FDIC Proposes Corporate Governance and Risk Management Guidelines for State Nonmember Banks: Four Things to Know
October 23, 2023, Covington Alert
On October 3, 2023, the Board of Directors of the Federal Deposit Insurance Corporation (“FDIC”) approved a notice of proposed rulemaking that would create “Guidelines Establishing Standards for Corporate Governance and Risk Management for Covered Institutions with Total Consolidated Assets of $10 billion or More” (the “Proposed Guidelines”). The comment period for the Proposed Guidelines will close on December 11, 2023.
At a high level, the Proposed Guidelines are similar to the Guidelines Establishing Heightened Standards published by the Office of the Comptroller of the Currency (“OCC”) in 2014 (the “OCC Heightened Standards”).[1] Like the OCC Heightened Standards – but for FDIC-supervised institutions – the Proposed Guidelines would prescribe a structure for covered banks’ corporate governance and risk management programs, including a three lines of defense approach, an emphasis on written policies, and expectations for active board oversight. However, the Proposed Guidelines would apply to banks at a much smaller size threshold, and would be more prescriptive than the OCC Heightened Standards in key areas, including with regard to board composition and requirements for written policies.
1. The Proposed Guidelines would adopt a governance and risk management framework in the vein of the OCC Heightened Standards, but would apply to institutions significantly smaller in asset size.
The Proposed Guidelines are described in the preamble as a response to bank failures in 2008 and the spring of 2023 which, the FDIC explains, demonstrated that banks with poor corporate governance and risk management practices are at a higher risk of failure. The FDIC noted that its existing safety and soundness standards already contain general standards for governance and risk management by FDIC-supervised institutions, but that “[l]arger or more complex institutions should have more sophisticated and formal board and management structures and practices to ensure appropriate corporate governance.” The FDIC intends the Proposed Guidelines to address that need. In drafting the Proposed Guidelines, the FDIC considered the framework provided in the OCC Heightened Standards, as well as policies of the Board of Governors of the Federal Reserve System (the “Federal Reserve”) contained in Regulation YY and in various Supervision and Regulation Letters.[2]
The OCC Heightened Standards apply to any insured national bank, insured Federal savings association, or insured Federal branch of a foreign bank with total consolidated assets equal to or greater than $50 billion. The Proposed Guidelines, on the other hand, would apply to all insured state nonmember banks, insured state savings associations, and state-licensed insured branches of foreign banks with total consolidated assets equal to or greater than $10 billion.
As a result, the Proposed Guidelines would apply to a meaningful number of smaller banks in the $10 billion to $50 billion range that have not previously been subject to these types of prescriptive risk governance standards, which have typically been reserved for larger institutions. When the OCC promulgated its Heightened Standards in 2014, it noted in support of its chosen threshold that “the $50 billion asset criteria is a well understood threshold that the OCC and other Federal banking regulatory agencies have used to demarcate larger, more complex banking organizations from smaller, less complex banking organizations.” The FDIC, while noting that the OCC and Federal Reserve have tied heightened risk management expectations to the $50 billion threshold, justified its approach by stating that its “supervisory experience has shown that institutions with assets greater than $10 billion are larger, more complex, and present a higher risk profile.” This difference in approaches between the OCC and FDIC would result in an uneven playing field between national banks and state nonmember banks with total assets between $10 billion and $50 billion – state nonmember banks in that size range would be subject to significantly more prescriptive governance and risk management standards than their national bank counterparts.
Similarly to the OCC Heightened Standards, the Proposed Guidelines would also reserve to the FDIC the authority to identify banks under the size threshold that nonetheless “are highly complex or present a heightened risk that warrants the application” of the Proposed Guidelines.
2. The Proposed Guidelines would establish a risk governance framework that would be similar to the OCC Heightened Standards, but would differ in certain significant respects.
The framework contained in the Proposed Guidelines generally resembles the OCC Heightened Standards. Like the OCC Heightened Standards, the Proposed Guidelines would require covered institutions to follow the “three lines of defense approach” to risk management: frontline business units must assess their risk on an ongoing basis consistent with written policies, independent risk management is responsible for designing the overall risk management program and escalating any concerns to the CEO and the board of directors, and internal audit is responsible for maintaining an inventory of bank functions and associated risks and for developing written audit reports to be reviewed by the audit committee of the board of directors.
