Framework for the Supervision of Insurance Organizations, 6537-6549 [2022-02383]

Agencies

• FEDERAL RESERVE SYSTEM

[Federal Register Volume 87, Number 24 (Friday, February 4, 2022)]
[Notices]
[Pages 6537-6549]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-02383]


=======================================================================
-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

[Docket No. OP-1765]


Framework for the Supervision of Insurance Organizations

AGENCY: Board of Governors of the Federal Reserve System (Board).

ACTION: Proposed guidance; request for comments.

-----------------------------------------------------------------------

SUMMARY: The Board is seeking comment on a new supervisory framework 
for depository institution holding companies significantly engaged in 
insurance activities, or supervised insurance organizations. The 
proposed framework would provide a supervisory approach that is 
designed specifically to reflect the differences between banking and 
insurance. Within the framework, the application of supervisory 
guidance and the assignment of supervisory resources would be based 
explicitly on a supervised insurance organization's complexity and 
individual risk profile. The proposed framework would formalize the 
ratings applicable to these firms with rating definitions that reflect 
specific supervisory requirements and expectations. It would also 
emphasize the Board's policy to rely to the fullest extent possible on 
work done by other relevant supervisors, describing, in particular, the 
way it will rely more fully on reports and other supervisory 
information provided by state insurance

[[Page 6538]]

regulators to minimize the burden associated with supervisory 
duplication.

DATES: Comments must be received no later than April 5, 2022.

ADDRESSES: You may submit comments, identified by Docket No. OP-1765, 
by any of the following methods:
    Agency website: https://www.federalreserve.gov. Follow the 
instructions for submitting comments at https://www.federalreserve.gov/apps/foia/proposedregs.aspx.
    Email: [email protected]. Include docket and RIN 
numbers in the subject line of the message.
    Fax: (202) 452-3819 or (202) 452-3102.
    Mail: Ann E. Misback, Secretary, Board of Governors of the Federal 
Reserve System, 20th Street and Constitution Avenue NW, Washington, DC 
20551.
    All public comments are available from the Board's website at 
https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as 
submitted, unless modified for technical reasons or to remove 
personally identifiable information at the commenter's request. 
Accordingly, comments will not be edited to remove any identifying or 
contact information. Public comments may also be viewed in-person in 
Room M-4365A, 2001 C St. NW, Washington, DC 20551, between 9:00 a.m. 
and 5:00 p.m. during federal business weekdays.

FOR FURTHER INFORMATION CONTACT: Thomas Sullivan, Senior Associate 
Director, (202) 475-7656; Matt Walker, Manager, (202) 872-4971; Brad 
Roberts, Lead Insurance Policy Analyst, (202) 452-2204; or Joan 
Sullivan, Senior Insurance Policy Analyst, (202) 912-4670, Division of 
Supervision and Regulation; or Charles Gray, Deputy General Counsel, 
(202) 872-7589; Andrew Hartlage, Senior Counsel, (202) 452-6483; or 
Christopher Danello, Senior Attorney, (202) 736-1960, Legal Division, 
Board of Governors of the Federal Reserve System, 20th and C Streets 
NW, Washington, DC 20551.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Summary of the Proposal
III. Applicability, Timing, and Implementation
IV. Other Related Developments
V. Regulatory Analysis
VI. Proposed Text of the Framework
    A. Proportionality--Supervisory Activities and Expectations
    1. Complex and Noncomplex Supervised Insurance Organizations
    2. Supervisory Expectations
    a. Governance & Controls
    b. Capital Management
    c. Liquidity Management
    B. Supervisory Ratings
    C. Incorporating the Work of other Supervisors

I. Background

    The Board of Governors of the Federal Reserve System (Board) 
supervises and regulates companies that control one or more banks (bank 
holding companies) and companies that are not bank holding companies 
that control one or more savings associations (savings and loan holding 
companies, and together with bank holding companies, depository 
institution holding companies). Congress gave the Board regulatory and 
supervisory authority for bank holding companies through the enactment 
of the Bank Holding Company Act of 1956 (BHC Act).\1\ The Board's 
regulation and supervision of savings and loan holding companies began 
in 2011 when provisions of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act (Dodd-Frank Act) \2\ transferring supervision 
and regulation of savings and loan holding companies from the Office of 
Thrift Supervision to the Board took effect.\3\ Upon this transfer, the 
Board became the federal supervisory agency for all depository 
institution holding companies, including a portfolio of savings and 
loan holding companies significantly engaged in insurance activities 
(supervised insurance organizations).\4\
---------------------------------------------------------------------------

    \1\ Ch. 240, 70 Stat. 133.
    \2\ Public Law 111-203, 124 Stat. 1376 (2010).
    \3\ Dodd-Frank Act tit. III, 124 Stat. at 1520-70.
    \4\ Although currently all supervised insurance organizations 
are savings and loan holding companies, the proposed framework would 
apply to any depository institution holding company that meets the 
criteria of a supervised insurance organization.
---------------------------------------------------------------------------

    The Board has a long-standing policy of supervising holding 
companies on a consolidated basis. Consolidated supervision encompasses 
all legal entities within a holding company structure and supports an 
understanding of the organization's complete risk profile and its 
ability to address financial, managerial, operational, or other 
deficiencies before they pose a danger to its subsidiary depository 
institution(s). The Board's current supervisory approach for 
noninsurance depository institution holding companies assesses holding 
companies whose primary risks are related to the business of banking. 
The risks arising from insurance activities, however, are materially 
different from traditional banking risks. The top-tier holding company 
for some supervised insurance organizations is an insurance 
underwriting company, which is subject to supervision and regulation by 
the relevant state insurance regulator as well as consolidated 
supervision from the Board; for all of these firms, the state insurance 
regulators supervise and regulate the business of insurance 
underwriting companies. Additionally, instead of producing consolidated 
financial statements based on generally accepted accounting principles, 
many of these firms only produce legal entity financial statements 
based on Statutory Accounting Principles (SAP) established by states 
through the National Association of Insurance Commissioners (NAIC).
    In view of these differences, the Board has sought to tailor its 
supervision and regulation of supervised insurance organizations. For 
example, in 2013, when the Board implemented the Basel III capital 
standard in the United States, the Board determined not to apply it to 
this group of companies, stating that it would ``explore further 
whether and how the proposed rule should be modified for these 
companies in a manner consistent with section 171 of the Dodd-Frank Act 
and safety and soundness concerns.'' \5\ In 2019, the Board invited 
comment on a proposal to establish a risk-based capital framework 
designed specifically for supervised insurance organizations, termed 
the Building Block Approach, that would adjust and aggregate existing 
legal entity capital requirements to determine an enterprise-wide 
capital requirement.\6\ In addition, in 2018, the Board did not apply 
to these firms the supervisory rating systems applicable to other 
depository institution holding companies.\7\ As described in the 
Supplementary Information, the proposed supervisory framework 
(proposal) represents a significant step in the continuation of the 
Board's tailored approach to supervision and regulation for supervised 
insurance organizations.
---------------------------------------------------------------------------

    \5\ Regulatory Capital Rules: Implementation of Basel III, 78 FR 
62017, 62027 (October 11, 2013).
    \6\ Regulatory Capital Rules: Risk-Based Capital Requirements 
for Depository Institution Holding Companies Significantly Engaged 
in Insurance Activities, 84 FR 57240 (October 24, 2019).
    \7\ See Large Financial Institution Rating System; Regulations K 
and LL, 83 FR 58724 (November 21, 2018); Application of the RFI/C(D) 
Rating System to Savings and Loan Holding Companies, 83 FR 56081 
(November 9, 2018).
---------------------------------------------------------------------------

II. Summary of the Proposal

    The proposal would establish a transparent framework for 
consolidated supervision of supervised insurance organizations. A 
depository institution holding company is considered to be a supervised 
insurance organization if it

[[Page 6539]]

is an insurance underwriting company or if over 25 percent of its 
consolidated assets are held by insurance underwriting subsidiaries. 
The proposed framework is designed specifically to account for the 
unique risks and business profiles of supervised insurance 
organizations resulting mainly from their insurance business. The 
framework consists of a risk-based approach establishing supervisory 
expectations, assigning supervisory resources, and conducting 
supervisory activities; the formalization of a supervisory rating 
system; and a description of how examiners would work with state 
insurance regulators to limit the burden associated with supervisory 
duplication.

