OCC will add "recovery plans" alongside big bank stress tests

With the Dodd-Frank Act, born from the ashes of the Financial Crisis, banks are forced to more closely consider their own mortality through stress tests, orderly resolution planning, and “living wills.” A proposal by the Office of the Comptroller of the Currency (OCC) would add a new layer to that process by broadening risk assessment demands to include a predictive analysis of what issues could lead to an institution’s catastrophic demise.

“In the aftermath of the crisis, it became clear that many financial institutions had insufficient plans for identifying and responding rapidly to significant stress events. As a result, many institutions were forced to take significant actions quickly without the benefit of a well-developed plan,” the proposal, undergoing a public comment process through Feb. 16, says.

The proposal carves out an expanded role for the OCC, which was not included as a party to the Dodd-Frank Act’s orderly resolution process. In a perfect world, the new guidelines will dovetail with risk management efforts already in place. There are concerns, however, about the added regulatory burden and lack of prescriptive rules that define bright lines between compliance and non-compliance.

The OCC seeks to establish enforceable guidelines for recovery planning by insured national banks, federal savings associations, and federal branches of foreign banks with consolidated assets of $50 billion or more. While resolution plans, orchestrated by the Federal Reserve and Federal Deposit Insurance Corporation, largely focus on liquidity and asset quality, the new proposal encompasses a variety of other risk factors and stress events, including business interruptions, cyber-security, and leadership succession.

OCC examiners will assess the appropriateness and adequacy of a bank’s recovery planning process and the integration of that process into its overall risk management and corporate governance functions. Examiners will also assess the “quality and reasonableness” of the recovery plan, including its documentation of stress scenarios, recovery options, impact assessments, execution strategies, and management and board responsibilities.

In greater detail, the OCC will require:

Developing a recovery plan appropriate for a bank’s individual risk profile

Establishing triggers—quantitative or qualitative indicators of severe stress that should always be escalated to management or the board of directors—and designing severe stress scenarios that would cause the bank to fail if one or more recovery options were not promptly implemented

Identifying a wide range of options to restore financial and operational strength and viability

Addressing escalation procedures, management reports, and communication procedures

Holding the bank’s board of directors (or an appropriate committee of the board) responsible for overseeing the framework’s design and implementation, reviewing it at least annually.

That management revise the plan, as needed, to reflect material changes in the bank’s risk profile, complexity, size, and activities, as well as changes in external threats

The OCC may initiate a supervisory or enforcement process when it determines that a bank failed to meet its standards. “Issuing these standards as guidelines rather than as a regulation provides the OCC with the flexibility to pursue the course of action that is most appropriate given the specific circumstances of a covered bank’s non-compliance with one or more standards and the covered bank’s self-corrective and remedial responses,” the proposal says. Compliance failures could ultimately lead to a monetary fine.

“A lot of focus over the past few years has been on the resolution plans, but regulators have also been focusing on recovery planning,” he says. “This is a statement by the OCC that it expects recovery planning to be just as important as resolution planning.”
David Gibbons, Managing Director, Financial Industry Advisory Services, Alvarez & Marsal

Shifting the focus of resolution and recovery planning toward “recovery” makes plenty of sense from the OCC’s perspective, says David Gibbons, managing director for Financial Industry Advisory Services at global professional services firm Alvarez & Marsal. He previously advised banks on risk management at Promontory Financial Group, was chief risk officer for HSBC Holdings in North America, and served in several senior-level positions at the OCC for 27 years.

“A lot of focus over the past few years has been on the resolution plans, but regulators have also been focusing on recovery planning,” he says. “This is a statement by the OCC that it expects recovery planning to be just as important as resolution planning.”

While Gibbons expects that bankers will take pause at the comprehensiveness of the expectations, most are in good position to meet them if they leverage risk management and contingency processes already in place, building upon foundational work already undertaken for their resolution plans. “Resolution planning is about risk management because you can’t plan for your death without knowing how it is going to play out,” he says, thematically connecting resolution and recovery planning. “Stress testing is as much about broadening the view of risk management as it is a capital exercise.”

The OCC’s proposal fits within the continuum of what it and other regulators are already asking banks to do, says John Beaty, partner at law firm Venable and former assistant general counsel at the FDIC. “The resolution planning process has given banks a way to manage the process of articulating a comprehensive overview of what could happen if certain scenarios occur,” he explains. Resolution planning is, however, a more strained effort than the recovery process could be because “many of the people in the resolution planning process believe that their banks are not going to fail and have a hard time coming up with rationales for why they could. Also, banks don’t want to signal to their regulators and shareholders that they have a particular weakness.”

