BOARD OF GOVERNORS
OF THE
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551 DIVISION OF BANKING
SUPERVISION AND REGULATION
SR 96-14 (SUP)
May 24, 1996
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Risk-focused Safety and Soundness Examinations and Inspections
Introduction
Keeping pace with technological advances in the banking industry, financial product innovation, and improvements in management systems and techniques requires that supervisory procedures constantly evolve, especially with respect to the assessment of risk management processes and internal controls. To meet this requirement, over the last several years, the Federal Reserve has taken a number of steps to enhance the effectiveness of its examinations and inspections by sharpening its focus on the areas of greatest risk to the soundness of banking organizations. These efforts have been directed at adapting examination and inspection processes so that they remain responsive to changing market realities, while retaining those practices that have proven most successful in supervising institutions under a variety of economic circumstances and industry conditions. The purpose of this letter is to summarize and place in context these changes and suggest those broad areas where further changes will occur.
Recent enhancements to the examination and inspection process stemming from such initiatives include the development of guidance for the evaluation of the key risks of complex trading and derivatives activities; the implementation of formal supervisory ratings for risk management processes, including internal controls; and the initiation of a risk-based framework for the assessment of U.S. branches and agencies of foreign banking organizations.1 In addition, the Federal Reserve has initiated a number of projects discussed below to further refine examination and inspection processes.
One such project was the formation under the aegis of the Strategic Plan Steering Committee of the Rx21 Committee in May 1995. This Committee, which is comprised of senior officials from Reserve Banks and the Board, has as its objective the review of the examination process in order to identify near- and long-term opportunities to enhance effectiveness, efficiency, and responsiveness to the changing and ever more complex banking and financial environment. This group has made a number of recommendations consistent with current System efforts to provide a more risk-focused approach to the examination of banking organizations. Many of these recommendations are reflected in this SR letter.
This letter sets forth the various techniques that have been adopted in recent years to sharpen the focus on risk in the Federal Reserve's examinations and inspections of state member banks, bank holding companies, and U.S. branches and agencies of foreign banking organizations. Risk-focused supervisory reviews emphasize effective planning and scoping in order to customize examinations and inspections to suit the size and activities of financial institutions and to concentrate examiner resources on areas that expose an institution to the greatest degree of risk. In addition, under a risk-focused approach, the resources directed to assessing a banking organization's management processes are generally increased, while the degree of transaction testing that is conducted during an examination or inspection is adjusted depending on the quality of management practices and the materiality of the activities or functions being reviewed. This approach results in comprehensive examinations and inspections that minimize supervisory burdens by better focusing transaction testing activities.2 An appropriate level of transaction testing, nonetheless, is still performed to verify: (i) the adequacy of, and adherence to, internal policies, procedures, and limits; (ii) the accuracy and completeness of management reports and financial records; and (iii) the adequacy and reliability of internal control systems.
Overview of Examinations and Inspections
In its supervisory capacity, the Federal Reserve is responsible for promoting the safe and sound operation of banking organizations and for ensuring stability in the overall financial system. The System fulfills these responsibilities through a wide range of activities, including the distribution of supervisory guidance to financial institutions' management and directors, the review and approval of regulatory applications filed by banking organizations, the monitoring and surveillance of banking activities, the conduct of on-site examinations and inspections, the holding of meetings with the management and directors of financial organizations, and, when warranted, the initiation of formal and informal enforcement actions to require corrective actions by individual institutions. Most important among these activities, however, are on-site safety and soundness examinations of state member banks, U.S. branches and agencies of foreign banking organizations, and Edge and Agreement corporations, and on-site inspections of bank holding companies and nonbank subsidiaries. Examinations and inspections are intended primarily to evaluate the condition, management processes, and prospects of financial institutions; to identify deficiencies that may threaten their soundness; to assess compliance with applicable laws and regulations; and, when necessary, to develop recommendations for corrective action.