A. Proportionality

    The proposed supervisory framework describes a supervisory approach 
that is proportional to the risks of each supervised insurance 
organization. This approach is designed to address the unique features 
of insurance activities and thereby not replicate the standards for the 
supervision of banking activities. The proposed supervisory framework 
would result in supervisory activities and the application of 
supervisory guidance that look beyond the size of the institution and 
instead focus on the material risks that could pose a threat to the 
organization's safety and soundness and, in particular, its ability to 
serve as a source of strength for its depository institution(s).
    To achieve this, Federal Reserve staff would first classify 
supervised insurance organizations as either complex or noncomplex 
based on their risk profile. Supervisory activities would vary based on 
this determination and also based on each firm's individual risk 
profile. Complex supervised insurance organizations have a higher level 
of risk and therefore require more frequent and intense supervisory 
attention. Noncomplex supervised insurance organizations, due to their 
lower risk profile, require less intense supervisory oversight. In 
making this classification, the Federal Reserve would consider at least 
the factors listed in the proposal, which include: quality and level of 
capital and liquidity, size of its depository institution(s), 
organizational structure, unregulated and/or unsupervised activities, 
international exposure, product and portfolio risks, supervisory 
ratings and opinions, and interconnectedness.
    Riskier firms would be classified as complex, which would result in 
the assignment of a dedicated team responsible for consolidated 
supervision of the organization. Complex firms would be subject to 
routine continuous monitoring and targeted examinations as necessary to 
properly understand and assess the firm. Less risky firms would be 
classified as noncomplex. Noncomplex firms would be subject to an 
annual examination to assess the firm and assign ratings. This approach 
make it possible for a firm with over $100 billion in total assets to 
be classified as noncomplex if, for example, most of those assets were 
a result of traditional insurance activities, it had a small depository 
institution, it had a history of maintaining relatively large capital 
and liquidity buffers, and it was viewed overall as well run with 
little risk to its depository institution. Supervisory activities would 
also be adapted among complex firms to reflect the actual risk profile 
of the firm and to focus on risks that are most likely to threaten the 
holding company's ability to act as a source of strength for its 
depository institution(s).
    Applicable practices, as described in supervisory guidance, that 
are consistent with the Board's expectations for organizations 
operating in a safe and sound manner, would also vary based on the 
complexity classification and based on each firm's risk profile. The 
firm's risk profile would be reassessed by the Federal Reserve annually 
and Federal Reserve examiners would inform the firm if different 
supervisory guidance had become more relevant as a result of a material 
change to the firm's risk profile.
    Question 1. What additional factors, if any, should the Board 
consider when considering the complexity of supervised insurance 
organizations?
    Question 2. What other considerations beyond those outlined in this 
proposal should be considered in the Board's assessment of whether a 
supervised insurance organization has sufficient financial and 
operational strength and resilience to maintain safe and sound 
operations?
    Question 3. What additional clarity, if any, is needed to describe 
the supervisory guidance related to the evaluation of a firm's 
governance and controls, capital management, and liquidity management 
under the proposed framework?
    Question 4. What additional differences exist between supervised 
insurance organization and bank holding companies that should be 
considered and reflected in the framework? What additional measures, if 
any, could the Board take to appropriately tailor its approach to 
supervising these firms?

B. Ratings

    Since 2011, supervised insurance organization have been assigned 
indicative ratings under the Board's RFIC/(D) framework (RFI 
framework).\8\ The proposal would establish a unique supervisory rating 
system that, if adopted, would replace the indicative RFI ratings for 
all supervised insurance organizations. Under the proposed framework, 
firms would be rated annually in each of three components: Capital 
Management, Liquidity Management, and Governance and Controls. Firms 
would be assigned one of four ratings for each of the three components. 
The ratings are Broadly Meets Expectations, Conditionally Meets 
Expectations, Deficient-1, and Deficient-2 and would reflect how 
consistent a firm's practices are with the Board's expectations for 
safe and sound operations. As described above, despite rating the same 
components for all supervised insurance organizations and using the 
same ratings, applicable supervisory guidance would be based on each 
firm's specific risk profile and would vary significantly between the 
smallest, least risky firms and the largest, riskiest firms. The 
proposed ratings are modeled after the LFI framework, although they 
have been modified in structure and application to support their use 
for supervised insurance organizations of all sizes and risk profiles. 
For example, instead of emphasizing in the rating components and 
definitions the importance of continuing to serve as a financial 
intermediary under stress, the proposal stresses the obligation that 
supervised insurance organizations operate in a safe and sound manner 
and serve as a source of financial and managerial strength for their 
depository institution(s).
---------------------------------------------------------------------------

    \8\ SR 19-4: Supervisory Ratings System for Holding Companies 
with Total Consolidated Assets Less Than $100 billion, https://
www.federalreserve.gov/supervisionreg/srletters/sr1904.htm.
---------------------------------------------------------------------------

    Question 5. What additional clarity, if any, is needed to describe 
the ratings process, including the ratings definitions?
    Question 6. Should the final framework include a composite rating?

C. Incorporating the Work of Other Supervisors

    Effective consolidated supervision requires collaborative 
relationships with all relevant supervisors and regulators. The Board 
respects the individual statutory authorities and responsibilities of 
other supervisors and regulators and works to develop appropriate 
information flows and coordination so

[[Page 6540]]

that each supervisor's responsibilities can be carried out effectively 
while limiting the burden associated with supervisory duplication. In 
developing its overall assessment of a supervised insurance 
organization, the proposed framework emphasizes the importance of these 
relationships and that Federal Reserve examiners rely to the fullest 
extent possible on information available from, and examination reports 
by, other relevant supervisors and regulators. Because supervised 
insurance organizations have material insurance business lines, the 
proposed framework describes how the Federal Reserve would leverage the 
work done by the state insurance regulators, including examples of 
specifics insurance supervisory reports that will be used as input into 
the Federal Reserve's assessment and ratings. With respect to the 
business of insurance, the Board specifically leaves to the state 
insurance regulators the oversight of pricing and reserving of 
insurance liabilities.
    Question 7. What additional measures, if any, should the Board take 
to fulfill its goal to rely to the fullest extent possible on work of 
other relevant supervisors, including the state insurance regulators?

III. Applicability, Timing, and Implementation

    Federal Reserve examiners would use the proposed framework as their 
basis for the supervision of insurance organizations. A depository 
institution holding company is considered to be a supervised insurance 
organization if it is an insurance underwriting company or if over 25 
percent of its consolidated assets are held by insurance underwriting 
subsidiaries. Other depository institution holding companies can also 
be designated as supervised insurance organizations if Federal Reserve 
staff decides, based on the firm's risk profile, that doing so would 
result in more effective supervision.
    The Board proposes that the Federal Reserve would classify 
supervised insurance organizations as complex or noncomplex and initial 
ratings during the calendar year in which the final framework becomes 
effective. Due to differences in the timing of supervisory cycles 
across the portfolio, firms may receive their initial ratings at 
different times during the year.
    Consistent with current Federal Reserve practice on the assignment 
and communication of supervisory ratings by examiners, ratings under 
the proposed framework would be assigned and communicated to firms on 
an annual basis, and more frequently as warranted. In accordance with 
the Board's regulations governing confidential supervisory information, 
ratings assigned under the proposed framework would be communicated by 
the Federal Reserve to the firm but not disclosed to other persons 
except in accordance with the Federal Reserve Act and the Board's Rules 
Regarding Availability of Information.\9\
---------------------------------------------------------------------------

    \9\ 12 U.S.C. 326; 12 CFR part 261.
---------------------------------------------------------------------------

    Question 10. What additional clarity, if any, is needed to describe 
which firms would be subject to the proposed framework?

IV. Regulatory Analysis

Paperwork Reduction Act

    There is no collection of information required by this proposal 
that would be subject to the Paperwork Reduction Act of 1995, 44 U.S.C. 
3501 et seq.

V. Proposed Text of the Supervisory Framework

    This framework describes the Federal Reserve's approach to 
consolidated supervision of supervised insurance organizations.\1\ The 
framework is designed specifically to account for the unique risks and 
business profiles of these firms resulting mainly from their insurance 
business. The framework consists of a risk-based approach to 
establishing supervisory expectations, assigning supervisory resources 
and conducting supervisory activities; a unique supervisory rating 
system; and a description of how Federal Reserve examiners will work 
with the state insurance regulators to limit the burden associated with 
supervisory duplication.
---------------------------------------------------------------------------

    \1\ In this framework, a ``supervised insurance organization'' 
is a depository institution holding company that is an insurance 
underwriting company, or that has over 25 percent of its 
consolidated assets held by insurance underwriting subsidiaries, or 
has been otherwise designated as a supervised insurance organization 
by Federal Reserve staff.
---------------------------------------------------------------------------

A. Proportionality--Supervisory Activities and Expectations

    Consistent with the Federal Reserve's approach to risk-based 
supervision, supervisory guidance will be applied and supervisory 
activities will be conducted in a manner that is proportionate to each 
firm's individual risk profile. This begins by classifying each 
supervised insurance organization as either complex or noncomplex based 
on their risk profile and continues with a tailored application of 
supervisory guidance and supervisory activities. Federal Reserve 
supervisory teams will conduct a risk assessment each year based on 
their current understanding of the firm's risks. Any change in the risk 
assessment will be communicated to the firm's board and senior 
management, along with potential implications to the relevance of 
certain expectations communicated through supervisory guidance.\2\ The 
risk assessment also drives supervisory activities, which will be 
focused on resolving supervisory knowledge gaps, monitoring the safety 
and soundness of the firm, and assessing the firm's management of risks 
that could potentially impact its ability to act as a source of 
managerial and financial strength for its depository institution(s).
---------------------------------------------------------------------------

