In a significant development for state nonmember banks with assets of at least $10 billion (Covered Institutions), the Federal Deposit Insurance Corporation (FDIC) has recently proposed comprehensive corporate governance and risk management guidelines in a notice of proposed rulemaking (NPR) that would impose significant requirements on a broad set of institutions that have historically fallen below the thresholds for this type of prescribed regulation and oversight. In particular, the NPR establishes new enforceable requirements on the Board of Directors (Board) of each Covered Institution in an effort to enhance the institution’s safety and soundness. As a result, failure to adhere to the requirements of any new regulation could result in the imposition of civil monetary penalties against the members of the Board itself. Because each Covered Institution would be expected to spend significant resources on recordkeeping, reporting, hiring, changes to internal systems and disclosure in order to comply with the NPR, affected institutions are encouraged to closely review the proposed guidelines and provide comments to the FDIC by the December 11, 2023 deadline.
The following reviews certain requirements set forth in the NPR:
Corporate Governance
To fulfill the obligations set out in the NPR, the Board (and each Board member) of each Covered Institution is required to ensure that the institution acts in a safe and sound manner and in compliance with all applicable laws and regulations. In a broad expansion of state corporate law fiduciary requirements, the FDIC states that the Board should consider the interests not only of shareholders, but also of depositors, creditors, customers, regulators and the public.
In addition, the Board, when assessing its overall composition, should consider how the diversity of members effectively promotes independent and effective oversight over management and satisfies all applicable requirements for independent and outside directors. Important aspects of diversity can include: skill differences; social, racial, ethnic, gender and age differences; and the extent of differences in stock ownership.
Duties of the Board
In addition to setting a corporate direction that encourages responsible and ethical behavior, the Board must establish a corporate culture that does not promote imprudent risk-taking or violations of law or regulation. The Board must also articulate clear objectives to management and direct management to adopt a written strategic plan that is consistent with policies the Board has previously approved. The strategic plan must cover a period of at least three (3) years and set forth not only an overarching mission statement and strategic objectives, but also a robust assessment of the risks that may affect the Covered Institution.
Furthermore, the Board must establish a written code of ethics that applies to all of the Covered Institution’s stakeholders (directors, officers and employees) and that addresses, among other subjects, conflicts of interest, integrity of financial recordkeeping, reporting of illegal or unethical behavior and compliance with laws and regulations.
The Board must actively oversee management, including all activities which pose a material risk to the Covered Institution, and select qualified executive officers with the competence and experience to run a financial institution. The Board must implement a formal review process to assess management performance and develop an effective succession plan in the event of loss of key officers.
The Board should ensure that compensation and performance incentives do not encourage executives and non-executives to take on imprudent risks and should review annually all compensation and performance management programs.
Board Committees
Each Covered Institution must have a compliant Audit Committee composed of independent and outside directors that oversees all accounting and financial reporting audits and processes related to financial statements and internal control over financial reporting.
Each Covered Institution must also have a Risk Committee that approves, reviews and updates, as necessary, the Covered Institution’s risk management policies and operations, and that broadly oversees the Covered Institution’s risk management framework.
Risk Management and Audit
Each Covered Institution must have and adhere to a risk management framework that identifies, measures, monitors and manages risk across a wide range of operating areas, including credit, liquidity, interest rate, operational (including information technology and cyber-security) and strategic risk.
In addition, each Covered Institution should create, and review at least quarterly, a risk profile that identifies its current risks. Based on the evaluation of its risk profile, the Covered Institution should establish appropriate risk limits in a written risk appetite statement, both in the aggregate and for each line of business as well as each material activity or bank product. That risk appetite statement, together with concentration risk limits and front line unit risk limits, should be incorporated into, among other programs: strategic and annual operating plans; capital stress testing and planning processes; compensation and performance management programs; and product and service risk management processes.
Each Covered Institution’s independent risk management unit should design a formal, written risk management program that implements the Covered Institution’s risk appetite statement and ensures appropriate compliance with laws and regulations.
The program should cover the following risk categories at a minimum: liquidity, interest rate, credit, concentration, model, operational (including cyber-security and information technology), strategic, and legal risk. Each program should be commensurate with the Covered Institution’s structure, risk profile, size and complexity.
Responsibility for compliance with the risk management program rests with three distinct units: the front line units, the independent risk management unit and the internal audit unit. Each of these units must be held accountable by the Chief Executive Officer and the Board.
Risk Limit Breaches
The Board must establish processes that require both the independent risk management unit and the front line units to identify breaches of the risk appetite statement, concentration risk limits and front line unit risk limits. In addition, the Board must establish accountability for reporting and resolving breaches, including consequences for risk limit breaches.
Processes Governing Identification of and Response to Violations of Law or Regulation
Finally, the Board must establish processes that adequately: respond to known or suspected violations of law or regulation; document all violations of law or regulations; and report all violations of law or regulation in a timely manner to the appropriate regulatory agency.
While bank regulatory agencies have, in the past, adopted corporate governance guidelines and guidance for financial institutions, the FDIC’s NPR imposes a potentially significant and broad enforceable governing framework on Covered Institutions. The exact scope of the final regulations will be the subject of heated debate within the FDIC and among the affected banks.