2016-23366. OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Technical Amendments  

  • Start Preamble Start Printed Page 66791

    AGENCY:

    Office of the Comptroller of the Currency, Treasury.

    ACTION:

    Final rule and guidelines.

    SUMMARY:

    The Office of the Comptroller of the Currency (OCC) is adopting enforceable guidelines establishing standards for recovery planning by insured national banks, insured Federal savings associations, and insured Federal branches of foreign banks with average total consolidated assets of $50 billion or more (Final Guidelines). The OCC is issuing the Final Guidelines as an appendix to its safety and soundness standards regulations, and the Final Guidelines will be enforceable by the terms of the Federal statute that authorizes the OCC to prescribe operational and managerial standards for national banks and Federal savings associations. The OCC is also adopting technical changes to the safety and soundness standards regulations that are made necessary by the addition of the Final Guidelines.

    DATES:

    This final rule and guidelines are effective on January 1, 2017. The compliance dates for the Final Guidelines in Appendix E to part 30 vary, as specified below.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Lori Bittner, Large Bank Supervision—Resolution and Recovery, (202) 649-6093; Stuart Feldstein, Director, Andra Shuster, Senior Counsel, Karen McSweeney, Counsel, or Priscilla Benner, Attorney, Legislative & Regulatory Activities Division, (202) 649-5490; or Valerie Song, Assistant Director, Bank Activities and Structure Division, (202) 649-5500; or, for persons who are deaf or hard of hearing, TTY, (202) 649-5597, 400 7th Street SW., Washington, DC 20219.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    Background

    The financial crisis demonstrated the destabilizing effect that severe stress at large, complex, interconnected financial companies can have on the national economy, capital markets, and the overall financial stability of the banking system. Following the crisis, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act); [1] among other purposes, the Dodd-Frank Act was intended to strengthen the framework for the supervision and regulation of large U.S. financial companies in order to address the significant impact that these institutions can have on capital markets and the economy.

    One lesson learned from the crisis is the importance—especially in large, complex financial institutions—of a strong risk governance framework. In 2014, the OCC formally adopted heightened standards guidelines that address the risk governance of large, complex banks (Heightened Standards).[2] The Heightened Standards establish minimum standards for the design and implementation of a risk governance framework and for a bank's board of directors (board) in overseeing the framework's design and implementation. The OCC believes that these Heightened Standards further the goals of the Dodd-Frank Act by clarifying the OCC's expectation that its regulated institutions have robust practices in areas where the crisis revealed substantial weaknesses.

    Further, in the aftermath of the crisis, it became clear that many financial institutions had insufficient plans for identifying and responding rapidly to significant stress events that affected their financial condition and threatened their viability. As a result, many institutions were forced to take significant actions quickly without the benefit of a well-developed plan. In addition, recent large-scale events, such as destructive cyber attacks, demonstrate the need for institutions to plan how to respond to the financial effects of such occurrences. Therefore, the OCC believes that a large, complex institution should undertake recovery planning to be able to respond quickly to and recover from the financial effects of severe stress on the institution.[3] An institution's recovery planning should be a dynamic, ongoing process that complements its risk governance functions and supports its safe and sound operation. The process of developing and maintaining a recovery plan also should cause a covered bank's management and its board to enhance their focus on risk governance with a view toward lessening the negative impact of future events.

    In December 2015, the OCC invited public comment on proposed guidelines establishing minimum standards for recovery planning by insured national banks, insured Federal savings associations, and insured Federal branches of foreign banks (together, banks and each, a bank) with average total consolidated assets of $50 billion or more (together, covered banks and each, a covered bank).[4] After carefully considering the comments we received on the proposed guidelines, the OCC is adopting these Final Guidelines as a new Appendix E to part 30 of our regulations. The OCC, as the primary financial regulatory agency for the covered banks, believes that the Final Guidelines will assist these banks with their recovery planning efforts, thereby minimizing the negative impact of severe stress. We have set forth below a detailed description of the proposal, the significant comments we received, and the standards contained in the Final Guidelines.

    Summary of Comments on the Notice of Proposed Rulemaking

    The OCC received six comment letters on the proposed guidelines from Start Printed Page 66792national banks, trade associations, and individuals. To improve our understanding of the issues raised by commenters, the OCC had a meeting with two trade groups and a number of their member institutions, and a summary of this meeting is available on a public Web site.[5]

    The comments we received generally supported the proposed guidelines, acknowledging that recovery planning is an important part of risk management and that the use of guidelines, rather than regulations, provides both covered banks and the OCC with appropriate flexibility. However, the commenters asked the OCC to clarify various provisions in the proposal. For example, commenters requested that the OCC address the ability of a covered bank to leverage other processes in developing its recovery plan and to tailor its plan based on the size, risk profile, and complexity of the bank. They also asked the OCC to clarify the role of the board with respect to the plan. In addition, commenters suggested that the OCC consider tiered compliance dates. As discussed more fully below, the OCC has revised the Final Guidelines in response to the comments we received and has made other technical and clarifying changes.

    Enforcement of the Final Guidelines

    The OCC is adopting these Final Guidelines pursuant to section 39 of the Federal Deposit Insurance Act (FDIA).[6] Section 39 authorizes the OCC to prescribe safety and soundness standards in the form of a regulation or guidelines. The OCC currently has four sets of these guidelines that are appendices to part 30 of the OCC's regulations. Appendix A contains operational and managerial standards that relate to internal controls, information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth, asset quality, earnings, compensation, fees, and benefits. Appendix B contains standards on information security, and Appendix C contains standards that address residential mortgage lending practices. Appendix D contains the Heightened Standards discussed above.

    Section 39 prescribes different consequences depending on whether an agency issues the standards by regulation or guideline. Pursuant to section 39, if a bank [7] fails to meet a standard prescribed by regulation, the OCC must require it to submit a plan specifying the steps it will take to comply with the standard. If a bank fails to meet a standard prescribed by guidelines, the OCC has the discretion to decide whether to require the submission of a plan.[8] The issuance of these standards as guidelines, rather than as regulations, provides the OCC with the flexibility to pursue the course of action that is most appropriate given the specific circumstances of a covered bank's noncompliance with one or more standards and the covered bank's self-corrective and remedial responses.

    The procedural rules implementing the supervisory and enforcement remedies prescribed by section 39 are contained in part 30 of the OCC's rules. Under these provisions, the OCC may initiate a supervisory or enforcement process when it determines, by examination or otherwise, that a bank has failed to meet the standards set forth in the Final Guidelines.[9] Upon making that determination, the OCC may request in writing that the bank submit a compliance plan to the OCC detailing the steps the institution will take to correct the deficiencies and the time within which it will take those steps. This request is termed a Notice of Deficiency. Upon receiving a Notice of Deficiency from the OCC, the bank must submit a compliance plan to the OCC for approval within 30 days.

    If a bank fails to submit an acceptable compliance plan or fails in any material respect to implement a compliance plan approved by the OCC, the OCC shall issue a Notice of Intent to Issue an Order pursuant to section 39 (Notice of Intent). The bank then has 14 days to respond to the Notice of Intent. After considering the bank's response, the OCC may issue the order, decide not to issue the order, or seek additional information from the bank before making a final decision. Alternatively, the OCC may issue an order without providing the bank with a Notice of Intent. In such a case, the bank may appeal after-the-fact to the OCC, and the OCC has 60 days to consider the appeal. Upon the issuance of an order, a bank is deemed to be in noncompliance with part 30. Orders are formal, public documents, and the OCC may enforce them in Federal district court. The OCC may also assess a civil money penalty, pursuant to 12 U.S.C. 1818, against any bank that violates or otherwise fails to comply with any final order and against any institution-affiliated party who participates in such violation or noncompliance.

