In October 2023, the FDIC announced a proposed rulemaking in the Federal Register, inviting comments on new guidelines for governance and risk management at FDIC-supervised insured depository institutions with assets exceeding $10 billion.
These guidelines, referred to as the Proposed Guidelines, would be added as Appendix C to the FDIC’s standards for safety and soundness in part 364 and enforced under Section 39 of the Federal Deposit Insurance Act (FDI Act). The link to the announcement and the guidelines is as follows:
https://www.fdic.gov/news/inactive-financial-institution-letters/2023/fil23055.html

The Proposed Guidelines aim to enhance the safety and soundness of these large institutions, particularly in the wake of the 2023 bank failures. The FDIC and the Federal Reserve Board (FRB) identified poor governance and risk management as key factors in the collapse of Signature Bank and Silicon Valley Bank (SVB). The FDIC drew on the Office of the Comptroller of the Currency (OCC) Guidelines for large insured national banks and the FRB's Regulation YY, intending to align its supervisory framework with the other federal banking regulators. However, the FDIC's threshold for application is significantly lower: the Proposed Guidelines would apply to banks with $10 billion or more in total assets, whereas the OCC and FRB thresholds are $50 billion and $100 billion, respectively.
The Proposed Guidelines also aim to formalize previous FDIC guidance and supervisory expectations, particularly regarding the role of the board of directors. Some aspects of these guidelines are more stringent and prescriptive than the OCC's Heightened Standards (often referred to as the Heightened Expectations), while others differ in their approach.1
The FDIC is inviting the public to submit its comments on the Proposed Guidelines, and the deadline for comments was extended to February 9, 2024.
The guidelines would heighten compliance burdens for covered institutions, especially regional banks, and potentially lead to more FDIC enforcement actions.
The guidelines include standards for corporate governance, risk management practices, and board oversight. Specifics include leveraging parent company structures for risk management and addressing the various categories of risk within the risk management program. The risk management program itself is organized around three lines of defense:
1) First line of defense, or front line units: the business and operational units that take and manage risk in the course of their activities. The Proposed Guidelines exclude a covered institution's legal department from this definition.
2) Second line of defense, or an independent risk management unit: led by a chief risk officer, this unit oversees risk identification, risk control, and compliance across the institution, independent of the front line.
3) Third line of defense, or an internal audit unit: led by a chief audit officer, this unit provides independent assurance over the effectiveness of the risk management program and the controls of the first two lines.
The CEO and the board should hold these three distinct units accountable for monitoring and reporting on the institution's compliance with the risk management program. Monitoring and reporting should be performed as often as necessary given the size and volatility of the institution's risks, and whenever there is a material change in the covered institution's business model, strategy, risk profile, or market conditions.
The Proposed Guidelines do allow a covered institution to use its parent company's risk governance framework to satisfy the guidelines where the covered institution's risk profile is substantially similar to that of its parent company, provided that:
1) Decisions made at the parent company level do not jeopardize the safety and soundness of the covered institution.
2) The covered institution's risk profile remains easily distinguishable and separate from that of its parent for risk management and supervisory reporting purposes.
The FDIC poses multiple questions regarding the scope of banks that should be subject to the Proposed Guidelines, including whether $10 billion or more in total consolidated assets is an appropriate threshold for FDIC-supervised institutions and whether other financial institutions should fall under the definition of covered institutions. As mentioned previously, comments are due by February 9, 2024.
The Proposed Guidelines represent a significant step by the FDIC to strengthen governance and risk management practices among large insured depository institutions. They reflect a concerted effort to learn from past failures and align with broader regulatory frameworks, albeit with some unique and more stringent requirements.