compliancepaper). The principles in the Basel compliancepaper have become widely recognized as globalsound practices for compliance risk manage-ment and oversight, and the Federal Reserveendorses these principles. This section providesclarification as to the Federal Reserve’s viewsregarding certain compliance risk managementand oversight matters with regard to bankingorganizations with complex compliance profilesin the specific areas addressed within this sec-tion (see SR-08-8/CA-08-11):

1. organizations that should implement a firm-wide approach to compliance risk manage-ment and oversight;

2. independence of compliance staff;3. compliance monitoring and testing; and4. responsibilities of boards of directors and

senior management regarding compliancerisk management and oversight.

2124.07.1 FIRMWIDE COMPLIANCERISK MANAGEMENT ANDOVERSIGHT

2124.07.1.1 Overview

Organizations supervised by the FederalReserve, regardless of size and complexity,should have effective compliance risk-management programs that are appropriately tai-lored to the organizations’ risk profiles.3 The

1. Compliance risk is the risk of legal or regulatory sanc-tions, financial loss, or damage to reputation resulting fromfailure to comply with laws, regulations, rules, other regula-tory requirements, or codes of conduct and other standards ofself-regulatory organizations applicable to the banking organi-zation (applicable rules and standards). (See, generally, Com-pliance and the compliance function in banks, Basel Commit-tee on Banking Supervision, April 2005, www.bis.org.)

2. Effective compliance risk-management programs incor-porate controls designed to maintain compliance with applica-ble rules and standards, including safety and soundness andconsumer protection guidance issued by supervisoryauthorities.

3. See SR-95-51, ‘‘Rating the Adequacy of Risk Manage-ment Processes and Internal Controls at State Member Banksand Bank Holding Companies’’ (section 4070.1). This letteror section provides general guidance on risk-managementprocesses and internal controls for consolidated organizationsand discusses the elements of a sound risk-management sys-tem applicable to all banking organizations for which theFederal Reserve has supervisory responsibility. SR-95-51


manner in which the program is implementedand the type of oversight needed for that pro-gram can vary considerably, depending upon thescope and complexity of the organization’sactivities, the geographic reach of the organiza-tion, and other inherent risk factors. Larger,more complex banking organizations tend toconduct a wide range of business activities thatare subject to complex compliance requirementsthat frequently transcend business lines andlegal entities and, accordingly, present risk-management and corporate governance chal-lenges. Consequently, these organizations typi-cally require a firmwide approach to compliancerisk management and oversight that includes acorporate compliance function. In contrast,smaller, less-complex banking organizations arenot generally confronted with the types of com-pliance risks and challenges that require a com-prehensive firmwide approach to effectivelymanage and oversee compliance risk. The fol-lowing discussion, therefore, is not directed atsmaller, less-complex banking organizations.

Firmwide compliance risk management re-fers to the processes established to managecompliance risk across an entire organization,both within and across business lines, supportunits, legal entities, and jurisdictions of opera-tion. This approach ensures that compliancerisk management is conducted in a contextbroader than would take place solely withinindividual business lines or legal entities. Theneed for a firmwide approach to compliancerisk management at larger, more complex bank-ing organizations is well demonstrated in areassuch as anti-money-laundering, privacy, affili-ate transactions, conflicts of interest, and fairlending, where legal and regulatory require-ments may apply to multiple business lines orlegal entities within the banking organization.Certain other compliance risks may also war-rant a firmwide risk-management approach toaddress similar rules and standards that applyto the organization’s operations across differentjurisdictions. In all such instances, compliancerisk management benefits from an aggregateview of the organization’s compliance riskexposure and an integrated approach to manag-ing those risks.

The processes established for managing com-pliance risk on a firmwide basis should be for-malized in a compliance program that estab-lishes the framework for identifying, assessing,controlling, measuring, monitoring, and report-ing compliance risks across the organization,and for providing compliance training through-out the organization. A banking organization’scompliance risk-management program shouldbe documented in the form of compliance poli-cies and procedures and compliance risk-management standards.4

Firmwide compliance oversight refers to theprocesses established to oversee compliance riskmanagement across the entire organization, bothwithin and across business lines, legal entities,and jurisdictions of operation. In addition to theoversight provided by the board of directors andvarious executive and management committeesof an organization, a key component of firm-wide compliance oversight in larger, more com-plex banking organizations is a corporate com-pliance function that has day-to-dayresponsibility for overseeing and supporting theimplementation of the organization’s firmwidecompliance risk-management program, and thatplays a key role in controlling compliance risksthat transcend business lines, legal entities, andjurisdictions of operation.

states that all bank holding companies should be able to assessthe major risks of the consolidated organization. See also 12C.F.R. 208, appendix D-1, ‘‘Interagency Guidelines Establish-ing Standards for Safety and Soundness.’’

4. Compliance policies refer to both (1) firmwide compli-ance policies that apply to all employees throughout theorganization as they conduct their business and support activi-ties and (2) the more detailed, business-specific policies thatare further tailored to, and more specifically address, compli-ance risks inherent in specific business lines and jurisdictionsof operation, and apply to employees conducting business andsupport activities for the specific business line and/or jurisdic-tion of operation. Compliance procedures refer to the controlprocedures that are designed to implement compliance poli-cies. Compliance risk-management standards refer to policiesand procedures applicable to compliance staff as they fulfilltheir day-to-day compliance responsibilities. Compliancestandards should clearly articulate expectations regarding theprocesses to be followed in implementing the organization’sfirmwide compliance risk-management program, includingthe processes and criteria to be utilized in identifying, assess-ing, controlling, measuring, monitoring, and reporting compli-ance risk, and in providing compliance training. Compliancestandards should also clearly articulate the roles and responsi-bilities of the various committees, functions, and staff withcompliance support and oversight responsibilities.

Compliance Risk-Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles 2124.07


2124.07.1.2 Federal Reserve SupervisoryPolicies on Compliance Risk Managementand Oversight

2124.07.1.2.1 Large BankingOrganizations with Complex ComplianceProfiles

Although balance sheet size is not the definingindication of a banking organization’s compli-ance risk-management needs, experience hasdemonstrated that banking organizations with$50 billion or more in consolidated total assetstypically have multiple legal entities that posethe type of compliance risks and challenges thatcall for a comprehensive firmwide approach toappropriately control compliance risk and pro-vide effective oversight. Accordingly, such orga-nizations should generally implement firmwidecompliance risk-management programs andhave a corporate compliance function.

Compliance programs at such organizationsshould include more robust processes for identi-fying, assessing, controlling, measuring, moni-toring, and reporting compliance risk, and forproviding compliance training throughout theorganization in order to appropriately controlthe heightened level and complexity of compli-ance risk. The corporate compliance functionshould play a key role in overseeing and sup-porting the implementation of the compliancerisk-management program and in controllingcompliance risks that transcend business lines,legal entities, and jurisdictions of operation.5

2124.07.1.2.2 Large BankingOrganizations with Less-ComplexCompliance Profiles

In some instances, banking organizations thatmeet the $50 billion asset threshold may havefew legal entities, may be less complex innature, and may engage in only a very limitedrange of business activities. Such organizations

may be able to effectively manage and overseecompliance risk without implementing a com-prehensive firmwide approach. Alternatively,these organizations may choose to implement afirmwide approach whose scope is highly risk-focused on particular compliance risks that existthroughout the organization. In lieu of relyingon a corporate compliance function to play akey role in providing day-to-day oversight ofthe compliance program, these organizationsmay rely on executive and management com-mittees that are actively involved in providingongoing corporate oversight of the compliancerisk-management program. An organization thatadopts this approach, however, should ensurethat its compliance program incorporates con-trols that effectively address compliance risksthat transcend business lines, legal entities, andjurisdictions of operation; that appropriate firm-wide standards are established for the businesslines to follow in managing compliance risk andreporting on key compliance matters; and thatthe organization is appropriately overseeing theimplementation of its compliance risk-management program.

2124.07.1.2.3 Foreign BankingOrganizations

Each foreign banking organization supervisedby the Federal Reserve should implement acompliance program that is appropriately tai-lored to the scope, complexity, and risk profileof the organization’s U.S. operations. The pro-gram should be reasonably designed to ensurethat the organization’s U.S. operations complywith applicable U.S. rules and standards andshould establish effective controls over compli-ance risks that transcend business lines or legalentities. Foreign banking organizations withlarge, complex U.S. operations should imple-ment compliance programs for these operationsthat have more robust processes for identifying,assessing, controlling, measuring, monitoring,and reporting compliance risk, and for provid-ing compliance training, than would be appro-priate for foreign banking organizations withsmaller, less-complex U.S. operations.6

5. While the corporate compliance function is generallyresponsible for overseeing and supporting the compliancerisk-management program, it is recognized that the board ofdirectors may assign primary responsibility for aspects of thecompliance program to other units within the organization(e.g., finance, information technology, human resources, etc.).The corporate compliance function, therefore, may or may nothave responsibility for monitoring and testing the controlsover certain compliance activities embedded within theseunits, such as those over regulatory reporting and regulatorycapital. Nevertheless, it is important that an organization’scompliance program incorporates appropriate controls overthese risks and that proper oversight of the management ofthese risks is conducted.

6. Foreign banking organizations with $50 billion or morein U.S. third-party assets will generally be considered as largebanking organizations with complex compliance profiles forpurposes of SR 08-8/CA 08-1, unless their U.S. activities areless complex in nature as described in subsection 2124.07.1.The Federal Reserve’s views on compliance risk-management



With respect to oversight, foreign bankingorganizations should provide effective oversightof compliance risks within their U.S. operations,including risks that transcend business lines orlegal entities. A foreign banking organization,however, has flexibility in organizing its over-sight structure. Compliance oversight of U.S.activities may be conducted in a manner that isconsistent with the foreign banking organiza-tion’s broader compliance risk-managementframework. Alternatively, a separate functionmay be established specifically to provide com-pliance oversight of the organization’s U.S.operations. Regardless of the oversight structureutilized by a foreign banking organization, itsestablished oversight mechanisms, governingpolicies and procedures, and supporting infra-structure for its U.S. operations should be suffi-ciently transparent for the Federal Reserve toassess their adequacy.

2124.07.2 INDEPENDENCE OFCOMPLIANCE STAFF

Federal Reserve supervisory findings at large,complex banking organizations consistently re-inforce the need for compliance staff to be ap-propriately independent of the business linesfor which they have compliance responsibili-ties. Compliance independence facilitates ob-jectivity and avoids inherent conflicts of inter-est that may hinder the effective implementa-tion of a compliance program. A particularchallenge for many organizations is attainingan appropriate level of independence with re-spect to compliance staff operating within thebusiness lines.

The Federal Reserve does not prescribe aparticular organizational structure for the com-pliance function. Large banking organizationswith complex compliance profiles are encour-aged, however, to avoid inherent conflicts ofinterest by ensuring that accountability existsbetween the corporate compliance function andcompliance staff within the business lines. Suchaccountability would provide the corporate com-pliance function with ultimate authority regard-ing the handling of compliance matters, person-nel decisions, and actions relating to compliancestaff, including retaining control over the budget

for, and remuneration of, all compliance staff.7Compliance independence should not, however,preclude compliance staff from working closelywith the management and staff of the variousbusiness lines. To the contrary, compliancefunctions are generally more effective whenstrong working relationships between compli-ance and business line staff exist.

The Federal Reserve recognizes, however,that many large, complex banking organizationshave chosen to implement an organizationalstructure in which compliance staff within abusiness line have a reporting line into the man-agement of the business. In these circumstances,compliance staff should also have a reportingline through to the corporate compliance func-tion with respect to compliance responsibilities.In addition, a banking organization that choosesto implement such a dual reporting structureshould ensure that the following minimum stan-dards are observed in order to minimize poten-tial conflicts of interest associated with thisapproach:

1. In organizations with dual reporting-linestructures, the corporate compliance func-tion should play a key role in determininghow compliance matters are handled and inpersonnel decisions and actions (includingremuneration) affecting business-linecompliance and local compliance staff,particularly senior compliance staff.Furthermore, the organization should have inplace a process designed to ensure thatdisputes between the corporate compliancefunction and business-line managementregarding compliance matters are resolvedobjectively. Under such a process, the finaldecision-making authority should rest eitherwith the corporate compliance function orwith a member or committee of seniormanagement that has no business-lineresponsibilities.

2. Compensation and incentive programsshould be carefully structured to avoid under-mining the independence of compliance staff.Compliance staff should not be compensatedon the basis of the financial performance ofthe business line. Such an arrangement cre-ates an improper conflict of interest.

3. Banking organizations with dual reporting-line structures should implement appropriatecontrols and enhanced corporate oversight toidentify and address issues that may arisefrom conflicts of interest affecting compli-

programs apply equally to the large, complex U.S. operationsof foreign banking organizations.

7. The reference to all compliance staff includes corporate,business-line, and local compliance staff.



ance staff within the business lines. Forexample, in these circumstances, the processfor providing corporate oversight of monitor-ing and testing activities performed by com-pliance staff within the business lines shouldbe especially robust.

2124.07.3 COMPLIANCEMONITORING AND TESTING

Robust compliance monitoring and testing playa key role in identifying weaknesses in exist-ing compliance risk-management controls andare, therefore, critical components of an effec-tive firmwide compliance risk-managementprogram.

2124.07.3.1 Risk Assessments andMonitoring and Testing Programs

Risk assessments are the foundation of an effec-tive compliance monitoring and testing pro-gram. The scope and frequency of compliancemonitoring and testing activities should be afunction of a comprehensive assessment of theoverall compliance risk associated with a par-ticular business activity.8 Large complex bank-ing organizations should ensure that comprehen-sive risk-assessment methodologies aredeveloped and fully implemented, and that com-pliance monitoring and testing activities arebased upon the resulting risk assessments.

2124.07.3.2 Testing

Compliance testing is necessary to validate(1) that key assumptions, data sources, and pro-cedures utilized in measuring and monitoringcompliance risk can be relied upon on an ongo-ing basis and (2) in the case of transactiontesting, that controls are working as intended.The testing of controls and remediation of defi-ciencies identified as a result of testing activitiesare essential to maintaining an effective internalcontrol framework.

The scope and frequency of compliance test-ing activities should be based upon the assess-ment of the specific compliance risks associatedwith a particular business activity. Periodic test-

ing of compliance controls by compliance staffis strongly encouraged as this practice tends toresult in an enhanced level of compliance test-ing. If, however, compliance testing is per-formed exclusively by the internal audit func-tion, particular care should be taken to ensurethat high-risk compliance elements are not oth-erwise obscured by a lower overall risk rating ofa broadly defined audit entity. Otherwise, thescope and frequency of audit coverage ofhigher-risk compliance elements tend to beinsufficient.

2124.07.4 RESPONSIBILITIES OF THEBOARD OF DIRECTORS ANDSENIOR MANAGEMENT

The primary responsibility for complying withapplicable rules and standards rests with theindividuals within the organization as theyconduct their day-to-day business and supportactivities. The board, senior management, andthe corporate compliance function areresponsible for working together to establishand implement a comprehensive and effectivecompliance risk-management program andoversight framework that is reasonably designedto prevent and detect compliance breaches andissues.

2124.07.4.1 Boards of Directors.9

Boards of directors are responsible for settingan appropriate culture of compliance withintheir organizations, for establishing clear poli-cies regarding the management of key risks, andfor ensuring that these policies are adhered to inpractice. The following discussion is intended toclarify existing Federal Reserve supervisoryviews with regard to responsibilities of theboard related to compliance risk managementand oversight, and to differentiate theseresponsibilities from those of seniormanagement.

To achieve its objectives, a sound and effec-tive firmwide compliance risk-management pro-gram should have the support of the board andsenior management. As set forth in applicable

8. Risk assessments should be based upon firmwide stan-dards that establish the method for, and criteria to be utilizedin, assessing risk throughout the organization. Risk assess-ments should take into consideration both the risk inherent inthe activity and the strength and effectiveness of controlsdesigned to mitigate the risk.

9. Foreign banking organizations should ensure that, withrespect to their U.S. operations, the responsibilities of theboard described in this section are fulfilled in an appropriatemanner through their oversight structure and risk-managementframework.



law and supervisory guidance, the board andsenior management of a banking organizationhave different, but complementary, roles in man-aging and overseeing compliance risk.10

The board has the responsibility for promot-ing a culture that encourages ethical conductand compliance with applicable rules and stan-dards. A strong compliance culture reinforcesthe principle that an organization must conductits activities in accordance with applicable rulesand standards and encourages employees to con-duct all activities in accordance with both theletter and the spirit of applicable rules and stan-dards. The board should have an appropriateunderstanding of the types of compliance risksto which the organization is exposed. The levelof technical knowledge required of directors tofulfill these responsibilities may vary, depend-ing on the particular circumstances at theorganization.

The board should ensure that senior manage-ment is fully capable, qualified, and properlymotivated to manage the compliance risks aris-ing from the organization’s business activities ina manner that is consistent with the board’sexpectations. The board should ensure that itsviews about the importance of compliance areunderstood and communicated by senior man-agement across, and at all levels of, the organi-zation through ongoing training and othermeans. The board should ensure that seniormanagement has established appropriate incen-tives to integrate compliance objectives into themanagement goals and compensation structureacross the organization and that appropriate dis-ciplinary actions and other measures are takenwhen serious compliance failures are identified.Finally, the board should ensure that the corpo-rate compliance function has an appropriatelyprominent status within the organization. Seniormanagement within the corporate compliancefunction and senior compliance personnel withinindividual business lines should have the appro-priate authority, independence, and access topersonnel and information within the organiza-tion, and appropriate resources to conduct theiractivities effectively.

The board should be knowledgeable about thegeneral content of the compliance program andexercise appropriate oversight of the program.Accordingly, the board should review andapprove key elements of the organization’scompliance risk-management program and over-sight framework, including firmwide compli-ance policies, compliance risk-managementstandards, and roles and responsibilities of com-mittees and functions with compliance oversightresponsibilities. The board should oversee man-agement’s implementation of the complianceprogram and the appropriate and timely resolu-tion of compliance issues by senior manage-ment. The board should exercise reasonable duediligence to ensure that the compliance programremains effective by at least annually reviewinga report on the effectiveness of the program. Theboard may delegate these tasks to an appropriateboard-level committee.

2124.07.4.2 Senior Management

Senior management across the organization isresponsible for communicating and reinforcingthe compliance culture established by the boardand for implementing measures to promote theculture. Senior management also should imple-ment and enforce the compliance policies andcompliance risk-management standards thathave been approved by the board. Senior man-agement of the corporate compliance functionshould establish, support, and oversee the orga-nization’s compliance risk-management pro-gram. The corporate compliance function shouldreport to the board, or a committee thereof, onsignificant compliance matters and the effective-ness of the compliance risk-managementprogram.

Senior management of a foreign bankingorganization’s U.S. operations should providesufficient information to governance or controlfunctions in its home country and should ensurethat responsible senior management, includingin the home country, maintain a thorough under-standing of the risk and control environmentgoverning U.S. operations. U.S. managementshould assess the effectiveness of establishedgovernance and control mechanisms on anongoing basis, including processes for reportingand escalating areas of concern and implementa-tion of corrective action as necessary.

10. See, for example, the Basel compliance paper; SR-04-18, ‘‘Bank Holding Company Rating System’’(section4070.0); SR-95-51, ‘‘Rating the Adequacy of Risk Manage-ment Processes and Internal Controls at State Member Banksand Bank Holding Companies’’(section 4070.1); and theUnited States Sentencing Commission’s Federal SentencingGuidelines Manual, Chapter Eight, ‘‘Sentencing ofOrganizations.’’



Assessment of Information Technology in Risk-FocusedSupervision Section 2124.1

The Federal Reserve had adopted risk-focusedsupervision frameworks for community banksand large complex banking organizations,including foreign banking organizations. Theseframeworks incorporate a methodology to assessan organization’s risks and business activitiesand to tailor supervisory activities to its riskprofile. These frameworks aim to sharpen thefocus of supervisory activities on areas that posethe greatest risk to the safety and soundness ofbanking organizations and on management pro-cesses to identify, measure, monitor, and controlrisks.1

The Federal Reserve recognizes that the useof information technology can greatly affect abanking organization’s financial condition andoperating performance.2 With the increasingdependency of banking organizations on the useof information technology, the Federal Reserveexpects an organization’s management andboard of directors to effectively manage therisks associated with information technology.Accordingly, examiners must consider the risksassociated with information technology in theirevaluations of an organization’s significant busi-ness activities and assess the effectiveness of therisk-management process that the organizationapplies to information technology. See SR-98-09.

This section supplements further the guidanceon the evaluation of banking organizations’ risk-management processes. The primary objectivesare to—

1. highlight the critical dependence of the finan-cial services industry on information technol-ogy and its potential effect on safety andsoundness,

2. reinforce the concept that the risk-focusedsupervisory process and related products(risk assessments, supervisory plans, andscope memoranda) for an organization must

address the risks associated with its use ofinformation technology,3 and

3. provide a basic framework and a commonvocabulary to evaluate the effectiveness ofprocesses used to manage the risks associ-ated with information technology.

2124.1.1 CHANGING ROLE OFINFORMATION TECHNOLOGY

As the automated processing of information hasmoved beyond centralized mainframe opera-tions to encompass end-user computer and dis-tributed processing systems, the use of informa-tion technology in general has expanded greatly.In the banking industry, information technologywas once limited to automation of routine trans-actions and preparation of financial reports butis now used to automate all levels of a bankingorganization’s operations and information pro-cessing. Some decision-making processes suchas credit scoring and securities trading havebeen fully automated. New, complex financialproducts are possible largely because of valua-tion models that depend on technology. More-over, technological advances in communica-tions and connectivity have minimizedgeographic constraints within the industry.

While information technology enables bank-ing organizations to carry out their activitiesmore efficiently and effectively, informationtechnology also can be a source of risk to theindustry. The operational concerns associatedwith information processing, traditionally thedomain of the ‘‘back office,’’ have assumedcritical importance during banking mergers andconsolidations.

Banking organizations, recognizing thedependency of their operations and decision-making processes on information technology,have placed increased emphasis on the manage-ment of this important resource. In large bank-ing organizations, the positions of the chiefinformation officer and chief technology officerhave become more visible in the top executiveranks of banking organizations. In addition,managers of activities that rely on end-usercomputing and distributed processing systems

1. The types of risk may be categorized according to thosepresented in the guidelines for rating risk management (thatis, credit, market, liquidity, operational, legal, and reputa-tional) or by categories defined by the institution or othersupervisory agencies. If the institution uses risk categoriesthat differ from those defined by the supervisory agencies,those categories may be used if all relevant types of risks arecaptured. See SR-95-51, ‘‘Rating the Adequacy of Risk Man-agement Processes and Internal Controls at State MemberBanks and Bank Holding Companies.’’

2. Information technology refers to a business resourcethat is the combination of computers (hardware and software),telecommunications, and information.

3. The supervisory products are described in SR-97-24 forlarge complex institutions and SR-97-25 for communitybanks.


have been assigned more direct responsibilityfor the information technology used in conduct-ing their business. As a result, the managementof the risks associated with information technol-ogy must be evaluated for each significantbusiness activity as well as for the overallorganization.

Notwithstanding the move towards decentral-ized management of information technology,large centralized mainframe computer systemsare still an integral part of the information tech-nology on which many large banking organiza-tions rely. This includes systems critical to theglobal payments system and to the transfer andcustody of securities. Similarly, with the contin-ued growth of outsourcing, many third-partyinformation technology service centers also per-form a vital role in the banking industry. There-fore, the review of the effectiveness and relia-bility of the critical mainframe systems andthird-party processors will continue to be animportant part of the Federal Reserve’s supervi-sory activities.

2124.1.2 IMPLICATIONS FORRISK-FOCUSED SUPERVISION

The risk-focused supervisory process is evolv-ing and adapting to the changing role of infor-mation technology, with a greater emphasisbeing placed on an evaluation of informationtechnology and an assessment of its effect on anorganization’s safety and soundness. Accord-ingly, examiners should explicitly considerinformation technology when developing theirrisk assessments and supervisory plans. It isexpected that examiners will exercise appropri-ate judgment in determining the level of review,given the characteristics, size, and businessactivities of the organization. Moreover, todetermine the scope of supervisory activitiesclose coordination is needed between generalsafety-and-soundness examiners and informa-tion technology specialists during the riskassessment and planning, as well as during theon-site phase of the examination or inspection.In general, examiners should take the followingactions:

1. Develop a broad understanding of the organi-zation’s approach, strategy, and structurewith regard to information technology. Thisrequires a determination of the role andimportance of information technology to the

organization and any unique characteristicsor issues.

2. Incorporate an analysis of information tech-nology systems into risk assessments, super-visory plans, and scope memoranda. Theanalysis should include identification of criti-cal information technology systems, relatedmanagement responsibility, and the majortechnology components.4 An organization’sinformation technology systems should beconsidered in relation to the size, activities,and complexity of the organization, as wellas the degree of reliance on these systems.

3. Assess the organization’s critical systems,that is, those that support its major businessactivities, and the degree of reliance thoseactivities have on information technologysystems. The level of review should be suffi-cient to determine that the systems are deliv-ering the services necessary for the organiza-tion to conduct its business safely andsoundly.

4. Determine whether the board of directorsand senior management are adequately iden-tifying, measuring, monitoring, and control-ling the significant risks associated withinformation technology for the overall orga-nization and its major business activities.

2124.1.3 FRAMEWORK FOREVALUATING INFORMATIONTECHNOLOGY

In order to provide a common terminology andconsistent approach for evaluating the adequacyof an organization’s information technology,five information technology elements are intro-duced and defined below. These elements maybe used to evaluate the information technologyprocesses at the functional business level or forthe organization as a whole. They may also beapplied to a variety of information technologymanagement structures: centralized, decentral-ized, or outsourced.5

Although deficiencies in information technol-ogy appear to be most directly related to opera-tional risk, information technology also canaffect the other business risks (credit, market,liquidity, legal, and reputational) depending on

4. These components include mainframe, local area net-work, and personal computers, as well as software applica-tions.

5. When banking organizations outsource operations, theydelegate a certain level of responsibility and authority to anoutside party (depending on the contractual arrangements).However, ultimate accountability remains with the bankingorganization.

Assessment of Information Technology in Risk-Focused Supervision 2124.1


the specific circumstances. Examiners shouldview the information technology elements in anintegrated manner with the overall businessrisks of the organization or business activity; adeficiency in any one of the elements couldhave a substantive adverse effect on the organi-zation’s or activity’s business risks. Moreover,the elements below do not replace or indepen-dently add to the business risks described inSR-95-51. Rather, these elements should beassessed in relation to all business risks.

The elements are to be used as a flexible toolto facilitate consideration and discussion of therisks associated with information technology.Where an organization uses different terminol-ogy to describe information technology ele-ments, examiners may use that terminology pro-vided the organization adequately addresses allelements. Regardless of the terminologyemployed, examiners should focus on those sys-tems and issues that are considered critical tothe organization.

The five information technology elements aredescribed below:

1. Management processes.Management pro-cesses6 encompass planning, investment,development, execution, and staffing ofinformation technology from a corporate-wide and business-specific perspective. Man-agement processes over information technol-ogy are effective when they are adequatelyand appropriately aligned with, and support-ive of, the organization’s mission and busi-ness objectives. Management processesinclude strategic planning, management andreporting hierarchy, management succession,and a regular independent review function.Examiners should determine if the informa-tion technology strategy for the businessactivity or organization is consistent with theorganization’s mission and business objec-tives and whether the information technol-ogy function has effective management pro-cesses to execute that strategy.

2. Architecture. Architecture7 refers to theunderlying design of an automated informa-tion system and its individual components.The underlying design encompasses bothphysical and logical architecture, includingoperating environments, as well as the orga-nization of data. The individual componentsrefer to network communications, hardware,and software, which includes operating sys-tems, communications software, database

management systems, programming lan-guages, and desktop software. Effectivearchitecture meets current and long-termorganizational objectives, addresses capacityrequirements to ensure that systems allowusers to easily enter data at both normal andpeak processing times, and provides satisfac-tory solutions to problems that arise wheninformation is stored and processed in two ormore systems that cannot be connected elec-tronically. In assessing the adequacy of infor-mation technology architecture, examinersshould consider the hardware’s capability torun the software, the compatibility and inte-gration with other systems and sources ofdata, the ability to upgrade to higher levels ofperformance and capacity, and the adequacyof controls.

3. Integrity. Integrity refers to the reliability,accuracy, and completeness of informationdelivered to the end-user. An informationtechnology system has an effective level ofintegrity when the resulting informationflows are accurate and complete. Insufficientintegrity in an organization’s systems couldadversely affect day-to-day reliability, pro-cessing performance, input and output accu-racy, and the ease of use of critical informa-tion. Examiners should review and considerwhether the organization relies upon infor-mation system audits or independent applica-tion reviews to ensure the integrity of itssystems. To assess the integrity of an organi-zation’s systems, examiners should reviewthe reliability, accuracy, and completeness ofinformation delivered.

4. Security.Security refers to the safety affordedto information assets and their data process-ing environments, using both physical andlogical controls to achieve a level of protec-tion commensurate with the value of theassets. Information technology has effectivesecurity when controls prevent unauthorizedaccess; modification; destruction; or disclo-sure of information assets during their cre-ation, transmission, processing, maintenance,or storage. Examiners should ensure thatoperating procedures and controls are com-mensurate with the potential for and risksassociated with security breaches, which maybe either physical or electronic, inadvertentor intentional, or internal or external.

5. Availability. Availability refers to the deliv-ery of information to end-users. Informationtechnology has effective availability when

6. Also referred to as ‘‘organization’’ or ‘‘strategic.’’7. Sometimes referred to as ‘‘infrastructure.’’



information is consistently delivered on atimely basis in support of business anddecision-making processes. In assessing theadequacy of availability, examiners shouldconsider the capability of information tech-nology to provide information from eitherprimary or secondary sources to the end-users, as well as the ability of back-up sys-tems, presented in contingency plans, to miti-gate business disruption. Contingency plansshould set out a process for an organizationto restore or replace its information-processing resources, reconstruct its informa-tion assets, and resume its business activityfrom disruption caused by human error orintervention, natural disaster, or infrastruc-ture failure (including the loss of utilities andcommunication lines and operational fail-ure of hardware, software, and networkcommunications).

Appendix A provides a table with examplesof situations where deficiencies in informationtechnology elements potentially have a negativeeffect on the business risks of an organization.The table also provides possible actions that anorganization could take in these situations tomitigate its risks. The examples in this table arerepresentative and should not be viewed as anexhaustive list of the risks associated with infor-mation technology.

2124.1.4 ALIGNING EXAMINERSTAFFING WITH THE TECHNOLOGYENVIRONMENT

While mainframe computer systems are still anintegral part of the information technology forlarge organizations, information technology pro-cesses have become embedded in the variousbusiness activities of a banking organization—particularly with the increased use of local areanetwork and personal computers. In contrast,many community and regional banks continueto rely on third-party information technologyservice centers. Given this variability of infor-mation technology environments, the level oftechnical expertise needed for a particularexamination or inspection will vary and shouldbe identified during its planning phase. Forexample, a specialist in information technologyor the particular business activity may be themost appropriate person to review informationtechnology integrity, while general safety-and-

soundness examiners may be better suited toreview management processes related to infor-mation technology. Development of the overallsupervisory approach for an organizationrequires continuous collaboration between gen-eral safety-and-soundness examiners and infor-mation technology specialists. Accordingly, adiscussion of information technology should beintegrated into the supervisory process andproducts. That is, examiners should considerand comment on the risks associated with infor-mation technology when developing an under-standing of an organization, assessing an organi-zation’s risks, and preparing a scopememorandum.


1. To assess the risks associated with informa-tion technology when developing the scopeof supervisory plans and activities.

2. To consider the various risks associated withinformation technology along with the riskevaluation of the banking organization’sbusiness activities.

3. To assess the effectiveness of the risk-management process that the banking organi-zation applies to information technology.

4. To view the banking organization’s informa-tion technology elements in an integratedmanner along with the overall business risksof the banking organization or its businessactivity, and ascertain if there are any defi-ciencies therein.


1. Develop a broad understanding of the organi-zation’s approach, strategy, and structurewith regard to information technology.

2. Incorporate an analysis of information tech-nology systems into risk assessments,supervisory plans, and scope memoranda.