Full-scope examinations and inspections under a risk-focused approach are not comprised of a fixed set of routine procedures. Rather, the procedures that must be performed to fulfill the objectives of a full-scope examination or inspection must be adjusted depending on the circumstances of the institution being evaluated. At a minimum, however, full-scope examinations conducted by the Federal Reserve should include sufficient procedures to reach an informed judgment on the financial, managerial, operational, and compliance factors rated under the CAMEL and ROCA rating systems, while full-scope inspections should include sufficient procedures to assign ratings to the factors addressed by the BOPEC rating system. The business of banking is fundamentally predicated on taking risks and the components of the CAMEL, ROCA, and BOPEC rating systems are strongly influenced by risk exposure. Consequently, the procedures of full-scope examinations and inspections focus to a large degree on assessing the types and extent of risks to which a banking organization is exposed, evaluating the organization's methods of managing and controlling its risk exposures, and ascertaining whether management and directors fully understand and are actively monitoring the organization's exposure to these risks. Given the Federal Reserve's responsibility for assuring compliance with banking laws and regulations, examinations and inspections also include an appropriate level of compliance testing.
Evolution of Examinations and Inspections
Historically, Federal Reserve examinations and inspections have placed significant reliance on transaction testing procedures. For example, to evaluate the adequacy of the credit administration process, assess the quality of loans, and ensure the adequacy of the allowance for loan and lease losses (ALLL), a high percentage of commercial and industrial (C&I) and commercial real estate loans traditionally have been individually reviewed. Similarly, the assessment of the accuracy of regulatory reporting often has involved extensive review of reconciliations of a banking organization's general ledger to the Call Report, Y-9C report, or FFIEC 002 report. Other similar procedures typically have been completed to ascertain compliance with applicable laws and regulations, to determine whether institutions are following their internal policies and procedures, and to evaluate the adequacy of internal control systems.
Transaction testing remains a reliable and essential examination technique for use in the assessment of a banking organization's condition and the verification of its adherence to internal policies, procedures, and controls. In a highly dynamic banking market, however, such testing by itself is not sufficient for assuring the continued safe and sound operation of financial institutions. Indeed, as evolving financial instruments and markets have enabled banking organizations to rapidly reposition their portfolio risk exposures, it has become clear that periodic assessments of the condition of financial institutions based on transaction testing alone cannot keep pace with the moment-to-moment changes occurring in financial risk profiles.
Consequently, in order to ensure that institutions have in place the processes necessary to identify, measure, monitor, and control their risk exposures, examinations and inspections have increasingly placed a greater emphasis on evaluating the appropriateness of such processes and have been evolving away from a very high degree of transaction testing. Under a risk-focused examination approach, the degree of transaction testing should be reduced when internal risk management processes are determined to be adequate or risks are considered minimal. It is important to note, however, that when risk management processes or internal controls are considered inappropriate, such as when there is an inadequate segregation of duties or when they are determined to be lacking as a result of on-site testing, additional transaction testing sufficient to fully assess the degree of risk exposure in that function or activity must be performed. In addition, in the event that an examiner believes that a banking organization's management is being less than candid, has provided false or misleading information, or has omitted material information, then substantial on-site transaction testing should be undertaken, and appropriate follow-up actions should be initiated, including the requirement of additional audit work and appropriate enforcement actions.
In most cases, full-scope examinations and inspections are conducted on or around a single date. This is appropriate for the vast majority of institutions supervised by the Federal Reserve. However, as the largest banking organizations have undergone considerable geographic expansion and the range of their products has become more diversified, it has become increasingly difficult to coordinate the efforts of the large number of examiners necessary to conduct examinations and inspections at a single point in time for these organizations without causing undue burden. Accordingly, full-scope examinations or inspections for many large companies are now conducted over the course of a year, rather than over a span of weeks, in a series of targeted reviews focusing on one or two significant aspects of the institution's operations. This approach to conducting full-scope examinations and inspections has the advantage of providing more continuous supervisory contact with the largest institutions and may facilitate improved coordination with other federal banking agencies. It also facilitates more flexibility in the allocation of examiner resources. This flexibility in allocating resources has been especially important as the complexity of banking markets and products has increased and has led to the development of cadres of examiners with specialized skills.
