Is Your Enterprise Risk Management Keeping Up with Recent Regulatory Changes?
For enterprise risk managers, ensuring that all the firm’s various risk management structures and frameworks are keeping up with ever-changing regulatory guidance can be a daunting task. Regulatory updates take on particular importance for model risk managers. MRM is required not only to understand and comply with the regulatory guidance specific to model risk management itself, but also to understand the regulatory ramifications of the risk models they validate.
This post focuses on recent updates to eight ERM areas that can sometimes seem like a moving target when it comes to risk compliance.
The timeline below illustrates the extensive variability that can exist from regulator to regulator when it comes to which ERM components are of most concern and the nature and speed of adoption. To take one example, model risk management guidance was issued in 2011 and all Fed- and OCC-regulated institutions were in general compliance with it by 2014. The FDIC, however, did not issue the same guidance until 2017 and enforcement varies considerably. Although every FDIC-regulated institution is technically required to be in compliance with the MRM guidance, several have yet to undergo even their first MRM exam. Things get even cloudier for credit unions as the NCUA has not issued any guidance or regulation pertaining to MRM. The NCUA requires MRM practices to be observed during Capital Planning and Stress Testing (per its 2019 capital planning guide). But this narrow definition allows most credit unions to skirt regulator-required MRM entirely.
Because it can be difficult to stay on top of which regulator is requiring what and when, here is a quick summary of recent updates, organized by risk area.
Bank Secrecy Act (BSA) / Anti Money Laundering (AML)
The past year has seen five guidance updates pertaining to BSA/AML. Most of these seek to increase the effectiveness, predictability, and transparency of BSA/AML regulatory exams. Other updates clarify specific aspects of BSA/AML risk.
- Updated Sections of the FFIEC BSA/AML Examination Manual (OCC 2021-10/SR 21-9 & OCC 2021-28). The updated sections:
  - Reinforce the risk-focused approach to BSA/AML examinations, and
  - Clarify regulatory requirements and include updated information for examiners regarding transaction testing, including examples.
- Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance and Request for Information (OCC 2021-19/SR 21-8) as of April 12, 2021. This guidance:
  - Outlines the importance of MRM governance to AML exams,
  - Is designed to be flexible when applying MRM principles to BSA/AML models,
  - Updates MRM principles and validation to be more responsive,
  - Seeks not to apply a single industry-wide approach, and
  - Directs validators to consider third-party documentation when reviewing AML models.
- Answers to Frequently Asked Questions Regarding Suspicious Activity Reporting and Other AML Considerations (OCC 2021-4) as of January 21, 2021. These include instructions around:
  - Requests by law enforcement for financial institutions to maintain accounts,
  - Receipt of grand jury subpoenas/law enforcement inquiries and suspicious activity report (SAR) filing,
  - Maintaining a customer relationship following the filing of a SAR or multiple SARs,
  - SAR filing on negative news identified in media searches,
  - SAR monitoring on multiple negative media alerts,
  - Information in data fields and narrative, and
  - SAR character limits.
- Joint Statement on Bank Secrecy Act Due Diligence Requirements for Customers Who May Be Considered Politically Exposed Persons (OCC 2020-77/SR 20-19) as of August 21, 2020. This statement:
  - Explains that the BSA/AML regulations do not define what constitutes a politically exposed person (PEP),
  - Clarifies that the customer due diligence rule does not create a regulatory requirement and that there is no supervisory expectation for banks to have unique, additional due diligence steps for PEPs,
  - Clarifies how banks can apply a risk-based approach to customer due diligence in developing risk profiles for their customers, and
  - Discusses potential risk factors, levels and types of due diligence.
- OCC-Proposed Rule Regarding Exemptions to Suspicious Activity Report Requirements as of December 17, 2020:
  - The proposed rule would amend the agency’s SAR regulations to allow the OCC to issue exemptions from the requirements of those regulations on when and how to file suspicious activity reports (SARs).