3. Assess the banking organization’s criticalsystems and the degree of reliance thoseactivities have on information technologysystems.

4. Determine that the information systems aredelivering the services necessary for the or-ganization to conduct its business safely andsoundly.

5. Determine if the board of directors or seniormanagement has conducted an independentreview, either by independent qualified staffor by an independent third-party consultant,of the current architecture, assessing the risks



associated with the institution’s informationtechnology. Did the review establish whetherthe organization’s architecture had providedfor—a. current and long-term organizational

objectives,b. capacity requirements during normal and

peak processing periods,c. solutions when information is stored and

processed in two or more separatesystems,

d. the hardware’s capability to run the soft-ware and its compatibility and integrationwith other systems and sources of data,

e. the ability to upgrade to higher levels ofperformance and capacity, and

f. the adequacy of controls.6. Determine if the institution relies on informa-

tion system audits or independent applicationreviews to determine whether informationflows are accurate and complete.

7. Review, on a sample basis, the reliability,accuracy, and completeness of processeddelivered information.

8. Determine whether the operating proce-dures and controls are commensurate withthe potential for, and risks associated with,security breaches, which may be eitherphysical or electronic, inadvertent or inten-tional, or internal or external.

9. Determine whether the board of directorsand senior management are adequatelyidentifying, measuring, monitoring, andcontrolling the significant risks associatedwith information technology for the overallbanking organization and its major businessactivities.

10. After developing an understanding of thebanking organization, assess and commenton the information technology risks andmanagement in a scope memorandum.



2124.1.7 Appendix A—Examples of Information Technology Elements that Should Be Considered in Assessing Business Risks ofParticular Situations

Situation IT elements to be considered Potential effect on business risks Risk mitigants

A bank holding company expandsvery rapidly via acquisition intonew product lines and geographicareas.

Management processes.Lack of clear,cohesive strategies could result independence on different systems thatare incompatible and fragmented.

Integrity.Unreliable information couldbe produced due to incompatiblesystems.

Availability. Critical information maynot be available to management whenneeded.

Credit risk.Exposure to less creditwor-thy borrowers may increase.

Liquidity risk.Depositors may with-draw funds or close accounts due tounreliable account information.

Operational risk.Controls may beinadequate to address the increase inmanual interventions to correct incom-patibility problems between affiliates’systems, leading to a greater potentialfor fraudulent transactions.

Develop a well-thought-out plan forintegrating acquired systems, mappingdata flows and sources, and ensuringreliability of systems.

A bank’s consumer loan divisioninputs erroneous entries into thegeneral-ledger system.

Integrity.Billing errors and unwar-ranted late-payment fees could occurdue to the inaccurate loan informationmaintained by the system.

Reputational risk.Knowledge of errorscould become widespread resulting inadverse public opinion.

Operational risk.Increased expendi-tures may be required to resolveaccounting operations problems.

Legal risk.Litigation could arisebecause of errors in customer accountsdue to processing deficiencies.

Improve policies and procedures relatedto input of accounting entries.

Ensure internal audit considers systemaspects of accounting operations.

Substantial turnover occurs inbank’s wire-transfer department.

Security.Security procedures could becompromised due to inadequate train-ing and lack of qualified personnel.

Integrity.System may not be able toprovide ‘‘real-time’’ funds availability.

Operational risk.Financial lossescould occur due to fraud or incorrectlysent wire transfers.

Legal risk.Litigation could arise as aresult of errors in customer accountsand fraudulent wire transfers.

Reputational risk.Knowledge offraudulent or erroneous wire operationscould result in adverse public opinion.

Increase and strengthen procedural andaccess controls for wire operations.

Implement security measures such aspasswords and firewalls.

Develop and monitor appropriate audittrails.

Provide for adequate training programand staffing levels.

Assessm

entof

Information

Technologyin

Risk-F

ocusedS

upervision2124.1

BH

CS

up

ervisio

nM

an

ua

lD

ecember

1998P

age6

Managing Outsourcing RiskSection 2124.3

The Federal Reserve issued this guidance toassist financial institutions in understanding andmanaging the risks associated with outsourcinga bank activity to a service provider to performthat activity. Refer to SR-13-19/CA-13-21.

In addition to traditional core bank processingand information technology services, financialinstitutions1 outsource operational activitiessuch as accounting, appraisal management,internal audit, human resources, sales and mar-keting, loan review, asset and wealth manage-ment, procurement, and loan servicing. The Fed-eral Reserve has issued this guidance tofinancial institutions to highlight the potentialrisks that arise from the use of service providersand to describe the elements of an appropriateservice provider risk-management program.This guidance supplements existing guidance ontechnology service provider (TSP) risk,2 andapplies to service provider relationships wherebusiness functions or activities are outsourced.For purposes of this guidance, ‘‘service provid-ers’’ is broadly defined to include all entities3

that have entered into a contractual relationshipwith a financial institution to provide businessfunctions or activities.

2124.3.1 RISKS FROM THE USE OFSERVICE PROVIDERS

The use of service providers to perform opera-tional functions presents various risks to finan-cial institutions. Some risks are inherent to theoutsourced activity itself, whereas others areintroduced with the involvement of a serviceprovider. If not managed effectively, the use ofservice providers may expose financial institu-tions to risks that can result in regulatory action,financial loss, litigation, and loss of reputation.Financial institutions should consider the fol-lowing risks before entering into and while man-aging outsourcing arrangements.

• Compliance risks arise when the services,products, or activities of a service providerfail to comply with applicable U.S. laws andregulations.

• Concentration risks arise when outsourcedservices or products are provided by a limitednumber of service providers or are concen-trated in limited geographic locations.

• Reputational risks arise when actions or poorperformance of a service provider causes thepublic to form a negative opinion about afinancial institution.

• Country risks arise when a financial institu-tion engages a foreign-based service provider,exposing the institution to possible economic,social, and political conditions and eventsfrom the country where the provider islocated.

• Operational risks arise when a service pro-vider exposes a financial institution to lossesdue to inadequate or failed internal processesor systems or from external events and humanerror.

• Legal risks arise when a service providerexposes a financial institution to legalexpenses and possible lawsuits.

2124.3.2 BOARD OF DIRECTORSAND SENIOR MANAGEMENTRESPONSIBILITIES

The use of service providers does not relieve afinancial institution’s board of directors andsenior management of their responsibility toensure that outsourced activities are conductedin a safe-and-sound manner and in compliancewith applicable laws and regulations. Policiesgoverning the use of service providers should beestablished and approved by the board of direc-tors, or an executive committee of the board.These policies should establish a serviceprovider risk management program thataddresses risk assessments and due diligence,standards for contract provisions andconsiderations, ongoing monitoring of serviceproviders, and business continuity andcontingency planning.

Senior management is responsible for ensur-ing that board-approved policies for the use ofservice providers are appropriately executed.This includes overseeing the development andimplementation of an appropriate risk-management and reporting framework thatincludes elements described in this guidance.Senior management is also responsible for regu-larly reporting to the board of directors on

1. For purposes of this guidance, a ‘‘financial institution’’

refers to state member banks, bank and savings and loan

holding companies (including their nonbank subsidiaries),

and U.S. operations of foreign banking organizations.

2. Refer to the FFIEC Outsourcing Technology Services

Booklet (June 2004) at http://ithandbook.ffiec.gov/it-booklets/

outsourcing-technology-services.aspx.

3. Entities may be a bank or nonbank, affiliated or non-

affiliated, regulated or non-regulated, or domestic or foreign.


adherence to policies governing outsourcingarrangements.

2124.3.3 SERVICE PROVIDERRISK-MANAGEMENT PROGRAMS

A financial institution’s service provider risk-management program should be risk-focusedand provide oversight and controls commensu-rate with the level of risk presented by theoutsourcing arrangements in which the financialinstitution is engaged. It should focus on out-sourced activities that have a substantial impacton a financial institution’s financial condition;are critical to the institution’s ongoing opera-tions; involve sensitive customer information ornew bank products or services; or pose materialcompliance risk.

The depth and formality of the service pro-vider risk-management program will depend onthe criticality, complexity, and number of mate-rial business activities being outsourced. A com-munity banking organization may have criticalbusiness activities being outsourced, but thenumber may be few and to highly reputableservice providers. Therefore, the risk-management program may be simpler and useless elements and considerations. For thosefinancial institutions that may use hundreds orthousands of service providers for numerousbusiness activities that have material risk, thefinancial institutions may find that they need touse many more elements and considerations of aservice provider risk-management program tomanage the higher level of risk and reliance onservice providers.

While the activities necessary to implementan effective service provider risk-managementprogram can vary based on the scope and natureof a financial institution’s outsourced activities,effective programs usually include the followingcore elements:

• risk assessments, due diligence and selectionof service providers;

• contract provisions and considerations;

• incentive compensation review;

• oversight and monitoring of service provid-ers; and

• business continuity and contingency plans.

A. Risk Assessments

Risk assessment of a business activity and theimplications of performing the activity in-houseor having the activity performed by a serviceprovider are fundamental to the decision ofwhether or not to outsource. A financial institu-tion should determine whether outsourcing anactivity is consistent with the strategic directionand overall business strategy of the organiza-tion. After that determination is made, a finan-cial institution should analyze the benefits andrisks of outsourcing the proposed activity aswell as the service provider risk, and determinecost implications for establishing the outsourc-ing arrangement. Consideration should also begiven to the availability of qualified and experi-enced service providers to perform the serviceon an ongoing basis. Additionally, managementshould consider the financial institution’s abilityand expertise to provide appropriate oversightand management of the relationship with theservice provider.

This risk assessment should be updated atappropriate intervals consistent with the finan-cial institution’s service provider risk-management program. A financial institutionshould revise its risk mitigation plans, if appro-priate, based on the results of the updated riskassessment.

B. Due Diligence and Selections ofService Providers

A financial institution should conduct an evalua-tion of and perform the necessary due diligencefor a prospective service provider prior toengaging the service provider. The depth andformality of the due diligence performed willvary depending on the scope, complexity, andimportance of the planned outsourcing arrange-ment, the financial institution’s familiarity withprospective service providers, and the reputa-tion and industry standing of the service pro-vider. Throughout the due diligence process,financial institution technical experts and keystakeholders should be engaged in the reviewand approval process as needed. The overall duediligence process includes a review of the ser-vice provider with regard to business back-ground, reputation, and strategy; financial per-formance and condition; and operations andinternal controls.

Managing Outsourcing Risk Section 2124.3


1. Business Background, Reputation, andStrategy

Financial institutions should review a prospec-tive service provider’s status in the industry andcorporate history and qualifications; review thebackground and reputation of the service pro-vider and its principals; and ensure that theservice provider has an appropriate backgroundcheck program for its employees.

The service provider’s experience in provid-ing the proposed service should be evaluated inorder to assess its qualifications and competen-cies to perform the service. The service provid-er’s business model, including its business strat-egy and mission, service philosophy, qualityinitiatives, and organizational policies should beevaluated. Financial institutions should alsoconsider the resiliency and adaptability of theservice provider’s business model as factors inassessing the future viability of the provider toperform services.

Financial institutions should check the ser-vice provider’s references to ascertain its perfor-mance record, and verify any required licensesand certifications. Financial institutions shouldalso verify whether there are any pending legalor regulatory compliance issues (for example,litigation, regulatory actions, or complaints) thatare associated with the prospective service pro-vider and its principals.

2. Financial Performance and Condition

Financial institutions should review the finan-cial condition of the service provider and itsclosely related affiliates. The financial reviewmay include:• The service provider’s most recent financial

statements and annual report with regard tooutstanding commitments, capital strength,liquidity, and operating results.

• The service provider’s sustainability, includ-ing factors such as the length of time that theservice provider has been in business and theservice provider’s growth of market share fora given service.

• The potential impact of the financial institu-tion’s business relationship on the service pro-vider’s financial condition.

• The service provider’s commitment (both interms of financial and staff resources) to pro-vide the contracted services to the financialinstitution for the duration of the contract.

• The adequacy of the service provider’s insur-ance coverage.

• The adequacy of the service provider’s review

of the financial condition of any subcontrac-tors.

• Other current issues the service provider maybe facing that could affect future financialperformance.

3. Operations and Internal Controls

Financial institutions are responsible for ensur-ing that services provided by service providerscomply with applicable laws and regulationsand are consistent with safe-and-sound bankingpractices. Financial institutions should evaluatethe adequacy of standards, policies, and proce-dures. Depending on the characteristics of theoutsourced activity, some or all of the followingmay need to be reviewed:

1. internal controls;2. facilities management (such as access

requirements or sharing of facilities);3. training, including compliance training for

staff;4. security of systems (for example, data and

equipment);5. privacy protection of the financial institu-

tion’s confidential information;6. maintenance and retention of records;7. business resumption and contingency plan-

ning;8. systems development and maintenance;9. service support and delivery;

10. employee background checks; and11. adherence to applicable laws, regulations,

and supervisory guidance.

C. Contract Provisions andConsiderations

Financial institutions should understand the ser-vice contract and legal issues associated withproposed outsourcing arrangements. The termsof service agreements should be defined in writ-ten contracts that have been reviewed by thefinancial institution’s legal counsel prior toexecution. The characteristics of the businessactivity being outsourced and the service pro-vider’s strategy for providing those services willdetermine the terms of the contract. Elements ofwell-defined contracts and service agreementsusually include:

1. Scope: Contracts should clearly define the



rights and responsibilities of each party,including:

• support, maintenance, and customer ser-vice;

• contract timeframes;

• compliance with applicable laws, regula-tions, and regulatory guidance;

• training of financial institution employ-ees;

• the ability to subcontract services;

• the distribution of any required state-ments or disclosures to the financialinstitution’s customers;

• insurance coverage requirements; and

• terms governing the use of the financialinstitution’s property, equipment, andstaff.

2. Cost and compensation: Contracts shoulddescribe the compensation, variablecharges, and any fees to be paid for non-recurring items and special requests. Agree-ments should also address which party isresponsible for the payment of any legal,audit, and examination fees related to theactivity being performed by the service pro-vider. Where applicable, agreements shouldaddress the party responsible for theexpense, purchasing, and maintenance ofany equipment, hardware, software or anyother item related to the activity being per-formed by the service provider. In addition,financial institutions should ensure that anyincentives (for example, in the form of vari-able charges, such as fees and/or commis-sions) provided in contracts do not providepotential incentives to take imprudent riskson behalf of the institution.

3. Right to audit: Agreements may provide forthe right of the institution or its representa-tives to audit the service provider and/or tohave access to audit reports. Agreementsshould define the types of audit reports thefinancial institution will receive and the fre-quency of the audits and reports.

4. Establishment and monitoring of perfor-mance standards: Agreements shoulddefine measurable performance standardsfor the services or products being provided.

5. Confidentiality and security of information:Consistent with applicable laws, regula-tions, and supervisory guidance, serviceproviders should ensure the security andconfidentiality of both the financial institu-tion’s confidential information and thefinancial institution’s customer information.

Information security measures for out-sourced functions should be viewed as ifthe activity were being performed by thefinancial institution and afforded the sameprotections. Financial institutions have aresponsibility to ensure service providerstake appropriate measures designed to meetthe objectives of the information securityguidelines within Federal Financial Institu-tions Examination Council (FFIEC) guid-ance,4 as well as comply with section501(b) of the Gramm-Leach-Bliley Act.These measures should be mapped directlyto the security processes at financial institu-tions, as well as be included or referencedin agreements between financial institutionsand service providers.

Service agreements should also addressservice provider use of financial institutioninformation and its customer information.Information made available to the serviceprovider should be limited to what isneeded to provide the contracted services.Service providers may reveal confidentialsupervisory information only to the extentauthorized under applicable laws and regu-lations.5

If service providers handle any of thefinancial institution customer’s NonpublicPersonal Information (NPPI), the serviceproviders must comply with applicable pri-vacy laws and regulations.6 Financial insti-tutions should require notification from ser-vice providers of any breaches involvingthe disclosure of NPPI data. Generally,NPPI data is any nonpublic personally iden-tifiable financial information; and any list,description, or other grouping of consumers(and publicly available information pertain-ing to them) derived using any personallyidentifiable financial information that is notpublicly available.7 Financial institutionsand their service providers who maintain,store, or process NPPI data are responsiblefor that information and any disclosure ofit. The security of, retention of, and accessto NPPI data should be addressed in anycontracts with service providers.

When a breach or compromise of NPPIdata occurs, financial institutions have legalrequirements that vary by state and these

4. For further guidance regarding vendor security prac-

tices, refer to the FFIEC Information Security Booklet (July

2006) at http://ithandbook.ffiec.gov/it-booklets/information-

security.aspx.

5. See 12 CFR Part 261.

6. See 12 C.F.R. 1016.

7. See 12 U.S.C. 6801(b).



requirements should be made part of thecontracts between the financial institutionand any service provider that provides stor-age, processing, or transmission of NPPIdata. Misuse or unauthorized disclosure ofconfidential customer data by service pro-viders may expose financial institutions toliability or action by a federal or state regu-latory agency. Contracts should clearlyauthorize and disclose the roles and respon-sibilities of financial institutions and serviceproviders regarding NPPI data.

6. Ownership and license: Agreements shoulddefine the ability and circumstances underwhich service providers may use financialinstitution property inclusive of data, hard-ware, software, and intellectual property.Agreements should address the ownershipand control of any information generated byservice providers. If financial institutionspurchase software from service providers,escrow agreements may be needed to ensurethat financial institutions have the ability toaccess the source code and programs undercertain conditions.8

7. Indemnification: Agreements should pro-vide for service provider indemnification offinancial institutions for any claims againstfinancial institutions resulting from the ser-vice provider’s negligence.

8. Default and termination: Agreementsshould define events of a contractualdefault, list of acceptable remedies, and pro-vide opportunities for curing default. Agree-ments should also define termination rights,including change in control, merger oracquisition, increase in fees, failure to meetperformance standards, failure to fulfill thecontractual obligations, failure to providerequired notices, and failure to prevent vio-lations of law, bankruptcy, closure, or insol-vency. Contracts should include terminationand notification requirements that providefinancial institutions with sufficient time totransfer services to another service pro-vider. Agreements should also address aservice provider’s preservation and timelyreturn of financial institution data, records,and other resources.

9. Dispute resolution: Agreements shouldinclude a dispute resolution process in orderto expedite problem resolution and address

the continuation of the arrangementbetween the parties during the dispute reso-lution period.

10. Limits on liability: Service providers maywant to contractually limit their liability.The board of directors and senior manage-ment of a financial institution should deter-mine whether the proposed limitations arereasonable when compared to the risks tothe institution if a service provider fails toperform.9

11. Insurance: Service providers should haveadequate insurance and provide financialinstitutions with proof of insurance. Fur-ther, service providers should notify finan-cial institutions when there is a materialchange in their insurance coverage.

12. Customer complaints: Agreements shouldspecify the responsibilities of financial insti-tutions and service providers related toresponding to customer complaints. If ser-vice providers are responsible for customercomplaint resolution, agreements shouldprovide for summary reports to the financialinstitutions that track the status and resolu-tion of complaints.

13. Business resumption and contingency planof the service provider: Agreements shouldaddress the continuation of services pro-vided by service providers in the event ofoperational failures. Agreements shouldaddress service provider responsibility forbacking up information and maintainingdisaster recovery and contingency plans.Agreements may include a service provid-er’s responsibility for testing of plans andproviding testing results to financial institu-tions.

14. Foreign-based service providers: For agree-ments with foreign-based service providers,financial institutions should considerincluding express choice of law and juris-dictional provisions that would provide forthe adjudication of all disputes between thetwo parties under the laws of a single, spe-cific jurisdiction. Such agreements may besubject to the interpretation of foreigncourts relying on local laws. Foreign lawmay differ from U.S. law in the enforcementof contracts. As a result, financial institu-

8. Escrow agreements are established with vendors when

buying or leasing products that have underlying proprietary

software. In such agreements, an organization can only access

the source program code under specific conditions, such as

discontinued product support or financial insolvency of the

vendor.

9. Refer to SR-06-4, ‘‘Interagency Advisory on the Unsafe

and Unsound Use of Limitations on Liability Provisions in

External Audit Engagement Letters,’’ regarding restrictions

on the liability limitations for external audit engagements or

section 2060.1.



tions should seek legal advice regarding theenforceability of all aspects of proposedcontracts with foreign-based service provid-ers and the other legal ramifications of sucharrangements.

15. Subcontracting: If agreements allow forsubcontracting, the same contractual provi-sions should apply to the subcontractor.Contract provisions should clearly state thatthe primary service provider has overallaccountability for all services that the ser-vice provider and its subcontractors pro-vide. Agreements should define the servicesthat may be subcontracted, the service pro-vider’s due diligence process for engagingand monitoring subcontractors, and thenotification and approval requirementsregarding changes to the service provider’ssubcontractors. Financial institutions shouldpay special attention to any foreign subcon-tractors, as information security and dataprivacy standards may be different in otherjurisdictions. Additionally, agreementsshould include the service provider’s pro-cess for assessing the subcontractor’s finan-cial condition to fulfill contractual obliga-tions.

D. Incentive Compensation Review

Financial institutions should also ensure that aneffective process is in place to review andapprove any incentive compensation that maybe embedded in service provider contracts,including a review of whether existing gover-nance and controls are adequate in light of risksarising from incentive compensation arrange-ments. As the service provider represents theinstitution by selling products or services on itsbehalf, the institution should consider whetherthe incentives provided might encourage theservice provider to take imprudent risks. Inap-propriately structured incentives may result inreputational damage, increased litigation, orother risks to the financial institution. An exam-ple of an inappropriate incentive would be onewhere variable fees or commissions encouragethe service provider to direct customers to prod-ucts with higher profit margins without due con-sideration of whether such products are suitablefor the customer.

E. Oversight and Monitoring of ServiceProviders

To effectively monitor contractual requirements,financial institutions should establish acceptableperformance metrics that the business line orrelationship management determines to beindicative of acceptable performance levels.Financial institutions should ensure that person-nel with oversight and management responsibili-ties for service providers have the appropriatelevel of expertise and stature to manage theoutsourcing arrangement. The oversight pro-cess, including the level and frequency of man-agement reporting, should be risk-focused.Higher risk service providers may require morefrequent assessment and monitoring and mayrequire financial institutions to designate indi-viduals or a group as a point of contact for thoseservice providers. Financial institutions shouldtailor and implement risk mitigation plans forhigher risk service providers that may includeprocesses such as additional reporting by theservice provider or heightened monitoring bythe financial institution. Further, more frequentand stringent monitoring is necessary for serviceproviders that exhibit performance, financial,compliance, or control concerns. For lower riskservice providers, the level of monitoring can belessened.

Financial condition: Financial institutionsshould have established procedures to monitorthe financial condition of service providers toevaluate their ongoing viability. In performingthese assessments, financial institutions shouldreview the most recent financial statements andannual report with regard to outstanding com-mitments, capital strength, liquidity, and operat-ing results. If a service provider relies signifi-cantly on subcontractors to provide services tofinancial institutions, then the service provider’scontrols and due diligence regarding the subcon-tractors should also be reviewed.

Internal controls: For significant service pro-vider relationships, financial institutions shouldassess the adequacy of the provider’s controlenvironment. Assessments should includereviewing available audits or reports such as theAmerican Institute of Certified Public Accoun-tants’ Service Organization Control 2 report.10

If the service provider delivers information tech-nology services, the financial institution canrequest the FFIEC Technology Service Providerexamination report from its primary federalregulator. Security incidents at the service pro-vider may also necessitate the institution to

10. Refer to www.AICPA.org.



elevate its monitoring of the service provider.Escalation of oversight activities: Financial

institutions should ensure that risk-managementprocesses include triggers to escalate oversightand monitoring when service providers are fail-ing to meet performance, compliance, control,or viability expectations. These proceduresshould include more frequent and stringentmonitoring and follow-up on identified issues,on-site control reviews, and when an institutionshould exercise its right to audit a service pro-vider’s adherence to the terms of the agreement.Financial institutions should develop criteria forengaging alternative outsourcing arrangementsand terminating the service provider contract inthe event that identified issues are notadequately addressed in a timely manner.

F. Business Continuity and ContingencyConsiderations

Various events may affect a service provider’sability to provide contracted services. For exam-ple, services could be disrupted by a provider’sperformance failure, operational disruption,financial difficulty, or failure of business conti-nuity and contingency plans during operationaldisruptions or natural disasters. Financial insti-tution contingency plans should focus on criti-cal services provided by service providers andconsider alternative arrangements in the eventthat a service provider is unable to perform.11

When preparing contingency plans, financialinstitutions should

• ensure that a disaster recovery and businesscontinuity plan exists with regard to the con-tracted services and products;

• assess the adequacy and effectiveness of aservice provider’s disaster recovery and busi-ness continuity plan and its alignment to theirown plan;

• document the roles and responsibilities formaintaining and testing the service provider’sbusiness continuity and contingency plans;

• test the service provider’s business continuityand contingency plans on a periodic basis toensure adequacy and effectiveness; and

• maintain an exit strategy, including a pool ofcomparable service providers, in the eventthat a contracted service provider is unable toperform.

G. Additional Risk Considerations

Suspicious Activity Report (SAR) reporting func-tions: The confidentiality of suspicious activityreporting makes the outsourcing of any SAR-related function more complex. Financial insti-tutions need to identify and monitor the risksassociated with using service providers to per-form certain suspicious activity reporting func-tions in compliance with the Bank Secrecy Act(BSA). Financial institution management shouldensure they understand the risks associated withsuch an arrangement and any BSA-specificguidance in this area.

Foreign-based service providers: Financialinstitutions should ensure that foreign-based ser-vice providers are in compliance with applicableU.S. laws, regulations, and regulatory guidance.Financial institutions may also want to considerlaws and regulations of the foreign-based pro-vider’s country or regulatory authority regard-ing the financial institution’s ability to performon-site review of the service provider’s opera-tions. In addition, financial institutions shouldconsider the authority or ability of home coun-try supervisors to gain access to the financialinstitution’s customer information while exam-ining the foreign-based service provider.

Internal audit: Financial institutions shouldrefer to existing guidance on the engagement ofindependent public accounting firms and otheroutside professionals to perform work that hasbeen traditionally carried out by internal audi-tors.12 The Sarbanes-Oxley Act of 2002 specifi-cally prohibits a registered public accountingfirm from performing certain non-audit servicesfor a public company client for whom it per-forms financial statement audits.

Risk-management activities: Financial institu-tions may outsource various risk-managementactivities, such as aspects of interest rate risk andmodel risk management. Financial institutionsshould require service providers to provideinformation that demonstrates developmentalevidence explaining the product components,design, and intended use, to determine whether

11. For further guidance regarding business continuity

planning with service providers, refer to the FFIEC Business

Continuity Booklet (March 2008) at http://

ithandbook.ffiec.gov/it-booklets/business-continuity-

planning.aspx.

12. Refer to SR-13-1, ‘‘Supplemental Policy Statement on

the Internal Audit Function and Its Outsourcing,’’ specifically

the section titled, ‘‘Depository Institutions Subject to the

Annual Audit and Reporting Requirements of Section 36 of

the FDI Act.’’ See section 2060.07 of this manual. Refer also

to SR-03-5, ‘‘Amended Interagency Guidance on the Internal

Audit Function and its Outsourcing,’’ particularly the section

titled,‘‘Institutions Not Subject to Section 36 of the FDI Act

that are Neither Public Companies nor Subsidiaries of Public

Companies.’’ See section 2060.05 of this manual.



the products and/or services are appropriate forthe institution’s exposures and risks.13 Financialinstitutions should also have standards andprocesses in place for ensuring that service

providers offering model risk-managementservices, such as validation, do so in a way thatis consistent with existing model risk-management guidance.

13. Refer to SR-11-7, ‘‘Guidance on Model Risk Manage-

ment’’ or section 2126.0 which informs financial institutions

of the importance and risk to the use of models and the

supervisory expectations that financial institutions should

adhere to.



Information Security StandardsSection 2124.4


Effective July 2012, this section was revised toremove references to SR-97-32, ‘‘Sound Prac-tices Guidance for Information Security Net-works’’ and SR-00-4, ‘‘Outsourcing of Informa-tion and Transaction Processing,’’ which weredeemed inactive by SR-12-6. A reference to inac-tive SR-03-12, ‘‘Revisions to the SuspiciousActivity Report Form,’’ was also removed.

2124.4.1 INTERAGENCY GUIDELINESESTABLISHING INFORMATIONSECURITY STANDARDS

The federal banking agencies jointly issuedinteragency guidelines establishing informationsecurity standards (the information securitystandards), which became effective July 1,2001.1 (See appendix A, section 2124.4.5.) TheBoard of Governors of the Federal Reserve Sys-tem approved amendments to the standards onDecember 16, 2004 (effective July 1, 2005). Theamended information security standards imple-ment sections of 501 and 505 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805)and section 216 of the Fair and Accurate CreditTransactions Act of 2003 (15 U.S.C. 1681w).The Gramm-Leach-Bliley Act requires the agen-cies to establish information standards consist-ing of administrative, technical, and physicalsafeguards for customer records and informa-tion. (See SR-01-15.) Bank holding companiesand financial holding companies must complywith the information security standards (seeappendix F for Regulation Y).2 The informationsecurity standards apply to customer informa-tion maintained by or on behalf of state memberbanks, bank holding companies, and the non-bank subsidiaries or affiliates of each.3 The

information security standards include standardsfor the proper disposal of consumer and cus-tomer information and guidance on responseprograms for unauthorized access to customerinformation. (See SR-05-23/CA-05-10.) Seesections 2124.4.1.1 and 2124.4.2.

Under the information security standards,each bank holding company falling within thescope of the standards must implement a com-prehensive, written information security pro-gram.4 A bank holding company’s board ofdirectors, or an appropriate committee of theboard, must oversee the company’s develop-ment, implementation, and maintenance of theinformation security program—this board over-sight includes assigning specific responsibilityfor the program’s implementation and review-ing reports received from management. Theinformation security program should includeadministrative, technical, and physical safe-guards appropriate to the size and complexity ofthe bank holding company and the nature andscope of its activities.

While all parts of a bank holding companyare not required to implement a uniform infor-mation security program and set of policies, allelements of the information security programmust be coordinated. A bank holding companymust ensure that each of its subsidiaries is sub-ject to a comprehensive information securityprogram. It may fulfill this requirement either1) by including a subsidiary within the scope ofthe bank’s holding company’s comprehensiveinformation security program or (2) by havingthe subsidiary implement a separate comprehen-sive information security program in accordancewith the information security standards and pro-cedures of appendix F, Regulation Y.

A bank holding company’s information secu-rity program must be designed to (1) ensure thesecurity and confidentiality of customer infor-mation,5 (2) protect against anticipated threats

1. The 2001 information security standards were titledInteragency Guidelines Establishing Standards for Safeguard-ing Customer Information. See 66 Fed. Reg. 8,616–8,641(February 1, 2001); 69 Fed. Reg. 7,610–7,621 (December 28,2004); and Regulation H, 12 CFR 208, appendix D-2; Regula-tion K, 12 CFR 211.9 and 211.24; and Regulation Y, 12 CFR225, appendix F.

2. The discussion in this section applies equally to finan-cial holding companies and bank holding companies.

3. The information security standards do not apply to bro-kers, dealers, investment companies, and investment advisers,or to persons providing insurance under the applicable stateinsurance authority of the state in which the person is domi-ciled. The appropriate federal agency or state insuranceauthority regulates these insurance entities under sections 501and 505 of the Gramm-Leach-Bliley Act.

4. The information security standards apply to customerinformation; as a result, a bank holding company that does notmaintain any customer information is not subject to the infor-mation security standards. In addition, when customer infor-mation is maintained only in the banking subsidiaries orfunctionally regulated nonbank subsidiaries of the holdingcompany, examiners generally may rely on the primary super-visor’s assessment of the subsidiaries’ information securityprograms, if applicable, to determine the holding company’scompliance with the information security standards.

5. Customer information is defined to include any record,whether in paper, electronic, or other form, containing non-


or hazards to the security or integrity of suchinformation, (3) protect against unauthorizedaccess to or use of customer information thatcould result in substantial harm or inconve-nience to any customer, and (4) ensure theproper disposal of customer information andconsumer information.6 Each bank holding com-pany must identify reasonably foreseeable inter-nal and external threats that could result inunauthorized disclosure, misuse, alteration, ordestruction of customer information or customerinformation systems. An assessment must bemade of the (1) likelihood and potential damageof these threats, taking into consideration thesensitivity of the customer information, and(2) sufficiency of policies, procedures, customerinformation systems, and other arrangementsthat are in place to control risks.