    \2\ This could happen if a firm's risk profile changes 
significantly and typically follows a strategic change for the firm 
(a material acquisition, divestiture, or product offering change).
---------------------------------------------------------------------------

1. Complex and Noncomplex Supervised Insurance Organizations
    Each supervised insurance organization is classified by the Federal 
Reserve as either complex or noncomplex based on its risk profile. The 
classification serves as the basis for determining the level of 
supervisory resources dedicated to each firm, as well as the frequency 
and intensity of supervisory activities.
    Complex: Complex firms have a higher level of risk and therefore 
require more frequent and intense supervisory attention. Federal 
Reserve dedicated supervisory teams are assigned to execute approved 
supervisory plans led by a dedicated Central Point of Contact. The 
activities listed in the supervisory plans focus on understanding any 
of a firm's risks that could threaten the safety and soundness of the 
consolidated organization or a firm's ability to act as a source of 
strength for its depository institution(s). These activities typically 
include continuous monitoring, targeted topical examinations, 
coordinated reviews, and an annual roll-up assessment resulting in 
ratings for the three rating components. The focus, frequency, and 
intensity of supervisory activities are based on the firm's unique risk 
profile and, therefore, can vary among complex firms. The relevance of 
certain supervisory guidance also may vary among complex firms based on 
each firm's unique risk profile. Supervisory guidance targeted at 
smaller bank holding companies, for example, may be more relevant for 
complex supervised insurance organizations with limited inherent 
exposure to a certain risk.
    Noncomplex: Noncomplex firms, due to their lower risk profile, 
require less supervisory oversight relative to complex firms. The 
supervisory activities for these firms occur primarily

[[Page 6541]]

during an annual full-scope inspection resulting in the assignment of 
the three component ratings. The supervision of noncomplex firms relies 
more heavily on the reports and opinions of a firm's other relevant 
supervisors, although these firms are subject to continuous monitoring 
and coordinated reviews as appropriate. The focus and types of 
supervisory activities for noncomplex firms are also set based on the 
unique risks of each firm.
    Factors considered when classifying a supervised insurance 
organization as either complex or noncomplex include the organization's 
quality and level of capital and liquidity, the size of its depository 
institution, the complexity of its organizational structure, the nature 
and extent of any unregulated and/or unsupervised activities, any 
international exposure,\3\ its product and portfolio risks, ratings and 
opinions from its regulatory supervisors, and its potential 
interconnectedness with the broader financial system.
---------------------------------------------------------------------------

    \3\ Supervised insurance organizations designated by their 
Group-Wide Supervisor as an Internationally Active Insurance Group 
(IAIG) are classified as complex.
---------------------------------------------------------------------------

    For supervised insurance organizations that are new to Federal 
Reserve supervision, the classification as complex or noncomplex is 
done and communicated during the application phase after initial 
discussions with the firm. The firm's risk profile, including the 
characteristics listed above, and the proposed classification are 
vetted and decided by staff at the relevant Reserve Bank and the Board. 
Large, well-established, and financially strong supervised insurance 
organization with relatively small depository institutions can be 
classified as noncomplex if Federal Reserve staff considers the 
corresponding level of supervisory oversight sufficient to accomplish 
its objectives. Although the risk profile is the primary basis for 
determining a firm's classification, a firm is automatically classified 
as complex if its depository institution's average assets exceed $100 
billion.
2. Supervisory Expectations
    Supervised insurance organizations are expected to operate in a 
safe and sound manner, to comply with all applicable laws and 
regulations, and to possess sufficient financial and operational 
strength to serve as a source of strength for their depository 
institution(s) through a range of stressful yet plausible conditions. 
The management and risk management practices necessary to meet these 
expectations will vary based on a firm's specific risk profile and will 
vary significantly between the smallest, least risky firms and the 
largest, riskiest firms. Guidance describing supervisory expectations 
for safe and sound practices can be found in Supervision & Regulation 
(SR) letters published by the Board and other supervisory material. 
Supervisory guidance most relevant to a specific supervised insurance 
organization is driven by the unique risk profile of the firm. The 
firm's risk profile is reassessed by the Federal Reserve annually. 
Federal Reserve examiners will inform the firm if different supervisory 
guidance becomes more relevant as a result of a material change to the 
firm's risk profile. This is typically only the result of a significant 
business decision, like an acquisition, divestiture, or change to the 
firm's product offering or asset portfolio. This section describes 
general safety and soundness expectations and how the Board has adapted 
its supervisory expectations to reflect the unique characteristics of 
supervised insurance organization. The section is organized using the 
three rating components for--Governance and Controls, Capital 
Management, and Liquidity Management.
a. Governance and Controls
    The Governance and Controls rating is derived from an assessment of 
the effectiveness of a firm's (1) board and senior management 
effectiveness, and (2) independent risk management and controls. All 
firms are expected to align their strategic business objectives with 
their risk appetite and risk management capabilities; maintain 
effective and independent risk management and control functions 
including internal audit; promote compliance with laws and regulations; 
and remain a source of financial and managerial strength for their 
depository institution(s). When assessing governance and controls, 
Federal Reserve examiners consider a firm's risk management 
capabilities relative to its risk exposure within the following areas: 
Internal audit, credit risk, legal and compliance risk, market risk, 
model risk, and operational risk, including cybersecurity/information 
technology and third party risk.
Governance & Controls Expectations
     Despite differences in their business models and the 
products offered, insurance companies and banks are expected to have 
effective and sustainable systems of governance and controls to manage 
their respective risks. The G&C framework for a supervised insurance 
organization should:
    [cir] Clearly define roles and responsibilities throughout the 
organization;
    [cir] Include policies and procedures, limits, requirements for 
documenting decisions, and decision-making and accountability chains of 
command; and
    [cir] Provide timely information about risk and corrective action 
for non-compliance or weak oversight, controls, and management.
     The Board expects the sophistication of the G&C framework 
to be commensurate with the size, complexity, and risk profile of the 
firm. As such, G&C expectations for complex firms will be higher than 
that for noncomplex firms but will also vary based on each firm's 
unique risk profile.
     The enhanced prudential standards rule under Regulation YY 
\4\ is not applicable to supervised insurance organizations. Unlike 
large banking organizations, these firms are not required by regulation 
to maintain a risk committee that periodically reviews and approves the 
risk management policies of the firm's operations and oversees the 
operation of its risk management framework, nor are they required by 
regulation to have a chief risk officer. The Board expects supervised 
insurance organization to have a risk management and control framework 
that is commensurate with their structure, risk profile, complexity, 
activities, and size. For any chosen structure, the firm's board is 
expected to have the capacity, expertise, and sufficient information to 
discharge risk oversight and governance responsibilities in a safe and 
sound manner. The chief risk officer facilitates an enterprise-wide 
approach to the identification and management of all risks across the 
organization and while the designation of a chief risk officer is not 
required, most large insurance companies have found value in having an 
independent chief risk officer. The Board cautions boards that they may 
be susceptible to undue risk and responsibility without a truly 
independent chief risk officer, which may result in safety and 
soundness concerns, particularly with complex firms, for whom the Board 
may require the designation of an independent chief risk officer. Firms 
that do not have a designated chief risk officer should have sufficient 
compensating controls in place to ensure that the head of risk 
management has adequate independence and stature to provide effective 
challenge. Likewise, the Federal Reserve may require a firm's board to 
establish a risk committee if it is not clear that the current board

[[Page 6542]]

structure provides sufficient oversight of the firm's risk management 
framework and practices.
---------------------------------------------------------------------------

    \4\ 12 CFR part 252.
---------------------------------------------------------------------------