    Detailed Description of the Proposed Guidelines, Comments Received, and Final Guidelines

    Like the proposal, the Final Guidelines consist of three sections. Section I explains the scope of the Final Guidelines, sets forth the applicable compliance dates, and defines key terms. Section II sets forth the standards for the design and execution of a covered bank's recovery plan. Section III describes the responsibilities of a covered bank's management and board in connection with the bank's recovery plan.

    Section I: Introduction

    Scope. As proposed, the guidelines would have applied to any bank with “average total consolidated assets” equal to or greater than $50 billion as of the effective date of the guidelines (calculated by averaging a bank's total consolidated assets, as reported on the bank's Consolidated Reports of Condition and Income (Call Reports), for the four most recent consecutive quarters). The preamble to the proposal noted that this threshold is consistent with the scope of Federal Deposit Insurance Corporation (FDIC) and Board of Governors of the Federal Reserve System (Board) regulations that require certain entities to prepare resolution plans.[10] We note that this threshold also is consistent with the Heightened Standards threshold, as well as the threshold used in section 165 of the Dodd-Frank Act for the application of enhanced prudential standards to bank holding companies and foreign banking organizations.

    The proposal provided that for any bank with average total consolidated assets less than $50 billion as of the effective date of the guidelines, whose average total consolidated assets subsequently reached $50 billion or greater, the guidelines would apply on the as-of date of the bank's most recent Call Report used in the calculation of the average total consolidated assets. Once a bank's average total consolidated assets had reached or exceeded the $50 billion threshold, the preamble explained that the bank would have had to comply with the guidelines, unless Start Printed Page 66793and until the OCC specifically determined that compliance was not required, even if the bank's average total consolidated assets subsequently fell below the $50 billion threshold.

    The OCC received no comments on these provisions and adopts them as proposed.

    Compliance date. Although the OCC did not propose a specific compliance date, several commenters requested a phased-in compliance period. Some commenters suggested a compliance date of 2017 for the largest, most complex covered banks and a subsequent compliance date of 2018 for the remaining covered banks. These commenters stated that the phase-in dates should account for the size, risk profile, and complexity of a covered bank. Other commenters requested an initial compliance date for all covered banks of no earlier than 2018. Another commenter suggested that the OCC use a flexible approach when setting a compliance date for banks that reach or exceed the $50 billion threshold after the effective date of the Final Guidelines.

    The OCC agrees that a phased-in compliance period is appropriate and adopts the compliance schedule set forth below, which we believe gives covered banks, including those likely to have the least experience with recovery planning, sufficient time to prepare their plans. Under this schedule, a covered bank with average total consolidated assets equal to or greater than $750 billion on the effective date of these Final Guidelines should comply within 6 months of the effective date. A covered bank with average total consolidated assets equal to or greater than $100 billion but less than $750 billion on the effective date should comply within 12 months of the effective date. A covered bank with average total consolidated assets equal to or greater than $50 billion but less than $100 billion on the effective date should comply within 18 months of the effective date. Finally, a bank with less than $50 billion in average total consolidated assets on the effective date, which subsequently becomes a covered bank, should comply with the Final Guidelines within 18 months of becoming a covered bank.

    Reservation of authority. In order to preserve supervisory flexibility, the proposed guidelines reserved the OCC's authority to apply the guidelines to a bank with average total consolidated assets of less than $50 billion if the agency determined that the bank's operations were highly complex or otherwise presented a heightened risk. The preamble explained that the OCC expected to use this authority infrequently and did not intend to apply the guidelines to community banks. The proposed guidelines also reserved the OCC's authority to determine that compliance with the guidelines was no longer required for a covered bank whose operations no longer were highly complex or otherwise no longer presented a heightened risk.

    In either case, when determining whether a bank's or covered bank's operations were highly complex or otherwise presented a heightened risk, the proposed guidelines stated that the OCC would consider an institution's size, risk profile, activities, and complexity, including the complexity of its organizational and legal entity structure. The guidelines also stated that, when exercising the authority reserved by this provision, the OCC would apply notice and response procedures consistent with those set out in 12 CFR 3.404.[11]

    Commenters had no substantive comments on this subsection. However, we have added “scope of operations” to the factors that we will consider in determining whether a bank's or covered bank's operations are highly complex or otherwise present a heightened risk. Otherwise, the OCC is adopting these provisions as proposed and reiterates that we expect to use this authority infrequently and do not intend to apply the Final Guidelines to community banks.

    Preservation of existing authority. The proposed guidelines stated that neither section 39 of the FDIA nor the OCC's part 30 rules in any way limited the authority of the OCC to address unsafe or unsound practices or conditions or other violations of law.[12] We received no comments on this provision, and we are adopting it as proposed.

    Definitions. The proposed guidelines included definitions of “average total consolidated assets,” “bank,” “covered bank,” “recovery,” “recovery plan,” and “trigger.” The proposal defined the term “recovery” to mean timely and appropriate action that a covered bank takes to remain a going concern when it is experiencing or is likely to experience considerable financial or operational distress and provided that a covered bank in recovery had not yet deteriorated to the point where liquidation or resolution is imminent. The proposal defined “recovery plan” as a plan that identified triggers and options for a covered bank to respond to a wide range of severe internal and external stress scenarios and to restore a covered bank that is in recovery to financial and operational strength and viability in a timely manner while maintaining the confidence of market participants. This definition further stated that neither the plan nor the options could assume or rely on any extraordinary government support.

    The proposal defined “trigger” as a “quantitative or qualitative indicator of the risk or existence of severe stress that should always be escalated to management or the board, as appropriate, for purposes of initiating a response.” It stated that the breach of any trigger should result in timely notice, accompanied by sufficient information, to enable management of the covered bank to take corrective action.

    The OCC received one comment regarding references to the “operational” effects of severe stress in the proposal. The commenter stated that a covered bank's recovery plan should address the effects of operational stress events (e.g., cyber events, natural disasters, unanticipated changes in senior management) only to the extent that such stress events affect the bank's financial strength and viability. The commenter noted that a covered bank addresses the operational effects of stress events in its other risk management plans (e.g., disaster recovery, business continuity). The commenter also stated that the Final Guidelines would be inconsistent with Board, Financial Stability Board, and European Banking Authority recovery planning provisions if they stated that a covered bank's recovery plan should address the operational effects of severe stress. The OCC agrees—a recovery plan should address the financial, not the operational, effects of severe stress.

    The proposal defined the term “recovery plan” to include restoring a covered bank's “financial and operational strength and viability.” The same commenter noted that the purpose of a recovery plan is to help a covered bank restore its financial, not its operational, strength and viability. The commenter stated that covered banks address the restoration of operational strength and viability in other risk Start Printed Page 66794management plans (e.g., disaster recovery, business continuity). The OCC agrees and has revised the definition of “recovery plan” by removing “and operational” to clarify that the purpose of a recovery plan is to help a covered bank restore its financial strength and viability. While a recovery plan might address operational stress scenarios and identify recovery options that are operational in nature, the triggers in the recovery plan should alert the bank to the possible or actual financial effects of stress, and the recovery options should be designed to restore the bank's financial strength and viability. We made conforming changes throughout the document to reflect this change.