Appropriate policies, procedures, training,and testing must be implemented to manage andcontrol identified risks. Management must alsoreport at least annually to the board of directorsor an appropriate committee of the board. Man-agement’s reports should describe the overallstatus of the information security program andthe bank holding company’s compliance withthe information security standards. The reportsshould discuss material matters related to theBHC’s information security program, address-ing issues such as risk assessment, risk-management and -control decisions, service-provider arrangements, results of testing,security breaches or violations and manage-ment’s responses to them, and recommenda-tions for changes in the information securityprogram.

The information security standards outlinespecific information security measures that bankholding companies must consider in implement-ing an information security program. A bankholding company should adopt appropriate mea-sures to manage and control identified risks,commensurate with the sensitivity of the infor-mation as well as the complexity and scope of

its activities. The measures that a bank holdingcompany must consider and may adopt includeaccess controls, access restrictions, encryptionof electronic customer information, dual controlprocedures, segregation of duties, and employeebackground checks for employees who haveresponsibilities for or access to customer infor-mation. In addition, a bank holding companymust have monitoring systems and responseprograms and measures to protect againstdestruction, loss, or damage of customer infor-mation due to potential environmental hazards,such as fire and water damage or technologicalfailures. Training and testing, are critical com-ponents to implement an effective informationsecurity program. Each bank holding companymust regularly test the key controls, systems,and procedures. Tests should be conducted orreviewed by independent third parties or by staffwho are independent of the individuals whodevelop or maintain the security program.

The Federal Reserve recognizes that bankingorganizations are highly sensitive to the impor-tance of safeguarding customer information andthe need to maintain effective information secu-rity programs. Existing examination and inspec-tion procedures and supervisory processesalready address information security. As a result,most banking organizations may not need toimplement any new controls and procedures.

Examiners should assess compliance with theinformation security standards during eachsafety-and-soundness inspection, which mayinclude targeted reviews of information technol-

public personal information, as defined in Regulation P, abouta financial institution’s customer that is maintained by or onbehalf of the bank holding company.

6. A customer is defined in the same manner in RegulationP—a consumer who has established a continuing relationshipwith a bank holding company, under which the bank holdingcompany provides one or more financial products or servicesto the consumer to be used primarily for personal, family, orhousehold purposes. The definition of customer does notinclude a business, nor does it include a consumer who hasnot established an ongoing relationship with the bank holdingcompany.

Information Security Standards 2124.4


ogy. Ongoing compliance with the informationsecurity standards should be monitored asneeded during the risk-focused inspection pro-cess. Material instances of noncomplianceshould be noted in the inspection report.

Bank holding companies are required to over-see their service-provider arrangements in orderto (1) protect the security of customer informa-tion maintained or processed by their serviceproviders; (2) ensure that their service providersproperly dispose of customer and consumerinformation; and (3) whenever warranted, moni-tor their service providers to confirm that aprovider has satisfied its contractual obligations.

A bank holding company must use appropri-ate due diligence in selecting its service provid-ers. Bank holding companies should review apotential service provider’s information securityprogram or the measures the service providerwill use to protect the bank holding company’scustomer information.7 All contracts mustrequire that the service provider implementappropriate measures designed to meet theobjectives of the information security standards.

When indicated by the bank holding compa-ny’s risk assessment, the performance of itsservice providers must be monitored to confirmthat they have satisfied their obligations underthe information security program. A bank hold-ing company’s methods for overseeing its ser-vice providers may differ depending on the typeof services, the service provider, or the level ofrisk to the customer information. For example,if a service provider is subject to regulations ora code of conduct that imposes a duty to protectcustomer information consistent with the objec-tives of the information security standards, abank holding company may consider that dutyin exercising its due diligence and oversight ofthe service provider. If a service provider hires asubservicer (that is, subcontracts), the subser-vicer would not be considered a ‘‘service pro-vider’’ under the guidelines.

2124.4.1.1 Disposal of Customer andConsumer Information

The information security standards address stan-dards for the proper disposal of consumer infor-mation, pursuant to sections 621 and 628 of theFair Credit Reporting Act (15 U.S.C. 1681s and1681w). Under section 225.4 of Regulation Y, a

BHC is required to properly dispose of con-sumer information in accordance with 16 C.F.R.682. To address the risks associated with iden-tity theft, a BHC and its nonbank subsidiariesand affiliates (a financial institution) is generallyrequired to develop, implement, and maintain,as part of its existing information security pro-gram, appropriate measures to properly disposeof consumer information derived from con-sumer reports.

Consumer information is defined as anyrecord about an individual, whether in paper,electronic, or other form, that is a consumerreport or is derived from a consumer report andthat is maintained or otherwise possessed by oron behalf of the banking organization for abusiness purpose. Consumer information alsomeans a compilation of such records.

The following are examples of consumerinformation:

1. a consumer report that a bank obtains2. information from a consumer report that the

bank obtains from its affiliate after the con-sumer has been given a notice and haselected not to opt out of that sharing

3. information from a consumer report that thebank obtains about an individual who appliesfor but does not receive a loan, including anyloan sought by an individual for a businesspurpose

4. information from a consumer report that thebank obtains about an individual who guar-antees a loan (including a loan to a businessentity)

5. information from a consumer report that thebank obtains about an employee or prospec-tive employee

Consumer information does not include anyrecord that does not personally identify an indi-vidual, nor does it include the following:

1. aggregate information, such as the meancredit score, derived from a group of con-sumer reports

2. blind data, such as payment history onaccounts that are not personally identifiable,that may be used for developing credit scor-ing models or for other purposes

7. A service provider is deemed to be a person or entitythat maintains, processes, or is otherwise permitted access tocustomer information through its direct provision of servicesdirectly to the bank holding company.



2124.4.2 RESPONSE PROGRAMS FORUNAUTHORIZED ACCESS TOCUSTOMER INFORMATION ANDCUSTOMER NOTICE

The information security standards list measuresto be included in a bank holding company’sinformation security program. These measuresinclude ‘‘response programs that specify actionsto be taken when the bank suspects or detectsthat unauthorized individuals have gained accessto customer information systems, includingappropriate reports to regulatory and lawenforcement agencies.’’8 A response program isthe principal means for a financial institution toprotect against the unauthorized ‘‘use’’ of cus-tomer information that could lead to ‘‘substan-tial harm or inconvenience’’ for its customer.For example, customer notification is an impor-tant tool that enables a customer to take steps toprevent identity theft, such as by arranging tohave a fraud alert placed in his or her credit file.

Prompt action by both the institution and thecustomer following any unauthorized access tocustomer information is crucial to preventing orlimiting damages from identity theft. As a result,every financial institution should develop andimplement a response program appropriate to itssize and complexity and to the nature and scopeof its activities. The program should be designedto address incidents of unauthorized access tocustomer information.

The Interagency Guidance on Response Pro-grams for Unauthorized Access to CustomerInformation and Customer Notice9 (the guid-ance) interprets section 501(b) of the Gramm-Leach-Bliley Act (the GLB Act) and the infor-mation security standards.10 The guidancedescribes the response programs, including cus-tomer notification procedures, that a financialinstitution should develop and implement toaddress unauthorized access to or use of cus-tomer information that could result in substan-tial harm or inconvenience to a customer.

When evaluating the adequacy of an institu-tion’s required information security program,examiners are to consider whether the institu-tion has developed and implemented a responseprogram equivalent to the guidance. At a mini-mum, an institution’s response program shouldcontain procedures for (1) assessing the natureand scope of an incident, and identifying whatcustomer information systems and types of cus-tomer information have been accessed or mis-used; (2) notifying its primary federal regulatoras soon as possible when the institution becomesaware of an incident involving unauthorizedaccess to or use of sensitive customer informa-tion, as defined later in the guidance; (3) imme-diately notifying law enforcement in situationsinvolving federal criminal violations requiringimmediate attention; (4) taking appropriate stepsto contain and control the incident to preventfurther unauthorized access to or use of cus-tomer information, such as by monitoring, freez-ing, or closing affected accounts, whilepreserving records and other evidence; and(5) notifying customers when warranted.

The guidance does not apply to a financialinstitution’s foreign offices, branches, or affili-ates. However, a financial institution subject tothe information security standards is responsiblefor the security of its customer information,whether the information is maintained within oroutside of the United States, such as by a ser-vice provider located outside of the UnitedStates.

The guidance also applies to customer infor-mation, meaning any record containing nonpub-lic personal information about a financial insti-tution’s customer, whether in paper, electronic,or other form, that is maintained by or on behalfof the institution.11 (See the Board’s privacyrule, Regulation P, at section 216.3(n)(2) (12C.F.R. 216.3(n)(2).) Consequently, the guidanceapplies only to information that is within thecontrol of the institution and its service provid-ers. The guidance would not apply to informa-tion directly disclosed by a customer to a thirdparty, for example, through a fraudulent website.

The guidance also does not apply to informa-tion involving business or commercial accounts.Instead, the guidance applies to nonpublic per-sonal information about a ‘‘customer’’ as thatterm is used in the information security stan-dards, namely, a consumer who obtains a finan-cial product or service from a financial institu-tion to be used primarily for personal, family, or

8. See the information security standards, 12 CFR 225,appendix F, supplement A.

9. The guidance was jointly issued on March 23, 2005(effective March 29, 2005), by the Board of Governors of theFederal Reserve System, the Federal Deposit Insurance Cor-poration, the Office of the Comptroller of the Currency, andthe Office of Thrift Supervision.

10. See 12 C.F.R. 225, appendix F. The Interagency Guide-lines Establishing Information Security Standards were for-merly known as the Interagency Guidelines Establishing Stan-dards for Safeguarding Customer Information.

11. See the information security standards, 12 C.F.R. 225,appendix F, section I.C.2.c.



household purposes, and who has a continuingrelationship with the institution.12

2124.4.2.1 Response Programs

Financial institutions should take preventivemeasures to safeguard customer informationagainst attempts to gain unauthorized access tothe information. For example, financial institu-tions should place access controls on customerinformation systems and conduct backgroundchecks on employees who are authorized toaccess customer information.13 However, everyfinancial institution should also develop andimplement a risk-based response program toaddress incidents of unauthorized access to cus-tomer information in customer information sys-tems14 that occur nonetheless. A response pro-gram should be a key part of an institution’sinformation security program. The programshould be appropriate to the size and complexityof the institution and the nature and scope of itsactivities.

In addition, each institution should be able toaddress incidents of unauthorized access to cus-tomer information in customer information sys-tems maintained by its domestic and foreignservice providers. Therefore, consistent with theobligations in the information security standardsthat relate to these arrangements and with exist-ing guidance on this topic issued by the agen-cies, an institution’s contract with its serviceprovider should require the service provider totake appropriate actions to address incidents ofunauthorized access to the financial institution’scustomer information. These actions includenotifying the institution as soon as possible ofany such incident, which enables the institutionto expeditiously implement its responseprogram.

2124.4.2.1.1 Components of a ResponseProgram

At a minimum, an institution’s response pro-gram should contain procedures for thefollowing:

1. assessing the nature and scope of an incident,and identifying what customer informationsystems and types of customer informationhave been accessed or misused

2. notifying its primary federal regulator assoon as possible when the institutionbecomes aware of an incident involvingunauthorized access to or use of sensitivecustomer information, as defined below

3. consistent with the Suspicious ActivityReport (SAR) regulations,15 notifying appro-priate law enforcement authorities, in addi-tion to filing a timely SAR in situationsinvolving federal criminal violations requir-ing immediate attention, such as when areportable violation is ongoing

4. taking appropriate steps to contain and con-trol the incident to prevent further unauthor-ized access to or use of customer informa-tion, for example, by monitoring, freezing, orclosing affected accounts, while preservingrecords and other evidence

5. notifying customers when warranted

As noted above for the second component, afinancial institution and a bank holding com-pany are to notify its primary federal regulatorof a security breach involving sensitive cus-tomer information, whether or not it notifies itscustomers. The banking organization experienc-ing such a breach should promptly notify itssupervisory central point of contact at itsReserve Bank and provide information on thenature of the incident and on whether lawenforcement authorities were notified or a SARwas or will be filed. When reporting securitybreaches involving sensitive customer informa-tion, the institution should provide the centralpoint of contact with information on the stepstaken to contain and control the incident, the

12. See the information security standards, 12 C.F.R. 225,appendix F, at section I.C.2.b. and the Board’s Privacy Rule(Regulation P), section 216.3(h) (12 C.F.R. 216.3(h)).

13. Institutions should also conduct background checks onemployees to ensure that they do not violate 12 U.S.C. 1829,which prohibits an institution from hiring an individual con-victed of certain criminal offenses or who is subject to aprohibition order under 12 U.S.C. 1818(e)(6).

14. Under the information security standards, an institu-tion’s customer information systems consist of all the methodsused to access, collect, store, use, transmit, protect, or disposeof customer information, including the systems maintained byits service providers. See the information security standards,12 C.F.R. 225, appendix F, section I.C.2.d.

15. An institution’s obligation to file a SAR is set out inthe SAR regulations and supervisory guidance. See 12 C.F.R.208.62 (state member banks); 12 C.F.R. 211.5(k) (Edge andagreement corporations); 12 C.F.R. 211.24(f) (uninsured statebranches and agencies of foreign banks); and 12 C.F.R.225.4(f) (bank holding companies and their nonbank subsidi-aries). See also SR-01-11, ‘‘Identity Theft and PretextCalling.’’



number of customers potentially affected,whether customer notification is warranted, andwhether a service provider was involved. Abanking organization should not delay provid-ing prompt initial notification to its central pointof contact. (See SR-05-23/CA-05-10.)

If an incident of unauthorized access to cus-tomer information involves customer informa-tion systems maintained by an institution’s ser-vice providers, the financial institution isresponsible for notifying its customers and regu-lator. However, an institution may authorize orcontract with its service provider to notify theinstitution’s customers or regulator on its behalf.

2124.4.2.2 Customer Notice

Financial institutions have an affirmative duty toprotect their customers’ information againstunauthorized access or use. Notifying customersof a security incident involving the unauthorizedaccess or use of the customer information, inaccordance with the standard set forth below, isa key part of that duty.

Timely notification of customers is importantto managing an institution’s reputation risk.Effective notice also may reduce an institution’slegal risk, assist in maintaining good customerrelations, and enable the institution’s customersto take steps to protect themselves against theconsequences of identity theft. When customernotification is warranted, an institution may notforgo notifying its customers of an incidentbecause the institution believes that it may bepotentially embarrassed or inconvenienced bydoing so.

2124.4.2.2.1 Standard for ProvidingNotice

When a financial institution becomes aware ofan incident of unauthorized access to sensitivecustomer information, the institution shouldconduct a reasonable investigation to promptlydetermine the likelihood that the informationhas been or will be misused. If the institutiondetermines that misuse of its information abouta customer has occurred or is reasonably pos-sible, it should notify the affected customer assoon as possible.

Customer notice may be delayed if an appro-priate law enforcement agency determines thatnotification will interfere with a criminal inves-

tigation and provides the institution with a writ-ten request for the delay. However, the institu-tion should notify its customers as soon asnotification will no longer interfere with theinvestigation.

2124.4.2.2.2 Sensitive CustomerInformation

Under the information security standards, aninstitution must protect against unauthorizedaccess to or use of customer information thatcould result in substantial harm or inconve-nience to any customer. Substantial harm orinconvenience is most likely to result fromimproper access to sensitive customer informa-tion because this type of information is mostlikely to be misused, as in the commission ofidentity theft.

For purposes of the guidance, sensitive cus-tomer information means a customer’s name,address, or telephone number, in conjunctionwith the customer’s Social Security number,driver’s license number, account number, creditor debit card number, or with a personal identifi-cation number or password that would permitaccess to the customer’s account. Sensitive cus-tomer information also includes any combina-tion of components of customer information thatwould allow someone to log on to or access thecustomer’s account, such as a user name andpassword or a password and an account number.

2124.4.2.2.3 Affected Customers

If a financial institution, on the basis of itsinvestigation, can determine from its logs orother data precisely which customers’ informa-tion has been improperly accessed, it may limitnotification to those customers for whom theinstitution determines that misuse of their infor-mation has occurred or is reasonably possible.However, there may be situations in which aninstitution determines that a group of files hasbeen accessed improperly but is unable to iden-tify which specific customers’ information hasbeen accessed. If the circumstances of the unau-thorized access lead the institution to determinethat misuse of the information is reasonablypossible, it should notify all customers in thegroup.



2124.4.2.2.4 Content of Customer Notice

Customer notice should be given in a clear andconspicuous manner. The notice should describethe incident in general terms and the type ofcustomer information that was the subject ofunauthorized access or use. The notice shouldalso generally describe what the institution hasdone to protect the customers’ information fromfurther unauthorized access, and include a tele-phone number that customers can call for fur-ther information and assistance.16 The noticeshould remind customers of the need to remainvigilant over the next 12 to 24 months, and topromptly report incidents of suspected identitytheft to the institution. The notice should includethe following additional items, whenappropriate:

1. a recommendation that the customer reviewaccount statements and immediately reportany suspicious activity to the institution

2. a description of fraud alerts and an explana-tion of how the customer may place a fraudalert in his or her consumer reports to put thecustomer’s creditors on notice that the cus-tomer may be a victim of fraud

3. a recommendation that the customer periodi-cally obtain credit reports from each nation-wide credit reporting agency and have infor-mation relating to fraudulent transactionsdeleted

4. an explanation of how the customer mayobtain a credit report free of charge

5. information about the availability of the Fed-eral Trade Commission (FTC) online guid-ance regarding steps consumers can take toprotect themselves against identity theft (Thenotice should encourage the customer toreport any incidents of identity theft to theFTC and should provide the FTC’s web siteaddress and toll-free telephone number thatcustomers may use to obtain the identitytheft guidance and to report suspected inci-dents of identity theft.)17

Financial institutions are encouraged to notifythe nationwide consumer reporting agenciesbefore sending notices to a large number ofcustomers when those notices include contactinformation for the reporting agencies.

2124.4.2.2.5 Delivery of Customer Notice

Customer notice should be delivered in anymanner designed to ensure that a customer canreasonably be expected to receive it. For exam-ple, the institution may choose to contact allaffected customers by telephone, by mail, orby electronic mail in the case of customersfor whom it has a valid e-mail address andwho have agreed to receive communicationselectronically.

2124.4.3 Inspection Objective

1. To review and assess the bank holding com-pany’s compliance with the InteragencyGuidelines Establishing Information SecurityStandards, which include standards for safe-guarding customer information (the examin-ers should thus review the BHC’s informa-tion security program, including its responseprogram for unauthorized access to customerinformation and customer notice and itsguidelines on the proper disposal of cus-tomer information and consumer informa-tion) and all other applicable laws, rules, andregulations.

2124.4.4 Inspection Procedures

1. Referencing the ‘‘Establishment of Informa-tion Security Standards’’ section of the inter-nal control questionnaire in section 4060.4 ofthe System’s Commercial Bank ExaminationManual, assess the BHC’s compliance withthe Interagency Guidelines EstablishingInformation Security Standards including itsstandards for safeguarding customerinformation.

2. Conduct a review that is a sufficient basis forevaluating the BHC’s overall informationsecurity program and its compliance with theinformation security standards.

16. The institution should, therefore, ensure that it hasreasonable policies and procedures in place, including trainedpersonnel, to respond appropriately to customer inquiries andrequests for assistance.

17. The FTC web site for the ID theft brochure and theFTC hotline phone number are www.ftc.gov/bcp/consumer.shtm and 1-877-IDTHEFT. The institution may alsorefer customers to any materials developed pursuant to section151(b) of the FACT Act (educational materials developed bythe FTC to teach the public how to prevent identity theft).



2124.4.5 APPENDIX A—INTERAGENCY GUIDELINESESTABLISHING INFORMATIONSECURITY STANDARDS

Sections II and III of the information securitystandards are provided below. For more infor-mation, see the Interagency Guidelines Estab-lishing Information Security Standards in Regu-lation Y, section 225, appendix F (12 C.F.R.225, appendix F). The guidelines were previ-ously titled Interagency Guidelines EstablishingStandards for Safeguarding Customer Informa-tion. The information security standards wereamended, effective July 1, 2005, to implementsection 216 of the Fair and Accurate CreditTransactions Act of 2003 (the FACT Act). Toaddress the risks associated with identity theft,the amendments generally require financialinstitutions to develop, implement, and main-tain, as part of their existing information secu-rity program, appropriate measures to properlydispose of consumer information derived fromconsumer reports. The term consumer informa-tion is defined in the revised rule.

II. Standards for Safeguarding CustomerInformation

A. Information Security Program

Each bank holding company is to implement acomprehensive, written information securityprogram that includes administrative, technical,and physical safeguards appropriate to the sizeand complexity of the bank holding companyand the nature and scope of its activities. Whileall parts of the bank holding company are notrequired to implement a uniform set of policies,all elements of the information security programare to be coordinated. A bank holding companyis also to ensure that each of its subsidiaries issubject to a comprehensive information securityprogram. The bank holding company may fulfillthis requirement either by including a subsidiarywithin the scope of the bank holding company’scomprehensive information security program orby causing the subsidiary to implement a sepa-rate comprehensive information security pro-gram in accordance with the standards and pro-cedures in sections II and III that apply to bankholding companies.

B. Objectives

A bank holding company’s information securityprogram shall be designed to—

1. ensure the security and confidentiality of cus-tomer information;

2. protect against any anticipated threats orhazards to the security or integrity of suchinformation;

3. protect against unauthorized access to or useof such information that could result in sub-stantial harm or inconvenience to any cus-tomer; and

4. ensure the proper disposal of customer infor-mation and consumer information.

III. Development and Implementation OfInformation Security Program

A. Involve the Board of Directors

The board of directors or an appropriate com-mittee of the board of each bank holding com-pany is to—

1. approve the bank holding company’s writteninformation security program; and

2. oversee the development, implementation,and maintenance of the bank holding com-pany’s information security program, includ-ing assigning specific responsibility for itsimplementation and reviewing reports frommanagement.

B. Assess Risk

Each bank holding company is to—

1. identify reasonably foreseeable internal andexternal threats that could result in unauthor-ized disclosure, misuse, alteration, ordestruction of customer information or cus-tomer information systems;

2. assess the likelihood and potential damage ofthese threats, taking into consideration thesensitivity of customer information;

3. assess the sufficiency of policies, procedures,customer information systems, and otherarrangements in place to control risks; and

4. ensure the proper disposal of customer infor-mation and consumer information.



C. Manage and Control Risk


1. Design its information security program tocontrol the identified risks, commensuratewith the sensitivity of the information as wellas the complexity and scope of the bankholding company’s activities. Each bankholding company must consider whether thefollowing security measures are appropriatefor the bank holding company and, if so,adopt those measures the bank holding com-pany concludes are appropriate:a. access controls on customer information

systems, including controls to authenti-cate and permit access only to authorizedindividuals and controls to preventemployees from providing customerinformation to unauthorized individualswho may seek to obtain this informationthrough fraudulent means

b. access restrictions at physical locationscontaining customer information, such asbuildings, computer facilities, and recordsstorage facilities to permit access only toauthorized individuals;

c. encryption of electronic customer infor-mation, including while in transit or instorage on networks or systems to whichunauthorized individuals may have access

d. procedures designed to ensure that cus-tomer information system modificationsare consistent with the bank holding com-pany’s information security program

e. dual control procedures, segregation ofduties, and employee background checksfor employees with responsibilities for oraccess to customer Information

f. monitoring systems and procedures todetect actual and attempted attacks on orintrusions into customer informationsystems

g. response programs that specify actions tobe taken when the bank holding companysuspects or detects that unauthorized indi-viduals have gained access to customerinformation systems, including appropri-ate reports to regulatory and law enforce-ment agencies

h. measures to protect against destruction,loss, or damage of customer informationdue to potential environmental hazards,such as fire and water damage or techno-logical failures

2. Train staff to implement the bank holdingcompany’s information security program.

3. Regularly test the key controls, systems, and

procedures of the information security pro-gram. The frequency and nature of such testsshould be determined by the bank holdingcompany’s risk assessment. Tests should beconducted or reviewed by independent thirdparties or staff independent of those thatdevelop or maintain the security programs.

4. Develop, implement, and maintain, as part ofits information security program, appropriatemeasures to properly dispose of customerinformation and consumer information inaccordance with each of the requirements inthis section III.

D. Oversee Service-ProviderArrangements


1. exercise appropriate due diligence in select-ing its service providers;

2. require its service providers by contract toimplement appropriate measures designed tomeet the objectives of the information secu-rity standards; and

3. where indicated by the bank holding compa-ny’s risk assessment, monitor its service pro-viders to confirm that they have satisfiedtheir obligations with regard to the require-ments for overseeing provider arrangements.As part of this monitoring, a bank holdingcompany should review audits, summaries oftest results, or other equivalent evaluations ofits service providers.

E. Adjust the Program

Each bank holding company is to monitor,evaluate, and adjust, as appropriate, the informa-tion security program in light of any relevantchanges in technology, the sensitivity of its cus-tomer information, internal or external threats toinformation, and the bank holding company’sown changing business arrangements, such asmergers and acquisitions, alliances and jointventures, outsourcing arrangements, andchanges to customer information systems.

F. Report to the Board

Each bank holding company is to report to itsboard or an appropriate committee of the board



at least annually. This report should describe theoverall status of the information security pro-gram and the bank holding company’s compli-ance with the information security standards.The reports should discuss material mattersrelated to its program, addressing issues such asrisk assessment; risk management and controldecisions; service-provider arrangements;results of testing; security breaches or violations

and management’s responses; and recommenda-tions for changes in the information securityprogram.

G. Implement the Standards

For effective dates, see 12 C.F.R. 225, appendixF, section III.G.



Identity Theft Red Flags and Address DiscrepanciesSection 2124.5

2124.5.1 IDENTITY THEFT REDFLAGS PREVENTION PROGRAM

The federal financial institution regulatoryagencies1 and the Federal Trade Commission(FTC) have issued joint regulations andguidelines on the detection, prevention, andmitigation of identity theft in connection withopening of certain accounts or maintainingcertain existing accounts in response to the Fairand Accurate Credit Transactions Act of 2003(The FACT Act).2 Under the FACT Act, bankholding companies (BHCs) and their nonbanksubsidiaries are subject to the FTC’s regula-tions.3 These regulations require financialinstitutions4 or creditors5 that offer or maintainone or more ‘‘covered accounts’’ to develop andimplement a written Identity Theft PreventionProgram (Program). A Program is to be designedto detect, prevent, and mitigate identity theft inconnection with the opening of a covered accountor any existing covered account. The Programmust be tailored to the entity’s size, complexity,and the nature and scope of its operations andactivities. The regulations also require (debit andcredit) card issuers to validate notifications ofchanges of address under certain circumstances.

The joint final rules and guidelines wereeffective on January 1, 2008. The mandatorycompliance date for the rules was November 1,2008.6 (See section 681 of the FTC’s Red Flags

Rule (16 CFR 681) and 72 Fed. Reg. 63718-63775, November 9, 2007.)

This section describes the provisions of theRed Flags Rule and its guidelines (appendix A)to be used when examining a BHC and itsnonbank subsidiaries over which the FederalReserve has supervisory authority (collectivelyreferred to as ‘‘BHC’’). (See SR-08-7/CA-08-10and its interagency attachments.)

2124.5.1.1 Risk Assessment

Prior to the development of the Program, afinancial institution or creditor must initiallyand then periodically conduct a risk assessmentto determine whether it offers or maintains cov-ered accounts. It must take into consideration(1) the methods it provides to open its accounts,(2) the methods it provides to access accounts,and (3) its previous experiences with identitytheft. If the financial institution or creditor hascovered accounts, it must evaluate its potentialvulnerability to identity theft. The institutionshould also consider whether a reasonably fore-seeable risk of identity theft may exist in con-nection with the accounts it offers or maintainsand those that may be opened or accessedremotely, through methods that do not requireface-to-face contact, such as through the Inter-net or telephone. Financial institutions or credi-tors that offer or maintain business accounts thathave been the target of identity theft shouldfactor those experiences with identity theft intotheir determination.

If the financial institution or creditor deter-mines that it has covered accounts, the riskassessment will enable it to identify which of itsaccounts the Program must address. If a finan-cial institution or creditor initially determinesthat it does not have covered accounts, it mustperiodically reassess whether it must developand implement a Program in light of changes inthe accounts that it offers or maintains.

1. The Board of Governors of the Federal Reserve System(FRB), the Office of the Comptroller of the Currency (OCC),the Office of Thrift Supervision (OTS), the Federal DepositInsurance Corporation (FDIC), and the National Credit UnionAdministration (NCUA).

2. Section 111 of the FACT Act defines ‘‘identity theft’’ as‘‘a fraud committed or attempted using the identifying infor-mation of another person.’’

3. The FACT Act gives the Board the authority to writerules for state member banks but not BHCs. Nonetheless, theBoard retains its supervisory and enforcement authority overBHCs, pursuant to section 1818 of the Federal Deposit Insur-ance Act. The Board and FTC Red Flags Rules are substan-tially the same.

4. For purposes of the rule, the term ‘‘financial institution’’means a ‘‘State or National bank, a State or Federal savingsand loan association, a mutual savings bank . . . or any otherperson that, directly or indirectly, holds a transaction account. . . belonging to a consumer.’’

5. Under section 111 of the FACT Act, the term ‘‘creditor’’means any person (a natural person, a corporation, govern-ment or governmental subdivision, trust, estate, partnership,cooperative, or association) who regularly extends, renews, orcontinues credit; any person who regularly arranges for theextension, renewal, or continuation of credit; or any assigneeor original creditor who participates in the decision to extend,renew, or continue credit.

6. The FTC subsequently granted a six-month delay ofenforcement of its Red Flags Rule until May 1, 2009.

(See www2.ftc.gov/opa/2008/10/redflags.shtm.) This delay inenforcement is limited to the Identity Theft Red Flags Rule(16 CFR 681.1), and does not extend to the rule regardingchanges of address applicable to card issuers (16 C.F.R.681.2).


2124.5.1.2 Elements of the Program

The elements of the actual Program will varydepending on the size and complexity of thefinancial institution or creditor. A financial insti-tution or creditor that determines that it isrequired to establish and maintain an IdentityTheft Prevention Program must (1) identify rel-evant Red Flags for its covered accounts,(2) detect the Red Flags that have been incorpo-rated into its Program, and (3) respond appropri-ately to the detected Red Flags. The Red Flagsare patterns, practices, or specific activities thatindicate the possible existence of identity theftor the potential to lead to identity theft. A finan-cial institution or creditor must ensure (1) thatits Program is updated periodically to addressthe changing risks associated with its customersand their accounts and (2) the safety and sound-ness of the financial institution or creditor fromidentity theft.

2124.5.1.3 Guidelines

Each financial institution or creditor that isrequired to implement a written Program mustconsider the Guidelines for Identity TheftDetection, Prevention, and Mitigation (16 C.F.R.681, appendix A of the rule) (the Guidelines)and include those guidelines that are appropriatein its Program. Section I of the Guidelines,‘‘The Program,’’ discusses a Program’s designthat may include, as appropriate, existing poli-cies, procedures, and arrangements that controlforeseeable risks to the institution’s customersor to the safety and soundness of the financialinstitution or creditor from identity theft.

2124.5.1.3.1 Identification of Red Flags

A financial institution or creditor should incor-porate relevant Red Flags into the Program fromsources such as (1) incidents of identity theftthat it has experienced, (2) methods of identitytheft that have been identified as reflectingchanges in identity theft risks, and (3) applica-ble supervisory guidance.

2124.5.1.3.2 Categories of Red Flags

Section II of the Guidelines, ‘‘Categories of RedFlags,’’ provides some guidance in identifying

relevant Red Flags.7 A financial institution orcreditor should include, as appropriate,1. alerts, notifications, or other warnings

received from consumer reporting agenciesor service providers, such as fraud detectionservices;

2. the presentation of suspicious documents;3. the presentation of suspicious personal iden-

tifying information, such as a suspiciousaddress change;

4. the unusual use of, or other suspicious activ-ity related to, a covered account; and

5. notices received from customers, victims ofidentity theft, law enforcement authorities, orother persons regarding possible identitytheft in connection with covered accountsheld by the financial institution or creditor.