Allowance for Loan and Lease Losses (ALLL)/ Current Expected Credit Losses (CECL)
Current Expected Credit Losses: Final Rule (OCC 2020-85/SR 19-8/FIL-7-2021) as of October 1, 2020. The rule:
- Applies to all community banks that adopted CECL in 2020 per GAAP requirements,
- Exempts all other institutions until 2023,
- Adopts all of the 2020 CECL IFR, and
- Clarifies that a banking organization is not required to use the transition during fiscal quarters in which it would not generate a regulatory capital benefit.
Asset Liability Management (ALM) and Liquidity Risk Management
Four important updates to ALM and liquidity risk guidance were issued in the past year.
- Net Stable Funding Ratio: Final Rule (OCC 2021-9) as of February 24, 2021. The rule:
  - Implements a minimum stable funding requirement designed to reduce the likelihood that disruptions to a covered company’s regular sources of funding will compromise its liquidity position,
  - Requires the maintenance of a ratio of “available stable funding” to “required stable funding” of at least 1.0 on an ongoing basis,
  - Defines “available stable funding” as the stability of a banking organization’s funding sources,
  - Defines “required stable funding” as the liquidity characteristics of a banking organization’s assets, derivatives, and off-balance-sheet exposures,
  - Requires notification of a shortfall, realized or potential, within 10 business days, and
  - Provides public disclosure rules for a consolidated NSFR.
- Volcker Rule Covered Funds: Final Rule (OCC 2020-71) as of July 41, 2020. The rule:
  - Permits the activities of qualifying foreign excluded funds,
  - Revises the exclusions from the definition of “covered fund,”
  - Creates new exclusions from the definition of covered fund for credit funds, qualifying venture capital funds, family wealth management vehicles, and customer facilitation vehicles, and
  - Modifies the definition of “ownership interest.”
- Interest Rate Risk: Revised Comptroller’s Handbook Booklet (OCC 2020-26) as of March 26, 2020. The updated Handbook:
  - Expands discussions on MRM expectations for reviewing and testing model assumptions,
  - Addresses funds transfer pricing (FTP), and
  - Adds guidelines for advanced approaches to interest rate risk management consistent with the Pillar 2 supervisory approach.
- Capital and Liquidity Treatment for Money Market Liquidity Facility and Paycheck Protection Program: Final Rule (OCC 2020-96) as of November 3, 2020. This rule:
  - Permits a zero-percent risk weight for PPP loans, and
  - Eliminates the regulatory capital impact and liquidity rule provisions for participating in the PPP and Money Market Liquidity Facility.
Artificial Intelligence (AI)/ Machine Learning (ML)
The only recent regulatory update pertaining to AI/Machine Learning has been a request for comment related to usage, controls, governance, and risk. At present, there is no formal guidance specifically related to AI or ML models. The OCC’s semi-annual risk perspectives include just a couple of sentences stating that users of ML models should be able to defend and explain their risks. The Fed’s feedback has been similarly broad. Movement seems afoot to issue more detailed guidance on how ML models should be governed and monitored. But this is likely to be limited to specific applications and not to the ML models themselves.
The Request for Information and Comment on Financial Institutions’ Use of Artificial Intelligence, Including Machine Learning (OCC 2021-17) as of March 31, 2021, seeks respondents’ views on appropriate governance, risk management, and controls over artificial intelligence, and any challenges in developing, adopting, and managing artificial intelligence approaches.
Capital Risk
We focus on the two items of capital risk guidance issued in the past year. The rule applies to community banks with total assets of less than $10 billion as of December 31, 2019.
- Temporary Asset Thresholds: Interim Final Rule (OCC 2020-107) as of December 2, 2020:
  - The rule allows these institutions to use asset data as of December 31, 2019, to determine the applicability of various regulatory asset thresholds during calendar years 2020 and 2021.