In addition, both the Proposed Guidelines and the OCC Heightened Standards hold independent risk management responsible for maintaining a written risk management program. Both also require that covered banks develop a risk appetite statement as well as processes for identifying and escalating breaches of that statement. Finally, both sets of standards envision active oversight of a bank’s risk management by the board, including through regular review of key written policies.
However, compared to the OCC Heightened Standards, the Proposed Guidelines would be more prescriptive as to the board composition, board activities, and written policies of covered banks:
- Majority of Independent Directors. Most notably, the Proposed Guidelines would require that a majority of a bank’s board of directors be made up of independent directors – in comparison, the OCC Heightened Standards require only two independent directors. If the Proposed Guidelines were finalized as-is, we expect that a number of covered banks would be forced to alter their board composition and search for additional independent directors.
- Stricter Independence Standards. In addition, under the Proposed Guidelines, a director would not be considered independent if he or she also serves on the board of directors of the bank’s holding company, unless that holding company conducts limited or no additional business outside the bank. In other words, the Proposed Guidelines would prohibit the use of majority-overlapping boards of directors at the bank and holding company level for many banking organizations. The subjectivity of the “limited or no additional business operations” standard would give the FDIC significant discretion to determine whether an institution can have majority-overlapping boards at the bank and holding company levels.
- Setting Tone From the Top. The Proposed Guidelines would require that the board of directors “set an appropriate tone,” that is, “establish a corporate culture and work environment that promotes responsible, ethical behavior” and that does not “condone or encourage imprudent risk-taking, unethical behavior, or violations of law, regulation, or policy in pursuit of profit or other business objectives.” While this concept of “setting the tone” does appear in the OCC’s Comptroller’s Handbook: Corporate and Risk Governance, it is not included in the OCC Heightened Standards. As a guidance document, the Comptroller’s Handbook may signal OCC enforcement priorities, but it is not itself enforceable, whereas the OCC Heightened Standards – and the Proposed Guidelines – are enforceable guidelines under the Federal Deposit Insurance Act.
- Documentation and Self-Reporting of Violations of Law. The Proposed Guidelines would require a board to establish processes to document all violations of law – no matter how technical or immaterial – and report them to the appropriate enforcement authority. This requirement would appear to be the first of its kind in federal banking law and does not have precedent in the historical approach of the FDIC or of the other federal banking agencies.
- Required Board Committees. The Proposed Guidelines would mandate that a covered bank’s board of directors establish certain committees, and identify the core responsibilities of these committees. Covered banks would be required to have a risk committee, an audit committee, a compensation committee, and a trust committee if the bank has trust powers. The OCC Heightened Standards (and the Comptroller’s Handbook), in contrast, only require an audit committee, and explicitly provide covered banks with the option to have the full board of directors undertake responsibilities that could be delegated to a risk committee, such as approving the appointment of a chief risk officer.
- Written Code of Ethics. The Proposed Guidelines would require that the board of directors of a covered bank establish a written code of ethics that covers directors, management, and employees, and addresses areas including conflicts of interest, integrity of financial recordkeeping, compliance with laws and regulations, and the bank’s whistleblower policy. The board of directors would be required to review the code of ethics at least annually. The Comptroller’s Handbook notes that the board of directors should adopt a written code of ethics, but this is not an explicit requirement in the OCC Heightened Standards.
- Review of All Written Policies. The Proposed Guidelines also contain a catch-all “Approve Policies” provision that would require the board to review, on an annual basis, all “policies that govern and guide the operations of the covered institution in accordance with its risk profile and as required by law and regulation.” As examples, the Proposed Guidelines would identify internal controls policies, loan and credit policies, asset and liability management policies, AML/CFT policies, consumer protection compliance policies, and Community Reinvestment Act policies. The Comptroller’s Handbook notes that reviewing and approving relevant policies is a responsibility of the board of directors, and provides a list of policies that are statutorily required to be approved by the board, but neither it nor the OCC Heightened Standards impose such a broad requirement of approving policies, and in fact, many institutions do not seek board approval for less significant policies.
- Strategic Plan and Risk Appetite Statement. Like the OCC Heightened Standards, the Proposed Guidelines would require the development of a written strategic plan, as well as a written risk appetite statement including both qualitative components and quantitative limits. However, the Proposed Guidelines would require quarterly review of the risk appetite statement, whereas the OCC Heightened Standards prescribe review annually, or more frequently as necessary based on the size and volatility of risks faced by a bank.
