Agency Information Collection Activities: Information Collection Renewal; Comment Request; OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches, 48892-48895 [2017-22723]

Agencies

• Office of the Comptroller of the Currency
• DEPARTMENT OF THE TREASURY

[Federal Register Volume 82, Number 202 (Friday, October 20, 2017)]
[Notices]
[Pages 48892-48895]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-22723]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities: Information Collection 
Renewal; Comment Request; OCC Guidelines Establishing Heightened 
Standards for Certain Large Insured National Banks, Insured Federal 
Savings Associations, and Insured Federal Branches

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, as part of its continuing effort to reduce paperwork 
and respondent burden, invites the general public and other Federal 
agencies to take this opportunity to comment on a continuing 
information collection, as required by the Paperwork Reduction Act of 
1995 (PRA).
    In accordance with the requirements of the PRA, the OCC may not 
conduct or sponsor, and the respondent is not required to respond to, 
an information collection unless it displays a currently valid Office 
of Management and Budget (OMB) control number.
    The OCC is finalizing the renewal of its information collection 
titled, ``OCC Guidelines Establishing Heightened Standards for Certain 
Large Insured National Banks, Insured Federal Savings Associations, and 
Insured Federal Branches.'' The OCC is also giving notice that it has 
sent the collection to OMB for review.

DATES: Comments must be submitted on or before November 20, 2017.

ADDRESSES:  Because paper mail in the Washington, DC area and at the 
OCC is subject to delay, commenters are encouraged to submit comments 
by email, if possible. Comments may be sent to: Legislative and 
Regulatory Activities Division, Office of the Comptroller of the 
Currency, Attention: 1557-0321, 400 7th Street SW., Suite 3E-218, 
Washington, DC 20219. In addition, comments may be sent by fax to (571) 
465-4326 or by electronic mail to prainfo@occ.treas.gov. You may 
personally inspect and photocopy comments at the OCC, 400 7th Street 
SW., Washington, DC 20219. For security reasons, the OCC requires that 
visitors make an appointment to inspect comments. You may do so by 
calling (202) 649-6700 or, for persons who are deaf or hearing 
impaired, TTY, (202) 649-5597. Upon arrival, visitors will be required 
to present valid government-issued photo identification and submit to 
security screening in order to inspect and photocopy comments.
    All comments received, including attachments and other supporting 
materials, are part of the public record and subject to public 
disclosure. Do not include any information in your comment or 
supporting materials that you consider confidential or inappropriate 
for public disclosure.
    Additionally, please send a copy of your comments by mail to: OCC 
Desk Officer, 1557-0319, U.S. Office of Management and Budget, 725 17th 
Street NW., #10235, Washington, DC 20503, or by email to: 
oira_submission@omb.eop.gov.

FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance 
Officer, (202) 649-5490 or, for persons who are deaf or hearing 
impaired, TTY, (202) 649-5597, Legislative and Regulatory Activities 
Division, Office of the Comptroller of the Currency, 400 7th Street 
SW., Suite 3E-218, Washington, DC 20219.

SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501-3520), Federal 
agencies must obtain approval from OMB for each collection of 
information that they conduct or sponsor. ``Collection of information'' 
is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency 
requests or requirements that members of the public submit reports, 
keep records, or provide information to a third party. Section 
3506(c)(2)(A) of title 44 requires Federal agencies to provide a 60-day 
notice in the Federal Register concerning each proposed collection of 
information, including each proposed extension of an existing 
collection of information, before submitting the collection to OMB for 
approval. To comply with this requirement, the OCC is publishing notice 
of the proposed collection of information set forth in this document.
    Title: OCC Guidelines Establishing Heightened Standards for Certain 
Large Insured National Banks, Insured Federal Savings Associations, and 
Insured Federal Branches.
    OMB Control No.: 1557-0321.
    Description: The OCC's guidelines codified in 12 CFR part 30, 
appendix D establish minimum standards for the design and 
implementation of a risk governance framework for insured national 
banks, insured Federal savings associations, and insured Federal 
branches of a foreign bank (bank). The guidelines apply to a bank with 
average total consolidated assets: (i) Equal to or greater than $50 
billion; (ii) less than $50 billion if that bank's parent company 
controls at least one insured national bank or insured Federal savings 
association that has average total consolidated assets of $50 billion 
or greater; or (iii) less than $50 billion, if the OCC determines such 
bank's operations are highly complex or otherwise present a heightened 
risk as to warrant the application of the guidelines (covered banks). 
The guidelines also establish minimum standards for a board of 
directors in overseeing the framework's design and implementation. 
These guidelines were finalized on September 11, 2014.\1\ The OCC 
proposed renewing the information collection associated with the 
guidelines on July 5, 2017.\2\ The OCC is now seeking OMB approval to 
renew the information collection associated with these guidelines.
---------------------------------------------------------------------------