In Assigning a G&C Rating, Federal Reserve Examiners Evaluate
     Board and Senior Management Effectiveness--The firm's 
board is expected to exhibit certain attributes consistent with 
effectiveness, including: (i) Setting a clear, aligned, and consistent 
direction regarding the firm's strategy and risk appetite; (ii) 
directing senior management regarding board reporting; (iii) overseeing 
and holding senior management accountable; (iv) supporting the 
independence and stature of independent risk management and internal 
audit; and (v) maintaining a capable board and an effective governance 
structure. As the consolidated supervisor, the Board focuses on the 
board of the supervised insurance organization and its committees. 
Complex firms are expected to take into consideration the Board's 
guidance on board of directors' effectiveness.\5\ In assessing the 
effectiveness of a firm's senior management, Federal Reserve examiners 
consider the extent to which senior management effectively and 
prudently manages the day-to-day operations of the firm and provides 
for ongoing resiliency; implements the firm's strategy and risk 
appetite; identifies and manages risks; maintains an effective risk 
management framework and system of internal controls; and promotes 
prudent risk taking behaviors and business practices, including 
compliance with laws and regulations such as those related to consumer 
protection and the Bank Secrecy Act/Anti-Money Laundering and Office of 
Foreign Assets Control (BSA/AML and OFAC). Federal Reserve examiners 
evaluate how the framework allows management to be responsible for and 
manage all risk types, including emerging risks, within the business 
lines. Examiners rely to the fullest extent possible on insurance and 
bank supervisors' examination reports and information concerning risk 
and management in specific lines of business, including relying 
specifically on state insurance regulators to evaluate and assess how 
firms manage the pricing, underwriting, and reserving risk of their 
insurance operations.
---------------------------------------------------------------------------

    \5\ SR 21-3: Supervisory Guidance on Board of Directors' 
Effectiveness, https://www.federalreserve.gov/supervisionreg/srletters/SR2103.htm.
---------------------------------------------------------------------------

     Independent Risk Management and Controls--In assessing a 
firm's independent risk management and controls, Federal Reserve 
examiners consider the extent to which independent risk management 
effectively evaluates whether the firm's risk appetite framework 
identifies and measures all of the firm's risks; establishes 
appropriate risk limits; and aggregates, assesses and reports on the 
firm's risk profile and positions. Additionally, the firm is expected 
to demonstrate that its internal controls are appropriate and tested 
for effectiveness and sustainability.
     Internal Audit is an integral part of a supervised 
insurance organization's internal control system and risk management 
structure. An effective internal audit function plays an essential role 
by providing an independent risk assessment and objective evaluation of 
all key governance, risk management, and internal control processes. 
Internal audit is expected to effectively and independently assess the 
firm's risk management framework and internal control systems, and 
report findings to senior management and to the firm's audit committee. 
Despite differences in business models, the Board expects the largest, 
most complex supervised insurance organizations to have internal audit 
practices in place that are similar to those at banking organizations 
and as such, no modification to existing guidance is required for these 
firms.\6\ At the same time, the Board recognizes that firms should have 
an internal audit function that is appropriate to their size, nature, 
and scope of activities. Therefore, for noncomplex firms, Federal 
Reserve examiners will use the expectations in the insurance company's 
domicile state's Annual Financial Reporting Regulation (NAIC Model 
Audit Rule 205), or similar state regulation, to assess the 
effectiveness of a firm's internal audit function.
---------------------------------------------------------------------------

    \6\ Regulatory guidance provided in SR 03-05 Amended Interagency 
Guidance on the Internal Audit Function and its Outsourcing, https://www.federalreserve.gov/boarddocs/srletters/2003/sr0305.htm and SR 
13-1 Supplemental Policy Statement on the Internal Audit Function 
and Its Outsourcing, https://www.federalreserve.gov/supervisionreg/srletters/sr1301.htm, are applicable to complex supervised insurance 
organizations only.
---------------------------------------------------------------------------

    The principles of sound risk management described in the previous 
sections apply to the entire spectrum of risk management activities of 
a supervised insurance organization, including but not limited to:
     Credit risk, which arises from the possibility that a 
borrower or counterparty will fail to perform on an obligation. Fixed 
income securities, by far the largest asset class for insurance 
companies, is the largest source of credit risk. This is unlike banks, 
where loans generally make up the largest portion of balance sheet 
assets. Life insurer investment portfolios in particular are generally 
characterized by longer duration holdings compared to those of banks. 
Additionally, an insurance company's reinsurance recoverables/
receivables arising from the use of third-party reinsurance and 
participation in regulatory required risk-pooling arrangements expose 
the firm to additional counterparty credit risk. The Federal Reserve 
will scope examination work based on a firm's level of inherent credit 
risk. The level of inherent risk will be determined by analyzing the 
composition, concentration, and quality of the consolidated investment 
portfolio; the amount of a firm's reinsurance recoverables and the 
credit quality of the individual reinsurers; and credit exposures 
associated with derivatives, securities lending, or other activities 
that may also have off-balance sheet counterparty credit exposures. In 
determining the effectiveness of a firm's management of its credit 
risk, Federal Reserve examiners will rely, where possible, on the 
assessments made by other relevant supervisors for the bank and the 
insurance companies. In its own assessment, the Federal Reserve will 
determine whether the board and senior management have established an 
appropriate credit risk governance framework consistent with the firm's 
risk appetite; whether policies, procedures and limits are adequate and 
provide for ongoing monitoring, reporting and control of credit risk; 
the adequacy of management information systems as it relates to credit 
risk; and the sufficiency of internal audit and independent review 
coverage of credit risk exposure.
     Market risk, which arises from exposures to movements in 
market prices as a result of underlying changes in, for example, 
interest rates, equity prices, foreign exchange rates, commodity 
prices, or real estate prices. The Federal Reserve will scope 
examination work based on a firm's level of inherent market risk 
exposure, which is normally driven by the primary business line(s) in 
which the firm is engaged as well as the structure of the investment 
portfolio. While interest rate risk (IRR) differs between insurance 
companies and banks, the degree of IRR also differs based on the type 
of insurance products the firm offers. IRR is a more significant risk 
factor for life insurers than for property/casualty (P/C) insurers 
since life and annuity products are often spread-based, longer in 
duration, may include

[[Page 6543]]

embedded product guarantees, and can pose disintermediation risk. P/C 
insurers, especially property insurers, generally offer short-term 
contracts with the potential for frequent re-pricing, are subject to 
much less disintermediation risk. A firm may be exposed to inherent 
market risk due to its investment portfolio or as result of its product 
offerings, including variable and indexed life insurance and annuity 
products, or asset/wealth management business. Generally foreign 
exchange and commodity risk is low for supervised insurance 
organizations but could exist for some complex firms. Firms are 
expected to have sound risk management infrastructure that adequately 
identifies, measures, monitors, and controls any material or 
significant forms of inherent market risks to which it is exposed.
     Model risk is the potential for adverse consequences from 
decisions based on incorrect or misused model outputs and reports. 
Model risk can lead to financial loss, poor business and strategic 
decision-making, or damage to a firm's reputation. Supervised insurance 
organizations are often heavily reliant on models for product pricing 
and reserving, risk and capital management, strategic planning and 
other decision-making purposes. A sound model risk management framework 
helps manage this risk.\7\ Federal Reserve examiners will take into 
account the firm's size, nature, and complexity, as well as the extent 
of use and sophistication of its models when assessing its model risk 
management program. Examiners focus on the governance framework, 
policies and controls, and aggregated model risk management through a 
holistic evaluation of the firm's practices. The Federal Reserve's 
review of a firm's model risk management program complements the work 
of the firm's other relevant supervisors. A sound model risk management 
framework includes three main elements: (1) An accurate model inventory 
and an appropriate approach to model development, implementation, and 
use; (2) effective model validation and continuous model performance 
monitoring; and (3) a strong governance framework that provides 
explicit support and structure for model risk management through 
policies defining relevant activities, procedures that implement those 
policies, allocation of resources, and mechanisms for evaluating 
whether policies and procedures are being carried out as specified, 
including internal audit review. The Federal Reserve will rely on work 
already conducted by other relevant supervisors and appropriately 
collaborate with the state insurance regulators on their findings 
related to insurance models. With respect to the business of insurance, 
Federal Reserve examiners focus on the firm's adherence to its own 
policies and procedures and the comprehensiveness of model validation 
rather than technical specifications such as the appropriateness of the 
model, its assumptions or output. The Federal Reserve may request that 
firms provide model documentation or model validation reports for 
insurance and bank models when performing transaction testing.
---------------------------------------------------------------------------

    \7\ SR 11-7 Guidance on Model Risk Management is applicable to 
supervised insurance organizations.
---------------------------------------------------------------------------

     Legal risk arises from the potential that unenforceable 
contracts, lawsuits, or adverse judgments can disrupt or otherwise 
negatively affect the operations or financial condition of a supervised 
insurance organization. Compliance risk is the risk of regulatory 
sanctions, fines, penalties or losses resulting from failure to comply 
with laws, rules, regulations, or other supervisory requirements 
applicable to a firm. By offering multiple financial service products 
that may include insurance, annuity, banking, services provided by 
securities broker-dealers, and asset and wealth management products, 
provided through a diverse distribution network, supervised insurance 
organizations are inherently exposed to a significant amount of legal 
and compliance risk. As the consolidated supervisor, the Board expects 
firms to have an enterprise-wide legal and compliance risk management 
program that covers all business lines, legal entities, and 
jurisdictions of operation. Firms are expected to have compliance risk 
management governance, oversight, monitoring, testing, and reporting 
commensurate with their size and complexity, and to ensure compliance 
with applicable laws and regulations. The principles-based guidance in 
existing SR letters related to legal and compliance risk is applicable 
to supervised insurance organizations.\8\ For both complex and 
noncomplex firms, Federal Reserve examiners rely on the work of the 
firm's other supervisors. As described in section C, Incorporating the 
Work of Other Supervisors, the opinions, examination results, ratings, 
supervisory issues, and enforcement actions from other supervisors will 
be incorporated into a consolidated assessment of the enterprise-wide 
legal and compliance risk management framework.
---------------------------------------------------------------------------