The above categories do not represent a com-prehensive list of all types of Red Flags thatmay indicate the possibility of identity theft.Institutions must also consider specific businesslines and any previous exposures to identitytheft. No specific Red Flag is mandatory for allfinancial institutions or creditors. Rather, theProgram should follow the risk-based, nonpre-scriptive approach regarding the identificationof Red Flags.

2124.5.1.3.3 Detect the Program’s RedFlags

In accordance with Section III of the Guide-lines, each financial institution or creditor’s Pro-gram should address the detection of Red Flagsin connection with the opening of coveredaccounts and existing covered accounts. Afinancial institution or creditor is required todetect, prevent, and mitigate identity theft inconnection with such accounts. The policies andprocedures regarding opening a covered accountsubject to the Program should explain how aninstitution could identify information about, andverify the identity of, a person opening anaccount.8 In the case of existing coveredaccounts, institutions could authenticate custom-ers, monitor transactions, and verify the validityof change of address requests.

7. Examples of Red Flags from each of these categories areappended as supplement A to appendix A.

8. See 31 U.S.C. 5318(l) and 31 C.F.R. 103.121.

Identity Theft Red Flags and Address Discrepancies 2124.5


2124.5.1.3.4 Respond Appropriately toany Detected Red Flags

A financial institution or creditor should con-sider precursors to identity theft to stop identitytheft before it occurs. Section IV of the Guide-lines, ‘‘Prevention and Mitigation,’’ states thatan institution’s procedures should provide forappropriate responses to Red Flags that it hasdetected that are commensurate with the degreeof risk posed. When determining an appropriateresponse, the institution should consider aggra-vating factors that may heighten its risk of iden-tity theft. Such factors may include (1) a datasecurity incident that results in unauthorizeddisclosures of nonpublic personal information,(2) records the institution holds or that are heldby another creditor or third party, or (3) noticethat the institution’s customer has providedinformation related to its covered account tosomeone fraudulently claiming to represent theinstitution or to a fraudulent website. Appropri-ate responses may include the following:(1) monitoring a covered account for evidenceof identity theft; (2) contacting the customer;(3) changing any passwords, security codes, orother security devices that permit access to asecured account; (4) reopening a coveredaccount with a new account number; (5) notopening a new covered account; (6) closing anexisting covered account; (7) not attempting tocollect on a covered account or not selling acovered account to a debt collector; (8) notify-ing law enforcement; or (9) determining that noresponse is warranted under the particularcircumstances.

2124.5.1.3.5 Periodically Updating theProgram’s Relevant Red Flags

Section V of the Guidelines, ‘‘Updating theProgram,’’ states that a financial institution orcreditor should periodically update its Program(including its relevant Red Flags) to reflect anychanges in risks to its customers or to the safetyand soundness of the institution from identitytheft, based on (but not limited to) factors suchas

1. the experiences of the institution with iden-tity theft,

2. changes in methods of identity theft,3. changes in methods to detect, prevent, and

mitigate identity theft,4. changes in the types of accounts that the

institution offers or maintains, and5. changes in the institution’s structure,

including its mergers, acquisitions, joint ven-tures, and any business arrangements, suchas alliances and service providerarrangements.

2124.5.1.4 Administration of Program

A financial institution or creditor that is requiredto implement a Program must provide for thecontinued oversight and administration of itsProgram. The following are the steps that areneeded in the administration of a Red FlagsProgram:

1. Obtain approval from either the institution’sboard of directors or any appropriate com-mittee of the board of directors of the initialwritten Program;

2. Involve either the board of directors, a desig-nated committee of the board of directors, ora designated senior-management-levelemployee in the oversight, development,implementation, and administration of theProgram.9 This includes• assigning specific responsibility for the

Program’s implementation,• reviewing reports prepared by staff regard-

ing the institution’s compliance (thereports should be prepared at least annu-ally), and

• reviewing material changes to the Programas necessary to address changing identitytheft risks.

3. Train staff. The financial institution or credi-tor must train relevant staff to effectivelyimplement and monitor the Program. Train-ing should be provided as changes are madeto the financial institution or creditor’s Pro-gram based on its periodic risk assessment.

4. Exercise appropriate and effective oversightof service provider arrangements. Section VIof the Guidelines, ‘‘Methods for Administer-ing the Program,’’ indicates a financial insti-tution or creditor is ultimately responsiblefor complying with the rules and guidelinesfor outsourcing an activity to a third-party

9. BHC subsidiaries can use the security program devel-oped at the holding company level. However, if subsidiaryinstitutions choose to use a security program developed at theholding company level, the board of directors or an appropri-ate committee at each subsidiary institution must conduct anindependent review to ensure that the program is suitable andcomplies with the requirements prescribed by its primaryregulator.



service provider. Whenever a financial insti-tution or creditor engages a service providerto perform an activity in connection with oneor more covered accounts, the institutionshould ensure that the activity of the serviceprovider is conducted in accordance withreasonable policies and procedures designedto detect, prevent, and mitigate the risk ofidentity theft. With regard to the institution’soversight of its Program, periodic reportsfrom service providers are to be issued on theProgram’s development, implementation,and administration.


1. To determine if the BHC has developed,implemented, and maintained a written Pro-gram for new and existing accounts that arecovered by the FACT Act and the FederalTrade Commission’s rules on Fair CreditReporting, section 681, Subpart A—IdentityTheft Red Flags (16 C.F.R. 681, subpart A),which implements provisions of the FACTAct.

2. To make a determination of whether the Pro-gram isa. designed to detect, prevent, and mitigate

identity theft in connection with the open-ing of a new, or an existing, coveredaccount and if the Program includes thedetection of relevant ‘‘Red Flags’’ and

b. appropriate to the size and complexity ofthe ‘‘financial institution’’ or ‘‘creditor’’and the nature and scope of its activities.

3. To ascertain whether the BHC assesses thevalidity of change of address notificationsthat it receives for the credit and debit cardsthat it has issued to customers.


1. Verify that the BHC has determined initially,and periodically thereafter, whether it offersor maintains accounts covered by the FACTAct and section 681, Subpart A—IdentityTheft Red Flags (16 C.F.R. 681, subpart A).

2. Determine if the BHC has adequately devel-oped and maintains a written Program that isdesigned to detect, prevent, and monitortransactions to mitigate identity theft in con-nection with the opening of certain new andexisting accounts covered by the FACT Act.

3. Evaluate whether the Program includes rea-sonable policies and procedures toa. identify and detect relevant Red Flags for

the BHC’s covered accounts and whetherit incorporated those Red Flags into itsProgram,

b. respond appropriately to any detected RedFlags to prevent and mitigate identitytheft, and

c. ensure that the Program is updated peri-odically to reflect changes in identity theftrisks to the customers and the safety andsoundness of the institution.

4. If a required Program has been establishedby the BHC, ascertain if it has provided forthe Program’s continued administration,includinga. involving the board of directors, an appro-

priate committee thereof, or a designatedemployee at the level of senior manage-ment in the continued oversight, develop-ment, implementation, and administrationof the Program;

b. training staff, as necessary, to effectivelyimplement the Program; and

c. appropriate and effective oversight of ser-vice provider arrangements.

5. If the BHC has established and maintains arequired Program that applies to its coveredaccounts, determine if the Program includesthe relevant and appropriate guidelineswithin the rule’s appendix A (16 C.F.R. 681,appendix A).



Trading Activities of Banking Organizations(Risk Management and Internal Controls)1 Section 2125.0

The review of risk management and internalcontrols is an essential element of the inspectionor examination of trading activities. In view ofthe increasing importance of these activities tothe overall risk profile and profitability of cer-tain banking organizations,2 this guidance high-lights key considerations when inspecting orexamining the risk management and internalcontrols of trading activities in both cash andderivative instruments.3The principles set forth in this guidance apply

to the risk management practices of bank hold-ing companies, which should manage and con-trol aggregate risk exposures on a consolidatedbasis while recognizing legal distinctionsamong subsidiaries. This guidance is specifi-cally designed to target trading, market making,and customer accommodation activities in cashand derivative instruments at state memberbanks, branches and agencies of foreign banks,and Edge corporations. Many of the principlesadvanced can also be applied to banking organi-zations’ use of derivatives as end-users. Exam-iners should assess management’s applicationof this guidance to the holding company andto a banking organization’s end-user derivativeactivities where appropriate, given the nature ofthe organization’s activities and current account-ing standards.This examiner guidance is specifically pro-

vided for evaluating the following elements ofan organization’s risk management process fortrading and derivatives activities:

• Board of directors and management oversight• The measurement procedures, limit systems,and monitoring and review functions of therisk management process

• Internal controls and audit procedures

In assessing the adequacy of these elementsat individual institutions, examiners shouldconsider the nature and volume of a bankingorganization’s activities and its overall approachtoward managing the various types of risks

involved. As with the inspection of other activi-ties, examiner judgment plays a key role inassessing the adequacy and necessary sophisti-cation of a banking organization’s risk manage-ment system for cash and derivative instrumenttrading and hedging activities.Many of the managerial practices and exam-

iner procedures contained in this guidance arefundamental and are generally accepted assound banking practices for both trading andnontrading activities. However, other elementsmay be subject to change, as both supervisoryand bank operating standards evolve in responseto new technologies, financial innovations, anddevelopments in market and business practices.

2125.0.1 OVERSIGHT OF THE RISKMANAGEMENT PROCESS

As is standard practice for most banking activi-ties, banking organizations should maintainwritten policies and procedures that clearly out-line the organization’s risk management guid-ance for trading and derivative activities. At aminimum these policies should identify the risktolerances of the board of directors and shouldclearly delineate lines of authority and responsi-bility for managing the risk of these activities.Individuals throughout the trading and deriva-tives areas should be fully aware of all poli-cies and procedures that relate to their specificduties.The board of directors, senior-level manage-

ment, and members of independent risk manage-ment functions are all important participants inthe risk management process. Examiners shouldensure that these participants are aware of theirresponsibilities and that they adequately per-form their appropriate role in managing the riskof trading and derivative activities.

2125.0.1.1 Board of Directors’ Approvalof Risk Management Policies

The board of directors should approve all signif-icant policies relating to the management ofrisks throughout the organization. These poli-cies, which should include those related to trad-ing activities, should be consistent with theorganization’s broader business strategies, capi-tal adequacy, expertise, and overall willingness

1. The following is the text of SR-93-69, adapted for thismanual. Section numbers have been added for reference.2. The term ‘‘banking organizations’’ refers to institutions

or entities that are directly supervised by the Board of Gover-nors of the Federal Reserve System, such as state memberbanks and bank holding companies, including the nonbanksubsidiaries of the holding company.3. In general terms, derivative instruments are bilateral

contracts or agreements whose value derives from the valueof one or more underlying assets, interest rates, exchangerates, commodities, or financial or commodity indexes.

BHC Supervision Manual June 1994Page 1

to take risk. Accordingly, the board should beinformed regularly of risk exposure and shouldregularly reevaluate significant risk manage-ment policies and procedures with specialemphasis placed on those defining the institu-tion’s risk tolerance regarding these activities.The board of directors should also conduct andencourage discussions between its members andsenior management, as well as between seniormanagement and others in the organization,regarding its risk management process and riskexposure.

2125.0.1.2 Senior Management’s RiskManagement Responsibilities

Senior management is responsible for ensuringthat there are adequate policies and proceduresfor conducting trading operations on both along-range and day-to-day basis. This responsi-bility includes ensuring that there are cleardelineations of lines of responsibility for man-aging risk, adequate systems for measuring risk,appropriately structured limits on risk taking,effective internal controls, and a comprehensiverisk-reporting process.Senior management should regularly evaluate

the procedures in place to manage risk to ensurethat those procedures are appropriate and sound.Senior management should also foster and par-ticipate in active discussions with the board,with staff of risk management functions, andwith traders regarding procedures for measuringand managing risk. Management must alsoensure that trading and derivative activities areallocated sufficient resources and staff to man-age and control risks.

2125.0.1.3 Independent RiskManagement Functions

The process of measuring, monitoring, and con-trolling risk consistent with the established poli-cies and procedures should be managed inde-pendently of individuals conducting tradingactivities, up through senior levels of the institu-tion. An independent system for reporting expo-sures to both senior-level management and tothe board of directors is an important element ofthis process.Banking organizations should have highly

qualified personnel throughout their trading andderivatives areas, including their risk manage-ment and internal control functions. The person-

nel staffing independent risk management func-tions should have a complete understanding ofthe risks associated with all traded on- andoff-balance-sheet instruments. Accordingly,compensation policies for these individualsshould be adequate to attract and retain person-nel qualified to judge these risks. As a matter ofgeneral policy, compensation policies, espe-cially in the risk management, control, andsenior management functions, should be struc-tured in a way that avoids the potential incen-tives for excessive risk taking that can occur if,for example, salaries are tied too closely to theprofitability of trading or derivatives activities.

2125.0.2 THE RISK MANAGEMENTPROCESS

The primary components of a sound risk man-agement process are a comprehensive risk mea-surement approach; a detailed structure of lim-its, guidelines, and other parameters used togovern risk taking; and a strong managementinformation system for monitoring and report-ing risks. These components are fundamental toboth trading and nontrading activities alike.Moreover, the underlying risks associated withthese activities, such as credit, market, liquidity,and operating risk, are not new to banking orga-nizations, although their measurement andmanagement can be somewhat more complex.Accordingly, the process of risk managementfor trading activities should be integrated intothe organization’s overall risk management sys-tem to the fullest extent possible using a concep-tual framework common to its other activities.Such a common framework enables the organi-zation to manage its consolidated risk exposuremore effectively, especially since the variousindividual risks involved in trading activitiescan, at times, be interconnected and can oftentranscend specific markets.As is the case with all risk-bearing activities,

the risk exposures a banking organizationassumes in its trading and derivatives activitiesshould be fully supported by an adequate capitalposition. Banking organizations should ensurethat their capital positions are sufficiently strongto support all trading and derivatives risks on afully consolidated basis and that adequate capi-tal is maintained in all affiliated entities engagedin these activities.

2125.0.2.1 Risk Measurement Systems

A banking organization’s system for measuring

Trading Activities of Banking Organizations (Risk Management and Internal Controls) 2125.0


the various risks of trading and derivativesactivities should be both comprehensive andaccurate. Risks should be measured and aggre-gated across trading and nontrading activities onan organizationwide basis to the fullest extentpossible.While examiners should not require the use

of a single prescribed risk measurement ap-proach for management purposes, they shouldevaluate the extent to which the organization’sprocedures enable management to assess expo-sures on a consolidated basis. Examiners shouldalso evaluate whether the risk measures and therisk measurement process are sufficiently robustto accurately reflect the multiple types of risksfacing the banking organization. Risk measure-ment standards should be understood by rele-vant personnel at all levels—from individualtraders to the board of directors—and shouldprovide a common framework for limiting andmonitoring risk-taking activities.The process of marking trading and deriva-

tives positions to market is fundamental to mea-suring and reporting exposures accurately andon a timely basis. Banking organizations activein dealing in foreign exchange, derivatives, andother traded instruments should have the abilityto monitor credit exposures, trading positions,and market movements at least daily. Someorganizations should also have the capacity, orat least the goal, of monitoring their moreactively traded products on a real-time basis.Analyzing stress situations, including combi-

nations of market events that could affect thebanking organization, is also an importantaspect of risk measurement. Sound risk mea-surement practices include identifying possibleevents or changes in market behavior that couldhave unfavorable effects on the organizationand assessing its ability to withstand them.These analyses should consider not only thelikelihood of adverse events, reflecting theirprobability, but also plausible ‘‘worst-case’’ sce-narios. Ideally, such worst-case analysis shouldbe conducted on an organizationwide basis bytaking into account the effect of unusual pricechanges or the default of a large counterpartyacross both the derivatives and cash-tradingportfolios and the loan and funding portfolios.Such stress tests should not be limited to

quantitative exercises that compute potentiallosses or gains. They should also include morequalitative analyses of the actions managementmight take under particular scenarios. Contin-gency plans outlining operating procedures andlines of communication, both formal and infor-mal, are important products of such qualitativeanalyses.

2125.0.2.2 Limiting Risks

A sound system of integrated organizationwidelimits and risk-taking guidelines is an essentialcomponent of the risk management process.Such a system should set boundaries for organi-zational risk-taking and should also ensure thatpositions that exceed certain predeterminedlevels receive prompt management attention, sothat they can be either reduced or prudentlyaddressed. The limit system should be consis-tent with the effectiveness of the organization’soverall risk management process and with theadequacy of its capital position. An appropriatelimit system should permit management tocontrol exposures, to initiate discussion aboutopportunities and risks, and to monitor actualrisk-taking against predetermined tolerances, asdetermined by the board of directors and seniormanagement.Global limits should be set for each major

type of risk involved. These limits should beconsistent with the banking organization’s over-all risk measurement approach and should beintegrated to the fullest extent possible withorganizationwide limits on those risks as theyarise in all other activities of the firm. The limitsystem should provide the capability to allocatelimits down to individual business units.At times, especially when markets are vola-

tile, traders may exceed their limits. While suchexceptions may occur, they should be madeknown to senior management and approved onlyby authorized personnel. These positions shouldalso prompt discussions between traders andmanagement about the consolidated risk-takingactivities of the firm or the trading unit. Theseriousness of individual or continued limitexceptions depends in large part upon manage-ment’s approach toward setting limits and onthe actual size of individual and organizationallimits relative to the organization’s capacity totake risk. Banking organizations with relativelyconservative limits may encounter more excep-tions to those limits than do organizations wherelimits may be less restrictive. Ultimately, exam-iners should ensure that stated policies areenforced and that the level of exposure is man-aged prudently.

2125.0.2.3 Reporting

An accurate, informative, and timely manage-ment information system is essential to the pru-



dent operation of a trading or derivatives activ-ity. Accordingly, the examiner’s assessment ofthe quality of the management information sys-tem is an important factor in the overall evalua-tion of the risk management process. Examinersshould determine the extent to which the riskmanagement function monitors and reports itsmeasures of trading risks to appropriate levelsof senior management and to the board of direc-tors. Exposures and profit and loss statementsshould be reported at least daily to managerswho supervise but do not, themselves, conducttrading activities. More frequent reports shouldbe made as market conditions dictate. Reports toother levels of senior management and the boardmay occur less frequently, but examiners shoulddetermine whether the frequency of reportingprovides these individuals with adequate infor-mation to judge the changing nature of the orga-nization’s risk profile.Examiners should ensure that the manage-

ment information systems translate the mea-sured risk from a technical and quantitative for-mat to one that can be easily read andunderstood by senior managers and directors,who may not have specialized and technicalknowledge of trading activities and derivativeproducts. Risk exposures arising from variousproducts within the trading function should bereported to senior managers and directors usinga common conceptual framework for measuringand limiting risks.

2125.0.2.4 Management Evaluation andReview of the Risk Management Process

Management should ensure that the variouscomponents of an organization’s risk manage-ment process are regularly reviewed and evalu-ated. This review should take into accountchanges in the activities of the organization andin the market environment, since the changesmay have created exposures that require addi-tional management and examiner attention. Anymaterial changes to the risk management systemshould also be reviewed.The independent risk management functions

should regularly assess the methodologies, mod-els, and assumptions used to measure risk and tolimit exposures. Proper documentation of theseelements of the risk measurement system isessential for conducting meaningful reviews.The review of limit structures should comparelimits to actual exposures and should also con-

sider whether existing measures of exposure andlimits are appropriate in view of the bankingorganization’s past performance and currentcapital position.The frequency and extent to which banking

organizations should reevaluate their risk mea-surement methodologies and models depends,in part, on the specific risk exposures created bytheir trading activities, on the pace and nature ofmarket changes, and on the pace of innovationwith respect to measuring and managing risks.At a minimum, banking organizations with sig-nificant trading and derivative activities shouldreview the underlying methodologies of theirmodels at least annually—and more often asmarket conditions dictate—to ensure they areappropriate and consistent. Such internal evalu-ations may, in many cases, be supplemented byreviews by external auditors or other qualifiedoutside parties, such as consultants who haveexpertise with highly technical models and riskmanagement techniques. Assumptions should beevaluated on a continual basis.Banking organizations should also have an

effective process to evaluate and review therisks involved in products that are either new tothe firm or new to the marketplace and of poten-tial interest to the firm. In general, a bankingorganization should not trade a product untilsenior management and all relevant personnel(including those in risk management, internalcontrol, legal, accounting, and auditing) under-stand the product and are able to integrate theproduct into the banking organization’s riskmeasurement and control systems. Examinersshould determine whether the banking organiza-tion has a formal process for reviewing newproducts and whether it introduces new productsin a manner that adequately limits potentiallosses.

2125.0.2.5 Managing Specific Risks

The following discussions present examinerguidance for evaluating the specific componentsof a firm’s risk management process in thecontext of each of the risks involved in tradingcash and derivatives instruments.

2125.0.2.5.1 Credit Risk

Broadly defined, credit risk is the risk that acounterparty will fail to perform on an obliga-tion to the banking organization. Banking orga-nizations should evaluate both settlement and



presettlement credit risk at the customer levelacross all traded derivative and nonderivativeproducts. On settlement day, the exposure tocounterparty default may equal the full value ofany cash flows or securities the banking organi-zation is to receive. Prior to settlement, creditrisk is measured as the sum of the replacementcost of the position, plus an estimate of thebanking organization’s potential future expo-sure from the instrument as a result of marketchanges. Replacement cost should be deter-mined using current market prices or generallyaccepted approaches for estimating the presentvalue of future payments required under eachcontract, given current market conditions.Potential credit-risk exposure is measured

more subjectively than current exposure and isprimarily a function of the time remaining tomaturity and the expected volatility of the price,rate, or index underlying the contract. It is oftenassessed through simulation analysis and option-valuation models, but can also be addressed byusing ‘‘add-ons,’’ such as those included in therisk-based capital standard. In either case, exam-iners should evaluate the reasonableness of theassumptions underlying the banking organiza-tion’s risk measure and should also ensure thatbanking organizations that measure exposuresusing a portfolio approach do so in a prudentmanner.Master netting agreements and various credit

enhancements, such as collateral or third-partyguarantees, can be used by banking organiza-tions to reduce their counterparty credit risk. Insuch cases, a banking organization’s creditexposures should reflect these risk-reducing fea-tures only to the extent that the agreements andrecourse provisions are legally enforceable in allrelevant jurisdictions. This legal enforceabilityshould extend to any insolvency proceedings ofthe counterparty. Banking organizations shouldbe able to demonstrate that they have exerciseddue diligence in evaluating the enforceability ofthese contracts and that individual transactionshave been executed in a manner that providesadequate protection.Credit limits that consider both settlement

and presettlement exposures should be estab-lished for all counterparties with whom thebanking organization trades. As a matter of gen-eral policy, trading with a counterparty shouldnot commence until a credit line has beenapproved. The structure of the credit-approvalprocess may differ among organizations, reflect-ing the organizational and geographic structureof the organization and the specific needs of itstrading activities. Nevertheless, in all cases, it isimportant that credit limits be determined by

personnel who are independent of the tradingfunction, that these personnel use standards thatare consistent with those used for nontradingactivities, and that counterparty credit lines areconsistent with the organization’s policies andconsolidated exposures.Examiners should consider the extent to

which credit limits are exceeded and whetherexceptions were resolved according to the bank-ing organization’s adopted policies and proce-dures. Examiners should also evaluate whetherthe organization’s reports adequately providetraders and credit officers with relevant, accu-rate, and timely information about the creditexposures and approved credit lines.Trading activities that involve cash instru-

ments often involve short-term exposures thatare eliminated at settlement. However, in thecase of derivative products traded in over-the-counter markets, the exposure can often existfor a period similar to that commonly associatedwith a loan from a banking organization. Giventhis potentially longer-term exposure and thecomplexity associated with some derivativeinstruments, banking organizations should con-sider not only the overall financial strength ofthe counterparty and its ability to perform on itsobligation, but should also consider the counter-party’s ability to understand and manage therisks inherent in the derivative product.

2125.0.2.5.2 Market Risk

Market risk is the risk to a banking organiza-tion’s financial condition resulting from adversemovements in market prices. Accurately mea-suring a banking organization’s market riskrequires timely information about the currentmarket values of its assets, liabilities, and off-balance-sheet positions. Although there aremany types of market risks that can affect aportfolio’s value, they can generally be de-scribed as those involving forward risk andthose involving options. Forward risks arisefrom factors such as changing interest rates andcurrency exchange rates, the liquidity of mar-kets for specific commodities or financial instru-ments, and local or world political and eco-nomic events. Market risks related to optionsinclude these factors as well as evolving percep-tions of the volatility of price changes, the pas-sage of time, and the interactive effect of othermarket risks. All of these sources of potentialmarket risk can affect the value of the organiza-



tion and should be considered in the risk mea-surement process.Market risk is increasingly measured by mar-

ket participants using a value-at-risk approach,which measures the potential gain or loss in aposition, portfolio, or organization that is associ-ated with a price movement of a given probabil-ity over a specified time horizon. Banking orga-nizations should revalue all trading portfoliosand calculate their exposures at least daily.Although banking organizations may use riskmeasures other than value at risk, examinersshould consider whether the measure used issufficiently accurate and rigorous and whether itis adequately incorporated into the bankingorganization’s risk management process.Examiners should also ensure that the organi-

zation compares its estimated market-risk expo-sures with actual market-price behavior. Inparticular, the output of any market-risk modelsthat require simulations or forecasts of futureprices should be compared with actual prices. Ifthe projected and actual results differ materially,the models should be modified, as appropriate.Banking organizations should establish limits

for market risk that relate to their risk measuresand that are consistent with maximum expo-sures authorized by their senior managementand board of directors. These limits should beallocated to business units and individual tradersand be clearly understood by all relevant parties.Examiners should ensure that exceptions to lim-its are detected and adequately addressed bymanagement. In practice, some limit systemsmay include additional elements such as stop-loss limits and trading guidelines that may playan important role in controlling risk at the traderand business-unit level; examiners shouldinclude them in their review of the limit system.

2125.0.2.5.3 Liquidity Risk

Banking organizations face two types of liquid-ity risk in their trading activities: those relatedto specific products or markets and those relatedto the general funding of the banking organiza-tion’s trading activities. The former is the riskthat a banking organization cannot easily un-wind or offset a particular position at or near theprevious market price because of inadequatemarket depth or because of disruptions in themarketplace. Funding-liquidity risk is the riskthat the banking organization will be unable tomeet its payment obligations on settlement

dates. Since neither type of liquidity risk isunique to trading activities, management shouldevaluate these risks in the broader context of theorganization’s overall liquidity. When establish-ing limits, organizations should be aware of thesize, depth, and liquidity of the particular mar-ket and establish trading guidelines accordingly.Management should also give consideration tothe potential problems associated with replacingcontracts that terminate early in volatile orilliquid markets.In developing guidelines for controlling the

liquidity risks in trading activities, bankingorganizations should consider the possibilitythat they could lose access to one or moremarkets, either because of concerns about thebanking organization’s own creditworthiness,the creditworthiness of a major counterparty, orbecause of generally stressful market condi-tions. At such times, the banking organizationmay have less flexibility in managing itsmarket-, credit-, and liquidity-risk exposures.Banking organizations that make markets inover-the-counter derivatives or that dynamicallyhedge their positions require constant access tofinancial markets, and that need may increase intimes of market stress. The banking organiza-tion’s liquidity plan should reflect the organiza-tion’s ability to turn to alternative markets, suchas futures or cash markets, or to provide suffi-cient collateral or other credit enhancements inorder to continue trading under a broad range ofscenarios.Examiners should ensure that banking organi-

zations that participate in over-the-counterderivative markets adequately consider the po-tential liquidity risks associated with the earlytermination of derivative contracts. Many formsof standardized contracts for derivative transac-tions allow counterparties to request collateralor to terminate their contracts early if the bank-ing organization experiences an adverse creditevent or a deterioration in its financial condi-tion. In addition, under conditions of marketstress, customers may ask for the early termina-tion of some contracts within the context of thedealer’s market-making activities. In such situa-tions, a banking organization that owes moneyon derivative transactions may be required todeliver collateral or settle a contract early andpossibly at a time when the banking organiza-tion may face other funding and liquidity pres-sures. Early terminations may also open upadditional, unintended, market positions. Man-agement and directors should be aware ofthese potential liquidity risks and shouldaddress them in the banking organization’sliquidity plan and in the broader context of the



banking organization’s liquidity managementprocess. In their reviews, examiners should con-sider the extent to which such potential obliga-tions could present liquidity risks to the bankingorganization.

2125.0.2.5.4 Operational Risk, LegalRisk, and Business Practices

Operating risk is the risk that deficiencies ininformation systems or internal controls willresult in unexpected loss. Legal risk is the riskthat contracts are not legally enforceable or doc-umented correctly. Although operating and legalrisks are difficult to quantify, they can often beevaluated by examining a series of plausible‘‘worst-case’’ or ‘‘what-if’’ scenarios, such as apower loss, a doubling of transaction volume, amistake found in the pricing software for collat-eral management, or an unenforceable contract.They can also be assessed through periodicreviews of procedures, documentation require-ments, data processing systems, contingencyplans, and other operating practices. Suchreviews may help to reduce the likelihood oferrors and breakdowns in controls, improve thecontrol of risk and the effectiveness of the limitsystem, and prevent unsound marketing prac-tices and the premature adoption of new prod-ucts or lines of business. Considering the heavyreliance of trading activities on computerizedsystems, banking organizations should haveplans that take into account potential problemswith their normal processing procedures.Banking organizations should also ensure that

trades that are consummated orally are con-firmed as soon as possible. Oral transactionsconducted via telephone should be recorded ontape and subsequently supported by written doc-uments. Examiners should ensure that the orga-nization monitors the consistency between theterms of a transaction as they were orally agreedupon and the terms as they were subsequentlyconfirmed.Examiners should also consider the extent to

which banking organizations evaluate and con-trol operating risks through the use of internalaudits, stress testing, contingency planning, andother managerial and analytical techniques.Banking organizations should also haveapproved policies that specify documentationrequirements for trading activities and formalprocedures for saving and safeguarding impor-tant documents that are consistent with legalrequirements and internal policies. Relevant per-sonnel should fully understand the requirements.Legal risks should be limited and managed

through policies developed by the organiza-tion’s legal counsel (typically in consultationwith officers in the risk management process)that have been approved by the banking organi-zation’s senior management and board of direc-tors. At a minimum, there should be guidelinesand processes in place to ensure the enforceabil-ity of counterparty agreements. Examinersshould determine whether a banking organiza-tion is adequately evaluating the enforceabilityof its agreements before individual transactionsare consummated. Banking organizations shouldalso ensure that the counterparty has sufficientauthority to enter into the transaction and thatthe terms of the agreement are legally sound.Banking organizations should further ascertainthat their netting agreements are adequately doc-umented, that they have been executed properly,and that they are enforceable in all relevantjurisdictions. Banking organizations shouldhave knowledge of relevant tax laws and inter-pretations governing the use of these instru-ments. Knowledge of these laws is necessarynot only for the banking organization’s market-ing activities, but also for its own use of deriva-tive products.Sound business practices provide that bank-

ing organizations take steps to ascertain thecharacter and financial sophistication of counter-parties. This includes efforts to ensure that thecounterparties understand the nature of and therisks inherent in the agreed transactions. Wherethe counterparties are unsophisticated, eithergenerally or with respect to a particular type oftransaction, banking organizations should takeadditional steps to ensure that counterparties aremade aware of the risks attendant in the specifictype of transaction. While counterparties areultimately responsible for the transactions intowhich they choose to enter, where a bankingorganization recommends specific transactionsfor an unsophisticated counterparty, the bankingorganization should ensure that it has adequateinformation regarding its counterparty on whichto base its recommendation.