    \1\ 79 FR 51518.
    \2\ 82 FR 31151.
---------------------------------------------------------------------------

    The standards contained in the guidelines are enforceable under 
section 39 of the Federal Deposit Insurance Act (FDIA),\3\ which 
authorizes the OCC to prescribe operational and managerial standards 
for insured national banks, insured Federal savings associations, and 
insured Federal branches of a foreign bank.
---------------------------------------------------------------------------

    \3\ 12 U.S.C. 1831p-1. Section 39 was enacted as part of the 
Federal Deposit Insurance Corporation Improvement Act of 1991, 
Public Law 102-242, section 132(a), 105 Stat. 2236, 2267-70 (Dec. 
19, 1991).
---------------------------------------------------------------------------

    The guidelines formalize the OCC's heightened expectations program. 
They also further the goal of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act of 2010 \4\ to strengthen the financial system 
by focusing management and boards of directors on improving and 
strengthening risk management practices and governance, thereby 
minimizing the probability and impact of future financial crises.
---------------------------------------------------------------------------

    \4\ Public Law 111-203, 124 Stat. 1376 (2010).
---------------------------------------------------------------------------

    The standards for the design and implementation of the risk 
governance framework, which contain collections of information, are as 
follows:

[[Page 48893]]

Standards for Risk Governance Framework

    Covered banks should establish and adhere to a formal, written risk 
governance framework designed by independent risk management. It should 
include delegations of authority from the board of directors to 
management committees and executive officers as well as risk limits 
established for material activities. It should be approved by the board 
of directors or the board's risk committee and reviewed and updated at 
least annually by independent risk management.

Front Line Units

    Front line units should take responsibility and be held accountable 
by the Chief Executive Officer (CEO) and the board of directors for 
appropriately assessing and effectively managing all of the risks 
associated with their activities. In fulfilling this responsibility, 
each front line unit should, either alone or in conjunction with 
another organizational unit that has the purpose of assisting a front 
line unit: (i) Assess, on an ongoing basis, the material risks 
associated with its activities and use such risk assessments as the 
basis for fulfilling its responsibilities and for determining if 
actions need to be taken to strengthen risk management or reduce risk 
given changes in the unit's risk profile or other conditions; (ii) 
establish and adhere to a set of written policies that include front 
line unit risk limits (such policies should ensure risks associated 
with the front line unit's activities are effectively identified, 
measured, monitored, and controlled, consistent with the covered bank's 
risk appetite statement, concentration risk limits, and all policies 
established within the risk governance framework); (iii) establish and 
adhere to procedures and processes, as necessary to maintain compliance 
with the policies described in (ii); (iv) adhere to all applicable 
policies, procedures, and processes established by independent risk 
management; (v) develop, attract, and retain talent and maintain 
staffing levels required to carry out the unit's role and 
responsibilities effectively; (vi) establish and adhere to talent 
management processes; and (vii) establish and adhere to compensation 
and performance management programs.

Independent Risk Management

    Independent risk management should oversee the covered bank's risk-
taking activities and assess risks and issues independent of the front 
line units by: (i) Designing a comprehensive written risk governance 
framework commensurate with the size, complexity, and risk profile of 
the covered bank; (ii) identifying and assessing, on an ongoing basis, 
the covered bank's material aggregate risks and using such risk 
assessments as the basis for fulfilling its responsibilities and for 
determining if actions need to be taken to strengthen risk management 
or reduce risk given changes in the covered bank's risk profile or 
other conditions; (iii) establishing and adhering to enterprise 
policies that include concentration risk limits; (iv) establishing and 
adhering to procedures and processes to ensure compliance with policies 
in (iii); (v) identifying and communicating to the CEO and board of 
directors or board's risk committee material risks and significant 
instances where independent risk management's assessment of risk 
differs from that of a front line unit, and significant instances where 
a front line unit is not adhering to the risk governance framework; 
(vi) identifying and communicating to the board of directors or the 
board's risk committee material risks and significant instances where 
independent risk management's assessment of risk differs from the CEO, 
and significant instances where the CEO is not adhering to, or holding 
front line units accountable for adhering to, the risk governance 
framework; and (vii) developing, attracting, and retaining talent and 
maintaining staffing levels required to carry out the unit's role and 
responsibilities effectively while establishing and adhering to talent 
management processes and compensation and performance management 
programs.

