FDIC Proposal Would Create Supervisory Guidelines for Corporate Governance and Risk Management; Non-Compliance Would be Subject to Agency's Enforcement Authority

The Federal Deposit Insurance Corporation (the “FDIC”) has proposed formal corporate governance and risk management standards for banks with assets of $10 billion or more that are subject to FDIC supervision.  The detailed requirements would impose a significant compliance obligation on bank boards and management, and the proposal specifically notes that noncompliance would be subject to the agency’s enforcement authority under Section 39 of the Federal Deposit Insurance Act.  The proposal is the latest effort by bank regulators to address the serious corporate governance and risk management deficiencies that were identified at the large banks (Silicon Valley Bank, Signature Bank and First Republic Bank) that failed earlier this year.  While the proposed rules are generally similar to guidance issued by the Office of the Comptroller of the Currency and the Federal Reserve Board for institutions with assets of $50 billion or more, the FDIC determined that institutions with assets of $10 billion or more present a level of complexity and a sufficiently higher risk profile to require compliance with more prescriptive standards.  There are currently 57 institutions that would be subject to the new standards.  The proposal is subject to comment through December 11, 2023.

Under the proposal, banks that cross the $10 billion asset threshold would have a two-quarter “on ramp” to bring their corporate governance and risk management structure into compliance.  However, banks approaching the $10 billion threshold would be expected to develop a compliance program in advance or reduce their assets below the threshold.  Banks that drop below the threshold for four consecutive quarters would not be subject to the standards.

Perhaps the most notable aspect of the proposed standards is that the covered institutions and their board of directors and senior management would be subject to the agency’s enforcement authority under Section 39 of the Federal Deposit Insurance Act in the event of noncompliance.  By issuing the rules under the FDIC’s safety and soundness authority, the agency preserved the full range of enforcement sanctions if covered institutions fail to comply with the standards.  The weight of this authority is likely to fall most heavily on the board of directors, the chief risk officer and the chief audit officer, all of whom are singled out for heightened scrutiny by the proposed standards.

Much of the guidance included in the proposed standards is familiar to larger banks that have already deployed a “three-lines-of-defense” approach to corporate governance and risk management.  However, the standards adopt a specific requirement that covered institutions implement a three-lines-of-defense structure.  The structure begins with the responsibility of front-line business units to ensure that their activities do not create excessive risk for the institution.  At the second line, an independent risk management unit under the direction of the chief risk officer is charged with identifying, assessing and overseeing risk-taking activities on an ongoing basis.  Finally, the third line of defense rests with internal audit, under the direction of a chief audit officer, which ensures that the institution complies with applicable laws and regulation and that business units are actually meeting risk management expectations.

The proposed standards identify a broad range of responsibilities for a covered bank’s board of directors.  The standards mandate an “appropriately sized, diverse board of directors,” focusing on the development of a board with diverse demographics, opinions, experience and ownership levels.  A board that lacks these characteristics, the proposal notes, “may result in a lack of creativity or individual responsibility for decisions or gaps in knowledge or experience,” resulting in increased risk for the institution.

The proposal outlines a series of specific governance responsibilities for the board of directors, including, among other things, the following:

  • The board is responsible for setting the “tone at the top” by creating a culture and environment that does not condone excessive risk-taking, unethical behavior, or violations of law in the pursuit of profit or other business strategies.
  • The board is charged with responsibility for adopting a written code of ethics that addresses conflicts of interest, proper use of the bank’s assets, integrity of financial recordkeeping, and compliance with law and regulation.
  • The board must maintain active oversight of management, including all material risk-taking activities. Management must be held accountable for adhering to the bank’s strategic plan.
  • Each board member must exercise independent judgment, and boards must avoid the situation where a dominant board member or senior executive exercises excessive influence over the board.
  • The board must establish, and review on an annual basis, compensation and performance management programs to ensure that incentive arrangements are properly structured to avoid safety and soundness risks.
  • The board of every covered institution must establish an audit committee consisting of independent directors, and institutions with trust powers must establish a separate trust committee.

The board and management share a number of governance responsibilities:

  • Develop and review on a quarterly basis the institution’s risk appetite statement.
  • Develop a comprehensive program that covers a broad range of operational risk considerations including credit risk, interest rate risk, liquidity risk, AML/CFT risk, and vendor risk. The program must include defined policies and procedures for risk management governance and the risk control environment for business operations.
  • Develop a structure whereby each of the three lines of defense may be held accountable by the CEO and the board for monitoring and reporting on compliance with the institution’s risk management program. The tasks must be performed as frequently as necessary based on the nature of the risks and in the event of a material change to the institution’s business model, strategy, risk profile, or market conditions.
  • Establish a process for identifying risk limit breaches that distinguishes breaches based on their severity and a procedure that provides notice to the FDIC in the event of a risk limit breach, including an assessment of the impact of the breach and a proposed remediation plan.
  • Establish a process for identifying violations of law and regulations, including reporting of all violations to the agency with oversight responsibility.

The proposal seeks comment on several aspects of the proposed standards, including the following:

  • Does the proposal create adequate corporate governance and risk management standards?
  • Is the $10 billion asset threshold appropriate or should it be higher or lower?
  • Should the standards be differentiated to address specific concerns relative to institutions with assets of $50 billion or more?
  • Should an application process be implemented to allow for exemptions from the standards?
  • Should the depository institution and its holding company have separate risk management staff?
  • Should the chief risk officer and chief audit officers report to the full board or to board committees?

The proposal is not free from controversy among FDIC board members. Vice Chairman Travis Hill declined to support the proposal, suggesting that FDIC supervision should focus less on process and more on core safety and soundness risks.  Hill urged his fellow FDIC board members to redirect their energies to oversight of an institution’s core financial condition rather than “micromanaging” governance.  Similarly, FDIC board member Jonathan McKernan voted against the proposal, citing a number of areas where the FDIC proposal deviated from the similar OCC guidance to the detriment of safety and soundness compliance.  Specifically, McKernan noted that the proposal shifted a number of key responsibilities to the board that should be assigned to senior management, including the responsibility to ensure compliance with law and regulations.  McKernan was also critical of the proposal’s statements regarding board composition, which, he opined, “could be construed as setting a regulatory expectation with respect to racial, ethnic, gender, and other diversity on the board.”

The proposed standards are certain to generate significant comment and controversy, although many covered banks, and particularly those banks in the $50 billion and above asset class, have already adopted governance and risk management structures that come very close to the proposed standards.  However, it is reasonable to assume that the guidance is unlikely to survive exactly as proposed.  There are a number of areas where a lack of clarity and precision in the scope of the requirements could impose burdens on a covered institution that are out of proportion to the perceived safety and soundness risks.  This concern is particularly acute where such institutions are required to report events like risk limit breaches or violations of law and regulations to regulatory bodies. Such micromanaging is likely to divert the attention of the board and management from more pressing operational concerns.  Nevertheless, the proposal bears watching, and covered institutions should review their existing governance and risk management structure to identify areas where current practices may be at odds with the broad intent of the proposed standards.

Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their