2125.0.3 INTERNAL CONTROLS ANDAUDITS

A review of internal controls has long beencentral to the Federal Reserve’s examinationand inspection of trading and derivatives activi-ties. Policies and related procedures for theoperation of these activities should be an exten-



sion of the organization’s overall structure ofinternal controls and should be fully integratedinto routine work-flows. Properly structured, asystem of internal controls should promoteeffective and efficient operations, reliable finan-cial and regulatory reporting, and compliancewith relevant laws, regulations, and bankingorganization policies. In determining whetherinternal controls meet those objectives, examin-ers should consider the overall control environ-ment of the organization; the process for iden-tifying, analyzing, and managing risk; theadequacy of management information systems;and adherence to control activities such asapprovals, confirmations, and reconciliations.Assessing the adequacy of internal controls

involves a process of understanding, document-ing, evaluating, and testing an organization’sinternal control system. This assessment shouldinclude product- or business-line reviews which,in turn, should start with an assessment ofthe line’s organizational structure. Examinersshould check for adequate separation of duties,especially between trading desk personnel andinternal control and risk management functions,adequate oversight by a knowledgeable man-ager without day-to-day trading responsibilities,and the presence of separate reporting lines forrisk management and internal control personnelon one side and for trading personnel on theother. Product-by-product reviews of manage-ment structure should supplement the overallassessment of the organizational structure of thetrading and derivatives areas.Examiners are expected to conduct in-depth

reviews of the internal controls of key activities.For example, for transaction recording and pro-cessing, examiners should evaluate written poli-cies and procedures for recording trades, assessthe trading area’s adherence to policy, and ana-lyze the transaction processing cycle, includingsettlement, to ensure the integrity and accuracyof the banking organization’s records and man-agement reports. Examiners should review therevaluation process in order to assess the ade-quacy of written policies and procedures forrevaluing positions and for creating any associ-ated revaluation reserves. Examiners shouldreview compliance with revaluation policies andprocedures, the frequency of revaluation, andthe independence and quality of the sources ofrevaluation prices, especially for instrumentstraded in illiquid markets. All significant inter-nal controls associated with the management of

market risk, such as position versus limit reportsand limit overage approval policies and proce-dures, should also be reviewed. Examinersshould also review the credit approval processto ensure that the risks of specific products areadequately captured and that credit approvalprocedures are followed for all transactions.An important step in the process of reviewing

internal controls is the examiner’s appraisal ofthe frequency, scope, and findings of indepen-dent internal and external auditors and the abil-ity of those auditors to review the banking orga-nization’s trading and derivatives activities.Internal auditors should audit and test the riskmanagement process and internal controls on aperiodic basis, with the frequency based on acareful risk assessment. The depth and fre-quency of internal audits should be increased ifweaknesses and significant issues are discov-ered or if significant changes have been made toproduct lines, modeling methodologies, the riskoversight process, internal controls, or the over-all risk profile of the organization.In reviewing the risk management functions

in particular, internal auditors should thoroughlyevaluate the effectiveness of internal controlsrelevant to measuring, reporting, and limitingrisks. Internal auditors should also evaluatecompliance with risk limits and the reliabilityand timeliness of information reported to thebanking organization’s senior management andboard of directors. Internal auditors are alsoexpected to evaluate the independence and over-all effectiveness of the banking organization’srisk management functions.The level of confidence that examiners place

in the banking organization’s audit programs,the nature of the audit findings, and manage-ment’s response to those findings will influencethe scope of the current examination of tradingand derivatives activities. Even when the auditprocess and findings are satisfactory, examinersshould document, evaluate, and test criticalinternal controls.Similar to the focus of internal auditors,

examiners should pay special attention to signif-icant changes in product lines, risk measure-ment methodologies, limits, and internal con-trols that have occurred since the lastexamination. Meaningful changes in earningsfrom trading or derivatives activities, or in thesize of positions or the value at risk associatedwith these activities, should also receive empha-sis during the inspection or examination.



Model Risk ManagementSection 2126.0

Banking organizations should be attentive to thepossible adverse consequences (including finan-cial loss) of decisions based on models that areincorrect or misused and should address thoseconsequences through active model risk man-agement. The key aspects of an effective modelrisk-management framework are described inmore detail below, including robust modeldevelopment, implementation, and use; effec-tive validation; and sound governance, policies,and controls. (See SR-11-7.)

2126.0.1 INTRODUCTION—PART I

Banks rely heavily on quantitative analysis andmodels in most aspects of financial decisionmaking.1 They routinely use models for a broadrange of activities, including underwriting cred-its; valuing exposures, instruments, and posi-tions; measuring risk; managing and safeguard-ing client assets; determining capital and reserveadequacy; and many other activities. In recentyears, banks have applied models to more com-plex products and with more ambitious scope,such as enterprise-wide risk measurement, whilethe markets in which they are used have alsobroadened and changed. Changes in regulationhave spurred some of the recent developments,particularly the U.S. regulatory capital rules formarket, credit, and operational risk based on theframework developed by the Basel Committeeon Banking Supervision. Even apart from theseregulatory considerations, however, banks havebeen increasing the use of data-driven, quantita-tive decision making tools for a number ofyears.

The expanding use of models in all aspects ofbanking reflects the extent to which models canimprove business decisions, but models alsocome with costs. There is the direct cost ofdevoting resources to develop and implementmodels properly. There are also the potentialindirect costs of relying on models, such as thepossible adverse consequences (including finan-cial loss) of decisions based on models that areincorrect or misused. Those consequencesshould be addressed by active management ofmodel risk.

This guidance describes the key aspects ofeffective model risk management. Part IIexplains the purpose and scope of the guidance,and part III gives an overview of model riskmanagement. Part IV discusses robust modeldevelopment, implementation, and use. Part Vdescribes the components of an effective valida-tion framework. Part VI explains the salientfeatures of sound governance, policies, and con-trols over model development, implementation,use, and validation. Part VII concludes.

2126.0.2 PURPOSE ANDSCOPE—PART II

The purpose of this section is to provide com-prehensive guidance for banks on effectivemodel risk management. Rigorous model vali-dation plays a critical role in model risk man-agement; however, sound development, imple-mentation, and use of models are also vitalelements. Furthermore, model risk managementencompasses governance and control mecha-nisms such as board and senior managementoversight, policies and procedures, controls andcompliance, and an appropriate incentive andorganizational structure.

Previous guidance and other publicationsissued by the Office of the Comptroller of theCurrency (OCC) and the Federal Reserve on theuse of models pay particular attention to modelvalidation.2 Based on supervisory and industryexperience over the past several years, thisdocument expands on existing guidance—mostimportantly by broadening the scope to includeall aspects of model risk management. Manybanks may already have in place a large portionof these practices, but all banks should ensurethat internal policies and procedures are consis-

1. Unless otherwise indicated, banks refers to nationalbanks and all other institutions for which the Office of theComptroller of the Currency is the primary supervisor, and tobank holding companies, state member banks, and all otherinstitutions for which the Federal Reserve Board is the pri-mary supervisor.

2. For instance, the OCC provided guidance on model risk,focusing on model validation, in OCC 2000-16 (May 30,2000), other bulletins, and certain subject matter booklets ofthe Comptroller’s Handbook. The Federal Reserve issuedSR-09-01, ‘‘Application of the Market Risk Rule in BankHolding Companies and State Member Banks,’’ which high-lights various concepts pertinent to model risk management,including standards for validation and review, model valida-tion documentation, and back-testing. The Federal Reserve’sTrading and Capital-Markets Activities Manual also discussesvalidation and model risk management. In addition, theadvanced-approaches risk-based capital rules (12 CFR 3,Appendix C; 12 CFR 208, Appendix F; and 12 CFR 225,Appendix G) contain explicit validation requirements for sub-ject banking organizations.


tent with the risk-management principles andsupervisory expectations contained in this guid-ance. Details may vary from bank to bank, aspractical application of this guidance should becustomized to be commensurate with a bank’srisk exposures, its business activities, and thecomplexity and extent of its model use. Forexample, steps taken to apply this guidance at acommunity bank using relatively few models ofonly moderate complexity might be signifi-cantly less involved than those at a larger bankwhere use of models is more extensive orcomplex.

2126.0.3 OVERVIEW OF MODEL RISKMANAGEMENT—PART III

For the purposes of this section, the term modelrefers to a quantitative method, system, orapproach that applies statistical, economic,financial, or mathematical theories, techniques,and assumptions to process input data into quan-titative estimates. A model consists of threecomponents: an information input component,which delivers assumptions and data to themodel; a processing component, which trans-forms inputs into estimates; and a reportingcomponent, which translates the estimates intouseful business information. Models meetingthis definition might be used for analyzing busi-ness strategies; informing business decisions;identifying and measuring risks; valuing expo-sures, instruments, or positions; conductingstress testing; assessing adequacy of capital;managing client assets; measuring compliancewith internal limits; maintaining the formal con-trol apparatus of the bank; meeting financial orregulatory reporting requirements; and issuingpublic disclosures. The definition of model alsocovers quantitative approaches whose inputs arepartially or wholly qualitative or based on expertjudgment, provided that the output is quantita-tive in nature.3

Models are simplified representations of real-world relationships among observed characteris-tics, values, and events. Simplification is inevi-table, due to the inherent complexity of thoserelationships, but also intentional, to focus atten-tion on particular aspects considered to be mostimportant for a given model application. Model

quality can be measured in many ways: preci-sion, accuracy, discriminatory power, robust-ness, stability, and reliability, to name a few.Models are never perfect, and the appropriatemetrics of quality, and the effort that should beput into improving quality, depend on the situa-tion. For example, precision and accuracy arerelevant for models that forecast future values,while discriminatory power applies to modelsthat rank order risks. In all situations, it isimportant to understand a model’s capabilitiesand limitations given its simplifications andassumptions.

The use of models invariably presents modelrisk, which is the potential for adverse conse-quences from decisions based on incorrect ormisused model outputs and reports. Model riskcan lead to financial loss, poor business andstrategic decision making, or damage to a bank’sreputation. Model risk occurs primarily for tworeasons:

• The model may have fundamental errors andmay produce inaccurate outputs when viewedagainst the design objective and intendedbusiness uses. The mathematical calculationand quantification exercise underlying anymodel generally involves application oftheory, choice of sample design and numericalroutines, selection of inputs and estimation,and implementation in information systems.Errors can occur at any point from designthrough implementation. In addition, short-cuts, simplifications, or approximations usedto manage complicated problems could com-promise the integrity and reliability of outputsfrom those calculations. Finally, the quality ofmodel outputs depends on the quality of inputdata and assumptions, and errors in inputs orincorrect assumptions will lead to inaccurateoutputs.

• The model may be used incorrectly or inap-propriately. Even a fundamentally soundmodel producing accurate outputs consistentwith the design objective of the model mayexhibit high model risk if it is misapplied ormisused. Models by their nature are simplifi-cations of reality, and real-world events mayprove those simplifications inappropriate. Thisis even more of a concern if a model is usedoutside the environment for which it wasdesigned. Banks may do this intentionally asthey apply existing models to new products ormarkets, or inadvertently as market conditionsor customer behavior changes. Decision mak-ers need to understand the limitations of amodel to avoid using it in ways that are notconsistent with the original intent. Limitations

3. While outside the scope of this guidance, more qualita-tive approaches used by banking organizations—i.e., thosenot defined as models according to this guidance—shouldalso be subject to a rigorous control process.

Model Risk Management 2126.0


come in part from weaknesses in the modeldue to its various shortcomings, approxima-tions, and uncertainties. Limitations are also aconsequence of assumptions underlying amodel that may restrict the scope to a limitedset of specific circumstances and situations.

Model risk should be managed like othertypes of risk. Banks should identify the sourcesof risk and assess the magnitude. Model riskincreases with greater model complexity, higheruncertainty about inputs and assumptions,broader use, and larger potential impact. Banksshould consider risk from individual models andin the aggregate. Aggregate model risk isaffected by interaction and dependencies amongmodels; reliance on common assumptions, data,or methodologies; and any other factors thatcould adversely affect several models and theiroutputs at the same time. With an understandingof the source and magnitude of model risk inplace, the next step is to manage it properly.

A guiding principle for managing model riskis ‘‘effective challenge’’ of models, that is, criti-cal analysis by objective, informed parties whocan identify model limitations and assumptionsand produce appropriate changes. Effectivechallenge depends on a combination of incen-tives, competence, and influence. Incentives toprovide effective challenge to models arestronger when there is greater separation of thatchallenge from the model development processand when challenge is supported by well-designed compensation practices and corporateculture. Competence is a key to effectivenesssince technical knowledge and modeling skillsare necessary to conduct appropriate analysisand critique. Finally, challenge may fail to beeffective without the influence to ensure thatactions are taken to address model issues. Suchinfluence comes from a combination of explicitauthority, stature within the organization, andcommitment and support from higher levels ofmanagement.

Even with skilled modeling and robust valida-tion, model risk cannot be eliminated, so othertools should be used to manage model riskeffectively. Among these are establishing limitson model use, monitoring model performance,adjusting or revising models over time, andsupplementing model results with other analysisand information. Informed conservatism, ineither the inputs or the design of a model orthrough explicit adjustments to outputs, can bean effective tool, though not an excuse to avoidimproving models.

As is generally the case with other risks,materiality is an important consideration in

model risk management. If at some banks theuse of models is less pervasive and has lessimpact on their financial condition, then thosebanks may not need as complex an approach tomodel risk management in order to meet super-visory expectations. However, where modelsand model output have a material impact onbusiness decisions, including decisions relatedto risk management and capital and liquidityplanning, and where model failure would have aparticularly harmful impact on a bank’s finan-cial condition, a bank’s model risk-managementframework should be more extensive andrigorous.

Model risk management begins with robustmodel development, implementation, and use.Another essential element is a sound modelvalidation process. A third element is gover-nance, which sets an effective framework withdefined roles and responsibilities for clear com-munication of model limitations and assump-tions, as well as the authority to restrict modelusage. Each of these elements is discussed in thefollowing sections.

2126.0.4 MODEL DEVELOPMENT,IMPLEMENTATION, AND USE—PART IV

Model risk management should include disci-plined and knowledgeable development andimplementation processes that are consistentwith the situation and goals of the model userand with bank policy. Model development isnot a straightforward or routine technical pro-cess. The experience and judgment of develop-ers, as much as their technical knowledge,greatly influence the appropriate selection ofinputs and processing components. The trainingand experience of developers exercising suchjudgment affects the extent of model risk.Moreover, the modeling exercise is often amultidisciplinary activity drawing on econom-ics, finance, statistics, mathematics, and otherfields. Models are employed in real-world mar-kets and events and, therefore, should be tai-lored for specific applications and informed bybusiness uses. In addition, a considerableamount of subjective judgment is exercised atvarious stages of model development, imple-mentation, use, and validation. It is importantfor decision makers to recognize that this sub-jectivity elevates the importance of sound



and comprehensive model risk-managementprocesses.4

2126.0.4.1 Model Development andImplementation

An effective development process begins with aclear statement of purpose to ensure that modeldevelopment is aligned with the intended use.The design, theory, and logic underlying themodel should be well documented and generallysupported by published research and soundindustry practice. The model methodologies andprocessing components that implement thetheory, including the mathematical specificationand the numerical techniques and approxima-tions, should be explained in detail with particu-lar attention to merits and limitations. Develop-ers should ensure that the components work asintended, are appropriate for the intended busi-ness purpose, and are conceptually sound andmathematically and statistically correct. Com-parison with alternative theories and approachesis a fundamental component of a sound model-ing process.

The data and other information used todevelop a model are of critical importance; thereshould be rigorous assessment of data qualityand relevance, and appropriate documentation.Developers should be able to demonstrate thatsuch data and information are suitable for themodel and that they are consistent with thetheory behind the approach and with the chosenmethodology. If data proxies are used, theyshould be carefully identified, justified, anddocumented. If data and information are notrepresentative of the bank’s portfolio or othercharacteristics, or if assumptions are made toadjust the data and information, these factorsshould be properly tracked and analyzed so thatusers are aware of potential limitations. This isparticularly important for external data andinformation (from a vendor or outside party),especially as they relate to new products, instru-ments, or activities.

An integral part of model development istesting, in which the various components of a

model and its overall functioning are evaluatedto determine whether the model is performingas intended. Model testing includes checkingthe model’s accuracy, demonstrating that themodel is robust and stable, assessing potentiallimitations, and evaluating the model’s behaviorover a range of input values. It should alsoassess the impact of assumptions and identifysituations where the model performs poorly orbecomes unreliable. Testing should be appliedto actual circumstances under a variety of mar-ket conditions, including scenarios that are out-side the range of ordinary expectations, andshould encompass the variety of products orapplications for which the model is intended.Extreme values for inputs should be evaluatedto identify any boundaries of model effective-ness. The impact of model results on other mod-els that rely on those results as inputs shouldalso be evaluated. Included in testing activitiesshould be the purpose, design, and execution oftest plans, summary results with commentaryand evaluation, and detailed analysis of informa-tive samples. Testing activities should be appro-priately documented.

The nature of testing and analysis will dependon the type of model and will be judged bydifferent criteria depending on the context. Forexample, the appropriate statistical tests dependon specific distributional assumptions and thepurpose of the model. Furthermore, in manycases statistical tests cannot unambiguouslyreject false hypotheses or accept true ones basedon sample information. Different tests have dif-ferent strengths and weaknesses under differentconditions. Any single test is rarely sufficient,so banks should apply a variety of tests todevelop a sound model.

Banks should ensure that the development ofthe more judgmental and qualitative aspects oftheir models is also sound. In some cases, banksmay take statistical output from a model andmodify it with judgmental or qualitative adjust-ments as part of model development. Whilesuch practices may be appropriate, banks shouldensure that any such adjustments made as partof the development process are conducted in anappropriate and systematic manner and are welldocumented.

Models typically are embedded in largerinformation systems that manage the flow ofdata from various sources into the model andhandle the aggregation and reporting of modeloutcomes. Model calculations should be prop-erly coordinated with the capabilities andrequirements of information systems. Soundmodel risk management depends on substantialinvestment in supporting systems to ensure data

4. Smaller banks that rely on vendor models may be able tosatisfy the standards in this guidance without an in-house staffof technical, quantitative model developers. However, even ifa bank relies on vendors for basic model development, thebank should still choose the particular models and variablesthat are appropriate to its size, scale, and lines of business andensure the models are appropriate for the intended use.



and reporting integrity, together with controlsand testing to ensure proper implementation ofmodels, effective systems integration, andappropriate use.

2126.0.4.2 Model Use

Model use provides additional opportunity totest whether a model is functioning effectivelyand to assess its performance over time as con-ditions and model applications change. It canserve as a source of productive feedback andinsights from a knowledgeable internal constitu-ency with strong interest in having models thatfunction well and reflect economic and businessrealities. Model users can provide valuable busi-ness insight during the development process. Inaddition, business managers affected by modeloutcomes may question the methods or assump-tions underlying the models, particularly if themanagers are significantly affected by, and donot agree with, the outcome. Such questioningcan be healthy if it is constructive and causesmodel developers to explain and justify theassumptions and design of the models.

However, challenge from model users may beweak if the model does not materially affecttheir results, if the resulting changes in modelsare perceived to have adverse effects on thebusiness line, or if change in general is regardedas expensive or difficult. User challenges alsotend not to be comprehensive because theyfocus on aspects of models that have the mostdirect impact on the user’s measured businessperformance or compensation, and thus mayignore other elements and applications of themodels. Finally, such challenges tend to beasymmetric because users are less likely to chal-lenge an outcome that results in an advantagefor them. Indeed, users may incorrectly believethat model risk is low simply because outcomesfrom model-based decisions appear favorable tothe institution. Thus, the nature and motivationbehind model users’ input should be evaluatedcarefully, and banks should also solicit construc-tive suggestions and criticism from sourcesindependent of the line of business using themodel.

Reports used for business decision makingplay a critical role in model risk management.Such reports should be clear and comprehen-sible and take into account the fact that decisionmakers and modelers often come from quitedifferent backgrounds and may interpret thecontents in different ways. Reports that providea range of estimates for different input-valuescenarios and assumption values can give deci-

sion makers important indications of the mod-el’s accuracy, robustness, and stability as wellas information on model limitations.

An understanding of model uncertainty andinaccuracy and a demonstration that the bank isaccounting for them appropriately are importantoutcomes of effective model development,implementation, and use. Because they are bydefinition imperfect representations of reality,all models have some degree of uncertainty andinaccuracy. These can sometimes be quantified,for example, by an assessment of the potentialimpact of factors that are unobservable or notfully incorporated in the model, or by the confi-dence interval around a statistical model’s pointestimate. Indeed, using a range of outputs, ratherthan a simple point estimate, can be a usefulway to signal model uncertainty and avoid spu-rious precision. At other times, only a qualita-tive assessment of model uncertainty and inac-curacy is possible. In either case, it can beprudent for banks to account for model uncer-tainty by explicitly adjusting model inputs orcalculations to produce more severe or adversemodel output in the interest of conservatism.Accounting for model uncertainty can alsoinclude judgmental conservative adjustments tomodel output, placing less emphasis on thatmodel’s output, or ensuring that the model isonly used when supplemented by other modelsor approaches.5

While conservative use of models is prudentin general, banks should be careful in applyingconservatism broadly or claiming to make con-servative adjustments or add-ons to addressmodel risk, because the impact of such conser-vatism in complex models may not be obviousor intuitive. Model aspects that appear conserva-tive in one model may not be truly conservativecompared with alternative methods. For exam-ple, simply picking an extreme point on a givenmodeled distribution may not be conservative ifthe distribution was misestimated or misspeci-fied in the first place. Furthermore, initially con-servative assumptions may not remain conserva-tive over time. Therefore, banks should justifyand substantiate claims that model outputs areconservative with a definition and measurementof that conservatism that is communicated tomodel users. In some cases, sensitivity analysisor other types of stress testing can be used to

5. To the extent that models are used to generate amountsincluded in public financial statements, any adjustments formodel uncertainty must comply with generally acceptedaccounting principles.



demonstrate that a model is indeed conserva-tive. Another way in which banks may chooseto be conservative is to hold an additional cush-ion of capital to protect against potential lossesassociated with model risk. However, conserva-tism can become an impediment to propermodel development and application if it is seenas a solution that dissuades the bank from mak-ing the effort to improve the model; in addition,excessive conservatism can lead model users todiscount the model outputs.

As previously explained, robust model devel-opment, implementation, and use is important tomodel risk management. But it is not enough formodel developers and users to understand andaccept the model. Because model risk is ulti-mately borne by the bank as a whole, the bankshould objectively assess model risk and theassociated costs and benefits using a soundmodel-validation process.

2126.0.5 MODEL VALIDATION—PART V

Model validation is the set of processes andactivities intended to verify that models are per-forming as expected, in line with their designobjectives and business uses. Effective valida-tion helps ensure that models are sound. It alsoidentifies potential limitations and assumptionsand assesses their possible impact. As with otheraspects of effective challenge, model validationshould be performed by staff with appropriateincentives, competence, and influence.

All model components, including input, pro-cessing, and reporting, should be subject to vali-dation; this applies equally to models developedin-house and to those purchased from, or devel-oped by, vendors or consultants. The rigor andsophistication of validation should be commen-surate with the bank’s overall use of models, thecomplexity and materiality of its models, andthe size and complexity of the bank’s opera-tions.

Validation involves a degree of independencefrom model development and use. Generally,validation should be done by people who are notresponsible for development or use and do nothave a stake in whether a model is determinedto be valid. Independence is not an end in itselfbut rather helps ensure that incentives arealigned with the goals of model validation.While independence may be supported by sepa-ration of reporting lines, it should be judged by

actions and outcomes, since there may be addi-tional ways to ensure objectivity and preventbias. As a practical matter, some validation workmay be most effectively done by model develop-ers and users; it is essential, however, that suchvalidation work be subject to critical review byan independent party, who should conduct addi-tional activities to ensure proper validation.Overall, the quality of the process is judged bythe manner in which models are subject to criti-cal review. This could be determined by evaluat-ing the extent and clarity of documentation, theissues identified by objective parties, and theactions taken by management to address modelissues.

In addition to independence, banks can sup-port appropriate incentives in validation throughcompensation practices and performance evalu-ation standards that are tied directly to the qual-ity of model validations and the degree of criti-cal, unbiased review. In addition, corporateculture plays a role if it establishes support forobjective thinking and encourages questioningand challenging of decisions.

Staff doing validation should have the requi-site knowledge, skills, and expertise. A highlevel of technical expertise may be neededbecause of the complexity of many models, bothin structure and in application. These staff alsoshould have a significant degree of familiaritywith the line of business using the model andthe model’s intended use. A model’s developeris an important source of information but cannotbe relied on as an objective or sole source onwhich to base an assessment of model quality.

Staff conducting validation work should haveexplicit authority to challenge developers andusers and to elevate their findings, includingissues and deficiencies. The individual or unit towhom those staff report should have sufficientinfluence or stature within the bank to ensurethat any issues and deficiencies are appropri-ately addressed in a timely and substantive man-ner. Such influence can be reflected in reportinglines, title, rank, or designated responsibilities.Influence may be demonstrated by a pattern ofactual instances in which models, or the use ofmodels, have been appropriately changed as aresult of validation.

The range and rigor of validation activitiesconducted prior to first use of a model should bein line with the potential risk presented by useof the model. If significant deficiencies are notedas a result of the validation process, use of themodel should not be allowed or should be per-mitted only under very tight constraints untilthose issues are resolved. If the deficiencies aretoo severe to be addressed within the model’s



framework, the model should be rejected. If it isnot feasible to conduct necessary validationactivities prior to model use because of datapaucity or other limitations, that fact should bedocumented and communicated in reports tousers, senior management, and other relevantparties. In such cases, the uncertainty about theresults that the model produces should be miti-gated by other compensating controls. This isparticularly applicable to new models and to theuse of existing models in new applications.

Validation activities should continue on anongoing basis after a model goes into use, totrack known model limitations and to identifyany new ones. Validation is an important checkon model use during periods of benign eco-nomic and financial conditions, when estimatesof risk and potential loss can become overlyoptimistic, and when the data at hand may notfully reflect more stressed conditions. Ongoingvalidation activities help to ensure that changesin markets, products, exposures, activities, cli-ents, or business practices do not create newmodel limitations. For example, if credit riskmodels do not incorporate underwriting changesin a timely manner, flawed and costly businessdecisions could be made before deterioration inmodel performance becomes apparent.

Banks should conduct a periodic review—atleast annually but more frequently ifwarranted—of each model to determine whetherit is working as intended and if the existingvalidation activities are sufficient. Such a deter-mination could simply affirm previous valida-tion work, suggest updates to previous valida-tion activities, or call for additional validationactivities. Material changes to models shouldalso be subject to validation. It is generally goodpractice for banks to ensure that all modelsundergo the full validation process, as describedin the following section, at some fixed interval,including updated documentation of allactivities.

Effective model validation helps reducemodel risk by identifying model errors, correc-tive actions, and appropriate use. It also pro-vides an assessment of the reliability of a givenmodel, based on its underlying assumptions,theory, and methods. In this way, it providesinformation about the source and extent ofmodel risk. Validation also can reveal deteriora-tion in model performance over time and can setthresholds for acceptable levels of error, throughanalysis of the distribution of outcomes aroundexpected or predicted values. If outcomes fallconsistently outside this acceptable range, thenthe models should be redeveloped.

2126.0.5.1 Key Elements ofComprehensive Validation

An effective validation framework shouldinclude three core elements:

• Evaluation of conceptual soundness, includ-ing developmental evidence

• Ongoing monitoring, including process verifi-cation and benchmarking

• Outcomes analysis, including back-testing

2126.0.5.1.1 Evaluation of ConceptualSoundness

This first element involves assessing the qualityof the model design and construction. It entailsreview of documentation and empirical evi-dence supporting the methods used and vari-ables selected for the model. Documentationand testing should convey an understanding ofmodel limitations and assumptions. Validationshould ensure that judgment exercised in modeldesign and construction is well informed, care-fully considered, and consistent with publishedresearch and with sound industry practice.Developmental evidence should be reviewedbefore a model goes into use and also as part ofthe ongoing validation process, in particularwhenever there is a material change in themodel.

A sound development process will producedocumented evidence in support of all modelchoices, including the overall theoretical con-struction, key assumptions, data, and specificmathematical calculations. As part of modelvalidation, those model aspects should be sub-jected to critical analysis by both evaluating thequality and extent of developmental evidenceand conducting additional analysis and testingas necessary. Comparison to alternative theoriesand approaches should be included. Keyassumptions and the choice of variables shouldbe assessed, with analysis of their impact onmodel outputs and particular focus on anypotential limitations. The relevance of the dataused to build the model should be evaluated toensure that it is reasonably representative of thebank’s portfolio or market conditions, depend-ing on the type of model. This is an especiallyimportant exercise when a bank uses externaldata or the model is used for new products oractivities.

Where appropriate to the particular model,



banks should employ sensitivity analysis inmodel development and validation to check theimpact of small changes in inputs and parametervalues on model outputs to make sure they fallwithin an expected range. Unexpectedly largechanges in outputs in response to small changesin inputs can indicate an unstable model. Vary-ing several inputs simultaneously as part of sen-sitivity analysis can provide evidence of unex-pected interactions, particularly if theinteractions are complex and not intuitivelyclear. Banks benefit from conducting modelstress testing to check performance over a widerange of inputs and parameter values, includingextreme values, to verify that the model isrobust. Such testing helps establish the boundar-ies of model performance by identifying theacceptable range of inputs as well as conditionsunder which the model may become unstable orinaccurate.

Management should have a clear plan forusing the results of sensitivity analysis and otherquantitative testing. If testing indicates that themodel may be inaccurate or unstable in somecircumstances, management should considermodifying certain model properties, putting lessreliance on its outputs, placing limits on modeluse, or developing a new approach.

Qualitative information and judgment used inmodel development should be evaluated, includ-ing the logic, judgment, and types of informa-tion used, to establish the conceptual soundnessof the model and set appropriate conditions forits use. The validation process should ensurethat qualitative, judgmental assessments areconducted in an appropriate and systematicmanner, are well supported, and aredocumented.

2126.0.5.1.2 Ongoing Monitoring

The second core element of the validation pro-cess is ongoing monitoring. Such monitoringconfirms that the model is appropriately imple-mented and is being used and is performing asintended.

Ongoing monitoring is essential to evaluatewhether changes in products, exposures, activi-ties, clients, or market conditions necessitateadjustment, redevelopment, or replacement ofthe model and to verify that any extension of themodel beyond its original scope is valid. Anymodel limitations identified in the developmentstage should be regularly assessed over time, as

part of ongoing monitoring. Monitoring beginswhen a model is first implemented in productionsystems for actual business use. This monitoringshould continue periodically over time, with afrequency appropriate to the nature of themodel, the availability of new data or modelingapproaches, and the magnitude of the riskinvolved. Banks should design a program ofongoing testing and evaluation of model perfor-mance along with procedures for responding toany problems that appear. This program shouldinclude process verification and benchmarking.

Process verification checks that all modelcomponents are functioning as designed. Itincludes verifying that internal and external datainputs continue to be accurate, complete, consis-tent with model purpose and design, and of thehighest quality available. Computer code imple-menting the model should be subject to rigorousquality and change control procedures to ensurethat the code is correct, that it cannot be alteredexcept by approved parties, and that all changesare logged and can be audited. System integra-tion can be a challenge and deserves specialattention because the model processing compo-nent often draws from various sources of data,processes large amounts of data, and then feedsinto multiple data repositories and reporting sys-tems. User-developed applications, such asspreadsheets or ad hoc database applicationsused to generate quantitative estimates, are par-ticularly prone to model risk. As the content orcomposition of information changes over time,systems may need to be updated to reflect anychanges in the data or its use. Reports derivedfrom model outputs should be reviewed as partof validation to verify that they are accurate,complete, and informative, and that they containappropriate indicators of model performanceand limitations.

Many of the tests employed as part of modeldevelopment should be included in ongoingmonitoring and be conducted on a regular basisto incorporate additional information as itbecomes available. New empirical evidence ortheoretical research may suggest the need tomodify or even replace original methods. Analy-sis of the integrity and applicability of internaland external information sources, includinginformation provided by third-party vendors,should be performed regularly.

Sensitivity analysis and other checks forrobustness and stability should likewise berepeated periodically. They can be as usefulduring ongoing monitoring as they are duringmodel development. If models only work wellfor certain ranges of input values, market condi-tions, or other factors, they should be monitored



to identify situations where these constraints areapproached or exceeded.

Ongoing monitoring should include theanalysis of overrides with appropriate documen-tation. In the use of virtually any model, therewill be cases where model output is ignored,altered, or reversed based on the expert judg-ment of model users. Such overrides are anindication that, in some respect, the model is notperforming as intended or has limitations. Banksshould evaluate the reasons for overrides andtrack and analyze override performance. If therate of overrides is high, or if the overrideprocess consistently improves model perfor-mance, it is often a sign that the underlyingmodel needs revision or redevelopment.

