The Federal Deposit Insurance Corporation (FDIC) has launched a consultation on proposed new guidelines that would establish standards for corporate governance and risk management at covered institutions with $10 billion or more in total consolidated assets. The guidelines would be introduced as a new Appendix C to the FDIC's safety and soundness regulations at 12 CFR Part 364 and would be enforceable under Section 39 of the Federal Deposit Insurance Act.
The key objective of the guidelines is to enhance the safety and soundness of institutions under the FDIC's supervision. They respond to the bank failures of spring 2023 involving Signature Bank and Silicon Valley Bank (SVB) and to the conclusion that inadequacies in governance and risk management practices played a significant role in the downfall of these banks. The proposed guidelines are very extensive and would entail requirements pertaining to governance, risk management practices, and board oversight. The key provisions are briefly discussed below; for more detailed, comprehensive information, please consult the enclosed legal document:
#### Key provisions of the proposed guidelines
(1) Board of Directors: Board Composition, Board Duties, and Committees:
Composition: The guidelines would require the Board to take diversity among Board members into account so as to best promote effective oversight of the institution's management and adherence to all applicable rules and regulations. In addition, a majority of a financial institution's board members should be independent, that is, not affiliated with the institution.
Board Duties: The guidelines would require the Board to establish a corporate culture and work environment that encourages responsible and ethical behavior. The Board should ensure that the culture does not condone unethical actions, imprudent risk-taking, or violations of laws and regulations in the pursuit of profit. Furthermore, the Board should require the CEO to develop a strategic plan for the institution. This plan should set clear objectives for the institution's management and be developed with input from various stakeholders. The plan should cover operating budgets and the institution's philosophy and mission. The Board should review and approve the plan annually, monitor its implementation, and ensure its alignment with approved policies. The Board would also have to provide and facilitate formal, ongoing training for Board members covering, among other topics, the products and services offered by the institution, the business risks it faces, developments in applicable laws and regulations, and other matters of relevance.
Committees: In addition to the existing audit committee, the guidelines would require the establishment of risk and compensation committees, along with corresponding risk management and compensation programs, to ensure sufficient oversight of management's risk-taking and compensation.
(2) Risk Management and Implementation of a Three Lines of Defense Model:
The guidelines would require that the above-noted risk management program of a covered institution effectively address the identification, measurement, monitoring, and management of risks. It should be tailored to the institution's current and expected risk environment and meet the minimum standards outlined in the guidelines. The program should also be commensurate with the institution's size, complexity, business model, and risk profile. It should encompass the relevant risk categories, such as credit, concentration, interest rate, liquidity, price, model, operational (including conduct, IT, cybersecurity, AML/CFT compliance, and third-party risk), strategic, and legal risks, as applicable. The Board or its risk committee should oversee and approve the risk management program and any modifications to it.
In addition, a covered institution would be required to adopt, review, and, where necessary, update a risk profile that outlines existing risks and defines risk tolerance thresholds, both at the institution level and for specific business segments and significant operations or products. The risk profile should encompass both qualitative elements and numerical thresholds.
Three Lines of Defense Model: Institutions would be required to adopt this model, under which three separate units, overseen by the CEO and the Board, assume responsibility and accountability for monitoring and reporting on the covered institution's adherence to the risk management program. These units are the business units (first line), the independent risk management unit led by a Chief Risk Officer (second line), and the internal audit unit led by a Chief Audit Officer (third line). The frequency of monitoring and reporting should be adjusted as needed, taking into account the magnitude and volatility of risks as well as any significant changes in the institution's business model, strategy, risk profile, or market conditions.
To conclude, it is worth noting that the proposed guidelines would allow a covered institution to rely on its parent company's risk governance framework to meet the risk management requirements, but only where the institution's risk profile closely aligns with that of its parent company and certain other conditions are met.