    The proposal prohibited reliance on extraordinary government support in a recovery plan. The OCC received a comment asking it to clarify how this prohibition would apply when a foreign government controls a covered bank. While we have not changed the prohibition set forth in the definition of “recovery plan,” the OCC acknowledges that exceptions to this prohibition may exist with respect to support of a covered bank by a foreign government. We recommend that an affected covered bank discuss this situation with its OCC examiner.

    The OCC received no other comments on these definitions. We have clarified, however, several terms defined in the Final Guidelines. First, we revised the definition of “covered bank” to reflect the proposal's preamble statement that “covered bank” includes a bank with average total consolidated assets of less than $50 billion if it was previously a covered bank, unless the OCC determines otherwise. Second, we changed the word “distress” in the definition of “recovery” to “stress.” While the term “distress” can be used to describe either stress itself or the effect of stress, we intended in this context to refer to stress itself. Third, we revised the definition of “trigger” to clarify that the breach of a trigger, not the trigger itself, should be escalated and that the escalation should be to senior management. Finally, we have clarified that a trigger breach can be escalated to either the board or an appropriate committee of the board,[13] and we have made conforming changes throughout the document where necessary to address the role of an appropriate committee of the board. Except as otherwise noted above, we are adopting these definitions as proposed.

    Section II: Recovery Plan

    A. Recovery plan. Subsection A of the proposal stated that each covered bank should develop and maintain a recovery plan appropriate for its individual size, risk profile, activities, and complexity, including the complexity of its organizational and legal entity structure. In response to this statement, commenters requested that the OCC clarify its expectations with regard to the length and detail of recovery plans and asked that the Final Guidelines elaborate on a covered bank's ability to tailor its recovery plan to its particular operations.

    We note that a covered bank's recovery plan need only be as long and as detailed as is necessary to satisfy these Final Guidelines. The OCC does not have any expectations regarding a plan's length or detail, nor does it expect that recovery plans will mirror the length or detail of resolution plans. Further, the OCC agrees that a covered bank may tailor its recovery plan to its unique size, risk profile, activities, and complexity. Therefore, a smaller, less complex bank may have a shorter, less complex recovery plan. The stress scenarios, triggers, and recovery options appropriate for a covered bank that engages primarily in retail and commercial banking are likely to be different from those for a covered bank that engages in significant trading or capital market activities. Those appropriate for a covered bank that engages primarily in domestic activities are likely to be different from those for a covered bank with extensive foreign activities. For the sake of clarity, we have added language to this description stating that a recovery plan should be specific to the unique characteristics of each covered bank. We have otherwise adopted this subsection as proposed.

    B. Elements of recovery plan. Subsection B set forth the eight elements of a recovery plan.

    1. Overview of covered bank. The proposed guidelines stated that a recovery plan should include a detailed description of the covered bank's overall organizational and legal structure, including its material entities, critical operations, core business lines, and core management information systems. The proposal stated that this description should explain interconnections and interdependencies: (i) Across business lines within the covered bank; (ii) with affiliates in a bank holding company structure; (iii) between a covered bank and its foreign subsidiaries; and (iv) with critical third parties. As explained in the proposal's preamble, the OCC used the terms “interconnections” and “interdependencies” in a manner consistent with FDIC and Board resolution plan regulations. The preamble cited the following as examples of interconnections and interdependencies: (i) Relationships with respect to credit exposures, investments, or funding commitments; (ii) guarantees including an acceptance, endorsement, or letter of credit issued for the benefit of an affiliate during normal periods, as opposed to during a crisis; and (iii) payment services, treasury operations, collateral management, information technology (IT), human resources (HR), and other operational functions. It explained that the plan should address whether a disruption of these interconnections or interdependencies would materially affect the covered bank and, if so, how.

    Commenters asked the OCC to confirm in the Final Guidelines that other terms, including “material entities,” “critical operations,” and “core business lines,” may be interpreted consistent with the use of those terms elsewhere, such as resolution planning regulations and Heightened Standards. The OCC confirms that a covered bank may include in its recovery plan concepts and terms used elsewhere, provided the bank's resulting recovery plan is consistent with the Final Guidelines. In order to facilitate the OCC's understanding of a covered bank's recovery planning process, a bank's recovery plan should indicate which key terms are drawn from other sources and identify the sources. Otherwise, we adopt this element as proposed.

    2. Triggers. The proposal stated that a recovery plan should identify triggers that appropriately reflected a covered bank's particular vulnerabilities. As explained in the preamble, in order for a covered bank to identify such triggers, the bank should design severe stress scenarios that would threaten its critical operations or cause it to fail if the bank did not implement one or more recovery options in a timely manner. The preamble further explained that these scenarios should range from those that cause significant hardship to those that bring the covered bank close to default, but not into resolution.

    As explained in the proposal, in designing stress scenarios, a covered bank should consider a range of bank-specific and market-wide scenarios, individually and in the aggregate, that Start Printed Page 66795are immediate and prolonged. The proposal explained that a covered bank should design the stress scenarios to result in capital shortfalls, liquidity pressures, or other significant financial losses. The preamble included as examples of bank-specific stress scenarios: Fraud; a portfolio shock; a significant cyber attack [14] or other wide-scale operational event; an accounting and tax issue; an event that caused a reputational crisis and degraded customer or market confidence; and other key stresses that management identified. Although not mentioned in the proposal, another example of a covered bank-specific stress scenario is the failure of the bank's parent company or a significant affiliate.

    Examples of market-wide stress scenarios included: A disruption of domestic or global financial markets; a failure or impairment of systemically important financial industry participants, critical financial market infrastructure firms, and critical third-party relationships; significant changes in debt or equity valuations, currency rates, or interest rates; the widespread interruption of critical infrastructure that significantly degraded operational capability; [15] and other unfavorable economic conditions. It should also be noted that stress scenarios are important tools that a covered bank uses to determine areas of vulnerability and to help it identify the appropriate triggers. While they need not be included in the plan itself, they are a critical part of the planning process and should be documented for OCC examiners to consider and discuss with a covered bank as part of the agency's overall evaluation of a bank's plan.

    With respect to the development of stress scenarios, commenters requested that the Final Guidelines not require a covered bank to develop stress scenarios other than those required for supervisory stress tests (i.e., Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act Stress Testing (DFAST)). We recognize that the scenarios used to conduct supervisory stress tests may be appropriate for purposes of identifying triggers under these Final Guidelines. However, a covered bank should evaluate those scenarios in the context of these Final Guidelines and consider whether different or additional scenarios are appropriate, including whether these specific scenarios are sufficiently severe to cause the bank to be in recovery—i.e., scenarios that bring the bank to the brink of resolution.

    The proposal's discussion of the triggers that a covered bank should include in its recovery plan explained that these triggers should address a continuum of increasingly severe stress, ranging from triggers that provide a warning of the likely occurrence of severe stress to those that indicate the actual existence of severe stress. It stated that the number and nature of triggers should be appropriate for the covered bank's size, risk profile, activities, and complexity. As the proposal further explained, the nature of a trigger should inform the nature of the response. For example, the preamble stated that, in some situations, the appropriate response to the breach of a trigger should be enhanced monitoring; in other situations, the breach of a trigger should result in activating a more specific recovery option set forth in the plan or taking other corrective action. As the proposal noted, however, the breach of a particular trigger does not necessarily correspond to a single recovery option; instead, more than one option may be appropriate when a particular trigger is breached.