    \8\ SR 08-8 Compliance Risk Management Programs and Oversight at 
Large Banking Organizations with Complex Compliance Profiles, 
https://www.federalreserve.gov/boarddocs/srletters/2008/SR0808.htm, 
is applicable to complex supervised insurance organizations. For 
noncomplex firms, the Federal Reserve will assess legal and 
compliance risk management based on the guidance in SR 16-11 
Supervisory Guidance for Assessing Risk Management at Supervised 
Institutions with Total Consolidated Assets Less than $50 Billion, 
https://www.federalreserve.gov/supervisionreg/srletters/sr1611.htm.
---------------------------------------------------------------------------

    [cir] Money laundering, terrorist financing and other illicit 
financial activity risk is the risk of providing criminals access to 
the legitimate financial system and thereby being used to facilitate 
financial crime. This financial crime includes laundering criminal 
proceeds, financing terrorism, and conducting other illegal activities. 
Money laundering and terrorist financing risk is associated with a 
financial institution's products, services, customers, and geographic 
locations. This and other illicit financial activity risks can impact a 
firm across business lines, legal entities, and jurisdictions. A 
reasonably designed compliance program generally includes a structure 
and oversight that mitigates these risks and supports regulatory 
compliance with both Bank Secrecy Act/Anti-Money Laundering (BSA/AML) 
and Office of Foreign Assets Control (OFAC) requirements. Although OFAC 
regulations are not part of the BSA, OFAC compliance programs are 
frequently assessed in conjunction with BSA/AML. Supervised insurance 
organizations are not defined as financial institutions under the BSA 
and, therefore, are not required to have an AML program, unless the 
firm is directly selling certain insurance products. However, certain 
subsidiaries and affiliates of supervised insurance organizations, such 
as insurance companies and banks, are defined as financial institutions 
under 31 U.S.C. 5312(a)(2) and must develop and implement a written 
BSA/AML compliance program as well as comply with other BSA regulatory 
requirements. Unlike banks, insurance companies' BSA/AML obligations 
are limited to certain products, referred to as covered insurance 
products.\9\ The volume of

[[Page 6544]]

covered products, which the Financial Crimes Enforcement Network 
(FinCEN) has determined to be of higher risk, is an important driver of 
supervisory focus. In addition, as U.S. persons, all supervised 
insurance organizations (including their subsidiaries and affiliates) 
are subject to Office of Foreign Assets Control (OFAC) regulations. 
Federal Reserve examiners assess all material risks that each firm 
faces, extending to whether business activities across the consolidated 
organization, including within its individual subsidiaries or 
affiliates, comply with the legal requirements of BSA and OFAC 
regulations. In keeping with the principles of a risk-based framework 
and proportionality, Federal Reserve supervision for BSA/AML and OFAC 
primarily focuses on oversight of compliance programs at a consolidated 
level and relies on work by other relevant supervisors to the fullest 
extent possible. In the evaluation of a firm's risks and BSA/AML and 
OFAC compliance program, however, it may be necessary for examiners to 
review compliance with BSA/AML and OFAC requirements at individual 
subsidiaries or affiliates in order to fully assess material risks of 
the supervised insurance organization.
---------------------------------------------------------------------------

    \9\ ``Covered products'' means: A permanent life insurance 
policy, other than a group life insurance policy; an annuity 
contract, other than a group annuity contract; or any other 
insurance product with features of cash value or investment.
    ``Permanent life insurance policy'' means an agreement that 
contains a cash value or investment element and that obligates the 
insurer to indemnify or to confer a benefit upon the insured or 
beneficiary to the agreement contingent upon the death of the 
insured. ``Annuity contract'' means any agreement between the 
insurer and the contract owner whereby the insurer promises to pay 
out a fixed or variable income stream for a period of time.
---------------------------------------------------------------------------

     Operational risk is the risk of loss resulting from 
inadequate or failed internal processes, people, and systems, or from 
external events. Operational resilience is the ability to maintain 
operations, including critical operations and core business lines, 
through a disruption from any hazard. It is the outcome of effective 
operational risk management combined with sufficient financial and 
operational resources to prepare, adapt, withstand, and recover from 
disruptions. A firm that operates in a safe and sound manner is able to 
identify threats, respond and adapt to incidents, and recover and learn 
from such threats and incidents so that it can prioritize and maintain 
critical operations and core business lines, along with other 
operations, services and functions identified by the firm, through a 
disruption.
    [cir] Cybersecurity/information technology risks are a subset of 
operational risk and arise from operations of a firm requiring a strong 
and robust internal control system and risk management oversight 
structure. Information Technology (IT) and Cybersecurity (Cyber) 
functions are especially critical to firms' operations. Examiners of 
financial institutions, including supervised insurance organizations, 
find detailed guidance on mitigating these risks in the Federal 
Financial Institutions Examination Council's (FFIEC) IT Handbooks. In 
assessing IT/Cyber risks, Federal Reserve examiners will assess a 
firm's board and senior management for effective oversight and support 
of IT management; information/cyber security program for strong board 
and senior management support, integration of security activities and 
controls through business processes, and establishment of clear 
accountability for security responsibilities; IT operations for 
sufficient personnel, system capacity and availability, and storage 
capacity adequacy to achieve strategic objectives and appropriate 
solutions: Development and acquisition processes' ability to identify, 
acquire, develop, install, and maintain effective IT to support 
business operations; and appropriate business continuity management 
processes to effectively oversee and implement resilience, continuity, 
and response capabilities to safeguard employees, customers, assets, 
products, and services. Complex and noncomplex firms will be assessed 
in these areas. All supervised insurance organizations are expected to 
notify the Federal Reserve of any security breaches involving sensitive 
customer information, whether or not the institution notifies its 
customers.\10\
---------------------------------------------------------------------------

    \10\ SR 05-23, Interagency Guidance on Response Programs for 
Unauthorized Access to Customer Information and Customer Notice, 
applies to all supervised insurance organizations.
---------------------------------------------------------------------------

    [cir] Third party risk is also a subset of operational risk and 
arises from a firm's use of service providers to perform operational or 
service functions. These risks may be inherent to the outsourced 
activity or be introduced with the involvement of the service provider. 
When assessing effective third party risk management, Federal Reserve 
examiners will evaluate eight areas: (1) Third party risk management 
governance, (2) risk assessment framework, (3) due diligence in the 
selection of a service provider, (4) a review of any incentive 
compensation embedded in a service provider contract, (5) management of 
any contract or legal issues arising from third party agreements, (6) 
ongoing monitoring and reporting of third parties, (7) business 
continuity and contingency of the third party for any service 
disruptions, and (8) effective internal audit program to assess the 
risk and controls of the firm's third party risk management 
program.\11\
---------------------------------------------------------------------------

    \11\ SR Letter 13-19, Guidance on Managing Outsourcing Risk, 
https://www.federalreserve.gov/supervisionreg/srletters/sr1319.htm, 
applies to complex and noncomplex supervised insurance 
organizations.
---------------------------------------------------------------------------

b. Capital Management
    The Capital Management rating is derived from an assessment of a 
firm's current and stressed level of capitalization, and the quality of 
its capital planning and stress testing. A capital management program 
should be commensurate with a supervised insurance organization's 
complexity and unique risk profile. In assigning this rating, the 
Federal Reserve evaluates the extent to which a firm maintains sound 
capital planning practices through effective governance and oversight, 
effective risk management and controls, maintenance of updated capital 
policies and contingency plans for addressing potential shortfalls, and 
incorporation of appropriately stressful conditions into capital 
planning and projections of capital positions. The extent to which a 
firm's capital is sufficient to comply with regulatory requirements, to 
support the firm's ability to meet its obligations, and to enable the 
firm to remain a source of strength to its depository institution(s) in 
a range of stressful, but plausible, economic and financial 
environments is also evaluated.
    Insurance company balance sheets are typically quite different from 
those of most banking organizations. For insurance companies, 
investment strategies focus on cash flow matching to reduce interest 
rate risk and provide liquidity to support their liabilities, while for 
traditional banks, deposits (liabilities) are attracted to support 
investment strategies. Additionally, for insurers, capital provides a 
buffer for policyholder claims and creditor obligations, helping the 
firm absorb adverse deviations in expected claims experience, and other 
drivers of economic loss. The Board recognizes that the capital needs 
for insurance activities are materially different from those of banking 
activities. Insurers also often face capital fungibility constraints 
not faced by banks.
    In assessing a supervised insurance organization's capital 
management, the Federal Reserve relies to the fullest extent possible 
on information provided by the state insurance regulators, including 
the firm's ORSA and the state insurance regulator's written assessment 
of the ORSA. An ORSA is an internal process undertaken by an insurance 
group to assess the adequacy of its risk management and current and 
prospective capital position under normal and severe stress scenarios. 
As part of the ORSA, insurance groups are required to analyze all 
reasonably foreseeable and relevant material risks