ANOTHER APPROACH TO RISK MANAGEMENT

The following are excerpts from the Office of the Comptroller of the Currency’s proposed guidelines requiring that banks with greater than $50 billion in assets develop and maintain a recovery plan. Each covered bank should develop and maintain a recovery plan appropriate for its individual risk profile, size, activities, and complexity, including the complexity of its organizational and legal entity structure.
It is important that a recovery plan provide a detailed description of the covered bank’s overall organizational and legal structure, including its material entities, critical operations, core business lines, and core management information systems. The description should explain interconnections and interdependencies (i) across business lines within the covered bank, (ii) with affiliates in a bank holding company structure, (iii) between a covered bank and its foreign subsidiaries, and (iv) with critical third parties.
The description should address whether a disruption of these interconnections or interdependencies would materially affect the funding or operations of the covered bank and, if so, how. Examples include relationships with respect to credit exposures, investments, or funding commitments; guarantees including an acceptance, endorsement, or letter of credit issued for the benefit of an affiliate during normal periods, as opposed to during a crisis; and payment services, treasury operations, collateral management, information technology (IT), human resources (HR), or other operational functions. This overview is an essential part of the recovery plan.
A recovery plan should include both quantitative and qualitative triggers.
Quantitative triggers include changes in covered bank-specific indicators that reflect the covered bank’s capital or liquidity position. While capital or liquidity triggers may be the most critical, a covered bank should also consider other quantitative triggers that may have an impact on its condition, such as a rating downgrade; access to credit and borrowing lines; equity ratios; profitability; asset quality; or other macroeconomic indicators. Of course, a covered bank should be prepared to act to preserve the financial and operational strength and viability of the bank if it is at risk, regardless of whether a trigger has been breached or the recovery plan includes options to specifically address the problems the bank faces.
Qualitative triggers include the unexpected departure of senior leadership; the erosion of reputation or market standing; the impact of an adverse legal ruling; and a material operational event that affects the covered bank’s ability to access critical services or to deliver products or services to its customers for a material period of time. It is important to note that the covered bank should review and update both qualitative and quantitative triggers, as necessary, to take into account changes in laws and regulations and other material events. In addition, a covered bank should consider the regulatory or legal consequences that may be associated with the breach of a particular trigger.
Source: Office of the Comptroller of the Currency

Recovery planning is easier “because you are constantly modeling and trying to develop plans for things that could be anticipated,” Beaty says. Nevertheless, “it does add a layer of complexity and effort and burden if you are already addressing all of the issues that fit into a recovery plan.”

“At what point are you just spending so many resources to develop plans that you stop being able to do the work? You have a board of directors with so many chiefs reporting directly to it instead of the CEO that it is making organizations more unwieldy and increasing risk,” he adds. The proposed process adds yet another layer of uncertainty for the board: “When have we done enough and are we going to have to wait to be criticized in an exam to know whether we have done enough?”

Beaty expects that many banks will consider using the same team for both recovery and resolution planning. “It makes so little sense to have two teams, because you are talking to the same people, are getting the same information, and are focused on the same organizational structure,” he says. The challenge will be ensuring that personnel are not overloaded, especially when annual stress tests roll around each year. 

“Plan to spend some resources,” he adds. “It is a budgeting process. You need to factor in that this will be a difficult document to generate. Coordination among different parts of the bank requires some very senior-level commitment. Make sure whoever is running the project has sufficient authority to get attention from other senior management officials. It could be someone reporting to the CEO or the senior management committee, but it can’t be someone much lower or they are not going to get the resources they need.”

The approach taken, of enforceable guidance rather than prescriptive rules and checklists, may prove to be “more desirable” for banks, says Cliff Stanford, chairman of the law firm Alston & Bird’s bank regulatory group and former assistant general counsel for the Federal Reserve Bank of Atlanta. In his view, the OCC doesn’t seem to be layering on burdens that a bank should not have already raised or taken on. He draws comparisons to the agency’s 2010 guidance on liquidity risk and its semi-annual risk perspectives.

“Arguably, there is a gap in terms of enforceable guidelines that address operational risk concerns,” Stanford says. “If you think about those other guidelines, they address the governance risk management and, built-in, there is certainly some signaling about contingency plans and recovery planning without specifically addressing that topic. This fills that gap.”