- Consideration of Non-Shareholder Constituencies. The Proposed Guidelines would provide that “[t]he board . . . should consider the interests of all its stakeholders, including shareholders, depositors, creditors, customers, regulators, and the public.” While the FDIC has articulated similar principles in prior guidance, such an uncabined obligation would introduce substantial uncertainty into board oversight processes designed to satisfy the fiduciary duties owed by the board.
3. The Proposed Guidelines would create the potential for more severe enforcement consequences more quickly than under the OCC Heightened Standards or Federal Reserve regulation and guidance.
Because the Proposed Guidelines incorporate a level of prescriptive detail that would typically be reflected in nonbinding agency guidance (such as the OCC’s Comptroller’s Handbook), the FDIC would have more avenues to take enforcement action against a bank for corporate governance and risk management deficiencies identified during examinations.
Both the OCC Heightened Standards and the FDIC’s Proposed Guidelines are based on Section 39 of the Federal Deposit Insurance Act, which authorizes the federal banking agencies to establish safety and soundness standards for insured depository institutions.[3] Section 39 contains a specific, non-exclusive enforcement mechanism under which an institution that fails to comply with a “guideline” may be required to submit a compliance plan. The institution’s failure to do so, or its material failure to comply with such a plan, can subject it to additional agency action, including the issuance of an order imposing growth restrictions or increased capital requirements. If such an order is violated, the relevant agency may bring an enforcement action in federal district court, bypassing the administrative hearing process, and may seek a civil money penalty for each day of the violation.[4]
In contrast, if an agency issues guidance containing additional detail that builds out the requirements in its binding guidelines – as the OCC has done with the Comptroller’s Handbook and the Federal Reserve has done with Supervision and Regulation Letters – the guidance is not itself enforceable. Failure to comply with guidance may be evidence of an unsafe or unsound practice, and the agency would typically write up one or more “matters requiring attention” or “matters requiring immediate attention” following an examination that revealed deficiencies measured against the expectations established in the guidance. Failure to remediate the deficiencies could lead to escalated agency action, including enforcement actions such as the imposition of a consent order. A bank’s failure to comply with the terms of an order could trigger an administrative process that the bank could contest, including through a hearing before an administrative law judge, who would recommend a decision to the appropriate agency head. After the agency head has issued a final decision, the bank could then seek federal court review. In sum, while banks do typically comply with requirements outlined in guidance documents, agencies have stronger authority for enforcing binding regulations and guidelines, and, in particular, may impose civil money penalties and bring binding enforcement actions more quickly. As such, the greater level of detail in the Proposed Guidelines compared to the OCC Heightened Standards (which are supplemented by the Comptroller’s Handbook) would enable the FDIC to take more aggressive enforcement action when it believes a bank’s conduct is inconsistent with its corporate governance and risk management standards.
4. If the Proposed Guidelines are adopted as proposed, a state nonmember bank would be subject to them only two quarters after it crosses the $10 billion asset threshold.
In addition to covering banks at a lower size threshold than the OCC Heightened Standards, the Proposed Guidelines would give banks crossing that threshold less time to comply with the Proposed Guidelines (or to seek to decrease total assets below the threshold). Under the Proposed Guidelines, a bank would be covered if its total consolidated assets have been $10 billion or greater in its two most recent quarterly call report filings, whereas the OCC Heightened Standards do not apply to a bank until its average total consolidated assets across the past four quarterly call report filings meets or exceeds the $50 billion threshold. And once a bank is covered under the Proposed Guidelines, it would remain covered until it reports total consolidated assets below $10 billion for four consecutive quarters. As a result, a bank that slightly exceeds the $10 billion threshold for two quarters would be subject to the Proposed Guidelines for at least one year, even if its total consolidated assets immediately fell back below $10 billion and/or its four quarter average assets never met or exceeded $10 billion.
If you have any questions regarding the content of this alert, please contact members of our Financial Services group.
[1] 12 C.F.R. Part 30, Appendix D.
[2] See 12 C.F.R. Part 252, Subpart C; SR 16–11, Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion (June 8, 2016; revised February 17, 2021); SR 95–51, Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies (Nov. 14, 1995; revised Feb. 26, 2021).
[3] See 12 U.S.C. § 1831p-1.