BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING SUPERVISION AND REGULATION
SR 96-10 (SPE)
April 24, 1996
Revised February 26, 2021
Clarification on the Responsibilities of the Board of Directors, February 26, 2021: As described in SR letter 21-4 / CA letter 21-2, "Inactive or Revised SR Letters Related to Federal Reserve Expectations for Boards of Directors," this SR letter was revised as of February 26, 2021 to better reflect the Federal Reserve's guidance for boards of directors in SR letter 21-3 / CA letter 21-1, "Supervisory Guidance on Board of Directors' Effectiveness," and SR letter 16-11, "Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion." No other material changes were made to this letter.
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Risk-Focused Fiduciary Examinations
Recent changes in the nature and complexity of fiduciary activities, both in the United States and abroad, have underscored the need to revise the focus and emphasis of fiduciary examinations in order to better assess a banking organization's ability to effectively manage the risks associated with fiduciary activities and ensure the prudent conduct of those activities. The changes include rapid growth in fee-based products and service globalization, the increasing dependence on new information systems and communications technologies, whether developed in-house or outsourced, and the heightened demand in the fiduciary area for more sophisticated investment products. These changes have, to some extent, diminished the line separating commercial banking and fiduciary activities.
The Federal Reserve's fiduciary examinations have traditionally focused on risks associated with compliance, financial management and operations, and the fiduciary's duty of undivided loyalty to the trust beneficiaries. Much of the examination was oriented to specific transactions and their compliance with statutory or regulatory requirements where noncompliance could result in defined penalties such as those authorized by ERISA and the Internal Revenue Code. The financial management and operations review focused on activities associated with possible financial losses due to error, omission, fraud or accident, such as those resulting from lost securities, misappropriation of funds, and mispostings. Some fiduciary risk arises from the potential that a fiduciary could violate its duty of loyalty to the trust's principals or beneficiaries, resulting in possible losses to the fiduciary from settlements and litigation. For example, the improper use of trust assets, possibly for personal gain, and improper or unsuitable investment decisions can expose the fiduciary to material loss or litigation.
Given the changes in the industry noted above, the current focus of the Federal Reserve's fiduciary examination is being expanded to look more intensively at risk management practices and related aspects of a banking organization's trust activities. This will result in, among other things, (1) greater use of a more diversified examiner population including those with capital markets, information systems, and safety and soundness experience [1], (2) a stronger emphasis on an assessment of the individual organization's unique risk profile, and (3) a thorough review of risk identification, measurement, monitoring and control. This enhanced focus is consistent with the guidance provided to examiners and distributed to state member banks and bank holding companies in SR 95-51, issued November 14, 1995, "Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies." The letter calls for the rating of a bank's risk management practices taking into consideration credit, market, liquidity, operational, legal and reputational risks, all of which are pertinent to fiduciary activities as well. The attachment to that letter indicates that a bank's "...risk management systems should also encompass the organization's trust and fiduciary activities..." [2].
Based on the need to enhance the examination process in order to adapt to these changes, a System Task Force on Reengineering Trust Supervision has developed a fiduciary examination approach that is more intensively focused on evaluating risk, assessing management's internal controls to limit risk, and integrating both the pre-planning, assessment stage and the on-site findings into the overall safety and soundness evaluation of a banking organization. In designing this approach, particular attention was directed to ensuring that examiners continue to emphasize the unique nature of the risks inherent in fiduciary activities as they relate to the fiduciary's "duty of undivided loyalty" to the trust customer which requires placing the interests of the customer above those of the institution.
Risk Profile of Fiduciary Activities
The risk-focused fiduciary examination and supervision process centers around the preparation and upkeep of individualized risk profiles by the Reserve Bank for organizations that engage in a significant volume of fiduciary activities [3]. The appropriate scope of the fiduciary examination, particularly for the largest banking organizations, would be influenced by an assessment of the information contained in the risk profiles [4]. Where appropriate, coordinated interdistrict examiner pooling arrangements or other System initiatives would be used to provide the most effective resources to address the particular fiduciary risks and safety and soundness risks within the banking organization. Examinations would focus resources on the activities that pose the most substantive risk as detailed in each institution's profile and would be influenced by prior examination findings as well. In this way, it is expected that a more thorough understanding of each institution's unique risks and risk controls will develop.
The banking organization's efforts to identify, measure, monitor and control risk through implementation of specific policies, procedures, internal controls and management information systems will then be assessed and tested during the examination. Conclusions should be discussed with bank management, and, in the case of the more complex institutions at a minimum, should be incorporated into the safety and soundness report of examination.
As indicated in SR 95-51, and consistent with the greater emphasis given to risk management in Federal Reserve examination and supervisory policy statements, System examiners have been asked to assign a rating for risk management practices and assign that rating significant weight when evaluating the banking organization's management. Similarly, effective with the commencement of new examinations, trust examiners are instructed to assign a formal supervisory rating to an institution's risk management processes including its internal controls pertaining to fiduciary activities [5]. The specific rating of risk management and internal controls should be given significant weight when evaluating the "Supervision and Organization" component as part of the overall trust rating [6].