    The preamble to the proposal stated that quantitative triggers included changes in covered bank-specific indicators that reflect the covered bank's capital or liquidity position. The proposal stated that a covered bank should also consider quantitative triggers other than capital or liquidity that may have an impact on its condition, such as a rating downgrade; access to credit and borrowing lines; equity ratios; profitability; asset quality; or other macroeconomic indicators. It also noted that a covered bank should be prepared to act if it is at risk, regardless of whether a trigger has been breached or the recovery plan includes options that specifically addressed the problems the bank faced.

    The proposal also stated that qualitative triggers would include the unexpected departure of senior leadership; the erosion of reputation or market standing; the impact of an adverse legal ruling; and a material operational event that affects the covered bank's ability to access critical services or to deliver products or services to its customers for a material period of time. In retrospect, we believe these scenarios more accurately describe stress events that may affect a covered bank's financial strength and viability than triggers that indicate the stress. However, while we anticipate that most triggers will be quantitative indicators, we have retained the reference to qualitative indicators that have a financial effect on a bank to allow for those that a bank may identify.

    The proposal noted that a covered bank should review and update its triggers, as necessary, to take into account changes in laws and regulations and other material events. In addition, it stated that a covered bank should consider any regulatory or legal consequences resulting from the breach of a particular trigger. We made no changes to this element and adopt it as proposed.

    3. Options for recovery. The proposed guidelines stated that a recovery plan should identify a wide range of credible options that a covered bank could undertake to restore its financial and operational strength and viability, thereby allowing the bank to continue to operate as a going concern and avoid liquidation or resolution. The proposed guidelines further provided that a recovery plan should explain how the covered bank would carry out each recovery option, describe the timing for each option, and identify options that require regulatory or legal approval.

    The preamble to the proposal explained that the recovery plan should include a description of the decision-making process for implementing each option, outline the steps the bank will follow, identify the critical parties to carry out each option, and address timing considerations. It also stated that a recovery plan should identify obstacles to executing an option and set out mitigation strategies to address these obstacles. Finally, the preamble provided that the plan should identify those options that would require regulatory or legal approval and, consistent with the proposal's definition of “recovery plan,” that neither the plan nor the options may assume or rely on any extraordinary government support.[16]

    The preamble noted that a covered bank should be able to execute plan options within time frames that would allow the options to be effective during periods of stress. It also provided examples of recovery options, including the conservation or restoration of liquidity and capital; the sale, transfer, or disposal of significant assets, portfolios, or business lines; steps that reduce the covered bank's risk profile; Start Printed Page 66796the restructuring of liabilities; the activation of emergency protocols; organizational restructuring, including divesting legal entities in order to simplify the covered bank's structure; and implementing succession planning. To facilitate an understanding of how the stress scenarios, triggers, and options relate to each other, the proposal included the following chart:

    Examples of severe stress scenariosPossible triggersPossible options in response to triggers
    Idiosyncratic stress: Trading losses caused by a rogue trader• Tier 1 capital falls below 6%. • Liquidity falls below internal bank policy requirements• Issue new capital. • Sell nonstrategic assets or businesses. • Reduce loan originations or commitments.
    Systemic stress: Significant decline in U.S. gross domestic product, coupled with an increase in the U.S. unemployment rate and a deterioration in U.S. residential housing market• Short-term credit rating falls below A-3. • Nonperforming loans rise above a specified percentage • Market capitalization falls below a specific limit for a certain period of time• Sell strategic assets or businesses. • Reduce expenses (e.g., business contractions). • Access the Board's Discount Window.

    As discussed above, the OCC has clarified that the recovery options detailed in a recovery plan are those that respond to the financial effects of severe stress. To effect this clarification in this element of the plan, we have removed “and operational” from the description of the options for recovery in the Final Guidelines. We otherwise adopt this element as proposed. The OCC also notes that a covered bank should not view the options in its plan as exclusive or a specific trigger as necessitating the execution of a particular option. Rather, a covered bank should use its judgment to determine the most appropriate options for the bank to take during a period of severe stress.

    4. Impact assessments. The proposed guidelines provided that, for each recovery option, a covered bank should assess and describe how the option would affect the covered bank. The guidelines stated that this impact assessment and description should specify the procedures the covered bank would use to maintain the financial and operational strength and viability of its material entities, critical operations, and core business lines for each recovery option. For each option, the recovery plan's impact assessment should address: (i) The effect on the covered bank's capital, liquidity, funding, and profitability; (ii) the effect on its material entities, critical operations, and core business lines, including reputational impact; and (iii) any legal or market impediment or regulatory requirement that the bank would need to address or satisfy to implement the option.[17]

    As the preamble explained, the assessment should analyze the effect each option would have on the covered bank, including its internal operations (e.g., IT systems, suppliers, HR operations) and its access to market infrastructure (e.g., clearing and settlement facilities, payment systems, additional collateral requirements). The OCC received no comments on this provision. Consistent with the discussion above, however, we have removed “and operational.” Otherwise, we make no material changes to this element as proposed.

    5. Escalation procedures. The proposed guidelines stated that a recovery plan should clearly outline the process for escalating decision-making to senior management or the board, as appropriate, in response to the breach of a trigger. The proposal also stated that the plan should identify the departments and persons responsible for making and executing these decisions and describe the process for informing stakeholders (e.g., shareholders, counsel, accountants, regulators) when necessary. As the preamble explained, at a minimum, the escalation procedures should result in the covered bank taking action before remedial supervisory action is necessary.

    The OCC received no substantive comments on this element of the plan. However, we have clarified that the breach of any trigger should be escalated, which is consistent with the definition of “trigger.” In addition, we have clarified that the recovery plan should identify the departments and persons responsible for executing the decisions of senior management or the board (or an appropriate committee of the board). Otherwise, we have adopted this element as proposed.

    6. Management reports. The proposed guidelines stated that a recovery plan should require reports that provide management or the board with sufficient data and information to make timely decisions regarding the appropriate actions necessary to respond to the breach of a trigger. As explained in the preamble, the reports to management or the board should allow them to monitor the covered bank's progress in response to the actions taken under the recovery plan. The OCC received no comments on this element of the plan. As a clarification, however, the OCC has amended the Final Guidelines to state that reports should be made to senior management. Otherwise, we adopt the language as proposed.

    7. Communication procedures. As provided in the proposed guidelines, a recovery plan should provide that the covered bank notify the OCC of any significant breach of a trigger and any action taken or to be taken in response to such breach and explain the process for deciding when a breach of a trigger is significant. The preamble noted that a covered bank should work closely with the OCC when executing its recovery plan.

    The proposal also stated that a recovery plan should address when and how the covered bank will notify persons within the organization and other external parties of its actions under the recovery plan. This notice is to ensure that all stakeholders are informed in a timely manner of how the covered bank has responded or is responding to a breach of a trigger. In addition, the proposed guidelines stated that the recovery plan should identify how the covered bank would obtain required regulatory or legal approvals, in order to ensure that the bank receives such approval(s) in a timely manner. The OCC received no comments on this element of a recovery plan, and we adopt it as proposed.

