In wake of bank failures, FDIC doubles down on corporate governance

Following the bank failures that happened in the first half of 2023, the Federal Deposit Insurance Corp. has issued a proposal to create enforceable guidelines on corporate governance and risk management practices for banks with $10 billion or more in assets.

In the proposal—issued Oct. 5—the FDIC describes the importance of corporate governance and risk management practices and their role in helping banks’ governance and risk functions keep pace with growth. The FDIC also highlights governance and risk management failures as factors contributing to recent bank failures; thus, the enhancement of such standards is intended to further protect the banking system.

The proposal would require banks of the requisite size to address diversity in their board of directors, ensure appropriate committees are in place and implement an independent risk management program, to name just a few points. The guidelines represent one of the most significant, prescriptive additions to safety and soundness rules for banking organizations in this asset size range in recent history.

“The FDIC’s supervisory experience has shown that institutions with assets greater than $10 billion are larger, more complex and present a higher risk profile,” the agency says in its proposal. “The proposed guidelines are intended to raise the FDIC’s standards for corporate governance, risk management and control to help ensure these larger institutions effectively anticipate, evaluate and mitigate the risks they face.”

Proposed guidelines

The proposed guidelines, if adopted, would be issued as a new Appendix C in Part 364 of the FDIC’s standards for safety and soundness. The guidelines include actions that some banks may already be taking, but the agency’s aim is to spell out more precisely how boards and committees should focus their time and accountability efforts.

Here are some of the key areas that would be affected:

Board of directors: The guidelines would require the board to be made up of a majority of independent directors who have a “diversity of demographic representation, opinion, experience and ownership level” that can provide a range of input in governing decisions or risk-related issues.

The board should carry responsibility for key bank activities, including:

• The strategic plan and direction of the bank
• Establishment of sound banking policies and procedures
• Development of a code of ethics
• Selection and appointment of qualified executive officers

The board is also responsible for providing directors with appropriate ongoing training and performing regular assessments to monitor compliance with the proposed guidelines. 

Committees of the board: Under the proposal, the board would need to ensure appropriate committees are in place to divide responsibilities for management and bank oversight. Examples of such committees include:

• Audit committee
• Compensation committee
• Risk committee
• Trust committee (if applicable)

The proposed guidance also notes that banks should form other committees as appropriate to support the board in its governance duties.

For banks meeting the asset size thresholds in Part 363 of the FDIC’s regulations, the establishment of an audit committee is not a new requirement. In the proposed guidance the FDIC points to the distinction in responsibilities between the audit and risk functions, hence driving the requirement to establish separate committees. For institutions that have operated with a combined audit and risk committee, this will be a key change.

Risk management program: The board should establish a risk management program, complete with an independent risk management function, that sets written limits for risk-taking activities of the bank across the front lines of the organization. On at least an annual basis, or more frequently as the risk profile of the institution changes, the risk management function should review and update the risk management program.

The risk management program should include the following risk categories, as applicable:

• Credit
• Concentration
• Interest rate
• Liquidity
• Price
• Model
• Operational (including, but not limited to, conduct, information technology, cybersecurity, anti-money laundering/countering the financing of terrorism compliance, and the use of third parties to perform or provide services or materials for the institution)
• Strategic
• Legal

The board has responsibility to ensure the bank operates using three lines of defense—front-line units, independent risk management and internal audit—that are held accountable for risk-taking activities and the monitoring of these activities.

The board should establish processes governing instances when the risk tolerance of the bank is breached and violations of laws or regulations occur. These processes should include notification protocols to internal stakeholders and external stakeholders, such as the FDIC, and how organizations will hold people accountable for reporting and resolution of breaches. 

Timing and applicability

The FDIC’s proposal describes the “on-ramp” approach to compliance with the proposed guidelines. Banks with consolidated assets over $10 billion as reported on their call reports will have two consecutive quarters from the effective date of the final guidelines to comply. The proposal is open for comment for 60 days from its release by the FDIC and will close in December 2023.

Banks that only temporarily exceed the $10 billion threshold during one quarter and reduce their assets below the threshold in the second quarter will not have to comply with the guidelines. Further, should a bank’s total consolidated assets drop below $10 billion for four consecutive quarters, the guidelines would no longer apply.

The takeaway

The FDIC’s proposal is considered a more onerous version of the Office of the Comptroller of the Currency and the Federal Reserve’s heightened standards for banks with consolidated assets of $50 billion or more. The guidelines would add significant requirements to banking organizations that—at the $10 billion threshold—are already dealing with significant changes in regulatory oversight and operational parameters.

While the FDIC may update the proposal upon review of comments received, given the FDIC’s perspective that such guidelines will benefit banks by “reducing magnitude of losses and likelihood of failure,” we anticipate the prospect of banks needing to comply in the future is high.