Internal Audit

    Internal audit should ensure that the covered bank's risk 
governance framework complies with the Guidelines and is appropriate 
for the size, complexity, and risk profile of the covered bank. It 
should maintain a complete and current inventory of all of the covered 
bank's material processes, product lines, services, and functions, and 
assess the risks, including emerging risks, associated with each, which 
collectively provide a basis for the audit plan. It should establish 
and adhere to an audit plan, which is periodically reviewed and 
updated, that takes into account the covered bank's risk profile, 
emerging risks, issues, and establishes the frequency with which 
activities should be audited. The audit plan should require internal 
audit to evaluate the adequacy of and compliance with policies, 
procedures, and processes established by front line units and 
independent risk management under the risk governance framework. 
Significant changes to the audit plan should be communicated to the 
board's audit committee. Internal audit should report in writing, 
conclusions and material issues and recommendations from audit work 
carried out under the audit plan to the board's audit committee. 
Reports should identify the root cause of any material issues and 
include: (i) A determination of whether the root cause creates an issue 
that has an impact on one organizational unit or multiple 
organizational units within the covered bank; and (ii) a determination 
of the effectiveness of front line units and independent risk 
management in identifying and resolving issues in a timely manner. 
Internal audit should establish and adhere to processes for 
independently assessing the design and ongoing effectiveness of the 
risk governance framework on at least an annual basis. The independent 
assessment should include a conclusion on the covered bank's compliance 
with the standards set forth in the Guidelines. Internal audit should 
identify and communicate to the board's audit committee significant 
instances where front line units or independent risk management are not 
adhering to the risk governance framework. Internal audit should 
establish a quality assurance program that ensures internal audit's 
policies, procedures, and processes comply with applicable regulatory 
and industry guidance, are appropriate for the size, complexity, and 
risk profile of the covered bank, are updated to reflect changes to 
internal and external risk factors, emerging risks, and improvements in 
industry internal audit practices, and are consistently followed. 
Internal audit should develop, attract, and retain talent and maintain 
staffing levels required to effectively carry out its role and 
responsibilities. Internal audit should establish and adhere to talent 
management processes and compensation and performance management 
programs that comply with the guidelines.

Strategic Plan

    The CEO, with input from front line units, independent risk 
management, and internal audit, should be responsible for the 
development of a written strategic plan that should cover, at a 
minimum, a three-year period. The board of directors should evaluate 
and approve the plan and monitor management's efforts to implement the 
strategic plan at least annually. The plan should include a 
comprehensive assessment of risks that impact the covered bank, an 
overall mission

[[Page 48894]]

statement and strategic objectives, an explanation of how the covered 
bank will update the risk governance framework to account for changes 
to its risk profile projected under the strategic plan, and be 
reviewed, updated, and approved due to changes in the covered bank's 
risk profile or operating environment that were not contemplated when 
the plan was developed.

Risk Appetite Statement

    A covered bank should have a comprehensive written statement that 
articulates its risk appetite that serves as the basis for the risk 
governance framework. It should contain qualitative components that 
describe a safe and sound risk culture and how the covered bank will 
assess and accept risks and quantitative limits that include sound 
stress testing processes and address earnings, capital, and liquidity.

Risk Limit Breaches

    A covered bank should establish and adhere to processes that 
require front line units and independent risk management to: (i) 
Identify breaches of the risk appetite statement, concentration risk 
limits, and front line unit risk limits; (ii) distinguish breaches 
based on the severity of their impact; (iii) establish protocols for 
disseminating information regarding a breach; (iv) provide a written 
description of the breach resolution; and (v) establish accountability 
for reporting and resolving breaches.

Concentration Risk Management

    The risk governance framework should include policies and 
supporting processes appropriate for the covered bank's size, 
complexity, and risk profile for effectively identifying, measuring, 
monitoring, and controlling the covered bank's concentrations of risk.

Risk Data Aggregation and Reporting

    The risk governance framework should include a set of policies, 
supported by appropriate procedures and processes, designed to provide 
risk data aggregation and reporting capabilities appropriate for the 
covered bank's size, complexity, and risk profile and to support 
supervisory reporting requirements. Collectively, these policies, 
procedures, and processes should provide for: (i) The design, 
implementation, and maintenance of a data architecture and information 
technology infrastructure that support the covered bank's risk 
aggregation and reporting needs during normal times and during times of 
stress; (ii) the capturing and aggregating of risk data and reporting 
of material risks, concentrations, and emerging risks in a timely 
manner to the board of directors and the OCC; and (iii) the 
distribution of risk reports to all relevant parties at a frequency 
that meets their needs for decision-making purposes.