    8. Other information. As set forth in the proposed guidelines, a recovery plan should include any other information that the OCC communicates in writing directly to the covered bank regarding the bank's recovery plan. The preamble also stated that a well-developed recovery plan should consider relevant information included in other written Start Printed Page 66797OCC or Federal Financial Institutions Examination Council material. The OCC received no comments on this element of a recovery plan, and we adopt it as proposed.

    C. Relationship to other processes; coordination with other plans. The proposed guidelines stated that a covered bank should integrate its recovery plan into its corporate governance and risk management functions and coordinate its recovery planning with its strategic; operational (including business continuity); contingency; capital (including stress testing); liquidity; and resolution planning. As the OCC explained in the preamble, in many cases, these plans may be interconnected and require the covered bank to coordinate among them.

    The proposed guidelines also stated that, to the extent possible, a covered bank should align its recovery plan with any recovery and resolution planning efforts by the covered bank's holding company, so that the plans are consistent with and do not contradict each other. As the OCC stated in the preamble, some inconsistencies may be unavoidable because recovery planning and resolution planning differ: Recovery planning addresses a bank as a going concern; resolution planning starts from the point of an entity's non-viability. In addition, the preamble noted that covered banks are an integral part of bank holding company recovery and resolution plans; as a result, it stated that a covered bank might be able to leverage certain elements in these other plans. As an example, the proposal referenced resolution plans, which typically require a bank to map its critical operations. It noted that this mapping exercise might be useful to the bank's recovery plan description of interconnections and interdependencies.

    The OCC received several comments on this element of the plan requesting the OCC to confirm that covered banks are permitted to leverage existing processes, such as those for stress testing, resolution planning, contingency planning, risk governance, and holding company recovery plans, when developing recovery plans. One commenter requested that the Final Guidelines permit a covered bank to use its holding company's recovery plan to satisfy its obligations under the Final Guidelines, if the risk profiles of both entities are substantially the same. Another commenter asserted that a covered bank should be permitted to leverage its existing governance structure to satisfy its management and board responsibilities under these Final Guidelines.

    As explained in the preamble to the proposal, the OCC recognizes that many covered banks already engage in significant planning, including planning responses to cyber attacks, business interruptions, and leadership vacancies. Some banks also undertake a range of other planning, including strategic, contingency, capital (including stress testing), liquidity, and resolution. The same is true for their parent holding companies or affiliates. As also noted in the proposal, we do not intend for the recovery planning described in these Final Guidelines to be needlessly burdensome or duplicative of these other planning processes. The OCC expects, however, that a covered bank's recovery plan will identify the recovery strategies that are specific to that bank and, as appropriate, distinguishable from the recovery strategies of its holding company or affiliates. Furthermore, while we encourage covered banks to leverage their existing processes, including by incorporating or cross-referencing portions or elements of relevant plans, in most cases, it is unlikely that a covered bank will be able to use a plan prepared for another purpose or entity to satisfy the Final Guidelines.[18] As we have noted previously, the purpose of these Final Guidelines is to provide a comprehensive framework for evaluating how severe stress would financially affect a covered bank specifically and the recovery options that would allow that bank to remain viable under such stress.

    The OCC is making several changes to this provision as proposed. First, we have revised this subsection so that the Final Guidelines themselves state that a covered bank's recovery plan should be specific to the unique characteristics of that bank. Second, we are clarifying that the other plans identified in the proposed guidelines with which a covered bank should coordinate its recovery planning is not an exclusive list. Instead, these are examples of other types of plans. Third, we are replacing the phrase “risk management and corporate governance” with “risk governance,” which we believe incorporates the concepts of both risk management and corporate governance as it relates to risk management. Other than these and other minor changes, we adopt this provision as proposed.

    Section III: Management's and the Board's Responsibilities

    Section III of the proposed guidelines addressed the responsibilities of a covered bank's management and board with respect to the recovery plan and stated that these responsibilities should be included in the bank's recovery plan.

    The proposed guidelines provided that management should review its bank's recovery plan at least annually and in response to a material event. It further stated that management should revise the plan as necessary to reflect material changes in the covered bank's size, risk profile, activities, and complexity, as well as changes in external threats. The preamble explained that during this review, management should consider the ongoing relevance and applicability of the stress scenarios used to identify the plan's triggers and revise the recovery plan as needed.

    The proposed guidelines also stated that management's review should include evaluating the covered bank's organizational structure and its effectiveness in facilitating recovery. The preamble explained that this review should include its legal structure, number of entities, geographical footprint, booking practices (e.g., guarantees, exposures), and servicing arrangements. The preamble stated that both management and the board should provide justification for the covered bank's organizational and legal structures and outline changes that would enhance their ability to oversee the covered bank in times of stress. As explained in the preamble, a more rational legal structure can provide a clearer path to recovery and the operational flexibility necessary to implement a recovery plan.

    Several commenters requested that the OCC recognize the need for a covered bank to have flexibility regarding the timing of management's annual review of its recovery plan. These commenters explained that this flexibility would facilitate a covered bank's ability to meet deadlines associated with other requirements, such as stress testing. The OCC agrees that management should have flexibility to conduct its annual reviews on its preferred schedule. As noted in the proposal, OCC examiners will assess the appropriateness and adequacy of the covered bank's ongoing recovery planning process as part of the agency's regular supervisory activities, which we believe will provide covered banks with the flexibility they need.

    Commenters also requested the OCC to clarify that it is not necessary for Start Printed Page 66798management to recommend changes to a covered bank's organizational and legal entity structure as part of every annual review of the bank's recovery plan. The OCC agrees that a covered bank's management should only recommend changes to a bank's organizational and legal entity structure when such changes are necessary or appropriate.

    The proposed guidelines also stated that the board is responsible for overseeing the covered bank's recovery planning process. As part of this oversight, the preamble explained that the board should work closely with the bank's senior management in developing and executing the recovery plan. The proposed guidelines also stated that a covered bank's board, or an appropriate committee of the board, should review and approve the bank's recovery plan at least annually and as needed to address any changes made by management.

    A number of commenters expressed concern that the preamble's use of “developing and executing” to describe a covered bank board's role with respect to a recovery plan is inconsistent with a board's traditional oversight role. It is not the OCC's intent to expand the board's role, and we note that the regulatory text in both the proposal and Final Guidelines describe the role of the board as “oversight.”

    Commenters also asked the OCC to clarify that a covered bank's board need only review and approve a bank's plan yearly, and as necessary to address significant, as opposed to all, changes to a plan. We have amended the Final Guidelines to reflect this and otherwise adopt this section as proposed.

    Description of Technical Amendments to Part 30

    We also are including with these Final Guidelines technical and conforming amendments to the part 30 regulations to add references to new Appendix E, which contains the Final Guidelines, where appropriate.

    Regulatory Analysis

    Paperwork Reduction Act

    The OCC has determined that the Final Guidelines include collections of information pursuant to the provisions of the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 et seq.). In accordance with PRA, the OCC may not conduct or sponsor, and an organization is not required to respond to, an information collection unless the information collection displays a currently valid Office of Management and Budget (OMB) control number. The OCC submitted the information collections contained in the proposed guidelines to OMB for review and approval, pursuant to 44 U.S.C. 3506 and section 1320.11 of the OMB implementing regulations (5 CFR part 1320). OMB instructed the OCC to examine any public comments it received in response to the proposed PRA estimate and to describe in the supporting statement of its next collection any relevant comments, as well as the OCC's response to such comments. The OCC has re-submitted the information collections to OMB in connection with the final rule.