Benchmarking is the comparison of a givenmodel’s inputs and outputs to estimates fromalternative internal or external data or models. Itcan be incorporated in model development aswell as in ongoing monitoring. For credit-riskmodels, examples of benchmarks include mod-els from vendor firms or industry consortia anddata from retail credit bureaus. Pricing modelsfor securities and derivatives often can be com-pared with alternative models that are moreaccurate or comprehensive but also too time-consuming to run on a daily basis. Whatever thesource, benchmark models should be rigorous,and benchmark data should be accurate andcomplete to ensure a reasonable comparison.

Discrepancies between the model output andbenchmarks should trigger investigation into thesources and degree of the differences, andexamination of whether they are within anexpected or appropriate range given the natureof the comparison. The results of that analysismay suggest revisions to the model. However,differences do not necessarily indicate that themodel is in error. The benchmark itself is analternative prediction, and the differences maybe due to the different data or methods used. Ifthe model and the benchmark match well, that isevidence in favor of the model, but it should beinterpreted with caution so the bank does not geta false degree of comfort.

2126.0.5.1.3 Outcomes Analysis

The third core element of the validation processis outcomes analysis, a comparison of modeloutputs to corresponding actual outcomes. Theprecise nature of the comparison depends on theobjectives of a model and might include anassessment of the accuracy of estimates or fore-casts, an evaluation of rank-ordering ability, orother appropriate tests. In all cases, such com-

parisons help to evaluate model performance byestablishing expected ranges for those actualoutcomes in relation to the intended objectivesand assessing the reasons for observed variationbetween the two. If outcomes analysis producesevidence of poor performance, the bank shouldtake action to address those issues. Outcomesanalysis typically relies on statistical tests orother quantitative measures. It can also includeexpert judgment to check the intuition behindthe outcomes and confirm that the results makesense. When a model itself relies on expertjudgment, quantitative outcomes analysis helpsto evaluate the quality of that judgment. Out-comes analysis should be conducted on an ongo-ing basis to test whether the model continues toperform in line with design objectives and busi-ness uses.

A variety of quantitative and qualitative test-ing and analytical techniques can be used inoutcomes analysis. The choice of techniqueshould be based on the model’s methodology,and its complexity, data availability, and themagnitude of potential model risk to the bank.Outcomes analysis should involve a range oftests because any individual test will have weak-nesses. For example, some tests are better atchecking a model’s ability to rank-order or seg-ment observations on a relative basis, whereasothers are better at checking absolute forecastaccuracy. Tests should be designed for eachsituation, as not all will be effective or feasiblein every circumstance, and attention should bepaid to choosing the appropriate type of out-comes analysis for a particular model.

Models are regularly adjusted to take intoaccount new data or techniques, or because ofdeterioration in performance. Parallel outcomesanalysis, under which both the original andadjusted models’ forecasts are tested againstrealized outcomes, provides an important test ofsuch model adjustments. If the adjusted modeldoes not outperform the original model, devel-opers, users, and reviewers should realize thatadditional changes—or even a wholesaleredesign—are likely necessary before theadjusted model replaces the original one.

Back-testing is one form of outcomesanalysis; specifically, it involves the comparisonof actual outcomes with model forecasts dur-ing a sample time period not used in modeldevelopment and at an observation frequencythat matches the forecast horizon orperformance window of the model. Thecomparison is generally done using expected



ranges or statistical confidence intervals aroundthe model forecasts. When outcomes falloutside those intervals, the bank should analyzethe discrepancies and investigate the causes thatare significant in terms of magnitude orfrequency. The objective of the analysis is todetermine whether differences stem from theomission of material factors from the model,whether they arise from errors with regard toother aspects of model specification such asinteraction terms or assumptions of linearity, orwhether they are purely random and thusconsistent with acceptable model performance.Analysis of in-sample fit and of modelperformance in holdout samples (data set asideand not used to estimate the original model) areimportant parts of model development but arenot substitutes for back-testing.

A well-known example of back-testing is theevaluation of value-at-risk (VaR), in whichactual profit and loss is compared with a modelforecast loss distribution. Significant deviationin expected versus actual performance andunexplained volatility in the profits and lossesof trading activities may indicate that hedgingand pricing relationships are not adequatelymeasured by a given approach. Along withmeasuring the frequency of losses in excess of asingle VaR percentile estimator, banks shoulduse other tests, such as assessing any cluster-ing of exceptions and checking the distributionof losses against other estimated percentiles.

Analysis of the results of even high-qualityand well-designed back-testing can pose chal-lenges, since it is not a straightforward,mechanical process that always produces unam-biguous results. The purpose is to test the model,not individual forecast values. Back-testing mayentail analysis of a large number of forecastsover different conditions at a point in time orover multiple time periods. Statistical testing isessential in such cases, yet such testing can posechallenges in both the choice of appropriatetests and the interpretation of results; banksshould support and document both the choice oftests and the interpretation of results.

Models with long forecast horizons should beback-tested, but given the amount of time itwould take to accumulate the necessary data,that testing should be supplemented by evalua-tion over shorter periods. Banks should employoutcomes analysis consisting of ‘‘early warn-ing’’ metrics designed to measure performancebeginning very shortly after model introductionand trend analysis of performance over time.

These outcomes analysis tools are not substi-tutes for back-testing, which should still be per-formed over the longer time period, but ratherare very important complements.

Outcomes analysis and the other elements ofthe validation process may reveal significanterrors or inaccuracies in model development oroutcomes that consistently fall outside thebank’s predetermined thresholds of acceptabil-ity. In such cases, model adjustment, recalibra-tion, or redevelopment is warranted. Adjust-ments and recalibration should be governed bythe principle of conservatism and shouldundergo independent review.

Material changes in model structure or tech-nique, and all model redevelopment, should besubject to validation activities of appropriaterange and rigor before implementation. Attimes, banks may have a limited ability to usekey model validation tools like back-testing orsensitivity analysis for various reasons, such aslack of data or of price observability. In thosecases, even more attention should be paid to themodel’s limitations when considering the appro-priateness of model usage, and senior manage-ment should be fully informed of those limita-tions when using the models for decisionmaking. Such scrutiny should be applied to indi-vidual models and models in the aggregate.

2126.0.5.2 Validation of Vendor andOther Third-Party Products

The widespread use of vendor and other third-party products—including data, parameter val-ues, and complete models—poses unique chal-lenges for validation and other model risk-management activities because the modelingexpertise is external to the user and becausesome components are considered proprietary.Vendor products should nevertheless be incor-porated into a bank’s broader model risk-management framework, following the sameprinciples as applied to in-house models,although the process may be somewhatmodified.

As a first step, banks should ensure that thereare appropriate processes in place for selectingvendor models. Banks should require the vendorto provide developmental evidence explainingthe product components, design, and intendeduse, to determine whether the model is appropri-ate for the bank’s products, exposures, and risks.Vendors should provide appropriate testingresults that show their product works asexpected. They should also clearly indicate themodel’s limitations and assumptions and where



the product’s use may be problematic. Banksshould expect vendors to conduct ongoing per-formance monitoring and outcomes analysis,with disclosure to their clients, and to makeappropriate modifications and updates overtime.

Banks are expected to validate their own useof vendor products. External models may notallow full access to computer coding and imple-mentation details, so the bank may have to relymore on sensitivity analysis and benchmarking.Vendor models are often designed to provide arange of capabilities and so may need to becustomized by a bank for its particular circum-stances. A bank’s customization choices shouldbe documented and justified as part of valida-tion. If vendors provide input data or assump-tions, or use them to build models, their rel-evance for the bank’s situation should beinvestigated. Banks should obtain informationregarding the data used to develop the modeland assess the extent to which that data arerepresentative of the bank’s situation. The bankalso should conduct ongoing monitoring andoutcomes analysis of vendor model performanceusing the bank’s own outcomes.

Systematic procedures for validation help thebank to understand the vendor product and itscapabilities, applicability, and limitations. Suchdetailed knowledge is necessary for basic con-trols of bank operations. It is also very impor-tant for the bank to have as much knowledgein-house as possible, in case the vendor or thebank terminates the contract for any reason, or ifthe vendor is no longer in business. Banksshould have contingency plans for instanceswhen the vendor model is no longer available orcannot be supported by the vendor.

2126.0.6 GOVERNANCE, POLICIES,AND CONTROLS—PART VI

Developing and maintaining strong gover-nance, policies, and controls over the modelrisk-management framework is fundamentallyimportant to its effectiveness. Even if modeldevelopment, implementation, use, and valida-tion are satisfactory, a weak governance func-tion will reduce the effectiveness of overallmodel risk management. A strong governanceframework provides explicit support and struc-ture to risk-management functions throughpolicies defining relevant risk-management ac-tivities, procedures that implement those poli-cies, allocation of resources, and mechanismsfor evaluating whether policies and proceduresare being carried out as specified. Notably, the

extent and sophistication of a bank’s gover-nance function is expected to align with theextent and sophistication of model usage.

2126.0.6.1 Board of Directors and SeniorManagement

Model risk governance is provided at the high-est level by the board of directors and seniormanagement when they establish a bank-wideapproach to model risk management. As part oftheir overall responsibilities, a bank’s board andsenior management should establish a strongmodel risk-management framework that fits intothe broader risk management of the organiza-tion. That framework should be grounded in anunderstanding of model risk—not just for indi-vidual models but also in the aggregate. Theframework should include standards for modeldevelopment, implementation, use, andvalidation.

While the board is ultimately responsible, itgenerally delegates to senior management theresponsibility for executing and maintaining aneffective model risk-management framework.Duties of senior management include establish-ing adequate policies and procedures and ensur-ing compliance, assigning competent staff,overseeing model development andimplementation, evaluating model results,ensuring effective challenge, reviewing valida-tion and internal audit findings, and takingprompt remedial action when necessary. In thesame manner as for other major areas of risk,senior management, directly and throughrelevant committees, is responsible for regularlyreporting to the board on significant model risk,from individual models and in the aggregate,and on compliance with policy. Board membersshould ensure that the level of model risk iswithin their tolerance and should direct changeswhere appropriate. These actions will set thetone for the whole organization about theimportance of model risk and the need foractive model risk management.

2126.0.6.2 Policies and Procedures

Consistent with good business practices andexisting supervisory expectations, banks shouldformalize model risk-management activitieswith policies and the procedures to implementthem. Model risk-management policies should



be consistent with this guidance and also becommensurate with the bank’s relative complex-ity, business activities, corporate culture, andoverall organizational structure. The board or itsdelegates should approve model risk-management policies and review them annuallyto ensure consistent and rigorous practicesacross the organization. Those policies shouldbe updated as necessary to ensure that modelrisk-management practices remain appropriateand keep current with changes in market condi-tions, bank products and strategies, bank expo-sures and activities, and practices in the indus-try. All aspects of model risk managementshould be covered by suitable policies, includ-ing model and model risk definitions; assess-ment of model risk; acceptable practices formodel development, implementation, and use;appropriate model validation activities; and gov-ernance and controls over the model risk-management process.

Policies should emphasize testing and analy-sis and promote the development of targets formodel accuracy, standards for acceptable levelsof discrepancies, and procedures for review of,and response to, unacceptable discrepancies.They should include a description of the pro-cesses used to select and retain vendor models,including the people who should be involved insuch decisions.

The prioritization, scope, and frequency ofvalidation activities should be addressed in thesepolicies. They should establish standards for theextent of validation that should be performedbefore models are put into production and thescope of ongoing validation. The policies shouldalso detail the requirements for validation ofvendor models and third-party products. Finally,they should require maintenance of detaileddocumentation of all aspects of the model risk-management framework, including an inventoryof models in use, results of the modeling andvalidation processes, and model issues and theirresolution.

Policies should identify the roles and assignresponsibilities within the model risk-management framework with clear detail onstaff expertise, authority, reporting lines, andcontinuity. They should also outline controls onthe use of external resources for validation andcompliance and specify how that work will beintegrated into the model risk-managementframework.

2126.0.6.3 Roles and Responsibilities

Conceptually, the roles in model risk manage-ment can be divided among ownership, con-trols, and compliance. While there are severalways in which banks can assign the responsibili-ties associated with these roles, it is importantthat reporting lines and incentives be clear, withpotential conflicts of interest identified andaddressed.

Business units are generally responsible forthe model risk associated with their businessstrategies. The role of model owner involvesultimate accountability for model use and per-formance within the framework set by bankpolicies and procedures. Model owners shouldbe responsible for ensuring that models areproperly developed, implemented, and used.The model owner should also ensure that mod-els in use have undergone appropriate validationand approval processes, promptly identify newor changed models, and provide all necessaryinformation for validation activities.

Model risk taken by business units should becontrolled. The responsibilities for risk controlsmay be assigned to individuals, committees, ora combination of the two, and include risk mea-surement, limits, and monitoring. Other respon-sibilities include managing the independent vali-dation and review process to ensure thateffective challenge takes place. Appropriateresources should be assigned for model valida-tion and for guiding the scope and prioritizationof work. Issues and problems identified throughvalidation and other forms of oversight shouldbe communicated by risk-control staff to rel-evant individuals and business users throughoutthe organization, including senior management,with a plan for corrective action. Control staffshould have the authority to restrict the use ofmodels and monitor any limits on model usage.While they may grant exceptions to typical pro-cedures of model validation on a temporarybasis, that authority should be subject to othercontrol mechanisms, such as timelines for com-pleting validation work and limits on model use.

Compliance with policies is an obligation ofmodel owners and risk-control staff, and thereshould be specific processes in place to ensurethat these roles are being carried out effectivelyand in line with policy. Documentation andtracking of activities surrounding model devel-opment, implementation, use, and validation areneeded to provide a record that makes compli-ance with policy transparent.



2126.0.6.4 Internal Audit

A bank’s internal audit function should assessthe overall effectiveness of the model risk-management framework, including the frame-work’s ability to address both types of modelrisk for individual models and in the aggregate.Findings from internal audit related to modelsshould be documented and reported to the boardor its appropriately delegated agent. Banksshould ensure that internal audit operates withthe proper incentives, has appropriate skills, andhas adequate stature in the organization to assistin model risk management. Internal audit’s roleis not to duplicate model risk-managementactivities. Instead, its role is to evaluate whethermodel risk management is comprehensive, rig-orous, and effective. To accomplish this evalua-tion, internal audit staff should possess suffi-cient expertise in relevant modeling concepts aswell as their use in particular business lines. Ifsome internal audit staff perform certain valida-tion activities, then they should not be involvedin the assessment of the overall model risk-management framework.

Internal audit should verify that acceptablepolicies are in place and that model owners andcontrol groups comply with those policies. Inter-nal audit should also verify records of modeluse and validation to test whether validationsare performed in a timely manner and whethermodels are subject to controls that appropriatelyaccount for any weaknesses in validation activi-ties. Accuracy and completeness of the modelinventory should be assessed. In addition, pro-cesses for establishing and monitoring limits onmodel usage should be evaluated. Internal auditshould determine whether procedures for updat-ing models are clearly documented and testwhether those procedures are being carried outas specified. Internal audit should check thatmodel owners and control groups are meetingdocumentation standards, including risk report-ing. Additionally, internal audit should performassessments of supporting operational systemsand evaluate the reliability of data used bymodels.

Internal audit also has an important role inensuring that validation work is conducted prop-erly and that appropriate effective challenge isbeing carried out. It should evaluate the objec-tivity, competence, and organizational standingof the key validation participants, with the ulti-mate goal of ascertaining whether those partici-pants have the right incentives to discover andreport deficiencies. Internal audit should reviewvalidation activities conducted by internal andexternal parties with the same rigor to see if

those activities are being conducted in accor-dance with this guidance.

2126.0.6.5 External Resources

Although model risk management is an internalprocess, a bank may decide to engage externalresources to help execute certain activitiesrelated to the model risk-management frame-work. These activities could include model vali-dation and review, compliance functions, orother activities in support of internal audit.These resources may provide added knowledgeand another level of critical and effective chal-lenge, which may improve the internal modeldevelopment and risk-management processes.However, this potential benefit should beweighed against the added costs for suchresources and the added time that external par-ties require to understand internal data, systems,and other relevant bank-specific circumstances.

Whenever external resources are used, thebank should specify the activities to be con-ducted in a clearly written and agreed-uponscope of work. A designated internal party fromthe bank should be able to understand and evalu-ate the results of validation and risk-controlactivities conducted by external resources. Theinternal party is responsible for verifying thatthe agreed upon scope of work has been com-pleted; evaluating and tracking identified issuesand ensuring they are addressed; and makingsure that completed work is incorporated intothe bank’s overall model risk-managementframework. If the external resources are onlyutilized to do a portion of validation or compli-ance work, the bank should coordinate internalresources to complete the full range of workneeded. The bank should have a contingencyplan in case an external resource is no longeravailable or is unsatisfactory.

2126.0.6.6 Model Inventory

Banks should maintain a comprehensive set ofinformation for models implemented for use,under development for implementation, orrecently retired. While each line of businessmay maintain its own inventory, a specific partyshould also be charged with maintaining a firm-wide inventory of all models, which shouldassist a bank in evaluating its model risk in theaggregate. Any variation of a model that war-



rants a separate validation should be included asa separate model and cross-referenced withother variations.

While the inventory may contain varying lev-els of information, given different model com-plexity and the bank’s overall level of modelusage, the following are some general guide-lines. The inventory should describe the purposeand products for which the model is designed,actual or expected usage, and any restrictions onuse. It is useful for the inventory to list the typeand source of inputs used by a given model andunderlying components (which may includeother models), as well as model outputs andtheir intended use. It should also indicatewhether models are functioning properly, pro-vide a description of when they were lastupdated, and list any exceptions to policy. Otheritems include the names of individuals respon-sible for various aspects of the model develop-ment and validation; the dates of completed andplanned validation activities; and the time frameduring which the model is expected to remainvalid.

2126.0.6.7 Documentation

Without adequate documentation, model riskassessment and management will be ineffective.Documentation of model development and vali-dation should be sufficiently detailed so thatparties unfamiliar with a model can understandhow the model operates, its limitations, and itskey assumptions. Documentation provides forcontinuity of operations, makes compliance withpolicy transparent, and helps track recommenda-tions, responses, and exceptions. Developers,users, control and compliance units, and super-visors are all served by effective documentation.Banks can benefit from advances in informationand knowledge management systems and elec-tronic documentation to improve the organiza-tion, timeliness, and accessibility of the variousrecords and reports produced in the model risk-management process.

Documentation takes time and effort, andmodel developers and users who know themodels well may not appreciate its value. Banksshould therefore provide incentives to produce

effective and complete model documentation.Model developers should have responsibilityduring model development for thoroughdocumentation, which should be kept up-to-date as the model and application environmentchanges. In addition, the bank should ensurethat other participants in model risk-management activities document their work,including ongoing monitoring, process verifica-tion, benchmarking, and outcomes analysis.Also, line of business or other decision makersshould document information leading to selec-tion of a given model and its subsequent valida-tion. For cases in which a bank uses modelsfrom a vendor or other third party, it shouldensure that appropriate documentation of thethird-party approach is available so that themodel can be appropriately validated.

Validation reports should articulate modelaspects that were reviewed, highlighting poten-tial deficiencies over a range of financial andeconomic conditions, and determining whetheradjustments or other compensating controls arewarranted. Effective validation reports includeclear executive summaries, with a statement ofmodel purpose and an accessible synopsis ofmodel and validation results, including majorlimitations and key assumptions.

2126.0.7 CONCLUSION—PART VII

This section provides comprehensive guidanceon effective model risk management. Many ofthe activities described are common industrypractice. But all banks should confirm that theirpractices conform to the principles in this guid-ance for model development, implementation,and use, as well as model validation. Banksshould also ensure that they maintain stronggovernance and controls to help manage modelrisk, including internal policies and proceduresthat appropriately reflect the risk-managementprinciples described in this guidance. Details ofmodel risk-management practices may varyfrom bank to bank, as practical application ofthis guidance should be commensurate with abank’s risk exposures, its business activities,and the extent and complexity of its model use.



Investment Securities and End-User DerivativesActivities Section 2126.1


Effective January 2013, this section was revisedto acknowledge and to include minor changesrelating to the issuance of SR-12-15, ‘‘Investingin Securities without Reliance on NationallyRecognized Statistical Rating Organizations,’’and its OCC attachment . (See section 2126.2 ofthis manual.) The section also updates the citedaccounting standards references.

2126.1.0 SOUND RISK-MANAGEMENT PRACTICES FORPORTFOLIO INVESTMENT

On April 23, 1998, the Federal FinancialInstitutions Examination Council (FFIEC) issueda Supervisory Policy Statement on InvestmentSecurities and End-User Derivatives Activitiesthat became effective on May 25, 1998. Thestatement was adopted by the Board ofGovernors and provides guidance on soundpractices for managing the risks of investmentactivities. The guidance focuses on risk-management practices of state member banksand Edge corporations. The basic principles alsoapply to bank holding companies, which shouldmanage and control risk exposures on aconsolidated basis, recognizing the legal distinc-tions and potential obstacles to cash movementsamong subsidiaries. The statement’s risk-management principles should also beincorporated into the policies of U.S. branchesand agencies of foreign banks.1

The statement’s principles set forth soundrisk-management practices that are relevant tomost portfolio-management endeavors. Thestatement places greater emphasis on a risk-focused approach to supervision. Instrumentsheld for end-user reasons are considered, takinginto consideration a variety of factors such asmanagement’s ability to manage and measurerisk within the institution’s holdings and theimpact of those holdings on aggregate portfoliorisk.

The statement focuses on managing the mar-ket, credit, liquidity, operational, and legal risksof investment and end-user activities. When

managing the interest-rate-risk component ofmarket risk, institutions are informed of themerits of developing internal policies thatspecify the type of pre-acquisition analysis(stress testing) that is consistent with the scope,sophistication, and complexity of their invest-ment securities and end-user derivative hold-ings. Such analyses should be conducted forcertain types of instruments, including thosethat have complex or potentially volatile riskprofiles. Institutions are advised to periodicallymonitor the price sensitivity of their portfolios,ensuring that they meet the established limits ofthe board of directors. Institutions are furtheradvised to fully assess the creditworthiness oftheir counterparties, including brokers and issu-ers. Institutions are to ensure that they takeproper account of the liquidity of the instru-ments held. (See SR-98-12.)

2126.1.1 SUPERVISORY POLICYSTATEMENT ON INVESTMENTSECURITIES AND END-USERDERIVATIVES ACTIVITIES

2126.1.1.1 Purpose

This policy statement (statement) providesguidance to financial institutions (institutions) onsound practices for managing the risks ofinvestment securities and end-user derivativesactivities.2 The FFIEC agencies—the Board ofGovernors of the Federal Reserve System, theFederal Deposit Insurance Corporation, theOffice of the Comptroller of the Currency, andthe National Credit Union Administration—believe that effective management of the risksassociated with securities and derivative instru-ments represents an essential component of safeand sound practices. This guidance describes thepractices that a prudent manager normally wouldfollow and is not intended to be a checklist.Management should establish practices andmaintain documentation appropriate to theinstitution’s individual circumstances, consistentwith this statement.

1. Appropriate adaptations should be made to reflect thefact that (1) those offices are an integral part of a foreign bankthat must also manage its consolidated risks and recognizepossible obstacles to cash movement among branches and(2) the foreign bank is subject to overall supervision by itshome-country supervisory authority.

2. The 1998 statement does not supersede any otherrequirements of the respective agencies’ statutory rules, regu-lations, policies, or supervisory guidance.


2126.1.1.2 Scope

This guidance applies to all securities inheld-to-maturity and available-for-sale accounts.See FASB Accounting Standards Codificationsection 320-10-35, ‘‘Investment Debt and EquitySecurities—Overall—Subsequent Measure-ment’’ (formerly FAS 115, ‘‘Accounting forCertain Debt and Equity Securities’’). It alsoapplies to certificates of deposit held forinvestment purposes, and end-user derivativecontracts not held in trading accounts. Thisguidance covers all securities used for invest-ment purposes, including money market instru-ments, fixed-rate and floating-rate notes andbonds, structured notes, mortgage pass-throughand other asset-backed securities, and mortgage-derivative products. Similarly, this guidancecovers all end-user derivative instruments usedfor nontrading purposes, such as swaps, futures,and options.3 This statement applies to allfederally insured commercial banks, savingsbanks, savings associations, and federallychartered credit unions.

As a matter of sound practice, institutionsshould have programs to manage the market,credit, liquidity, legal, operational, and otherrisks of investment securities and end-userderivatives activities (investment activities).While risk-management programs will differamong institutions, there are certain elementsthat are fundamental to all sound risk-management programs. These elements includeboard and senior management oversight and acomprehensive risk-management process thateffectively identifies, measures, monitors, andcontrols risk. This statement describes soundprinciples and practices for managing and con-trolling the risks associated with investmentactivities.

Institutions should fully understand and effec-tively manage the risks inherent in their invest-ment activities. Failure to understand andadequately manage the risks in these areas con-stitutes an unsafe and unsound practice.

2126.1.1.3 Board and SeniorManagement Oversight

Board of director and senior management

oversight is an integral part of an effectiverisk-management program. The board of direc-tors is responsible for approving major policiesfor conducting investment activities, includingthe establishment of risk limits. The board shouldensure that management has the requisite skills tomanage the risks associated with such activities.To properly discharge its oversight responsibili-ties, the board should review portfolio activityand risk levels, and require management todemonstrate compliance with approved risklimits. Boards should have an adequateunderstanding of investment activities. Boardsthat do not should obtain professional advice toenhance its understanding of investment-activityoversight, so as to enable it to meet itsresponsibilities under this statement.

Senior management is responsible for thedaily management of an institution’s invest-ments. Management should establish andenforce policies and procedures for conductinginvestment activities. Senior managementshould have an understanding of the nature andlevel of various risks involved in the institu-tion’s investments and how such risks fit withinthe institution’s overall business strategies.Management should ensure that the risk-management process is commensurate with thesize, scope, and complexity of the institution’sholdings. Management should also ensure thatthe responsibilities for managing investmentactivities are properly segregated to maintainoperational integrity. Institutions with signifi-cant investment activities should ensure thatback-office, settlement, and transaction-reconciliation responsibilities are conducted andmanaged by personnel who are independent ofthose initiating risk-taking positions.

2126.1.1.4 Risk-Management Process

An effective risk-management process forinvestment activities includes (1) policies, pro-cedures, and limits; (2) the identification, mea-surement, and reporting of risk exposures; and(3) a system of internal controls.

2126.1.1.4.1 Policies, Procedures, andLimits

Investment policies, procedures, and limits pro-vide the structure to effectively manage invest-ment activities. Policies should be consistentwith the organization’s broader business strate-gies, capital adequacy, technical expertise, andrisk tolerance. Policies should identify relevantinvestment objectives, constraints, and guide-

3. Natural-person federal credit unions are not permitted topurchase nonresidential mortgage asset-backed securities andmay participate in derivative programs only if authorized by theNational Credit Union Administration.

Investment Securities and End-User Derivatives Activities 2126.1


lines for the acquisition and ongoing manage-ment of securities and derivative instruments.Potential investment objectives include generat-ing earnings, providing liquidity, hedging riskexposures, taking risk positions, modifying andmanaging risk profiles, managing tax liabilities,and meeting pledging requirements, if applica-ble. Policies should also identify the risk charac-teristics of permissible investments and shoulddelineate clear lines of responsibility and author-ity for investment activities.

An institution’s management should under-stand the risks and cash-flow characteristics ofits investments. This is particularly importantfor products that have unusual, leveraged, orhighly variable cash flows. An institution shouldnot acquire a material position in an instrumentuntil senior management and all relevant per-sonnel understand and can manage the risksassociated with the product.

An institution’s investment activities shouldbe fully integrated into any institution-wide risklimits. In so doing, some institutions rely onlyon the institution-wide limits, while others mayapply limits at the investment portfolio, sub-portfolio, or individual instrument level.

The board and senior management shouldreview, at least annually, the appropriateness ofits investment strategies, policies, procedures,and limits.

2126.1.1.4.2 Risk Identification,Measurement, and Reporting

Institutions should ensure that they identify andmeasure the risks associated with individualtransactions prior to acquisition and peri-odically after purchase. This can be done at theinstitutional, portfolio, or individual-instrumentlevel. Prudent management of investmentactivities entails examination of the risk profileof a particular investment in light of its impacton the risk profile of the institution. To theextent practicable, institutions should measureexposures to each type of risk, and thesemeasurements should be aggregated andintegrated with similar exposures arising fromother business activities to obtain theinstitution’s overall risk profile.

In measuring risks, institutions should con-duct their own in-house pre-acquisition analy-ses, or to the extent possible, make use of spe-cific third-party analyses that are independent ofthe seller or counterparty. Irrespective of anyresponsibility, legal or otherwise, assumed by adealer, counterparty, or financial advisor regard-ing a transaction, the acquiring institution is

ultimately responsible for the appropriate per-sonnel understanding and managing the risks ofthe transaction.

Reports to the board of directors and seniormanagement should summarize the risks relatedto the institution’s investment activities andshould address compliance with the investmentpolicy’s objectives, constraints, and legalrequirements, including any exceptions to estab-lished policies, procedures, and limits. Reportsto management should generally reflect moredetail than reports to the board of the institution.Reporting should be frequent enough to providetimely and adequate information to judge thechanging nature of the institution’s risk profileand to evaluate compliance with stated policyobjectives and constraints.

2126.1.1.4.3 Internal Controls

An institution’s internal control structure is criti-cal to the safe and sound functioning of theorganization generally and the management ofinvestment activities in particular. A system ofinternal controls promotes efficient operations;reliable financial and regulatory reporting; andcompliance with relevant laws, regulations, andinstitutional policies. An effective system ofinternal controls includes enforcing official linesof authority, maintaining appropriate separationof duties, and conducting independent reviewsof investment activities.

For institutions with significant investmentactivities, internal and external audits are inte-gral to the implementation of a risk-management process to control risks in invest-ment activities. An institution should conductperiodic independent reviews of its risk-management program to ensure its integrity,accuracy, and reasonableness. Items that shouldbe reviewed include—

1. compliance with and the appropriateness ofinvestment policies, procedures, and limits;

2. the appropriateness of the institution’s risk-measurement system given the nature, scope,and complexity of its activities; and

3. the timeliness, integrity, and usefulness ofreports to the board of directors and seniormanagement.

The review should note exceptions to poli-cies, procedures, and limits and suggest correc-tive actions. The findings of such reviews should



be reported to the board and corrective actionstaken on a timely basis.

The accounting systems and procedures usedfor public and regulatory reporting purposes arecritically important to the evaluation of an orga-nization’s risk profile and the assessment of itsfinancial condition and capital adequacy.Accordingly, an institution’s policies shouldprovide clear guidelines regarding the reportingtreatment for all securities and derivatives hold-ings. This treatment should be consistent withthe organization’s business objectives, generallyaccepted accounting principles (GAAP), andregulatory reporting standards.

2126.1.1.5 Risks of Investment Activities

The following discussion identifies particularsound practices for managing the specific risksinvolved in investment activities. In addition tothese sound practices, institutions should followany specific guidance or requirements from theirprimary supervisor related to these activities.

2126.1.1.5.1 Market Risk

Market risk is the risk to an institution’s finan-cial condition resulting from adverse changes inthe value of its holdings arising from move-ments in interest rates, foreign-exchange rates,equity prices, or commodity prices. An institu-tion’s exposure to market risk can be measuredby assessing the effect of changing rates andprices on either the earnings or economic valueof an individual instrument, a portfolio, or theentire institution. For most institutions, the mostsignificant market risk of investment activities isinterest-rate risk.

Investment activities may represent a signifi-cant component of an institution’s overallinterest-rate-risk profile. It is a sound practicefor institutions to manage interest-rate risk onan institution-wide basis. This sound practiceincludes monitoring the price sensitivity of theinstitution’s investment portfolio (changes in theinvestment portfolio’s value over differentinterest-rate/yield curve scenarios). Consistentwith agency guidance, institutions shouldspecify institution-wide interest-rate-risk limitsthat appropriately account for these activitiesand the strength of the institution’s capital posi-tion. These limits are generally established foreconomic value or earnings exposures. Institu-tions may find it useful to establish price-

sensitivity limits on their investment portfolioor on individual securities. These sub-institutionlimits, if established, should also be consistentwith agency guidance.