Risk Focus
With the adoption of the System's risk-focused examination approach for fiduciary activities, it is anticipated that in a complex institution, fiduciary examiners will direct more of their attention to assessing the organization's functions and its ability to identify, measure, monitor and control fiduciary, market, credit and operational risks. In particular, examiners should assess risks that result from the fiduciary's investment management, investment advisory, mutual funds, global custody, and securities lending and processing activities, and any other activities that are subject to adverse movements in market rates or prices, or to operating problems associated with processing a large volume of securities. These fiduciary activities could result in material losses to trust customers and, in turn, expose the institution to financial losses and litigation if not conducted in a manner consistent with the fiduciary's duty of loyalty and the investor's stated objectives. Recently, some of these fiduciary activities conducted at several large banking organizations have led to actual or potential customer losses and, rather than risking litigation or potentially exposing the organization to business reputation impairment, these banking organizations elected to absorb the losses directly.
A review of internal controls and policies and procedures will continue to be an integral part of the examination program. Greater attention to management competence and accountability, to management's review of risks associated with the introduction of new products and services and to its overall risk awareness will constitute other significant facets of the examination.
This emphasis on risk assessment and control parallels the guidelines and procedures pertaining to state member bank examinations and bank holding company inspections that are contained in SR 95-51, and recognizes the efforts of many progressive institutions in establishing fiduciary risk assessment and control initiatives of their own. Along these lines, when rating the quality of risk management of fiduciary activities, examiners should place primary consideration on findings relating to the following elements of a sound risk management system: (1) role of senior management, (2) adequate policies, procedures, and limits, (3) adequate risk measurement, monitoring and management information systems, and (4) comprehensive internal controls. Each of these elements is described further below, along with a list of considerations relevant to assessing the adequacy of each element.
Role of Senior Management
Firms should establish and implement business strategies in a way that will limit fiduciary risks and ensure compliance with laws and regulations. Senior management should understand the nature of significant fiduciary risks and take appropriate steps to identify, measure, monitor, and control these risks. Senior management should have sufficient knowledge of all fiduciary business lines to ensure that necessary policies, controls and risk monitoring systems are in place and that accountability and lines of authority are clearly set forth.
Senior management has the responsibility for implementing approved strategies in a way that will limit fiduciary risks and ensure compliance with laws and regulations. Senior management should, therefore, be fully involved in the fiduciary activities of their institution and have sufficient knowledge of all fiduciary business lines to ensure that necessary policies, controls and risk monitoring systems are in place and that accountability and lines of authority are clearly set forth.
In assessing the quality of governance over fiduciary risks, examiners should consider whether these conditions exist:
Senior management has a clear understanding and working knowledge of the types of fiduciary activities performed by the institution and the risks inherent in them. They have approved appropriate policies, procedures, recordkeeping systems and reporting systems to support the fiduciary activities and to help measure and monitor risks. They have established procedures to keep them informed about changes in fiduciary activities and the associated risks.
Management at all levels provides adequate supervision of employees to ensure that its lines of fiduciary business are managed and staffed by persons with knowledge, experience, and expertise consistent with the nature and scope of the organization's fiduciary activities.
Before offering new services or introducing new products, management identifies the fiduciary risks associated with them and ensures that internal controls are in place to manage the service or product and the accompanying risk.
Adequate Policies, Procedures and Limits
An institution should establish fiduciary and fiduciary risk management policies and procedures commensurate with the types of activities the institution conducts. The policies and procedures should provide enough detailed guidance to ensure that all material areas of fiduciary activity and risk are addressed. They should also be modified when necessary to respond to changes in the organization's activities. A smaller, less complex institution that has effective management which is heavily involved in daily operations generally would be expected to have more basic policies addressing the significant areas of its activities and setting forth a limited but appropriate set of requirements and procedures. In a larger institution, where senior management must rely on a widely-dispersed staff to implement strategies in a wide range of complex situations, far more detailed policies and related procedures would be expected.
In assessing the adequacy of an institution's fiduciary and fiduciary risk management policies and procedures, examiners should consider whether these conditions exist:
The institution's policies and procedures adequately address the fiduciary activities performed and are consistent with management's experience level and the institution's stated goals and objectives.
The institution's policies and procedures provide for adequate identification, measurement, monitoring and control of the risks posed by its fiduciary activities.
Policies clearly establish accountability and set forth lines of authority.
Policies provide for review of new fiduciary services and activities to ensure that they are suitable and consistent with fiduciary customer objectives, and that the systems necessary to identify, measure, monitor and control risks associated with new services and activities are in place before the activity is initiated.
Adequate Risk Monitoring and Management Information Systems
Risk monitoring requires institutions to identify and measure all areas of material fiduciary risk on a continuous basis. To do so effectively, risk monitoring activities must be supported by information systems that provide senior management with timely reports on financial condition, operating performance, marketing efforts, new products and services, pending or threatened litigation and risk exposure arising from fiduciary activities. They also must provide regular and more detailed reports for managers engaged in the daily management of the institution's activities.