- Regulatory Capital Rule: Eligible Retained Income: Final Rule (OCC 2020-87) as of October 8, 2020:
  The final rule revises the definition of eligible retained income to the greater of:
  - Net income for the four preceding calendar quarters, net of any distributions and associated tax effects not already reflected in net income, and
  - The average of a Bank’s net income over the preceding four quarters.
Fair Lending
- Community Reinvestment Act: Key Provisions of the June 2020 CRA Rule and Frequently Asked Questions (OCC 2020-99) as of November 9, 2020:
  The rule establishes new criteria for designating bank assessment areas, including:
  - Facility-based assessment areas based on the location of a bank’s main office and branches and, at a bank’s discretion, on the location of the bank’s deposit-taking automated teller machines, and
  - Deposit-based assessment areas, which apply to a bank with 50 percent or more of its retail domestic deposits outside its facility-based assessment areas.
- Community Reinvestment Act: Implementation of the June 2020 Final Rule (OCC 2021-24) as of May 18, 2021. The OCC has determined that it will reconsider its June 2020 rule. While this reconsideration is ongoing, the OCC will not implement or rely on the evaluation criteria in the June 2020 rule pertaining to:
  - Quantification of qualifying activities
  - Assessment areas
  - General performance standards
  - Data collection
  - Recordkeeping
  - Reporting
Market Risk
- Libor Transition: Self-Assessment Tool for Banks (OCC 2021-7) as of February 10, 2021. The self-assessment tool can be used to assess the following:
  - Five primary topics: Assets and contracts; LIBOR risk exposure; Fallback language; Consumer impact; Third-party service provider
  - The appropriateness of a bank’s Libor transition plan
  - Bank management’s execution of the bank’s transition plan
  - Related oversight and reporting
- Standardized Approach for Counterparty Credit Risk; Correction: Final Rule (OCC 2020-82) as of September 21, 2020. The issuance corrects errors in the standardized approach for counterparty credit risk (SA-CCR) rule:
  - Clarifying that a Bank that uses SA-CCR will be permitted to exclude the future exposure of all credit derivatives
  - Revising the number of outstanding margin disputes
  - Correcting the calculation of the hypothetical capital requirement of a qualifying central counterparty (QCCP)
- Agencies Finalize Amendments to Swap Margin Rule (News Release 2020-83) as of June 25, 2020:
  - Swap entities that are part of the same banking organization will no longer be required to hold a specific amount of initial margin for uncleared swaps with each other, known as inter-affiliate swaps.
  - Final rule allows swap entities to amend legacy swaps to replace the reference to LIBOR or other reference rates that are expected to end without triggering margin exchange requirements.
Operations Risk
- Corporate and Risk Governance. Revised and New Publications in the Director’s Toolkit (OCC 2020-97) as of November 5, 2020:
  - Defines permissible derivatives activities,
  - Allows engagement in certain tax equity finance transactions,
  - Expands the ability to choose corporate governance provisions under state law,
  - Includes OCC interpretations relating to capital stock issuances and repurchases, and
  - Applies rules relating to finder activities, indemnification, equity kickers, postal services, independent undertakings, and hours and closings to FSAs.
- Activities and Operations of National Banks and Federal Savings Associations: Final Rule (OCC 2020-111) as of December 23, 2020:
  - Focuses on key areas of planning, operations, and risk management,
  - Outlines directors’ responsibilities as well as management’s role,
  - Explains basic concepts and standards for safe and sound operation of banks, and
  - Delineates laws and regulations that apply to banks.
- Operational Risk: Sound Practices to Strengthen Operational Resilience (OCC 2020-94) as of October 10, 2020:
  - Outlines standards for operational resilience set forth in the agencies’ rules and guidance,
  - Promotes a principles-based approach for effective governance, robust scenario analysis, secure and resilient information systems, and thorough surveillance and reporting, and
  - Introduces sound practices for managing cyber risk.