    The collections of information that are subject to the PRA in these Final Guidelines are found in 12 CFR part 30, appendix E, sections II.B., II.C., and III. Section II.B. of this appendix specifies the elements of the recovery plan, including an overview of the covered bank; triggers; options for recovery; impact assessments; escalation procedures; management reports; and communication procedures. Section II.C. of this appendix addresses the relationship of the plan to other covered bank processes and coordination with other plans, including the processes and plans of its bank holding company. Section III of this appendix outlines management's and the board's responsibilities.

    We received one comment on our proposed information collection from an individual, which addressed all four of the questions below. First, the commenter argued that a stress event that threatens the viability of a covered bank is the result of either an event that the bank could not have foreseen or failed prudential supervision by the OCC. In either case, the commenter argued, a recovery plan will be useless. In addition, this commenter argued that if a covered bank treats its recovery plan like a prescriptive playbook, the plan will fail and, alternatively, if a recovery plan only provides guidelines, the plan will have no practical utility.

    In response, as noted above, the OCC believes that stress scenarios are important tools that a covered bank uses to determine areas of vulnerability and help it identify the appropriate triggers. The OCC understands that a covered bank's recovery planning process will not result in a plan that identifies every trigger and option for every possible scenario—but we do believe that the processes of recovery planning and codification of a plan will help a covered bank manage the stresses it encounters. With respect to the role of a recovery plan during a period of severe stress, as noted above, a covered bank should use its judgment to determine the most appropriate options for the bank to take to preserve its financial strength and viability.

    The commenter also stated that the OCC's burden estimate was too low. The OCC believes that its original estimate was realistic given the requirements of the proposed guidelines and has included the same estimate in the Final Guidelines. We have adjusted, however, the estimate of respondents to reflect the most recent data available.

    In addition, the commenter stated that the agency could enhance the quality and utility of the information collection by requiring only triggers and response options in its plans. In response, as noted above, the OCC believes that stress scenarios are important tools that a covered bank uses to determine areas of vulnerability and identify appropriate triggers. We include the overview of the covered bank as a plan element because a covered bank's organizational and legal entity structure is likely to change often; its inclusion will both ensure that the bank consider the entire organization in the development of its plan and assist the bank in understanding the recovery plan's relationship with its other planning efforts.

    The commenter also stated that the proposed information collection is duplicative of and redundant to information that the OCC currently collects. In response, the OCC recognizes that some information necessary for recovery planning may have been compiled or provided to the OCC for other purposes. However, we believe that it is necessary for a covered bank to assemble this information in the context of recovery planning in order to develop an appropriate plan to respond to future stresses. We encourage, however, covered banks to leverage, including by cross-referencing if appropriate, this prior work. Finally, the commenter argued that it is burdensome to ask a covered bank to connect its recovery plan with its other plans. In response, the OCC notes that a covered bank's various plans are not intended to operate in a vacuum and must be compatible with each other in order to be effective.

    Title: OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches

    OMB Control No.: To be assigned by OMB.

    Frequency of Response: On occasion.

    Affected Public: Businesses or other for-profit organizations.

    Burden Estimates:

    Total Number of Respondents: 25.Start Printed Page 66799

    Total Burden per Respondent: 7,543 hours.

    Total Burden for Collection: 188,575 hours.

    Comments should be submitted as provided below and continue to be invited on: (1) Whether the proposed collection of information is necessary for the proper performance of the OCC's functions, including whether the information has practical utility; (2) the accuracy of the OCC's estimate of the burden of the proposed information collection, including the cost of compliance; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of information collection on respondents, including through the use of automated collection techniques or other forms of IT.

    Because paper mail may be subject to delay, commenters are encouraged to submit comments by email to regs.comments@occ.treas.gov, if possible. Alternatively, comments may be mailed to Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, Attention: 1557-0321, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219 or faxed to (571) 465-4326. Additionally, commenters should send a copy of their comments to the OCC's OMB desk officer by: mail to Office of Information and Regulatory Affairs, U.S. Office of Management and Budget, New Executive Office Building, Room 10235, 725 17th Street NW., Washington, DC 20503; fax to (202) 395-6974; or email to oira.submission@omb.eop.gov.

    You may personally inspect and photocopy comments at the OCC, 400 7th Street SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649-6700. Upon arrival, visitors will be required to present valid government-issued photo identification and submit to a security screening.

    All comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

    You may request additional information on the collection from Shaquita Merritt, Program Specialist, at (202) 649-6302 or, for persons who are deaf or hard of hearing, TTY, (202) 649-5597, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219.

    Regulatory Flexibility Analysis

    Pursuant to section 605(b) of the Regulatory Flexibility Act, 5 U.S.C. 605(b) (RFA), the regulatory flexibility analysis otherwise required under section 603 of the RFA is not required if the agency certifies that a rule will not have a significant economic impact on a substantial number of small entities (defined for purposes of the RFA to include commercial banks and savings institutions with assets less than or equal to $550 million and trust companies with assets less than or equal to $38.5 million) and publishes this certification and a short, explanatory statement in the Federal Register with the rule. The OCC has determined that the Final Guidelines will have no impact on small entities. The Final Guidelines apply only to insured national banks, insured Federal savings associations, and insured Federal branches of foreign banks with $50 billion or more in average total consolidated assets. Although the Final Guidelines reserve the OCC's authority to apply them to an insured national bank, insured Federal savings association, or insured Federal branch of a foreign bank with less than $50 billion in average total consolidated assets if the OCC determines such entity is highly complex or otherwise presents a heightened risk, the OCC does not expect to determine any small entities to be highly complex or otherwise to present a heightened risk. Therefore, the OCC certifies that these Final Guidelines will not have a significant economic impact on a substantial number of small entities.

    Unfunded Mandates Reform Act Analysis

    In accordance with section 202 of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1532), the OCC prepares a budgetary impact statement before promulgating any rule that includes a Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year (adjusted annually for inflation). The OCC has determined that these Final Guidelines will not result in expenditures by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year (adjusted annually for inflation). Accordingly, the OCC has not prepared a budgetary impact statement.

    Consideration of Administrative Burdens and Benefits and Effective Date

    Section 302(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 (CDRI) (12 U.S.C. 4802(a)) requires the OCC, in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on insured depository institutions, to consider, consistent with the principles of safety and soundness and the public interest, (1) any administrative burdens that such regulations would place on depository institutions, including small depository institutions and customers of depository institutions; and (2) the benefits of such regulations. In determining the effective date and administrative compliance requirements for these Final Guidelines, the OCC has considered these burdens and benefits, including the requests of commenters for a phased-in compliance period. To this end, the Final Guidelines include phased-in compliance dates and recognize the need for flexibility with respect to the timing of management's annual recovery plan review.

    Section 302(b) of CDRI (12 U.S.C. 4802(a)) requires that new OCC regulations, which impose additional reporting, disclosures, or other new requirements on insured depository institutions, take effect on the first day of a calendar quarter which begins on or after the date on which the regulations are published in final form, subject to certain exceptions not relevant here. This is in addition to the requirement in section 553(d) (5 U.S.C. 553(d)) of the Administrative Procedure Act, which requires that a substantive rule be effective no fewer than 30 days after its publication, subject to certain exceptions not relevant here. The effective date of these Final Guidelines is consistent with these requirements.