[[Page 6545]]

that could have an impact on their ability to meet obligations.
    The Board expects supervised insurance organizations to have sound 
governance over their capital planning process.\12\ A firm should 
establish capital goals that are approved by the board of directors, 
and that reflect the potential impact of legal and/or regulatory 
restrictions on the transfer of capital between legal entities. In 
general, senior management should establish the capital planning 
process, which should be reviewed and approved periodically by the 
board. The board should require senior management to provide clear, 
accurate, and timely information on the firm's material risks and 
exposures to inform board decisions on capital adequacy and actions. 
The capital planning process should clearly reflect the difference 
between the risk profiles and associated capital needs of the insurance 
and banking businesses.
---------------------------------------------------------------------------

    \12\ SR 15-19: Federal Reserve Supervisory Assessment of Capital 
Planning and Positions for Firms Subject to Category II and III 
Standards, https://www.federalreserve.gov/supervisionreg/srletters/sr1519.htm, is applicable to complex supervised insurance 
organizations, however, Federal Reserve focuses on the sections most 
relevant for these firms. For example, references to pre-provision 
net revenue (PPNR) modeling and risk-weighted asset (RWA) 
projections are not applicable to supervised insurance 
organizations.
---------------------------------------------------------------------------

    A firm should have a risk management framework that appropriately 
identifies, measures, and assesses material risks and provides a strong 
foundation for capital planning. This framework should be supported by 
comprehensive policies and procedures, clear and well-established roles 
and responsibilities, strong internal controls, and effective reporting 
to senior management and the board. In addition, the risk management 
framework should be built upon sound management information systems.
    As part of capital management, a firm should have a sound internal 
control framework that helps ensure that all aspects of the capital 
planning process are functioning as designed and result in accurate 
assessments of the firm's capital needs. The framework should include 
an independent internal audit function as well as other review 
functions with appropriate staff expertise, experience, and stature in 
the organization to monitor the adequacy of capital risk measurement 
and management processes.
    The governance and oversight framework should include a written 
assessment of the principles and guidelines used for capital planning, 
issuance, and usage, including internal post-stress capital goals and 
targeted capital levels; guidelines for dividend payments and stock 
repurchases; strategies for addressing capital shortfalls; and internal 
governance responsibilities and procedures for the capital policy. The 
capital policy should reflect the unique capital needs of the insurance 
and banking businesses based on their risks, be approved by the firm's 
board of directors or a designated committee of the board, and be re-
evaluated periodically and revised as necessary.
    A strong capital management program will incorporate appropriately 
stressful conditions and events that could adversely affect the firm's 
capital adequacy and capital planning. As part of its capital plan, a 
firm should use at least one scenario that stresses the specific 
vulnerabilities of the firm's activities and associated risks, 
including those related to the firm's insurance activities and its 
banking activities.
    Supervised insurance organizations should employ estimation 
approaches that allow them to project the impact on capital positions 
of various types of stressful conditions and events, and that are 
independently validated. A firm should estimate losses, revenues, 
expenses, and capital using a sound method that incorporates 
macroeconomic and other risk drivers. The robustness of a firm's 
capital stress testing processes should be commensurate with the to its 
capital position.
c. Liquidity Management
    The Liquidity Management rating is derived from an assessment of 
the supervised insurance organization's liquidity position and the 
quality of its liquidity risk management program. Each firm's liquidity 
risk management program should be commensurate with its complexity and 
unique risk profile.
    The Board recognizes that insurance companies are typically less 
exposed to traditional liquidity risk than are banks. Traditional 
banking activity involves a liquidity transformation of liquid demand 
deposits into an asset on a banking organization's balance sheet, 
notably from the perspective of liquidity risk, illiquid bank loans. In 
traditional insurance business, the fact that an occurrence of an 
insured event is required for a claim payment, helps reduce liquidity 
risk. Insurers minimize liquidity risk by attempting to match expected 
asset cash flows against expected claims payments. The Board's 
expectations for supervised insurance organizations recognize and 
reflect this difference in inherent liquidity risk.
    The Board, however, does expect all depository institution holding 
companies, including supervised insurance organizations, to adhere to 
basic principles for managing liquidity risk.\13\
---------------------------------------------------------------------------

    \13\ For an explanation of these principles, see SR Letter 10-6, 
Interagency Policy Statement on Funding and Liquidity Risk 
Management, https://www.federalreserve.gov/boarddocs/srletters/2010/sr1006.htm.
---------------------------------------------------------------------------

    The Federal Reserve's supervision of supervised insurance 
organizations focuses on the sections of SR 10-6 that are most relevant 
to the liquidity characteristics of these firms. For example, guidance 
on intra-day liquidity management would only be applicable for 
supervised insurance organizations with material intra-day liquidity 
risks. Additionally, specific references to liquid assets in SR 10-6 
may be more broadly interpreted to include other asset classes such as 
certain investment-grade corporate bonds.
    The intensity of the Federal Reserve's supervisory focus on 
liquidity risk is influenced by each firm's individual risk profile. 
Traditional property and casualty insurance products are typically 
short duration liabilities backed by short-duration, liquid assets. 
Because of this, they typically present less liquidity risk than 
traditional banking products. However, some non-traditional life 
insurance and retirement products create liquidity risk through 
features that allow payments at the request of policyholders without 
the occurrence of an insured event. Risks of certain other insurance 
products are often mitigated using derivatives. Any differences between 
collateral requirements related to hedging and the related liability 
cash flows can also create liquidity risk. The Board expects firms 
significantly engaged in these types of insurance activities to have 
correspondingly more sophisticated liquidity risk management programs.
    A strong liquidity risk management program includes comprehensive 
cash flow forecasting with appropriate granularity, preferably for each 
major legal entity as well as for the consolidated enterprise. The 
firm's suite of quantitative metrics should effectively inform senior 
management and the board of directors of the firm's unique liquidity 
risk profile and identify liquidity events or stresses that could 
detrimentally affect the firm. The metrics used to measure a firm's 
liquidity position may vary by type of business.
    Federal Reserve examiners rely to the fullest extent possible on 
each firm's ORSA, which requires all firms to include a discussion of 
the risk management framework and assessment

[[Page 6546]]

of material risks, including liquidity risk.
    Supervised insurance organizations are expected to perform 
liquidity stress testing at least annually and more frequently if 
necessary, based on their risk profile. The scenarios used should 
reflect the firm's specific risk profile and include both idiosyncratic 
and system-wide stress events. Stress testing should inform the firm on 
the amount of liquid assets necessary to meet net cash outflows over 
relevant time periods, including at least a one-year time horizon. 
Firms should hold a liquidity buffer comprised of highly liquid assets 
to meet stressed net cash outflows. The liquidity buffer should be 
measured using appropriate haircuts based on asset quality, duration, 
and expected market illiquidity based on the stress scenario 
assumptions. Stress testing should reflect the expected impact on 
collateral requirements.
    Fungibility of liquidity is often limited between an insurance 
group's legal entities. Large insurance groups can operate with a 
significant number of legal entities and many different regulatory and 
operational barriers to transferring funds among them. Regulations 
designed to protect policyholders of insurance operating companies can 
limit the transferability of funds from an insurance company to other 
legal entities within the group, including to other insurance operating 
companies. Supervised insurance organizations should carefully consider 
these limitations in their stress testing and liquidity risk management 
framework. Effective liquidity stress testing should include stress 
testing at the legal entity level with consideration for intercompany 
liquidity fungibility. Furthermore, the firm should be able to measure 
and provide an assessment of liquidity at the top-tier depository 
institution holding company in a manner that incorporates fungibility 
constraints.
    The enterprise-wide governance and oversight framework should be 
consistent with the firm's liquidity risk profile and include policies 
and procedures on liquidity risk management. Policies and procedures 
should detail the oversight of liquidity risk through a specific 
document such as a Liquidity Policy. Policies and procedures should 
include the frequency of liquidity reporting and stress testing. Stress 
testing results should be communicated clearly and regularly to senior 
management and the board. A comprehensive contingency funding plan, 
commensurate with the firm's categorization and liquidity risk profile, 
should be maintained to manage liquidity stress events. The contingency 
funding plan should detail specific policies, procedures, and actions 
for addressing liquidity stress events or breaches of liquidity risk 
limits.
    Supervised insurance organizations should also have an enterprise-
wide approach for the control and oversight of liquidity risk. This 
should include management committee reporting of liquidity risk, 
governance, and assumptions for key elements of liquidity risk 
management such as stress testing and the firm's liquidity risk 
appetite, among others. The risk appetite statement, which should be 
approved by the board of directors, should detail and define the level 
of impact of a liquidity event or stress that the firm can. 
Additionally, the governance framework should detail the process and 
policies around liquidity risk identification, measurement, and risk-
mitigating actions.