It is a sound practice for an institution’s man-agement to fully understand the market risksassociated with investment securities andderivative instruments prior to acquisition andon an ongoing basis. Accordingly, institutionsshould have appropriate policies to ensure suchunderstanding. In particular, institutions shouldhave policies that specify the types of market-risk analyses that should be conducted for vari-ous types or classes of instruments, includingthat conducted prior to their acquisition (pre-purchase analysis) and on an ongoing basis.Policies should also specify any required docu-mentation needed to verify the analysis.

It is expected that the substance and form ofsuch analyses will vary with the type of instru-ment. Not all investment instruments may needto be subjected to a pre-purchase analysis. Rela-tively simple or standardized instruments, therisks of which are well known to the institution,would likely require no or significantly lessanalysis than would more volatile, complexinstruments.4

For relatively more complex instruments, lessfamiliar instruments, and potentially volatileinstruments, institutions should fully addresspre-purchase analyses in their policies. Price-sensitivity analysis is an effective way to per-form the pre-purchase analysis of individualinstruments. For example, a pre-purchase analy-sis should show the impact of an immediateparallel shift in the yield curve of plus andminus 100, 200, and 300 basis points. Whereappropriate, such analysis should encompass awider range of scenarios, including nonparallelchanges in the yield curve. A comprehensiveanalysis may also take into account other rel-evant factors, such as changes in interest-ratevolatility and changes in credit spreads.

When the incremental effect of an investmentposition is likely to have a significant effect onthe risk profile of the institution, it is a soundpractice to analyze the effect of such a positionon the overall financial condition of theinstitution.

Accurately measuring an institution’s marketrisk requires timely information about the cur-rent carrying and market values of its invest-ments. Accordingly, institutions should havemarket-risk-measurement systems commensu-

4. Federal credit unions must comply with the investment-monitoring requirements of 12 C.F.R. 703.90. See 62 Fed.Reg. 32,989 (June 18, 1997).



rate with the size and nature of these invest-ments. Institutions with significant holdings ofhighly complex instruments should ensure thatthey have the means to value their positions.Institutions employing internal models shouldhave adequate procedures to validate the modelsand to periodically review all elements of themodeling process, including its assumptions andrisk-measurement techniques. Managementsrelying on third parties for market-risk-measurement systems and analyses shouldensure that they fully understand the assump-tions and techniques used.

Institutions should provide reports to theirboards on the market-risk exposures of theirinvestments on a regular basis. To do so, theinstitution may report the market-risk exposureof the whole institution. Alternatively, reportsshould contain evaluations that assess trends inaggregate market-risk exposure and the perfor-mance of portfolios in terms of establishedobjectives and risk constraints. They also shouldidentify compliance with board-approved limitsand identify any exceptions to established stan-dards. Institutions should have mechanisms todetect and adequately address exceptions to lim-its and guidelines. Management reports on mar-ket risk should appropriately address potentialexposures to yield curve changes and other fac-tors pertinent to the institution’s holdings.

2126.1.1.5.2 Credit Risk

Broadly defined, credit risk is the risk that anissuer or counterparty will fail to perform on anobligation to the institution. For many financialinstitutions, credit risk in the investment port-folio may be low relative to other areas, such aslending. However, this risk, as with any otherrisk, should be effectively identified, measured,monitored, and controlled.

An institution should not acquire investmentsor enter into derivative contracts without assess-ing the creditworthiness of the issuer or counter-party. The credit risk arising from these posi-tions should be incorporated into the overallcredit-risk profile of the institution as compre-hensively as practicable. Institutions are to meetcertain creditworthiness standards for securitypurchases. Many institutions may maintain andupdate internal credit-rating reports and assess-ments that can be supplemented by reports frommajor external credit-rating services. For non-rated securities, institutions should establishguidelines to ensure that the securities meetlegal requirements and that the institution fullyunderstands the risk involved. Institutions

should establish limits on individual counter-party exposures. Policies should also providecredit-risk and concentration limits. Such limitsmay define concentrations relating to a single orrelated issuer or counterparty, a geographicalarea, or obligations with similar characteristics.

In managing credit risk, institutions shouldconsider settlement and presettlement creditrisk. These risks are the possibility that a coun-terparty will fail to honor its obligation at orbefore the time of settlement. The selection ofdealers, investment bankers, and brokers is par-ticularly important in effectively managing theserisks. The approval process should include areview of each firm’s financial statements andan evaluation of its ability to honor its commit-ments. An inquiry into the general reputation ofthe dealer is also appropriate. This includesreview of information from state or federal secu-rities regulators and industry self-regulatoryorganizations such as the National Associationof Securities Dealers concerning any formalenforcement actions against the dealer, its affili-ates, or associated personnel.

The board of directors is responsible forsupervision and oversight of investment port-folio and end-user derivatives activities, includ-ing the approval and periodic review of policiesthat govern relationships with securities dealers.

Sound credit-risk management requires thatcredit limits be developed by personnel who areas independent as practicable of the acquisitionfunction. In authorizing issuer and counterpartycredit lines, these personnel should use stan-dards that are consistent with those used forother activities conducted within the institutionand with the organization’s overall policies andconsolidated exposures.

2126.1.1.5.3 Liquidity Risk

Liquidity risk is the risk that an institution can-not easily sell, unwind, or offset a particularposition at a fair price because of inadequatemarket depth. In specifying permissible instru-ments for accomplishing established objectives,institutions should ensure that they take intoaccount the liquidity of the market for thoseinstruments and the effect that such characteris-tics have on achieving their objectives. Theliquidity of certain types of instruments maymake them inappropriate for certain objectives.Institutions should ensure that they consider theeffects that market risk can have on the liquidity



of different types of instruments under variousscenarios. Accordingly, institutions shouldarticulate clearly the liquidity characteristics ofinstruments to be used in accomplishing institu-tional objectives.

Complex and illiquid instruments can ofteninvolve greater risk than actively traded, moreliquid securities. Oftentimes, this higher poten-tial risk arising from illiquidity is not capturedby standardized financial modeling techniques.Such risk is particularly acute for instrumentsthat are highly leveraged or that are designed tobenefit from specific, narrowly defined marketshifts. If market prices or rates do not move asexpected, the demand for such instruments canevaporate, decreasing the market value of theinstrument below the modeled value.

2126.1.1.5.4 Operational (Transaction)Risk

Operational (transaction) risk is the risk thatdeficiencies in information systems or internalcontrols will result in unexpected loss. Sourcesof operating risk include inadequate procedures,human error, system failure, or fraud. Inaccu-rately assessing or controlling operating risks isone of the more likely sources of problemsfacing institutions involved in investmentactivities.

Effective internal controls are the first line ofdefense in controlling the operating risksinvolved in an institution’s investment activi-ties. Of particular importance are internal con-trols that ensure the separation of duties andsupervision of persons executing transactionsfrom those responsible for processing contracts,confirming transactions, controlling variousclearing accounts, preparing or posting theaccounting entries, approving the accountingmethodology or entries, and performingrevaluations.

Consistent with the operational support ofother activities within the financial institution,securities operations should be as independentas practicable from business units. Adequateresources should be devoted, such that systemsand capacity are commensurate with the sizeand complexity of the institution’s investmentactivities. Effective risk management shouldalso include, at least, the following:

1. Valuation. Procedures should ensure inde-pendent portfolio pricing. For thinly traded

or illiquid securities, completely independentpricing may be difficult to obtain. In suchcases, operational units may need to useprices provided by the portfolio manager.For unique instruments where the pricingisbeing provided by a single source (e.g., thedealer providing the instrument), the institu-tion should review and understand theassumptions used to price the instrument.

2. Personnel. The increasingly complex natureof securities available in the marketplacemakes it important that operational personnelhave strong technical skills. This will enablethem to better understand the complex finan-cial structures of some investmentinstruments.

3. Documentation. Institutions should clearlydefine documentation requirements for secu-rities transactions, saving and safeguardingimportant documents, as well as maintainingpossession and control of instrumentspurchased.

An institution’s policies should also provideguidelines for conflicts of interest for employeeswho are directly involved in purchasing andselling securities for the institution from securi-ties dealers. These guidelines should ensure thatall directors, officers, and employees act in thebest interest of the institution. The board maywish to adopt policies prohibiting these employ-ees from engaging in personal securities transac-tions with these same securities firms withoutspecific prior board approval. The board mayalso wish to adopt a policy applicable to direc-tors, officers, and employees restricting or pro-hibiting the receipt of gifts, gratuities, or travelexpenses from approved securities dealer firmsand their representatives.

2126.1.1.5.5 Legal Risk

Legal risk is the risk that contracts are notlegally enforceable or documented correctly.Institutions should adequately evaluate theenforceability of its agreements before indi-vidual transactions are consummated. Institu-tions should also ensure that the counterpartyhas authority to enter into the transaction andthat the terms of the agreement are legallyenforceable. Institutions should further ascertainthat netting agreements are adequately docu-mented, executed properly, and are enforceablein all relevant jurisdictions. Institutions shouldhave knowledge of relevant tax laws andinterpretations governing the use of theseinstruments.



Investing in Securities without Reliance on Ratings of NationallyRecognized Statistical Rating Organizations Section 2126.2

On November 15, 2012, state member bankswere advised, effective January 1, 2013, thatthey may no longer rely solely on credit ratingsissued by nationally recognized statistical ratingorganizations (NRSROs) or external credit rat-ings to determine whether a particular securityis an ‘‘investment security’’ that is permissiblefor investment by a state member bank. Underthe regulations of the Office of the Comptrollerof the Currency (OCC), securities qualify forinvestment by national banks only if they aredetermined by the bank to be ‘‘investmentgrade’’ and not predominantly speculative innature. (See SR-12-15 and its attachment.) Thebasic sound risk-management principles of thispolicy and other referenced guidance that fol-lows also applies to bank holding companies(BHCs) and savings and loan holding compa-nies (SLHCs). They should manage and controltheir risk exposures on a consolidated basis andgive recognition to the legal distinctions andpotential obstacles to the cash movementsamong their financial institution subsidiaries.Since a BHC’s structure can include nationalbanks, state member banks, and other financialinstitution subsidiaries, the referenced statutory,regulatory, and supervisory guidance is pro-vided.

Under the Federal Reserve Act (12 USC 335)and the Federal Reserve (FR)’s Regulation H(12 CFR 208.21), state member banks are sub-ject to the same limitations and conditions withrespect to the purchasing, selling, underwriting,and holding of investment securities and stockas national banks under the National BankingAct (12 USC 24 (Seventh)). Therefore, wheninvesting in securities, state member banks mustcomply with the provisions of the NationalBanking Act and the OCC regulations in 12CFR part 1. In addition to this federal require-ment, a state member bank may purchase, sell,underwrite, or hold securities and stock only tothe extent permitted under applicable state law.

National banks are to assess a security’s cred-itworthiness to determine if it is ‘‘investmentgrade.’’ A security meets the ‘‘investmentgrade’’ test only if the issuer has an adequatecapacity to meet its financial commitmentsunder the security for the projected life of theasset or exposure. Under this definition, theissuer has an adequate capacity to meet financialcommitments if (1) the risk of default by theobligor is low and (2) the full and timely repay-ment of principal and interest is expected.1

National banks are expected to consider a num-ber of factors, to the extent appropriate in mak-ing this determination. While a national bankmay continue to take into account external creditratings and assessments as a valuable source ofinformation, the bank is expected to supplementthese ratings with a degree of due diligenceprocesses and additional analyses appropriatefor the bank’s risk profile and for the size andcomplexity of the instrument.2

The OCC issued guidance, effective January1, 2013 (OCC investment guidance), to clarifyregulatory expectations with respect to invest-ment purchase decisions and ongoing portfoliodue diligence processes. See appendix 1 below(section 2126.2.1). The guidance clarifies thatgenerally, investment securities are expected tohave good to very strong credit quality. In thecase of structured securities, this determinationmay be influenced more by the quality of theunderlying collateral, the cash flow rules, andthe structure of the security itself than by thecondition of the issuer.

The OCC also expects national banks to con-duct an appropriate level of due diligence tounderstand the inherent risks of a security anddetermine that it is a permissible investment.The extent of the due diligence should be suffi-cient to support the institution’s conclusion thata security meets the ‘‘investment-grade’’ stan-dards. The depth of the due diligence should bea function of the security’s credit quality, thecomplexity of the structure, and the size of theinvestment. Third-party analytics may be part ofthis analysis, although the national bank’s man-agement remains responsible for the investmentdecision and should ensure that prospectivethird parties are independent, reliable, and quali-fied. The guidance also sets forth an expectationthat the board of directors should oversee man-agement to make sure appropriate decisionmak-ing processes are in place.3

Investment in securities and stock by statemember banks are required under the FederalReserve Act and Regulation H to comply withthe revised 12 CFR part 1 and should also meetthe supervisory expectations set forth in theOCC investment guidance and this FR guid-ance. In addition, state member banks areexpected to continue to meet long-established

1. See 77 Fed. Reg. 35257 (June 13, 2012).

2. See 77 Fed. Reg. 35254 (June 13, 2012).3. See 77 Fed. Reg. 35259 (June 13, 2012).


supervisory expectations for risk-managementprocesses to ensure that the credit risk of thebank, including the credit risk of the investmentportfolio, is effectively identified, measured,monitored, and controlled.

2126.2.1 APPENDIX 1—OCCGUIDANCE ON DUE DILIGENCEREQUIREMENTS IN DETERMININGWHETHER SECURITIES AREELIGIBLE FOR INVESTMENT

The guidance below was issued by the Office ofthe Comptroller of the Currency (OCC) on June13, 2012, and is being included for ease ofreference. The official guidance was publishedin the Federal Register (77 Fed. Reg. 35259),and is available as an attachment to OCC Bulle-tin 2012-18. As discussed in SR-12-15, the Fed-eral Reserve also expects that state memberbanks (SMBs) will meet the supervisory expecta-tions set forth in the OCC guidance as thisguidance provides further clarification to theOCC rule with which SMBs must comply. (See12 CFR part 1, and 77 Fed. Reg. 35253, June13, 2012.)

Purpose

The OCC has issued final rules to revise thedefinition of ‘‘investment grade,’’ as that term isused in 12 CFR parts 1 and 160 in order tocomply with section 939A of the Dodd-FrankAct. Institutions, effective January 1, 2013, areto ensure that existing investments comply withthe revised ‘‘investment grade’’ standard, asapplicable based on investment type, and safetyand soundness practices described in 12 CFR1.5 and this guidance. This implementationperiod also will provide management with timeto evaluate and amend existing policies andpractices to ensure new purchases comply withthe final rules and guidance. National banks thathave established due diligence review processes,and that have not relied exclusively on externalcredit ratings, should not have difficulty estab-lishing compliance with the new standard.

The OCC is issuing this guidance (Guidance)to clarify steps national banks ordinarily areexpected to take to demonstrate they have prop-erly verified their investments meet the newlyestablished credit-quality standards under 12CFR part 1 and steps national banks are

expected to take to demonstrate they are incompliance with due diligence requirementswhen purchasing investment securities and con-ducting ongoing reviews of their investmentportfolios. The standards below describe hownational banks may purchase, sell, deal in,underwrite, and hold securities consistent withthe authority contained in 12 U.S.C. 24 (Sev-enth). The activities of national banks must beconsistent with safe and sound banking prac-tices, and this Guidance reminds national banksof the supervisory risk-management expecta-tions associated with permissible investmentportfolio holdings under parts 1 and 160.

Background

Parts 1 and 160 provide standards for determin-ing whether securities have appropriate creditquality and marketability characteristics to bepurchased and held by national banks. Theserequirements also establish limits on the amountof investment securities an institution may holdfor its own account. As defined in 12 CFR part1, an ‘‘investment security’’ must be ‘‘invest-ment grade.’’ For the purpose of part 1, ‘‘invest-ment grade’’ securities are those where theissuer has an adequate capacity to meet thefinancial commitments under the security for theprojected life of the investment. An issuer hasan adequate capacity to meet financial commit-ments if the risk of default by the obligor is lowand the full and timely repayment of principaland interest is expected. Generally, securitieswith good to very strong credit quality will meetthis standard. In the case of a structured security(that is, a security that relies primarily on thecash flows and performance of underlying col-lateral for repayment, rather than the credit ofthe entity that is the issuer), the determinationthat full and timely repayment of principal andinterest is expected may be influenced more bythe quality of the underlying collateral, the cashflow rules, and the structure of the security itselfthan by the condition of the issuer.

National banks must be able to demonstratethat their investment securities meet applicablecredit-quality standards. This Guidance providescriteria that national banks can use in meetingpart 1 credit-quality standards and that nationalbanks can use in meeting due diligencerequirements.

Investing in Securities without Reliance on Ratings of NRSROs 2126.2


Determining Whether Securities ArePermissible Prior to Purchase

The OCC’s elimination of references to creditratings in its regulations, in accordance with theDodd-Frank Act, does not substantively changethe standards institutions should use whendeciding whether securities are eligible for pur-chase under part 1. The OCC’s investment secu-rities regulations generally require a nationalbank to determine whether or not a security is‘‘investment grade’’ in order to determinewhether purchasing the security is permissible.Investments are considered ‘‘investment grade’’if they meet the regulatory standard for creditquality. To meet this standard, a national bankmust be able to determine that the security has(1) low risk of default by the obligor and (2) theexpectation of full and timely repayment ofprincipal and interest over the expected life ofthe investment.

For national banks, Type I securities, asdefined in part 1, generally are government obli-gations and are not subject to investment gradecriteria for determining eligibility to purchase.Typical Type I obligations include U.S. Treasur-ies, agencies, municipal government generalobligations, and for well-capitalized institutions,municipal revenue bonds. While Type I obliga-tions do not have to meet the investment gradecriteria to be eligible for purchase, all invest-ment activities should comply with safe andsound banking practices as stated in 12 CFR 1.5and in previous regulatory guidance. UnderOCC rules, Treasury and agency obligations donot require individual credit analysis, but bankmanagement should consider how those securi-ties fit into the overall purpose, plans, and riskand concentration limitations of the investmentpolicies established by the board of directors.Municipal bonds should be subject to an initialcredit assessment and then ongoing review con-sistent with the risk characteristics of the bondsand the overall risk of the portfolio.

Financial institutions should be wellacquainted with fundamental credit analysis asthis is central to a well-managed loan portfolio.The foundation of a fundamental credit analysis-character, capacity, collateral, and covenants-applies to investment securities just as it does tothe loan portfolio. Accordingly, the OCCexpects national banks to conduct an appropri-ate level of due diligence to understand theinherent risks and determine that a security is apermissible investment. The extent of the duediligence should be sufficient to support theinstitution’s conclusion that a security meets theinvestment grade standards. This may include

consideration of internal analyses, third partyresearch and analytics including external creditratings, internal risk ratings, default statistics,and other sources of information as appropriatefor the particular security. Some institutions mayhave the resources to do most or all of theanalytical work internally. Some, however, maychoose to rely on third parties for much of theanalytical work. While analytical support maybe delegated to third parties, management maynot delegate its responsibility for decisionmak-ing and should ensure that prospective thirdparties are independent, reliable, and qualified.The board of directors should oversee manage-ment to assure that an appropriate decisionmak-ing process is in place.

The depth of the due diligence should be afunction of the security’s credit quality, the com-plexity of the structure, and the size of theinvestment. The more complex a security’sstructure, the more credit-related due diligencean institution should perform, even when thecredit quality is perceived to be very high. Man-agement should ensure it understands the securi-ty’s structure and how the security may performin different default environments, and should beparticularly diligent when purchasing structuredsecurities.4 The OCC expects national banks toconsider a variety of factors relevant to theparticular security when determining whether asecurity is a permissible and sound investment.The range and type of specific factors an institu-tion should consider will vary depending on theparticular type and nature of the securities. As ageneral matter, a national bank will have agreater burden to support its determination ifone factor is contradicted by a finding underanother factor.

The following matrix provides examples offactors for national banks to consider as part ofa robust credit-risk assessment framework fordesignated types of instruments. The types ofsecurities included in the matrix require a credit-focused pre-purchase analysis to meet theinvestment grade standard or safety and sound-ness standards. Again, the matrix is provided asa guide to better inform the credit-risk assess-ment process. Individual purchases may requiremore or less analysis dependent on the securi-ty’s risk characteristics, as previously described.

4. For example, a national bank should be able to demon-strate an understanding of the effects on cash flows of astructured security assuming varying default levels in theunderlying assets.



Key factors Corporatebonds

Municipalgovernment

generalobligations

Revenuebonds

Structuredsecurities

Confirm spread to U.S. Treasuries is consistentwith bonds of similar credit quality X X X X

Confirm risk of default is low and consistentwith bonds of similar credit quality X X X X

Confirm capacity to pay and assess operatingand financial performance levels and trendsthrough internal credit analysis and/or otherthird party analytics, as appropriate for theparticular security X X X X

Evaluate the soundness of a municipal’s bud-getary position and stability of its tax rev-enues. Consider debt profile and level ofunfunded liabilities, diversity of revenuesources, taxing authority, and managementexperience X

Understand local demographics/economics.Consider unemployment data, local employ-ers, income indices, and home values X X

Assess the source and strength of revenuestructure for municipal authorities. Considerobligor’s financial condition and reserve lev-els, annual debt service and debt coverageratio, credit enhancement, legal covenants,and nature of project X

Understand the class or tranche and its relativeposition in the securitization structure X

Assess the position in the cash flow waterfall XUnderstand loss allocation rules, specific defini-

tion of default, the potential impact of perfor-mance and market value triggers, and supportprovided by credit and/or liquidityenhancements X

Evaluate and understand the quality of theunderwriting of the underlying collateral aswell as any risk concentrations X

Determine whether current underwriting isconsistent with the original underwritingunderlying the historical performance of thecollateral and consider the effect of anychanges X

Assess the structural subordination anddetermine if adequate given current under-writing standards X

Analyze and understand the impact of collateraldeterioration on tranche performance andpotential credit losses under adverse eco-nomic conditions

X



Additional Guidance on StructuredSecurities Analysis

The creditworthiness assessment for an invest-ment security that relies on the cash flows andcollateral of the underlying assets for repayment(i.e., a structured security) is inherently differentfrom a security that relies on the financial capac-ity of the issuer for repayment. Therefore, afinancial institution should demonstrate anunderstanding of the features of a structuredsecurity that would materially affect its perfor-mance and that its risk of loss is low even underadverse economic conditions. Management’sassessment of key factors, such as those pro-vided in this guidance, will be considered acritical component of any structured securityevaluation. Existing OCC guidance, includingOCC Bulletin 2002-19, ‘‘Supplemental Guid-ance, Unsafe and Unsound Investment PortfolioPractices,’’ states that it is unsafe and unsoundto purchase a complex high-yield security with-out an understanding of the security’s structureand performing a scenario analysis that evalu-ates how the security will perform in differentdefault environments. Policies that specificallypermit this type of investment should establishappropriate limits, and prepurchase due dili-gence processes should consider the impact ofsuch purchases on capital and earnings under avariety of possible scenarios. The OCC expectsinstitutions to understand the effect economicstresses may have on an investment’s cashflows. Various factors can be used to define thestress scenarios. For example, an institutioncould evaluate the potential impact of changesin economic growth, stock market movements,unemployment, and home values on default andrecovery rates. Some institutions have theresources to perform this type of analytical workinternally. Generally, analyses of the applicationof various stress scenarios to a structured securi-ty’s cash flow are widely available from thirdparties. Many of these analyses evaluate theperformance of the security in a base case and amoderate and severe stress case environment.Even under severe stress conditions, the stressscenario analysis should determine that the riskof loss is low and full and timely repayment ofprincipal and interest is expected.

Maintaining an Appropriate and EffectivePortfolio Risk-Management Framework

The OCC has had a long-standing expectationthat national banks implement a risk-management process to ensure credit risk,

including credit risk in the investment portfolio,is effectively identified, measured, monitored,and controlled. The 1998 Interagency Supervi-sory Policy Statement on Investment Securitiesand End-User Derivatives Activities (PolicyStatement) contains risk-management standardsfor the investment activities of banks and sav-ings associations.5 The Policy Statement empha-sizes the importance of establishing and main-taining risk processes to manage the market,credit, liquidity, legal, operational, and otherrisks of investment securities. Other previouslyissued guidance that supplements OCC invest-ment standards are OCC 2009-15, ‘‘Risk Man-agement and Lessons Learned’’ (which high-lights lessons learned during the marketdisruption and re-emphasizes the key principlesdiscussed in previously issued OCC guidanceon portfolio risk management); OCC 2004-25,‘‘Uniform Agreement on the Classification ofSecurities’’ (which describes the importance ofmanagement’s credit-risk analysis and its use inexaminer decisions concerning investment secu-rity risk ratings and classifications); and OCC2002-19, ‘‘Supplemental Guidance, Unsafe andUnsound Investment Portfolio Practices’’(which alerts banks to the potential risk to futureearnings and capital from poor investment deci-sions made during periods of low levels ofinterest rates and emphasizes the importance ofmaintaining prudent credit, interest rate, andliquidity risk-management practices to controlrisk in the investment portfolio).

National banks must have in place an appro-priate risk-management framework for the levelof risk in their investment portfolios. Failure tomaintain an adequate investment portfolio risk-management process, which includes under-standing key portfolio risks, is considered anunsafe and unsound practice.

Having a strong and robust risk-managementframework appropriate for the level of risk in aninstitution’s investment portfolio is particularlycritical for managing portfolio credit risk. A keyrole for management in the oversight process isto translate the board of directors’ tolerance forrisk into a set of internal operating policies andprocedures that govern the institution’s invest-ment activities. Policies should be consistentwith the organization’s broader business strate-gies, capital adequacy, technical expertise, and

5. On April 23, 1998, the FRB, FDIC, NCUA, and OCCissued the ‘‘Supervisory Policy Statement on InvestmentSecurities and End-User Derivatives Activities.’’



risk tolerance. Institutions should ensure thatthey identify and measure the risks associatedwith individual transactions prior to acquisitionand periodically after purchase. This can bedone at the institutional, portfolio, or individualinstrument level. Investment policies alsoshould provide credit-risk concentration limits.Such limits may apply to concentrations relatingto a single or related issuer, a geographical area,and obligations with similar characteristics.Safety-and-soundness principles warrant effec-tive concentration risk-management programsto ensure that credit exposures do not reach anexcessive level.

The aforementioned risk-management poli-cies, principles, and due diligence processesshould be commensurate with the complexity ofthe investment portfolio and the materiality ofthe portfolio to the financial performance andcapital position of the institution. Investmentreview processes, following the pre-purchaseanalysis, may vary from institution to institutionbased on the individual characteristics of theportfolio, the nature and level of risk involved,and how that risk fits into the overall risk profileand operation of the institution. Investment port-folio reviews may be risk-based and focus onmaterial positions or specific groups of invest-ments or stratifications to enable analysis and

review of similar risk positions.As with pre-purchase analytics, some institu-

tions may have the resources necessary to domost or all of their portfolio reviews internally.However, some may choose to rely on thirdparties for much of the analytical work. Third-party vendors offer risk analysis and data bench-marks that could be periodically reviewedagainst existing portfolio holdings to assesscredit-quality changes over time. Holdingswhere current financial information or other keyanalytical data is unavailable should warrantmore frequent analysis. High-quality invest-ments generally will not require the same levelof review as investments further down thecredit-quality spectrum. However, any materialpositions or concentrations should be identifiedand assessed in more depth and more frequently,and any system should ensure an accurate andtimely risk assessment and reporting processthat informs the board of material changes to therisk profile and prompts action when needed.National banks should have investment port-folio review processes that effectively assessand manage the risks in the portfolio and ensurecompliance with policies and risk limits. Institu-tions should reference existing regulatory guid-ance for additional supervisory expectations forinvestment portfolio risk-management practices.

2126.2.2 LAWS, REGULATIONS, INTERPRETATIONS, AND ORDERS

Subject Laws 1 Regulations 2 Interpretations 3 Orders

State member banks are subject tosame limitations and conditions forinvestments activities as nationalbanks

24 (Sev-enth), 335

1, 208.21

Federal financial institution regula-tory agencies to remove referencesto, and requirements of reliance on,external credit ratings in any regu-lation that requires the assessmentof the creditworthiness of a secu-rity or money market instrument.

15 U.S.C.780

Supervisory and risk expectations 1, 160

Safety and soundness practices 1.5

1. 12 U.S.C., unless specifically stated otherwise.2. 12 C.F.R., unless specifically stated otherwise.3. Federal Reserve Regulatory Service reference.



Risk-Focused Supervision (Counterparty Credit RiskManagement Systems) Section 2126.3

Bank holding companies should directly man-age and control their aggregate risk exposureson a consolidated basis and, if appropriate, forindividual subsidiaries, in view of the distinctlegal existence of various subsidiaries and pos-sible obstacles to moving cash, other assets, andcontractual agreements among subsidiaries.1 SeeSR-99-3.

2126.3.1 FUNDAMENTAL ELEMENTSOF COUNTERPARTY CREDIT RISKMANAGEMENT

When conducting bank holding companyinspections and supervisory contacts, and whenmonitoring trading and derivatives activities,supervisors and examiners should fully eval-uate the integrity of certain key elements ofa banking organization’s (BO) counterpartycredit risk management process, such as thefollowing:

1. The BO’s assessment of counterparty credit-worthiness, both initially and on an ongoingbasis. A counterparty’s creditworthiness canbe evidenced by its capital strength, lev-erage, any on- and off-balance-sheet riskfactors, and contingencies. Creditworthinesscan also be evidenced by the counterparty’sliquidity, operating results, reputation, andability to understand and manage the risksinherent in its line of business, as well as therisks involved in the particular products andtransactions that define a particular customerrelationship.

2. The standards, methodologies, and tech-niques used in measuring counterparty-credit-risk exposures on an individual instru-ment, counterparty, and portfolio basis.

3. The use and management of credit enhance-ments to mitigate counterparty credit risks,including collateral arrangements andcollateral-management systems, contractualdowngrades or material-change triggers, andcontractual ‘‘option-to-terminate’’ or close-out provisions.

4. The risk-limit and -monitoring systems thatinvolve (1) setting meaningful limits oncounterparty credit risk, (2) monitoring expo-sures against those limits, and (3) initiatingmeaningful risk assessments and risk-controlling actions in the event that expo-sures exceed limits.

The confluence of competitive pressures, pur-suit of earnings, and overreliance on customerreputation can lead to substantive lapses in fun-damental risk-management principles regardingcounterparty risk assessment, exposure monitor-ing, and the management of credit-risk limits.Policies governing these activities may beunduly general so as to compromise their useful-ness in managing the risks involved with par-ticular types of counterparties. Practices maynot conform to the stated policies or their intent.Situations may also exist where internal con-trols, including documentation and independentreview, may be inadequate or lack rigor. Forsome larger BOs, regimes for measuring andmonitoring counterparty-credit-risk exposuremay be effective in more traditional areas ofcredit extension, but may need enhancementswhen used in trading and derivatives activities.

2126.3.2 TARGETING SUPERVISORYRESOURCES

When risk focusing their supervisory initiatives,examiners should continue to target those activ-ities and areas with significant growth andabove-normal profitability profiles—especiallyin trading and derivatives activities where thepress of business and competitive pressures mayinvite a BO to offer new product lines before theapproval of counterparties and the necessaryrisk-management infrastructure or proceduresare fully in place. Supervisors and examinersshould encourage a BO to adopt growth, profit-ability, and size criteria for their audit and inde-pendent risk-management functions to use intargeting their reviews.

2126.3.3 ASSESSMENT OFCOUNTERPARTYCREDITWORTHINESS

Supervisors and examiners should increase their

1. These basic principles are also to be employed in thesupervision of U.S. branches and agencies of foreign banks,with appropriate adaptations to reflect that (1) those officesare an integral part of a foreign bank that should be managingits risks on a consolidated basis and recognizing possibleobstacles to cash movements among branches, and (2) theforeign bank is subject to overall supervision by its home-country authorities.


focus on the appropriateness, specificity, andrigor of the policies, procedures, and internalcontrols that a BO currently uses to assessthe counterparty credit risks arising from itstrading and derivatives activities. BOs shouldhave extensive written policies covering theirassessment of counterparty creditworthiness forboth the initial due-diligence process (that is,before conducting business with a customer)and for ongoing monitoring. Examiners shouldfocus particular attention on how such policiesare structured and implemented. Broadly struc-tured, general policies that apply to all types ofcounterparties may prove inadequate for direct-ing staff in the proper review of the risks posedby particular types of counterparties. For exam-ple, although most policies call for the assess-ment and monitoring of the capital strength andleverage of customers, the assessment of hedge-fund counterparties should not rely exclusivelyon simple balance-sheet measures and tradi-tional assessments of financial condition. Thisinformation may be insufficient for those coun-terparties whose off-balance-sheet positions area source of significant leverage and whose riskprofiles are narrowly based on concentratedbusiness lines (such as with hedge funds andsimilar institutional investors). General policiescalling for periodic counterparty credit reviewsover significant intervals (such as annually) areanother example of broad policies that maycompromise the integrity of the assessmentof individual counterparties or types ofcounterparties—a counterparty’s risk profile canchange significantly over much shorter timehorizons.