    Start List of Subjects

    List of Subjects in 12 CFR Part 30

    • Banks
    • Banking
    • Consumer protection
    • National banks
    • Privacy
    • Safety and soundness
    • Reporting and recordkeeping requirements
    End List of Subjects

    For the reasons set forth in the preamble, and under the authority of 12 U.S.C. 93a, chapter I of title 12 of the Code of Federal Regulations is amended as follows:

    Start Part

    PART 30—SAFETY AND SOUNDNESS STANDARDS

    End Part Start Amendment Part

    1. The authority citation for part 30 continues to read as follows:

    End Amendment Part Start Authority

    Start Printed Page 66800 Authority: 12 U.S.C. 1, 93a, 371, 1462a, 1463, 1464, 1467a, 1818, 1828, 1831p-1, 1881-1884, 3102(b) and 5412(b)(2)(B); 15 U.S.C. 1681s, 1681w, 6801, and 6805(b)(1).

    End Authority
    [Amended]
    Start Amendment Part

    2. Section 30.1 is amended by removing, in paragraph (a), “appendices A, B, C, and D” and adding in its place “appendices A, B, C, D, and E”.

    End Amendment Part Start Amendment Part

    3. Section 30.2 is amended by adding a sentence at the end of the paragraph to read as follows:

    End Amendment Part
    Purpose.

    * * * The OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches are set forth in appendix E to this part.

    [Amended]
    Start Amendment Part

    4. Section 30.3 is amended in paragraph (a) by removing “the OCC Guidelines Establishing Standards for Residential Mortgage Lending Practices set forth in appendix C to this part, or the OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches set forth in appendix D to this part” and adding in its place “the OCC Guidelines Establishing Standards for Residential Mortgage Lending Practices set forth in appendix C to this part, the OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches set forth in appendix D to this part, or the OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches set forth in appendix E to this part”.

    End Amendment Part Start Amendment Part

    5. Appendix E is added to part 30 to read as follows:

    End Amendment Part

    Appendix E to Part 30—OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches

    Table of Contents

    I. Introduction

    A. Scope

    B. Compliance date

    C. Reservation of authority

    D. Preservation of existing authority

    E. Definitions

    II. Recovery Plan

    A. Recovery plan

    B. Elements of recovery plan

    1. Overview of covered bank

    2. Triggers

    3. Options for recovery

    4. Impact assessments

    5. Escalation procedures

    6. Management reports

    7. Communication procedures

    8. Other information

    C. Relationship to other processes; coordination with other plans

    III. Management's and Board of Directors' Responsibilities

    A. Management

    B. Board of directors

    I. Introduction

    A. Scope. This appendix applies to a covered bank, as defined in paragraph I.E.3. of this appendix.

    B. Compliance date.

    1. A covered bank with average total consolidated assets, calculated according to paragraph I.E.1. of this appendix, equal to or greater than $750 billion as of January 1, 2017 should comply with this appendix within 6 months from January 1, 2017.

    2. A covered bank with average total consolidated assets, calculated according to paragraph I.E.1. of this appendix, equal to or greater than $100 billion but less than $750 billion as of January 1, 2017 should comply with this appendix within 12 months from January 1, 2017.

    3. A covered bank with average total consolidated assets, calculated according to paragraph I.E.1. of this appendix, equal to or greater than $50 billion but less than $100 billion as of January 1, 2017 should comply with this appendix within 18 months from January 1, 2017.

    4. A bank with average total consolidated assets, calculated according to paragraph I.E.1. of this appendix, of less than $50 billion as of January 1, 2017 but which subsequently becomes a covered bank should comply with this appendix within 18 months of becoming a covered bank.

    C. Reservation of authority.

    1. The OCC reserves the authority:

    a. To apply this appendix, in whole or in part, to a bank that has average total consolidated assets of less than $50 billion, if the OCC determines such bank is highly complex or otherwise presents a heightened risk that warrants the application of this appendix; or

    b. To determine that compliance with this appendix should not be required for a covered bank. The OCC will generally make this determination if a covered bank's operations are no longer highly complex or no longer present a heightened risk.

    2. In determining whether a bank or covered bank is highly complex or presents a heightened risk, the OCC will consider the bank's size, risk profile, scope of operations, activities, and complexity, including the complexity of its organizational and legal entity structure. Before exercising the authority reserved by paragraph I.C.1. of this appendix, the OCC will apply notice and response procedures in the same manner and to the same extent as the notice and response procedures in 12 CFR 3.404.

    D. Preservation of existing authority. Neither section 39 of the Federal Deposit Insurance Act (12 U.S.C.1831p-1) nor this appendix in any way limits the authority of the OCC to address unsafe or unsound practices or conditions or other violations of law. The OCC may take action under section 39 and this appendix independently of, in conjunction with, or in addition to any other enforcement action available to the OCC.

    E. Definitions.

    1. Average total consolidated assets means the average total consolidated assets of the bank or the covered bank, as reported on the bank's or the covered bank's Consolidated Reports of Condition and Income for the four most recent consecutive quarters.

    2. Bank means any insured national bank, insured Federal savings association, or insured Federal branch of a foreign bank.

    3. Covered bank means any bank:

    a. With average total consolidated assets equal to or greater than $50 billion;

    b. With average total consolidated assets of less than $50 billion if the bank was previously a covered bank, unless the OCC determines otherwise; or

    c. With average total consolidated assets less than $50 billion, if the OCC determines that such bank is highly complex or otherwise presents a heightened risk as to warrant the application of this appendix pursuant to paragraph I.C.1.a. of this appendix.

    4. Recovery means timely and appropriate action that a covered bank takes to remain a going concern when it is experiencing or is likely to experience considerable financial or operational stress. A covered bank in recovery has not yet deteriorated to the point where liquidation or resolution is imminent.

    5. Recovery plan means a plan that identifies triggers and options for responding to a wide range of severe internal and external stress scenarios to restore a covered bank that is in recovery to financial strength and viability in a timely manner. The options should maintain the confidence of market participants, and neither the plan nor the options may assume or rely on any extraordinary government support.Start Printed Page 66801

    6. Trigger means a quantitative or qualitative indicator of the risk or existence of severe stress, the breach of which should always be escalated to senior management or the board of directors (or appropriate committee of the board of directors), as appropriate, for purposes of initiating a response. The breach of any trigger should result in timely notice accompanied by sufficient information to enable management of the covered bank to take corrective action.

    II. Recovery Plan

    A. Recovery plan. Each covered bank should develop and maintain a recovery plan that is specific to that covered bank and appropriate for its individual size, risk profile, activities, and complexity, including the complexity of its organizational and legal entity structure.

    B. Elements of recovery plan. A recovery plan under paragraph II.A. of this appendix should include the following elements:

    1. Overview of covered bank. A recovery plan should describe the covered bank's overall organizational and legal entity structure, including its material entities, critical operations, core business lines, and core management information systems. The plan should describe interconnections and interdependencies (i) across business lines within the covered bank, (ii) with affiliates in a bank holding company structure, (iii) between a covered bank and its foreign subsidiaries, and (iv) with critical third parties.

    2. Triggers. A recovery plan should identify triggers that appropriately reflect the covered bank's particular vulnerabilities.

    3. Options for recovery. A recovery plan should identify a wide range of credible options that a covered bank could undertake to restore financial strength and viability, thereby allowing the bank to continue to operate as a going concern and to avoid liquidation or resolution. A recovery plan should explain how the covered bank would carry out each option and describe the timing required for carrying out each option. The recovery plan should specifically identify the recovery options that require regulatory or legal approval.