The sophistication of risk monitoring and control information systems should be commensurate with the complexity of the institution's fiduciary operations. Less complex institutions may require only a limited number of management reports to support risk monitoring activities. Larger, more complex institutions, however, would be expected to have much more comprehensive reporting and monitoring systems. These systems would allow for more frequent reporting and closer monitoring of complex activities.
In assessing the adequacy of an institution's measurement and monitoring of fiduciary risk, examiners should consider whether these conditions exist:
The institution's fiduciary risk monitoring practices and reports encompass all of its business lines and activities, and are structured to monitor exposures consistent with established goals, limits and objectives.
Key assumptions, data sources, and procedures used in identifying, measuring and monitoring fiduciary risk are appropriate for the activities performed by the institution and are adequately documented and tested for reliability on a continuous basis.
Reports to management are accurate and timely and contain sufficient information for policy and decision makers to identify any adverse trends and any potential or real problems. The reports must be adequate for them to evaluate the level of fiduciary risk faced by the institution.
Adequate Internal Controls
A comprehensive internal control structure is critical to the safe and sound functioning of an institution and its fiduciary risk management system. Establishing and maintaining a system of internal controls that sets forth official lines of authority and appropriate segregation of duties is one of management's most important responsibilities.
A well-structured system of internal controls promotes effective fiduciary operations and reliable reporting, safeguards assets, and helps to ensure compliance with laws, regulations, and institutional policies. Controls should be periodically tested by an independent party (preferably the auditor, or at least an individual not involved in the process being reviewed). Given the importance of appropriate internal controls to organizations of all sizes and risk profiles, the results of these reviews should be adequately documented, as should management's responses to them.
In evaluating the adequacy of an institution's internal controls as they relate to fiduciary activities, examiners should consider whether these conditions exist:
The system of internal controls is appropriate to the type and level of fiduciary activities.
The institution's organizational structure establishes clear lines of authority and responsibility.
Reporting lines provide sufficient independence of the control areas from the business lines and adequate separation of duties throughout the institution.
Financial, operational, and regulatory reports are reliable, accurate, and timely.
Adequate procedures exist for ensuring compliance with laws and regulations.
Internal audit or other control review practices provide for independence and objectivity.
Internal controls and information systems are adequately tested and reviewed with findings documented and weaknesses given appropriate and timely attention.
The fiduciary risk assessment and control categories and tools listed above are not meant to be all-inclusive but are guidelines for use by the fiduciary examiner and the fiduciary activities management in their risk assessment and control efforts. It is expected that adjustments to the list will be made as the risk-oriented examination approach continues to develop and be utilized. It is also expected that the examination of each individual institution may require some modification depending upon its organization and the complexity of the products and services offered.
Other Initiatives
The Task Force is also reviewing fiduciary examination frequency guidelines to see if they need to be modified. In addition, the trust examination handbook will be changed as necessary to reflect the risk-focused examination approach.
Should you have any comments or questions regarding this letter, please contact Howard Amer (ext. 2958) or Don Vinnedge (ext. 2717) at the Board.
James I. Garner
Deputy Associate Director
Cross reference:
SR 95-51, Rating the Adequacy of Risk Management
SR 95-22, Supervising Foreign Banking Organizations
SR 95-17, Evaluating Risk Management in Nontrading Activities
SR 94-53, Investment Adviser Activities
SR 93-69, Evaluating Risk Management in Trading Activities
SR 82-28, Trust Rating System
Footnotes
1. Consistent with the intent of SR 94-31, which provides state member banks the opportunity to have their fiduciary activities examined on a coordinated basis with the safety and soundness examination of the bank, the proposed increased use of a variety of examiners with various specializations during complex fiduciary examinations is meant to enhance the overall examination process.
2. This initiative is also consistent with guidance previously provided to examiners that was contained in SR 93-69 (Examining Risk Management and Internal Controls for Trading Activities of Banking Organizations), SR 94-53 (Investment Adviser Activities), SR 95-17 (Evaluating the Risk Management and Internal Controls of Securities and Derivatives Contracts Used in Nontrading Activities) and SR 95-22 dealing with ratings for U.S. offices of foreign banks.
3. Significant volume can be measured in relation to the bank's overall size or in relation to the volume of business conducted by the largest banking organizations.
4. The Task Force is also developing comparable guidance for use in supervising small banking organizations with noncomplex fiduciary activities.
5. Consistent with SR 95-51, the assignment of a specific risk management rating of from 1 to 5 should be included on the Examiner's Comments page of the confidential section when using the trust examination report. Comments, conclusions and criticisms relating to risk management should be brought to the attention of management and should be presented in the open section on the "Supervision and Organization" page and, if warranted, on the open section Examiner's Comments page.
In those cases where the findings pertaining to fiduciary activities are integrated into a safety and soundness examination or inspection report of a state member bank, bank holding company or U.S. branch or agency of a foreign bank, the risk management comments and rating for fiduciary activities should be included on the respective open and closed section pages that pertain to fiduciary activities and should also be considered and referenced when presenting the comparable subject matter for the overall organization.
6. The Uniform Interagency Trust Rating System (UITRS) is contained in SR 82-28 along with the Federal Reserve's Implementing Guidelines. In assigning the risk management rating, no new component will be added to UITRS.