Talent and Compensation Management

    A covered bank should establish and adhere to processes for talent 
development, recruitment, and succession planning. The board of 
directors or appropriate committee should review and approve a written 
talent management program. A covered bank should also establish and 
adhere to compensation and performance management programs that comply 
with any applicable statute or regulation.

Board of Directors Training and Evaluation

    The board of directors of a covered bank should establish and 
adhere to a formal, ongoing training program for all directors. The 
board of directors should also conduct an annual self-assessment.

Response to Comments

    The OCC received one comment from an individual in response to the 
proposed renewal. The commenter suggested that the OCC rescind and not 
renew the information collection associated with appendix D of 12 CFR 
part 30 for a number of reasons.
    The commenter suggested that almost one half of the banks subject 
to appendix D have total assets that are significantly less than $50 
billion but the narrative surrounding ``heightened standards'' leads 
the public to believe that the guidelines are only applicable to the 
largest banks or banks that are highly complex or present a heightened 
risk. Appendix D applies to 34 OCC-supervised banks.\5\ Ten of these 34 
banks have less than $50 billion in average total consolidated assets. 
Appendix D applies to banks with less than $50 billion in average total 
consolidated assets if a bank's parent company controls at least one 
other bank with average total consolidated assets equal to or greater 
than $50 billion or if the OCC determines such bank's operations are 
highly complex or otherwise present a heightened risk as to warrant the 
application of appendix D. Of the 10 banks covered by appendix D that 
have less than $50 billion in average total consolidated assets, eight 
are covered because their parent companies control another bank with 
average total consolidated assets equal to or greater than $50 
billion.\6\ One of the two remaining banks is a covered bank because 
the OCC exercised its reservation of authority to apply appendix D to 
the bank.\7\ The other remaining bank is covered because that bank 
previously had average total consolidated assets equal to or greater 
than $50 billion. Appendix D applies to a bank with less than $50 
billion in average total consolidated assets when that bank's parent 
company controls at least one bank with average total consolidated 
assets equal to or greater than $50 billion because, in some instances, 
the OCC has observed that a covered bank's parent company does not pay 
sufficient attention to the operations of these smaller entities in a 
holding company structure. Appendix D covers these entities because the 
OCC believes that a covered bank's parent company should devote 
adequate attention to assessing and managing the risk associated with 
these entities' activities. These smaller covered banks are affiliates 
of large banking organizations, which should have the compliance 
resources to cover all of their bank charters.
---------------------------------------------------------------------------

    \5\ In the July 5, 2017, Federal Register notice proposing a 
renewal of the information collection associated with appendix D to 
12 CFR part 30, the OCC calculated that 41 OCC-supervised entities 
were subject to appendix D. The calculation has been updated. This 
reduced number of respondents is due in part to the fact that 
certain large banking organizations have consolidated the number of 
bank charters within their holding company structure.
    \6\ The commenter requested that the OCC disclose the number of 
banks with less than $10 billion in total assets that are subject to 
appendix D. There are five covered banks with average total 
consolidated assets less than $10 billion, all of which are covered 
banks because their parent companies control another bank with 
average total consolidated assets equal to or greater than $50 
billion.
    \7\ https://www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-105a.pdf.
---------------------------------------------------------------------------

    The commenter also indicated that the OCC's annual burden estimate 
for appendix D was excessive, particularly for institutions that have 
less than $10 billion in total assets and that appendix D should be 
rescinded and revised to reduce the excessive costs. As discussed 
above, appendix D applies primarily to larger banks. The only covered 
banks that have less than $10 billion in average total consolidated 
assets are covered banks because their parent companies control another 
bank with average total consolidated assets equal to or greater than 
$50 billion. The OCC believes that the burden estimate is reasonable 
and that it is appropriate for these banks to devote sufficient 
resources to risk governance and the standards necessary to manage and 
control risk-taking activities. The burden on these smaller covered 
banks is not excessive because they have the resources of a larger 
affiliate bank to rely