    4. Impact assessments. For each recovery option, a covered bank should assess and describe how the option would affect the covered bank. This impact assessment and description should specify the procedures the covered bank would use to maintain the financial strength and viability of its material entities, critical operations, and core business lines for each recovery option. For each option, the recovery plan's impact assessment should address the following:

    a. The effect on the covered bank's capital, liquidity, funding, and profitability;

    b. The effect on the covered bank's material entities, critical operations, and core business lines, including reputational impact; and

    c. Any legal or market impediment or regulatory requirement that must be addressed or satisfied in order to implement the option.

    5. Escalation procedures. A recovery plan should clearly outline the process for escalating decision-making to senior management or the board of directors (or an appropriate committee of the board of directors), as appropriate, in response to the breach of any trigger. The recovery plan should also identify the departments and persons responsible for executing the decisions of senior management or the board of directors (or an appropriate committee of the board of directors).

    6. Management reports. A recovery plan should require reports that provide senior management or the board of directors (or an appropriate committee of the board of directors) with sufficient data and information to make timely decisions regarding the appropriate actions necessary to respond to the breach of a trigger.

    7. Communication procedures. A recovery plan should provide that the covered bank notify the OCC of any significant breach of a trigger and any action taken or to be taken in response to such breach and should explain the process for deciding when a breach of a trigger is significant. A recovery plan also should address when and how the covered bank will notify persons within the organization and other external parties of its action under the recovery plan. The recovery plan should specifically identify how the covered bank will obtain required regulatory or legal approvals.

    8. Other information. A recovery plan should include any other information that the OCC communicates in writing directly to the covered bank regarding the covered bank's recovery plan.

    C. Relationship to other processes; coordination with other plans. The covered bank should integrate its recovery plan into its risk governance functions. The covered bank also should align its recovery plan with its other plans, such as its strategic; operational (including business continuity); contingency; capital (including stress testing); liquidity; and resolution planning. The covered bank's recovery plan should be specific to that covered bank. The covered bank also should coordinate its recovery plan with any recovery and resolution planning efforts by the covered bank's holding company, so that the plans are consistent with and do not contradict each other.

    III. Management's and Board of Directors' Responsibilities

    The recovery plan should address the following management and board responsibilities:

    A. Management. Management should review the recovery plan at least annually and in response to a material event. It should revise the plan as necessary to reflect material changes in the covered bank's size, risk profile, activities, and complexity, as well as changes in external threats. This review should evaluate the organizational structure and its effectiveness in facilitating a recovery.

    B. Board of directors. The board is responsible for overseeing the covered bank's recovery planning process. The board of directors (or an appropriate committee of the board of directors) of a covered bank should review and approve the recovery plan at least annually, and as needed to address significant changes made by management.

    Start Signature

    Dated: September 21, 2016.

    Thomas J. Curry,

    Comptroller of the Currency.

    End Signature End Supplemental Information

    Footnotes

    1.  Public Law 111-203, 124 Stat. 1376 (July 21, 2010).

    Back to Citation

    2.  79 FR 54518 (Sept. 11, 2014) (OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; Integration of Regulations).

    Back to Citation

    3.  While the Dodd-Frank Act addresses resolution planning, it does not specifically address recovery planning.

    Back to Citation

    4.  80 FR 78681 (Dec. 17, 2015).

    Back to Citation

    7.  Section 39 of the FDIA applies to “insured depository institutions,” which, as defined in 12 U.S.C. 1813, includes insured Federal branches of foreign banks. While we do not specifically refer to these entities in this discussion of the enforcement of the Final Guidelines, it should be read to include them.

    Back to Citation

    9.  The procedures governing the determination and notification of failure to satisfy a standard prescribed pursuant to section 39; the filing and review of compliance plans; and the issuance of orders, if necessary, are set forth in the OCC's regulations at 12 CFR 30.3, 30.4, and 30.5.

    Back to Citation

    10.  See 12 CFR 381.2(f) and 243.2(f), respectively. See also 12 CFR 360.10.

    Back to Citation

    11.  As explained in the proposal, these procedures require the OCC to provide a bank or covered bank, as appropriate, with written notice of its determination to use its reservation of authority, and the bank or covered bank would have 30 days to respond in writing. The proposal provided that the OCC would consider the failure of a bank or covered bank to respond within this 30-day period to be a waiver of any objections. At the conclusion of the 30 days, the proposed guidelines stated that the OCC would issue a written notice of its final determination.

    Back to Citation

    12.  Section 39 preserves all authority otherwise available to the OCC, stating “The authority granted by this section is in addition to any other authority of the Federal banking agencies.” See 12 U.S.C. 1831p-1(g).

    Back to Citation

    13.  We received a comment requesting that the OCC be flexible in applying provisions of the Final Guidelines referencing the board or an appropriate committee of the board to Federal branches, which do not have boards of directors. In applying the Final Guidelines to insured Federal branches that are covered banks, OCC examiners will consult with the branch to determine the appropriate person or committee to undertake the responsibilities assigned to the board of directors or an appropriate committee of the board under the Final Guidelines.

    Back to Citation

    14.  As explained in the proposal, a significant cyber attack includes an event that has an impact on a covered bank's computer network(s) or the computer network(s) of one of its third-party service providers and that significantly undermines the covered bank's data or processes.

    Back to Citation

    15.  As explained in the proposal, an example of this type of interruption includes a disruption to a payment, clearing, or settlement system that significantly affects the covered bank's ability to access that system.

    Back to Citation

    16.  The role of extraordinary governmental support in the recovery plans of covered banks that are controlled by a foreign government is discussed above.

    Back to Citation

    17.  Although not mentioned in the proposal, we note that a covered bank's assessment of the legal or market impediments or regulatory requirements relevant to its recovery options should address any timing issues presented by these impediments or requirements.

    Back to Citation

    18.  When a covered bank comprises a substantial percentage of its holding company's assets (i.e., 95%), the holding company's recovery plan, if any, may serve as the bank's recovery plan, provided that such plan satisfies these Final Guidelines.

    Back to Citation

    [FR Doc. 2016-23366 Filed 9-28-16; 8:45 am]

    BILLING CODE 4810-33-P

Document Information

Effective Date:
1/1/2017
Published:
09/29/2016
Department:
Comptroller of the Currency
Entry Type:
Rule
Action:
Final rule and guidelines.
Document Number:
2016-23366
Dates:
This final rule and guidelines are effective on January 1, 2017. The compliance dates for the Final Guidelines in Appendix E to part 30 vary, as specified below.
Pages:
66791-66801 (11 pages)
Docket Numbers:
Docket ID OCC-2015-0017
RINs:
1557-AD96: Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches
RIN Links:
https://www.federalregister.gov/regulations/1557-AD96/guidelines-establishing-standards-for-recovery-planning-by-certain-large-insured-national-banks-insu
Topics:
Banks, banking, Banks, banking, Banks, banking, Banks, banking, Consumer protection, National banks, Privacy, Reporting and recordkeeping requirements
PDF File:
2016-23366.pdf
Supporting Documents:
» Meeting with The Clearing House, SIFMA, and banking representatives 02-02-16
CFR: (3)
12 CFR 30.1
12 CFR 30.2
12 CFR 30.3