B. Supervisory Ratings

    Supervised insurance organizations are expected to operate in a 
safe and sound manner, to comply with all applicable laws and 
regulations, and to possess sufficient financial and operational 
strength to serve as a source of strength for their depository 
institution(s) through a range of stressful yet plausible conditions. 
Supervisory ratings and supervisory findings are used to communicate 
the assessment of a firm. Each year, the Federal Reserve examiners 
assign one of four ratings to each of the three rating components used 
to assess supervised insurance organizations. The rating components are 
Capital Management, Liquidity Management, and Governance & Controls. 
The four potential ratings are Broadly Meets Expectations, 
Conditionally Meets Expectations, Deficient-1, and Deficient-2. To be 
considered ``well managed,'' a firm must receive a rating of 
Conditionally Meets Expectations or better in each of the three rating 
components. Each rating is defined specifically for supervised 
insurance organizations with particular emphasis on the obligation that 
firms serve as a source of financial and managerial strength for their 
depository institution(s). High-level definitions for each rating are 
below, followed by more specific rating definitions for each component.
    Broadly Meets Expectations: The supervised insurance organization's 
practices and capabilities broadly meet supervisory expectations. The 
holding company effectively serves as a source of managerial and 
financial strength for its depository institution(s) and possesses 
sufficient financial and operational strength and resilience to 
maintain safe-and-sound operations through a range of stressful yet 
plausible conditions. The firm may have outstanding supervisory issues 
requiring corrective actions, but these are unlikely to present a 
threat to its ability to maintain safe-and-sound operations and 
unlikely to negatively impact its ability to fulfill its obligation to 
serve as a source of strength for its depository institution(s). These 
issues are also expected to be corrected on a timely basis during the 
normal course of business.
    Conditionally Meets Expectations: The supervised insurance 
organization's practices and capabilities are generally considered 
sound. However, certain supervisory issues are sufficiently material 
that if not resolved in a timely manner during the normal course of 
business, may put the firm's prospects for remaining safe and sound, 
and/or the holding company's ability to serve as a source of managerial 
and financial strength for its depository institution(s), at risk. A 
firm rated ``Conditionally Meets Expectations'' has the ability, 
resources, and management capacity to resolve its issues and has 
developed a sound plan to address the issue(s) in a timely manner. 
Examiners will work with the firm to develop an appropriate timeframe 
during which it will be required to resolve that supervisory issue(s) 
leading to this rating.
    Deficient-1: Financial or operational deficiencies in a supervised 
insurance organization's practices or capabilities put its prospects 
for remaining safe and sound, and/or the holding company's ability to 
serve as a source of managerial and financial strength for its 
depository institution(s), at significant risk. The firm is unable to 
remediate these deficiencies in the normal course of business, and 
remediation would typically require it to make material changes to its 
business model or financial profile, or its practices or capabilities. 
A firm with a Deficient-1 rating is required to take timely action to 
correct financial or operational deficiencies and to restore and 
maintain its safety and soundness and compliance with laws and 
regulation. Supervisory issues that place the firm's safety and 
soundness at significant risk, and where resolution is likely to 
require steps that clearly go beyond the normal course of business--
such as issues requiring a material change to the firm's business model 
or financial profile, or its governance, risk management or internal 
control structures or practices--would generally warrant assignment of 
a Deficient-1 rating. There is a strong presumption that a firm with a

[[Page 6547]]

Deficient-1 rating will be subject to an enforcement action.
    Deficient-2: Financial or operational deficiencies in a supervised 
insurance organization's practices or capabilities present a threat to 
its safety and soundness, have already put it in an unsafe and unsound 
condition, and/or make it unlikely that the holding company will be 
able to serve as a source of financial and managerial strength to its 
depository institution(s). A firm with a Deficient-2 rating is required 
to immediately implement comprehensive corrective measures and 
demonstrate the sufficiency of contingency planning in the event of 
further deterioration. There is a strong presumption that a firm with a 
Deficient-2 rating will be subject to a formal enforcement action.
Definitions for the Capital Management Component Rating
    Broadly Meets Expectations: Despite the potential existence of 
outstanding supervisory issues, the supervised insurance organization's 
capital management broadly meets supervisory expectations, supports 
maintenance of safe-and-sound operations, and supports the holding 
company's ability to serve as a source of financial strength for its 
depository institution(s). Specifically:
     The firm's current and projected capital positions on a 
consolidated basis and within each of its material business lines/legal 
entities comply with regulatory requirements and support its ability to 
absorb potential losses, meet obligations, and continue to serve as a 
source of financial strength for its depository institution(s);
     Capital management processes are sufficient to give 
credibility to stress testing results and the firm is capable of 
producing sound assessments of capital adequacy through a range of 
stressful yet plausible conditions; and
     Potential capital fungibility issues are effectively 
mitigated, and capital contingency plans allow the holding company to 
continue to act as a source of financial strength for its depository 
institution(s) through a range of stressful yet plausible conditions.
    Conditionally Meets Expectations: Capital adequacy meets regulatory 
minimums, both currently and on a prospective basis. Supervisory issues 
exist but these do not threaten the holding company's ability to act as 
a source of financial strength for its depository institution(s) 
through a range of stressful yet plausible conditions. Specifically, if 
left unresolved, these issues:
     May threaten the firm's ability to produce sound 
assessments of capital adequacy through a range of stressful yet 
plausible conditions; and/or
     May result in the firm's projected capital positions being 
insufficient to absorb potential losses, comply with regulatory 
requirements, and support the holding company's ability to meet current 
and prospective obligations and continue to serve as a source of 
financial strength to its depository institution(s).
    Deficient-1: Financial or operational deficiencies in a supervised 
insurance organization's capital management put its prospects for 
remaining safe and sound through a range of plausible conditions at 
significant risk. The firm is unable to remediate these deficiencies in 
the normal course of business, and remediation would typically require 
a material change to the firm's business model or financial profile, or 
its capital management processes.
    Examples of issues that may result in a Deficient-1 rating include, 
but are not limited to:
     Capital adequacy currently meets regulatory minimums 
although there may be uncertainty regarding the firm's ability to 
continue meeting regulatory minimums.
     Fungibility concerns may exist that could challenge the 
firm's ability to contribute capital to its depository institutions 
under certain stressful yet plausible scenarios.
     Supervisory issues may exist that undermine the 
credibility of the firm's current capital adequacy and/or its stress 
testing results.
    Deficient-2: Financial or operational deficiencies in a supervised 
insurance organization's capital management present a threat to the 
firm's safety and soundness, a threat to the holding company's ability 
to serve a source of financial strength for its depository 
institution(s), or have already put the firm in an unsafe and unsound 
condition.
    Examples of issues that may result in a Deficient-2 rating include, 
but are not limited to:
     Capital adequacy may currently fail to meet regulatory 
minimums or there is significant concern that the firm will not meet 
capital adequacy minimums prospectively.
     Supervisory issues may exist that significantly undermine 
the firm's capital adequacy metrics either currently or prospectively.
     Significant fungibility constraints may exist that would 
prevent the holding company from contributing capital to its depository 
institution(s) and fulfilling its obligation to serve as a source of 
financial strength.
     The holding company may have failed to act as source of 
financial strength for its depository institution when needed.
Definitions for the Liquidity Management Component Rating
    Broadly Meets Expectations: Despite the potential existence of 
outstanding supervisory issues, the supervised insurance organization's 
liquidity management broadly meets supervisory expectations, supports 
maintenance of safe-and-sound operations, and supports the holding 
company's ability to serve as a source of financial strength for its 
depository institutions(s). The firm generates sufficient liquidity to 
meet its short-term and long-term obligations currently and under a 
range of stressful yet plausible conditions. The firm's liquidity 
management processes, including its liquidity contingency planning, 
support its obligation to act as a source of financial strength for its 
depository institution(s). Specifically:
     The firm is capable of producing sound assessments of 
liquidity adequacy through a range of stressful yet plausible 
conditions; and
     The firm's current and projected liquidity positions on a 
consolidated basis and within each of its material business lines/legal 
entities comply with regulatory requirements and support the holding 
company's ability to meet obligations and to continue to serve as a 
source of financial strength for its depository institution(s).
    Conditionally Meets Expectations: Certain material financial or 
operational weaknesses in a supervised insurance organization's 
liquidity management place its prospects for remaining safe and sound 
through a range of stressful yet plausible conditions at risk if not 
resolved in a timely manner during the normal course of business.
    Specifically, if left unresolved, these weaknesses:
     May threaten the firm's ability to produce sound 
assessments of liquidity adequacy through a range of conditions; and/or
     May result in the firm's projected liquidity positions 
being insufficient to comply with regulatory requirements and support 
the firm's ability to meet current and prospective obligations and to 
continue to serve as a source of financial strength to its depository 
institution(s).
    Deficient-1: Financial or operational deficiencies in a supervised 
insurance organization's liquidity management put the firm's prospects 
for remaining safe and sound through a range of stressful yet plausible 
conditions at significant risk. The firm is unable to remediate these 
deficiencies in the normal course of business, and remediation would