[[Page 48895]]

on. Also, while the commenter recommended that the OCC rescind appendix 
D, the OCC cannot rescind regulations or guidelines through the PRA 
renewal process.
    The commenter also stated that the collection of information for 
appendix D is unnecessary and of little utility because appendix D has 
been ineffectual in fostering enterprise risk governance over large 
complex financial institutions since almost seven years after the 
introduction of the OCC's ``heightened expectations'' and three years 
after the issuance of appendix D, the OCC continues to identify 
enterprise risk governance as a key risk facing large banks in the 
OCC's spring 2017 Semiannual Risk Perspective.\8\ However, while 
appendix D is intended to promote enterprise risk governance, the OCC 
recognizes that appendix D cannot eliminate the possibility of all 
enterprise risk governance weaknesses. The OCC believes that appendix D 
is a valuable mechanism for promoting sound enterprise risk governance 
and has observed significant improvement in risk governance since the 
adoption of appendix D. However, we also realize that risk governance 
weaknesses may remain and can be a risk to the safety and soundness of 
banks.
---------------------------------------------------------------------------

    \8\ https://www.occ.gov/publications/publications-by-type/other-publications-reports/semiannual-risk-perspective/semiannual-risk-perspective-spring-2017.pdf.
---------------------------------------------------------------------------

    The commenter also indicated that there is a disconnect between the 
specific risks identified in the OCC's Semiannual Risk Perspectives and 
the ``abstract generalized'' standards in appendix D. According to the 
commenter, appendix D does not provide standards addressing the 
specific risks identified in the Semiannual Risk Perspectives, such as 
cyber security and Bank Secrecy Act (BSA) and Anti-Money Laundering 
risks (AML). The standards in appendix D are not intended to 
exhaustively address all of the risks facing OCC-regulated banks. 
Indeed, there is a separate appendix to 12 CFR part 30, appendix B that 
contains standards addressing information security. Banks are also 
subject to separate BSA and AML requirements.\9\
---------------------------------------------------------------------------

    \9\ See 12 CFR part 21.
---------------------------------------------------------------------------

    The commenter also expressed the opinion that the standards in 
appendix D are not actually heightened or more robust than the 
standards the OCC applies to many banks with $1 billion or more in 
total assets and that the reality is the OCC applies the standards in 
appendix D to many midsize and community banks. The commenter pointed 
specifically to the Comptroller's Handbook on Corporate and Risk 
Governance (handbook), suggesting that OCC examiners use this handbook 
for all OCC supervised banks.\10\ Appendix D only applies to banks with 
average total consolidated assets equal to or greater than $50 billion, 
banks with average total consolidated assets less than $50 billion when 
a bank's parent company controls at least one other bank with average 
total consolidated assets equal to or greater than $50 billion, and 
banks with average total consolidated assets less than $50 billion if 
the OCC determines that a bank's operations are highly complex or 
otherwise present a heightened risk. The handbook referenced by the 
commenter specifically notes that only banks with average total 
consolidated assets of $50 billion or greater (or banks that are 
otherwise included as covered banks in appendix D) should adhere to the 
standards in appendix D. The handbook includes separate and specific 
criteria for the covered banks subject to appendix D. Appendix D 
contains various standards that are not applied to smaller banks. For 
example, appendix D specifically provides that at least two members of 
a covered bank's board of directors should qualify as independent and 
provides that boards should establish and adhere to a formal, ongoing 
training program. Appendix D also imposes specific requirements on 
covered banks' independent risk management that are not applied to all 
OCC-regulated banks, including requiring that banks covered by appendix 
D have written risk appetite statements that include quantitative 
limits. Additionally, the standards in appendix D are legally different 
than the standards contained in the handbook. The standards in Appendix 
D are legally enforceable standards adopted pursuant to section 39 of 
the FDIA while the handbook is a guidance document.
---------------------------------------------------------------------------

    \10\ https://www.occ.treas.gov/publications/publications-by-type/comptrollers-handbook/corporate-risk-governance/pub-ch-corporate-risk.pdf
---------------------------------------------------------------------------

    Type of Review: Regular review.
    Affected Public: Businesses or other for-profit.
    Estimated Number of Respondents: 34.
    Estimated Burden per Respondent: 3,776 hours.
    Estimated Total Annual Burden: 128,384 hours.
    Comments: Comments continue to be invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the OCC, including whether the 
information has practical utility;
    (b) The accuracy of the OCC's estimate of the burden of the 
information collection;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.

    Dated: October 16, 2017.
Karen Solomon,
Deputy Chief Counsel, Office of the Comptroller of the Currency.
[FR Doc. 2017-22723 Filed 10-19-17; 8:45 am]
 BILLING CODE 4810-33-P