Credit-risk-assessment policies should alsoproperly define the types of analyses to be con-ducted for particular types of counterpartiesbased on the nature of their risk profiles. Stresstesting and scenario analysis may be needed, inaddition to customizing fundamental analysesbased on industry and business-line charac-teristics. Customized analyses are particularlyimportant when a counterparty’s creditworthi-ness may be adversely affected by short-termfluctuations in financial markets, especiallywhen potential credit exposure to a counterpartyincreases at the same time the counterparty’scredit quality deteriorates.

Examiners should continue to pay specialattention to areas where banking organizationpractices may not conform to stated policies.Such supervisory efforts may be especially diffi-cult when the BO’s policies are not specificic

enough for it to properly focus its counterpartyrisk assessments. Therefore, examiners mustensure that the banking organization’s policiessufficiently address the risk profiles of particulartypes of counterparties and instruments. Thepolicies should specify (1) the types of counter-parties that may require special consideration;(2) the types and frequency of information to beobtained from such counterparties; (3) the typesand frequency of analyses to be conducted,including the need for and type of any stress-testing analysis; and (4) how such informationand analyses appropriately address the risk pro-file of the particular type of counterparty. Thisspecificity in credit-assessment policies is par-ticularly important when limited transparencymay hinder market discipline on the risk-takingactivities of counterparties—as may be the casewith hedge funds.

Examiners should also place increasingemphasis on ensuring that a BO’s existing prac-tice conforms both with its stated objectives andthe intent of its established policies. For exam-ple, some BOs may not obtain and evaluate allthe information on the financial strength, condi-tion, and liquidity of some types of counterpar-ties that may be required by their own policies.In highly competitive and fast-moving transac-tion areas, organizations should be sufficientlyrigorous in conducting the analyses specifiedin their policies, such as the review of a counter-party’s ability to manage the risks of itsbusiness.

Necessary internal controls for ensuring thatpractices conform with stated policies includeactively enforced documentation standards andperiodic independent reviews by internal audi-tors or other risk-control units, particularlyfor business lines, products, and exposures toparticular groups of counterparties and indi-vidual customers that exhibit significant growthor above-normal profitability. Using targetedinspections and reviews, examiners shouldevaluate the integrity of a BO’s internal con-trols. Examiners should thus conduct their owntransaction testing of such situations. This test-ing should include robust sampling of transac-tions with major counterparties in the targetedarea, as well as sufficient stratification to ensurethat practices involving smaller relationshipsalso adhere to stated policies.

2126.3.4 CREDIT-RISK-EXPOSUREMEASUREMENT

Financial market turbulence emphasizes theimportant interrelationships between market

Counterparty Credit Risk Management Systems 2126.3


movements and the credit-risk exposuresinvolved in derivatives activities. Accordingly,supervisors and examiners should be alert tosituations where a BO may need to be morediligent in conducting current computations ofthe loan equivalents and potential future expo-sures (PFE) that are used to measure, monitor,and control its derivatives counterparty creditexposure.

Most BOs fully recognize that the credit riskof derivatives positions includes both the cur-rent replacement cost of a contract as well as thecontract’s PFE. PFEs are generally calculatedusing statistical techniques to estimate the worstpotential loss over a specified time horizon atsome specified confidence interval (for exam-ple, 95 percent, 97.5 percent, and 99 percent),which is generally derived in some mannerfrom historically observed market fluctuations.Together with the current replacement cost, suchPFEs are used to convert derivatives contractsto ‘‘loan equivalents’’ for aggregating creditexposures across products and instruments.

The time horizon used to calculate PFEs canvary depending on the banking organization’srisk tolerance, collateral protection, and abilityto terminate its credit exposure. Some BOs mayuse a time horizon equal to the life of therespective instrument. While such a time hori-zon may be appropriate for unsecured positions,for collateralized exposures, the use of lifetime,worst-case-estimate PFEs may be ineffective tomeasure the true nature of counterparty riskexposure. While life-of-contract PFE measuresprovide an objective and conservative long-termexposure estimate, they bear little relationshipto the actual credit exposures typically incurredin the case of collateralized relationships. Insuch cases, a banking organization’s actualcredit exposure is the PFE from the time acounterparty fails to meet a collateral call untilthe time the bank liquidates its collateral andcloses out the derivative contract—a periodwhich is typically much shorter than the con-tract’s life. The lack of realism in conservativemeasurement can cause managers and traders todiscount them and may result in inappropriatelimits being set, thereby compromising theentire risk-management process.

More realistic measures of collateralizedcredit-risk exposures should also take intoaccount the shorter time horizons over whichaction can be taken to mitigate losses in times ofmarket stress. These measures should incorpo-rate estimates of collateral-recovery rates giventhe potential market liquidity impacts of stressevents on collateral values. Some BOs alreadydo stress tests, calculating measures that assess

the worst-case value of positions over a timehorizon of one or two weeks—their estimateof a reasonable liquidation period in times ofstress. They also perform scenario analyses ofcounterparty credit exposures. Stress testing andscenario analyses should evaluate the impactof large market moves on the credit exposureto individual counterparties, and they shouldassess the implications inherent in liquidatingpositions under such conditions. Analysesshould consider the effects of market liquidityon the value of positions and any related collat-eral. The use of meaningful scenario analyses isparticularly important since stress tests derivedfrom simple applications of higher confidenceintervals or longer time horizons to PFE, value-at-risk, and other measures may not adequatelycapture the market and exposure dynamicsunder turbulent market conditions, particularlyas they relate to the interaction between market,credit, and liquidity risk.

The results of stress testing and scenarioanalyses should be incorporated into seniormanagement reports. Such reports should pro-vide sufficient information to ensure an ade-quate understanding of the nature of the expo-sure and the analyses conducted. Informationshould also be sufficient to trigger risk-controlling actions where necessary.

Other BOs are moving to build the capabilityof estimating portfolio-based PFEs by any oneof several different time horizons or buckets,depending on the liquidity and breadth of theunderlying instrument or risk factor. Based onmanagement’s opinion of the appropriate work-out timeframe, different time horizons can beused for different counterparties, transactions, orcollateral types to more precisely define expo-sures. Supervisors and examiners should be alertto situations where collateralized exposures maybe inaccurately estimated, and should encouragemanagement at these BOs to enhance theirexposure-measurement systems accordingly.

Supervisors should also be cognizant of themanner in which the credit exposures are aggre-gated for individual counterparties. Some BOsmay take a purely transactional approach toaggregation andnot incorporate the netting oflong and short derivatives contracts, even whenlegally enforceable bilateral netting agreementsare available. In such cases,simple sum esti-mates of positive exposures may seriously over-estimate true credit exposure, and examinersshould monitor and encourage a BO’s move-ment toward more realistic measures of counter-



party exposure. Other BOs may take a portfolioapproach, in which information systems allowand incorporate netting (both within and acrossproducts, business lines, or risk factors) andportfolio correlation effects to construct morecomprehensive counterparty exposure measures.In such cases, supervisors should ensure that aBO has adequate internal controls governingexposure estimation, including robust model-review processes and data-integrity checks.

When stratifying samples and selecting thecounterparties and transactions to use for theirtargeted testing of practices and internal con-trols, supervisors and examiners should incor-porate measures of potential future exposureregardless of the collateralization of currentmarket-value exposures. As recent events haveshown, meaningful counterparty credit risks thatsurface during periods of stress can go undetec-ted when too much emphasis is placed on collat-eralization of current market values and onlyunsecured current market exposures are used fortargeting transaction testing.

2126.3.5 CREDIT ENHANCEMENTS

BOs continue to rely increasingly on differenttypes of credit enhancements to mitigate coun-terparty credit risks. These enhancementsinclude the use of collateral arrangements, con-tractual downgrades or material-change triggersthat enable the alteration of collateral or margin-ing arrangements, or the activation of contrac-tual ‘‘option to terminate’’ or closeout provi-sions.

CollateraIization of exposures has become anindustry standard for many types of counter-parties. Collateralization mitigates but does noteliminate credit risks. BOs therefore shouldensure that overreliance on collateral does notcompromise other elements of sound counter-party credit-risk management, such as the due-diligence process. Clear policies should governthe determination of loss thresholds and margin-ing requirements for derivatives counterpartiesof BOs. Such policies should not be so broadthat they compromise the risk-reducing natureof collateral agreements with specific types ofcounterparties. Policies governing collateralarrangements should specifically define thosecases in which initial and variation margin isrequired, and they should explicitly identifysituations in which the lack of transparency,business-line risk profiles, and other counter-

party characteristics merit special treatment—asmay be the case with some highly leveragedcounterparties such as hedge funds. Where con-sistent with the risk profile of the counterpartyand instruments involved, policies shouldspecify when margining requirements based onestimates of potential future exposures might bewarranted.

Adequate policies should also govern theuse of material-change triggers and closeoutprovisions, which should take into accountcounterparty-specific situations and risk pro-files. For example, closeout provisions based onannual events or material-change triggers basedon long-term performance may prove ineffec-tive for counterparties whose risk profiles canchange rapidly. Also, such material-change trig-gers, closeout provisions, and related covenantsshould be designed to adequately protect againstdeterioration in a counterparty’s creditworthi-ness. They should ensure that a BO is madeaware of adverse financial developments on atimely basis and should facilitate action as coun-terparty risk increases—well in advance of thetime when termination of a relationship isappropriate.

Internal assessments of potential risk expo-sures sometimes dictate loss thresholds, margin-ing requirements, and closeout provisions withsome counterparties. Insufficient internal con-trols may unduly expose certain BOs to these aswell as other types of trading and derivativescounterparties. When evaluating the manage-ment of collateral arrangements and other creditenhancements, examiners should not only assessthe adequacy of a banking organization’s poli-cies but should also determine whether internalcontrols are sufficient to ensure that practicescomply with these policies. Examiners shouldidentify the types of credit enhancements andcontractual covenants that are being used whenreviewing areas of counterparty risk manage-ment, and then determine whether the bankingorganization has sufficiently assessed the ade-quacy of these enhancements and covenantsrelative to the risk profile of the counterparty.

2126.3.6 CREDIT-RISK-EXPOSURELIMIT-SETTING AND MONITORINGSYSTEMS

Exposure-monitoring and limit systems are criti-cal to the effective management of counter-party credit risk. Examiners should focus spe-cial attention on the policies, practices, andinternal controls employed within such systemsat large, complex BOs. An effective exposure-



monitoring system consists of (1) establishingmeaningful limits on the risk exposures a BO iswilling to take, (2) independent, ongoing moni-toring of exposures against such limits, and(3) adequate controls to ensure that meaningfulrisk-controlling action takes place when limitsare exceeded. An effective exposure-monitoringand limit process depends on meaningfulexposure-measurement methodologies, so super-visors should closely evaluate measurementmethodologies, especially for the estimation ofPFEs. Inaccurate measurement can easily com-promise well-structured policies and procedures.Such situations can lead to limits driven pri-marily by customer demand and used only todefine and monitor customer facilities, ratherthan limits that serve as strict levels definedby credit management and that initiate risk-controlling actions.

Supervisors and examiners should also assessthe procedures used for controlling credit-riskexposures when they become large, when acounterparty’s credit standing weakens, or whenthe market comes under stress. Managementshould demonstrate its clear ability to reducelarge positions. Such actions can include ‘‘cap-ping’’ current exposures, curtailing new busi-ness, assigning transactions to another counter-party (where feasible), and restructuring thetransaction to limit potential exposure or makeit less sensitive to market volatility. BOs canalso use various credit-enhancement tools tomanage exposures that have become undulylarge or highly sensitive to market volatility.


1. To determine if sufficient resources aredevoted and adequate attention is given tothe management of the risks involved ingrowing, highly profitable, or potentiallyhigh-risk activities and product lines.

2. To ascertain if the banking organization’sinternal audit and independent risk-management functions adequately focus ongrowth, profitability, and risk criteria whentargeting their reviews.

3. To determine if there is an appropriatebalance among all elements of credit-riskmanagement.Thisbalanceincludesbothquali-tative and quantitative assessments of coun-terparty creditworthiness; measurement andevaluation of on- and off-balance sheet expo-sures, including potential future exposure;adequate stress testing; reliance on collateraland other credit enhancements; and the mon-

itoring of exposures against meaningfullimits.

4. To ascertain whether the banking organiza-tion employs policies that are sufficientlycalibrated to the risk profiles of particulartypes of counterparties and instruments,which ensures adequate credit-risk assess-ment, exposure measurement, limit setting,and use of credit enhancements.

5. To ensure that the banking organization’sactual business practices conform withtheir stated policies and the intent of thesepolicies.

6. To establish if the banking organization ismoving in a timely fashion to enhance itsmeasurement of counterparty credit-riskexposures, including refining potential futureexposure measures and establishing stress-testing methodologies to better incorporatethe interaction of market and credit risks.

7. To accomplish the above inspection objec-tives by using sufficient, targeted transactiontesting on those activities, business lines, andproducts experiencing significant growth,above-normal profitability, or large potentialfuture exposures.


1. Give increased focus to the adequacy, appro-priateness, specificity, and rigor of the poli-cies, procedures, and internal controls that aBO currently uses to assess the counterpartycredit risks arising from its trading andderivatives activities.a. Determine if sufficient written policies

cover the assessment of counterpartycreditworthiness for the initial due-diligence process (that is, before conduct-ing business with a customer) and forongoing monitoring.

b. Give particular attention to how such poli-cies are structured, their adequacy, andhow they are implemented.

2. Focus special attention on areas where aBO’s practices may not conform to its statedpolicies.a. Determine if the banking organization’s

policies sufficiently address the risk pro-files of its particular types of counter-parties and instruments.

b. Ascertain whether existing practices con-form to the stated objectives and theintent of the organization’s establishedpolicies.



3. Evaluate the banking organization’s docu-mentation standards.

4. Determine whether the internal reviews areadequately conducted for business lines,products, and exposures to particular groupsof counterparties and individual customersthat exhibit significant growth or above-normal profitability.

5. Evaluate the integrity of the internal controlsthat the banking organization uses to assessits own transaction testing during internalreviews.

6. Conduct independent targeted reviews of theinternal controls.a. Use robust sampling when testing transac-

tions of major counterparties within a tar-geted area.

b. Employ sufficient stratification to ensurethat practices involving smaller relation-ships also adhere to stated policies.

c. Be alert to situations whereby the currentcomputations of loan equivalents andpotential exposures—that are used tomeasure, monitor, and control derivativescounterparty credit exposures—could bedeliberately enhanced.

7. Determine if the banking organization needsto develop more meaningful measures ofcredit-risk exposures, such as using stresstesting and scenario analyses, under volatilemarket conditions.



Procedures for a Banking Entity to Request an ExtendedTransition Period for Illiquid Funds Section 2126.5

The Federal Reserve approved supervisory guid-ance on December 9, 2016, to provide bankingentities1 with information on the procedures forsubmitting a request for an extended transitionperiod for a hedge fund or private equity fund(referred to as “covered fund”) that qualifies asan illiquid fund pursuant to section 13 of theBank Holding Company Act of 1956 (BHCAct).2 Under the statute, a banking entity mustapply to the Board for an extended transitionperiod for an illiquid fund regardless of thebanking entity’s primary financial regulatoryagency. (Refer to the Board’s press releaseissued December 12, 2016, its attached State-

ment of Policy Regarding Illiquid Fund Invest-

ments Under Section 13 of the Bank Holding

Company Act, and its attached SR letter 16-18.)

2126.5.1 VOLKER RULE’SBACKGROUND

Section 619 of the Dodd-Frank Wall StreetReform and Consumer Protection Act added anew section 13 to the BHC Act, also known asthe Volcker rule, which generally prohibits anybanking entity from engaging in proprietarytrading or from acquiring or retaining an owner-ship interest in, sponsoring, or having certainrelationships with a covered fund, subject tocertain exemptions.3 The restrictions and prohi-bitions of section 13 of the BHC Act becameeffective on July 21, 2012;4 however, the statuteprovided banking entities a period of two yearsuntil July 21, 2014, to conform their activitiesand investments to the requirements of the stat-ute and any rule issued by the Board, the Officeof the Comptroller of the Currency (OCC), theFederal Deposit Insurance Corporation (FDIC),the Commodity Futures Trading Commission

(CFTC), and the Securities and Exchange Com-mission (SEC). The statute also granted exclu-sively to the Board authority to provide bankingentities additional time to conform or divesttheir activities and investments covered by sec-tion 13.

The statute provides that the Board may, byrule or order, extend this general conformanceperiod “for not more than one year at a time,”up to three times, if in the judgment of theBoard, an extension is consistent with the pur-poses of section 13 and would not be detrimen-tal to the public interest.5 On July 7, 2016, theBoard issued an order extending the final one-year conformance period for banking entities toconform investments in and relationships withcovered funds and foreign funds that were inplace prior to December 31, 2013 (legacy cov-ered funds) until July 21, 2017.6

Section 13 also permits the Board, upon theapplication of a banking entity, to provide anadditional transition period of up to five years toconform investments in a limited class of legacyilliquid funds.7 An illiquid fund is defined bythe statute as a fund that is “principallyinvested” in illiquid assets and holds itself outas employing a strategy to invest principally inilliquid assets.8 The statute provides that thisextension applies only to the extent that thebanking entity’s retention of the ownershipinterest in the fund, or provision of additionalcapital to the fund, is necessary to fulfill acontractual obligation of the banking entity thatwas in effect on May 1, 2010.9 The statuteprovides that the Board may grant an extensionfor each illiquid fund only once and for a periodof up to five years.10 The Board’s conformancerule sets forth provisions governing the submis-

1. The term “banking entity” is defined by statute toinclude, with limited exceptions: (i) any insured depositoryinstitution (IDI) (as defined in section 3 of the Federal DepositInsurance Act (12 U.S.C. 1813)); (ii) any company that con-trols an IDI (including a bank holding company (BHC),savings and loan holding company (SLHC), and any othercompany that controls an insured depository institution butthat is not a BHC or SLHC, such as the parent company of anindustrial loan company); (iii) any company that is treated asa bank holding company for purposes of section 8 of theInternational Banking Act of 1978 (for example, any foreignbank operating a branch or agency in the United States); and(iv) any affiliate or subsidiary of any of the foregoing (forexample, a broker-dealer subsidiary of a BHC). 12 U.S.C.1851(h)(1).

2. See 12 U.S.C. 1851(c)(3)-(4) and (h)(7).3. See 12 U.S.C. 1851.4. See 12 U.S.C. 1851(c)(1).

5. See 12 U.S.C. 1851(c)(2). The Board issued rules imple-menting the Volcker rule conformance provisions in 2011.See “Conformance Period for Entities Engaged in ProhibitedProprietary Trading or Private Equity Fund or Hedge FundActivities,” 76 Fed. Reg. 8265 (February 14, 2011) (confor-mance rule).

6. See Board press release, July 7, 2016, at:www.federalreserve.gov/newsevents/press/bcreg/20160707a.htm.

7. See 12 U.S.C. 1851(c)(3)-(4) and (h)(7).8. See12 U.S.C. 1851(h)(7).9. See 12 U.S.C. 1851(c)(3)(A). In addition, the statute

provides that a banking entity may not engage in a prohibitedcovered fund investment after the date on which the contrac-tual obligation to invest in the illiquid fund terminates. See12 U.S.C. 1851(c)(4)(A).

10. See 12 U.S.C. 1851(c)(3)(B).


http://www.federalreserve.gov/newsevents/press/bcreg/20160707a.htm

http://www.federalreserve.gov/newsevents/press/bcreg/20160707a.htm

sion and review of extension requests.11

In its statement of policy for legacy illiquidcovered funds, the Board also generally outlineda simplified and streamlined process for grant-ing extensions of the holding period for illiquidfunds. That process is outlined below.

2126.5.2 Requirements for SubmittingRequests

In filing a request for an extended transitionperiod for illiquid funds, a banking entity isexpected to provide

• a list or simple chart of illiquid funds forwhich an extension is sought.

• a short description of each fund, including theinvestment strategy and types of investmentsmade by each fund, which entity within thefirm holds the investment, the size of eachfund, the total exposure of the banking entityto each fund, the date by which each remain-ing illiquid fund is expected to mature by itsterms or be conformed to section 13 of theBHC Act, and the banking entity’s relation-ship with the fund (for example, general part-ner, sponsor, investment adviser, and inves-tor).

• a description of the banking entity’s specificefforts to divest or conform its illiquid funds,including a description of the overall coveredfunds (both liquid and illiquid) that have beendivested or conformed to date, the progressthat has been made towards divesting or con-forming the investments for which an exten-sion is being sought (for example, the numberof funds sold, the number of funds that con-tinue to be held, and the amount of invest-ments remaining in each fund and in aggre-gate).

• a certification by the general counsel or chiefcompliance officer of the entity that sponsorsor invests in the illiquid funds that each fundmeets the definition of illiquid funds in sec-tion 13 of the BHC Act and the Board’sconformance rule, including that the exten-sion is necessary to fulfill a contractual obliga-tion of the banking entity that was in effect onMay 1, 2010.12

• the length of the requested extension of the

conformance period and a description of thebanking entity’s plan for divesting or con-forming each illiquid fund prior to the end ofthe requested extension period.

In addition, the Federal Reserve may, on a case-by-case basis, require a banking entity to pro-vide a progress report on fund sales, maturities,or other conformance efforts as appropriate atany time during the period that the bankingentity continues to hold illiquid funds in reli-ance on an extension.

A banking entity would not be required toexercise a so-called “regulatory out” provision13

or otherwise seek consent from third parties (forexample, the general partner or other investorsin the fund) to terminate an investment in anilliquid fund in order to qualify for the extendedtransition period.

2126.5.3 Procedures for Filing anExtension Request

A request for an extended transition period forilliquid funds should be submitted in writing tothe Applications Unit of the appropriate FederalReserve Bank by the top-tier banking entity inthe district where it is headquartered (referred toas the “responsible Federal Reserve Bank”).14

The request may be submitted at any time atleast 180 days prior to the expiration of thegeneral conformance period (that is, at least 180days prior to July 21, 2017).15 In the case wherethe banking entity that sponsors or invests in theilliquid fund is supervised primarily by anotherfederal banking agency, the SEC, or the CFTC,the top-tier banking entity should also provide acopy of the extension request to the relevantagency for the subsidiary banking entity.16 Abanking entity also should provide the name,phone number, and email address of the banking

11. See 12 CFR 225.181 and 225.182.12. See 12 U.S.C. 1851(c)(3)-(c)(4) and (h)(7); and

12 CFR 225.180(f).

13. So-called “regulatory-out” provisions are provisionswhereby a banking entity’s contractual obligation to remaininvested in a fund may be excused or otherwise terminated ifthe banking entity’s compliance with the obligation wouldcause, or would be reasonably likely to cause, the bankingentity or the fund to be in violation of applicable laws andregulations.

14. For banking entities not regulated by the FederalReserve, the following link provides information on each ofthe 12 Reserve Banks, including their addresses:www.federalreserveeducation.org/about-the-fed/structure-and-functions/districts/. For Federal Reserve regulated bank-ing entities, notices may also be submitted electronicallythrough the Federal Reserve System’s Electronic ApplicationsSystem, E-Apps.

15. See 12 CFR 225.181(c)(1).16. Refer to the List of Contacts at Other Agencies within

the attachment one to SR-16-18.

Procedures for a Banking Entity to Request an Extended Transition Period for Illiquid Funds 2126.5


http://www.federalreserveeducation.org/about-the-fed/structure-and-functions/districts/

http://www.federalreserveeducation.org/about-the-fed/structure-and-functions/districts/

entity’s point of contact to whom Board andReserve Bank staff may submit all inquiries.

Authority to grant (but not to deny) requestshas been delegated to the Federal ReserveBanks, in consultation with Board staff. FederalReserve Banks may approve extension requestsif all of the following criteria are met:

• the extension request relates only to illiquidfunds;

• no significant issues have been identifiedregarding the firm’s compliance programrequired under section 248.20(c) of the finalrule (this citation applies to entities underFederal Reserve supervision)17 designed tohelp ensure and monitor compliance with theprohibitions and restrictions of the Volckerrule;

• the primary federal agency responsible forcompliance with the Volcker rule by the bank-ing entity that invests in or sponsors the illiq-uid fund (if other than the Federal Reserve)does not object to the extension;

• the banking entity has made meaningful prog-ress toward conforming the majority of itscovered fund investments (including fundsother than illiquid funds) as of the date of theextension request; and

• the banking entity provides supporting infor-mation regarding its efforts to conform theilliquid funds for which an extension is beingsought. Such supporting information could

include, but would not be limited to, informa-tion regarding specific bids that have beensought and other specific actions taken toconform the funds for which an extension isbeing sought.

Consistent with the statute, the extension wouldbe granted for the shortest of (i) five years fromthe date of the expiration of the general confor-mance period (that is, July 21, 2017), (ii) thedate by which each remaining fund is expectedto mature by its terms or be conformed to sec-tion 13 of the BHC Act, or (iii) a shorter perioddetermined by the Board. The responsible Fed-eral Reserve Bank should expect to act on anextension request within 30 days of receiving allrequired information. If the request does notmeet the requirements for delegated action, theFederal Reserve Bank will immediately referthe matter to the Board. The Board may thenapprove or deny the request based on the rel-evant facts. The Board expects that the illiquidfunds of banking entities will generally qualifyfor extensions, though extensions may not begranted in certain cases—for example, wherethe banking entity has not demonstrated mean-ingful progress to conform or divest its illiquidfunds, has a deficient compliance program underthe Volcker rule, or where the Board has con-cerns about evasion.

17. For the other agencies, refer to 12 CFR 44.20(c) (OCCrule); 12 CFR 351.20(c) (FDIC rule); 17 CFR 75.20(c) (CFTCrule); 17 CFR 255.20(c) (SEC rule).

Procedures for a Banking Entity to Request an Extended Transition Period for Illiquid Funds 2126.5


Interest-Rate Risk(Risk Management and Internal Controls) Section 2127.0

WHAT NEW IN THIS REVISEDSECTION

Effective January 2010 this section was revisedto include a brief overview of the January 6,2010, interagency advisory on interest-rate riskmanagement that targets interest-rate risk man-agement at insured depository institutions. Theadvisory does not constitute new guidance. Theprinciples and supervisory expectations dis-cussed within the guidance apply also to bankholding companies, which should manage andcontrol aggregate risk exposures on a consoli-dated basis. See SR-10-1.

2127.0.1 ASSESSING THEMANAGEMENT AND INTERNALCONTROLS OVER INTEREST-RATERISK

Interest-rate risk (IRR) is the exposure of abanking organization’s financial condition toadverse movements in interest rates. Acceptingthis risk can be an important source of profit-ability and shareholder value. However, exces-sive levels of IRR can pose a significant threatto a bank’s or bank holding company’s (BHC’s)earnings and capital base. Accordingly, effec-tive risk management that maintains IRR atprudent levels is essential to the organization’ssafety and soundness.

Evaluating a BHC’s exposure to changes ininterest rates is an important element of anyfull-scope inspection and may be the sole topicfor specialized or targeted inspections. Thisevaluation includes assessing both the adequacyof the management process used to control IRRand the organization’s quantitative level ofexposure. When assessing the IRR managementprocess, examiners should ensure that appropri-ate policies, procedures, management informa-tion systems, and internal controls are in placeto maintain IRR at prudent levels with consis-tency and continuity. Evaluating the quantitativelevel of IRR exposure requires examiners toassess the existing and potential future effects ofchanges in interest rates on a BHC’s consoli-dated financial condition including its capitaladequacy; earnings; liquidity; and, where appro-priate, asset quality. To ensure that these assess-ments are both effective and efficient, examinerresources must be appropriately targeted at thoseelements of an organization’s IRR that pose thegreatest threat to its financial condition. Thistargeting requires an inspection process built on

a well-focused assessment of IRR exposurebefore the on-site engagement, a clearly definedinspection scope, and a comprehensive programfor following up on inspection findings andongoing monitoring.

2127.0.2 JOINT AGENCY POLICYSTATEMENT: INTEREST-RATE RISK

The Board, together with the Office of theComptroller of the Currency and the FederalDeposit Insurance Corporation, adopted a May23, 1996, Joint Agency Policy Statement onInterest-Rate Risk, effective June 26, 1996. (SeeSR-96-13.) It provides guidance to examinersand bankers on sound practices for managingIRR, which form the basis for ongoing evalua-tion of the adequacy of IRR management atsupervised institutions.

The policy statement outlines fundamentalelements of sound management that have beenidentified in prior Federal Reserve guidance anddiscusses the importance of these elements inthe context of managing IRR.1 Specifically, theguidance emphasizes the need for active boardand senior management oversight and a compre-hensive risk-management process that effec-tively identifies, measures, and controls IRR.

Although the guidance targets IRR manage-ment at commercial banks and Edge Act corpo-rations, the basic principles presented in thepolicy statement are to be applied to bank hold-ing companies (BHCs). BHCs should manageand control aggregate risk exposure on a con-solidated basis by recognizing legal distinctionsand possible obstacles to cash movementsamong subsidiaries. The assessment of interest-rate risk management made by examiners inaccordance with the 1996 Joint Policy State-ment will be incorporated into a BHC’s overall

1. Guidance to examiners identifying fundamental ele-ments of sound risk management includes SR-00-14,‘‘Enhancements to the Interagency Program for Supervisingthe U.S. Operations of Foreign Banking Organizations’’;SR-96-14 (see section 2124.0), ‘‘Risk-Focused Safety andSoundness Examinations and Inspections’’; SR-96-13, ‘‘JointPolicy Statement on Interest-Rate Risk’’; SR-96-10, ‘‘Risk-Focused Fiduciary Examinations’’; SR-95-51 (see section4070.1), ‘‘Rating the Adequacy of Risk-Management Pro-cesses and Internal Controls at State Member Banks and BankHolding Companies’’; and SR-93-69 (see section 2125.0),‘‘Examining Risk Management and Internal Controls forTrading Activities of Banking Organizations.’’


risk-management rating. BHC examiners shouldrefer to section 4090.1 of the Commercial BankExamination Manual for more detailed inspec-tion guidance on the joint policy statement onIRR.

2127.0.3 INTERAGENCY ADVISORYON INTEREST RATE RISKMANAGEMENT

A January 6, 2010, interagency advisory wasissued by the Board of Governors of the FederalReserve System and other federal regulators2

that reminds institutions of supervisory expecta-tions on sound practices for managing IRR. Theadvisory does not constitute new guidance. Itreiterates basic principles of sound IRR manage-

ment that each of the regulators has codified inits existing guidance, as well as in the inter-agency guidance on IRR management issued bythe banking agencies in SR-96-13. The advisoryhighlights also the need for active board andsenior management oversight and a comprehen-sive risk-management process that effectivelymeasures, monitors, and controls IRR.

The advisory targets IRR management atinsured depository institutions. However, theprinciples and supervisory expectations articu-lated also apply to BHCs, which are remindedof long-standing supervisory guidance that theyshould manage and control aggregate risk expo-sures on a consolidated basis while recognizinglegal distinctions and possible obstacles to cashmovements among subsidiaries. See SR-10-1.

2 The other financial regulators include the FederalDeposit Insurance Corporation (FDIC), the National CreditUnion Administration (NCUA), the Office of the Comptrollerof the Currency (OCC), the Office of Thrift Supervision(OTS), and the Federal Financial Institutions ExaminationCouncil (FFIEC) State Liaison Committee (collectively, theregulators).

Interest-Rate Risk (Risk Management and Internal Controls) 2127.0


risk-focused safety-and-soundness inspections section 2124

Documents