[[Page 6548]]

typically require a material change to the firm's business model or 
financial profile, or its liquidity management processes.
    Examples of issues that may result in a Deficient-1 rating include, 
but are not limited to:
     The firm is currently able to meet its obligations but 
there may be uncertainty regarding the firm's ability to do so 
prospectively.
     The holding company's liquidity contingency plan may be 
insufficient to support its obligation to act as a source of financial 
strength for its depository institution(s).
     Supervisory issues may exist that undermine the 
credibility of the firm's liquidity metrics and stress testing results.
    Deficient-2: Financial or operational deficiencies in a supervised 
insurance organization's liquidity management present a threat to its 
safety and soundness, a threat to the holding company's ability to 
serve as a source of financial strength for its depository 
institution(s), or have already put the firm in an unsafe and unsound 
condition.
    Examples of issues that may result in a Deficient-2 rating include, 
but are not limited to:
     Liquidity shortfalls may exist within the firm that have 
prevented the firm, or are expected to prevent the firm, from 
fulfilling its obligations, including the holding company's obligation 
to act as a source of financial strength for its depository 
institution(s).
     Liquidity adequacy may currently fail to meet regulatory 
minimums or there is significant concern that the firm will not meet 
liquidity adequacy minimums prospectively for at least one of its 
regulated subsidiaries.
     Supervisory issues may exist that significantly undermine 
the firm's liquidity metrics either currently or prospectively.
     Significant fungibility constraints may exist that would 
prevent the holding company from supporting its depository 
institution(s) and fulfilling its obligation to serve as a source of 
financial strength.
     The holding company may have failed to act as source of 
financial strength for its depository institution when needed.
Definitions for the Governance and Controls Component Rating
    Broadly Meets Expectations: Despite the potential existence of 
outstanding supervisory issues, the supervised insurance organization's 
governance and controls broadly meet supervisory expectations, supports 
maintenance of safe-and-sound operations, and supports the holding 
company's ability to serve as a source of financial and managerial 
strength for its depository institutions(s). Specifically, the firm's 
practices and capabilities are sufficient to align strategic business 
objectives with its risk appetite and risk management capabilities, 
maintain effective and independent risk management and control 
functions, including internal audit; promote compliance with laws and 
regulations; and otherwise provide for the firm's ongoing financial and 
operational resiliency through a range of conditions. The firm's 
governance and controls clearly reflect the holding company's 
obligation to act as a source of financial and managerial strength for 
its depository institution(s).
    Conditionally Meets Expectations: Certain material financial or 
operational weaknesses in a supervised insurance organization's 
governance and controls practices may place the firm's prospects for 
remaining safe and sound through a range of conditions at risk if not 
resolved in a timely manner during the normal course of business. 
Specifically, if left unresolved, these weaknesses may threaten the 
firm's ability to align strategic business objectives with its risk 
appetite and risk-management capabilities; maintain effective and 
independent risk management and control functions, including internal 
audit; promote compliance with laws and regulations; or otherwise 
provide for the firm's ongoing resiliency through a range of 
conditions. Supervisory issues may exist related to the firm's internal 
audit function, but internal audit is still regarded as effective.
    Deficient-1: Deficiencies in a supervised insurance organization's 
governance and controls put its prospects for remaining safe and sound 
through a range of conditions at significant risk. The firm is unable 
to remediate these deficiencies in the normal course of business, and 
remediation would typically require a material change to the firm's 
business model or financial profile, or its governance, risk management 
or internal control structures or practices.
    Examples of issues that may result in a Deficient-1 rating include, 
but are not limited to:
     The firm may be currently subject to, or expected to be 
subject to, informal or formal enforcement action(s) by the Federal 
Reserve or another regulator tied to violations of laws and 
regulations.
     Significant legal issues may have or be expected to impede 
the holding company's ability to act as a source of financial strength 
for its depository institution(s).
     The firm may have engaged in intentional misconduct.
     Deficiencies within the firm's governance and controls may 
limit the credibility of the firm's financial results, limit the board 
or senior management's ability to make sound decisions, or materially 
increase the firm's risk of litigation.
     The firm's internal audit function may be considered 
ineffective.
     Deficiencies in the firm's governance and controls may 
have limited the holding company's ability to act as a source of 
financial and/or managerial strength for its depository institution(s).
    Deficient-2: Financial or operational deficiencies in a supervised 
insurance organization's governance and controls present a threat to 
its safety and soundness, a threat to the holding company's ability to 
serve as a source of financial strength for its depository 
institution(s), or have already put the firm in an unsafe and unsound 
condition.
    Examples of issues that may result in a Deficient-2 rating include, 
but are not limited to:
     The firm is currently subject to, or expected to be 
subject to, formal enforcement action(s) by the Federal Reserve or 
another regulator tied to violations of laws and regulations.
     Significant legal issues may be impeding the holding 
company's ability to act as a source of financial strength for its 
depository institution(s).
     The firm may have engaged in intentional misconduct.
     The holding company may have failed to act as a source of 
financial and/or managerial strength for its depository institution(s) 
when needed.
     The firm's internal audit function is regarded as 
ineffective.

C. Incorporating the Work of Other Supervisors

    Similar to the approach taken by the Federal Reserve in its 
consolidated supervision of other firms, the supervision of supervised 
insurance organizations relies, to the fullest extent possible, on work 
done by other relevant supervisors. The Federal Reserve collaboratively 
coordinates with, communicates with, and leverages the work of the 
Office of the Comptroller of the Currency (OCC), Federal Deposit 
Insurance Corporation (FDIC), Financial Crimes Enforcement Network 
(FinCEN), Internal Revenue Service (IRS), applicable state insurance 
regulators, and other relevant supervisors to achieve its supervisory

[[Page 6549]]

objectives and eliminate unnecessary burden.
    Existing statutes specifically require the Board to coordinate 
with, and to rely to the fullest extent possible on work by the state 
insurance regulators. The Board and all state insurance regulators have 
entered into Memorandums of Understanding (MOU) allowing supervisors to 
freely exchange information relevant for the effective supervision of 
supervised insurance organizations. Federal Reserve examiners take the 
actions below with respect to state insurance regulators to support 
accomplishing the objective of minimizing supervisory duplication and 
burden, without sacrificing effective oversight:
     Routine discussions with state insurance regulatory staff 
with greater frequency during times of stress;
     Discussions around the annual supervisory plan, including 
how best to leverage work done by the state and potential participation 
by state insurance regulatory staff on relevant supervisory activities;
     Consideration of the opinions and work done by the state 
when scoping relevant examination activities;
     Documenting any input received from the state and 
consideration given to the opinions and work done by the state for 
relevant supervisory activities;
     Sharing and discussing with the state the annual ratings 
and relevant conclusion documents from supervisory activities;
     Collaboratively working with the states and the National 
Association of Insurance Commissioners (NAIC) on the development of 
policies that affect insurance depository institution holding 
companies; and
     Participating in supervisory colleges.
    The Federal Reserve relies on the state insurance regulators to 
participate in the activities above and to share proactively their 
supervisory opinions and relevant documents. These documents include 
the annual Own Risk Solvency Assessment (ORSA),\14\ the state insurance 
regulator's written assessment of the ORSA, results from its 
examination activities, the Corporate Governance Annual Disclosure, and 
other state supervisory material. If the Federal Reserve determines 
that it is necessary to perform supervisory activities related to 
aspects of the supervised insurance organization that also fall under 
the jurisdiction of the state insurance regulator, it will communicate 
the rationale and result of these activities to the state insurance 
regulator.
---------------------------------------------------------------------------

    \14\ Nat'l Ass'n of Ins. Comm'rs, Own Risk and Solvency 
Assessment (ORSA) Guidance Manual 9 (December 2017), https://www.naic.org/store/free/ORSA_manual.pdf.

    By order of the Board of Governors of the Federal Reserve 
System.
Ann Misback,
Secretary of the Board.
[FR Doc. 2022-02383 Filed 2-3-22; 8:45 am]
BILLING CODE 6210-01-P