As the speed with which financial institutions can reconfigure their balance sheets has accelerated, the Federal Reserve has also supplemented its techniques for off-site monitoring of the condition of financial institutions between on-site examinations and inspections. For instance, within the last two years, the surveillance programs for banks and bank holding companies have both been considerably improved through the adoption of a more rigorous screening technique for the identification of troubled institutions and specialized screens to evaluate investment activities.3 At many Reserve Banks, these improvements in the surveillance system have been accompanied by efforts to increase the role of Reserve Bank monitoring staffs in the assessment of banking trends, the development of supervisory strategies, and the administration of outstanding enforcement actions.
Several Reserve Banks have also adopted a portfolio management approach in which one person is assigned responsibility for monitoring, and overseeing the supervision of, a selected group of institutions. Such portfolio management structures facilitate ongoing communication between Reserve Banks and financial institutions, which results in greater familiarity with developments at supervised organizations. This ongoing communication is particularly useful in planning and implementing risk-oriented supervisory strategies for institutions engaged in the most dynamic and complicated financial activities.
In addition, the Federal Reserve, together with the other federal banking agencies, has also actively promoted sound disclosure and accounting standards, particularly for newer products and services. Recent efforts in this area include revisions to publicly available regulatory reports to collect additional information on trading activities, derivatives, structured notes, mortgage securities, and mutual funds and investment management activity. Furthermore, the Federal Reserve has consistently advocated improvement in public annual report disclosures about trading activities and, more broadly, about credit and market risks. Such information can allow market discipline to foster sound practices at financial institutions, without requiring direct regulatory intervention.
Risk-focused Examinations and Inspections
The Federal Reserve has long relied on examiners to demonstrate the judgment, expertise, and initiative necessary to select the procedures appropriate to the evaluation of the risks faced by each institution. Recent developments in the business of banking that have increased the range of activities at many financial institutions and correspondingly heightened demands on examiner resources have made the need for examiners to effectively focus their activities on areas of the greatest risk even more crucial. Recent experience and surveys of bankers and examiners conducted by the Rx21 group have further suggested areas in which efficiencies can be gained in conducting on-site examinations and inspections through improved planning. As a result, many Reserve Banks have been increasing the amount of time available to plan and prepare for examinations and inspections. In-office planning results in more effective examinations and inspections that are focused on risks particular to specific institutions and, thus, minimizes supervisory burdens. Further, such planning facilitates the close coordination of the efforts of the Federal Reserve with those of the other state and federal banking agencies. Moreover, consistent with SR 95-13, "Recommendations to Increase the Portion of Examinations and Inspections Conducted in Reserve Bank Offices," this planning allows information requests to be better tailored to specific institutions and, in many cases, makes possible the completion on Reserve Bank premises of certain procedures that have typically been conducted on-site. This, too, can help reduce supervisory burden without compromising the quality of the evaluation process.
Risk Assessment
In order to focus procedures on the areas of greatest risk to financial institutions, a risk assessment should be performed in advance of on-site supervisory activities. The risk assessment process highlights both the strengths and vulnerabilities of an institution and provides a foundation from which to determine the procedures to be conducted during an examination or inspection. Risk assessments entail the identification of the financial activities in which a banking organization has chosen to engage; the determination of the types and quantities of risks to which these activities expose the institution; and the consideration of the quality of the management and control of these risks. At the conclusion of the risk assessment process, a preliminary supervisory strategy for the institution and each of its major activities can be formulated. Naturally, those activities that are most significant to the organization's risk profile or that have inadequate risk management processes or rudimentary internal controls represent the highest risks to the institution and should undergo the most rigorous scrutiny and testing.
Identifying the significant activities of an institution, including those conducted off-balance sheet, should be the first step in the risk assessment process. These activities may be identified through the review of prior examination and inspection reports and workpapers; surveillance and monitoring reports generated by Board and Reserve Bank staffs; Uniform Bank Performance Reports and Bank Holding Company Performance Reports; regulatory reports (e.g., Call Report, Y9-C, FFIEC 002); and other relevant supervisory materials. Where appropriate, reviews should also be conducted of strategic plans and budgets; internal management reports; board of directors information packages; correspondence and minutes of meetings between the banking institution and the Reserve Bank; annual reports and quarterly SEC filings; press releases and published news stories; and stock analysts' reports. In addition, examiners should also hold periodic discussions with management to gain insight into their latest strategies or plans for changes in activities or management processes.
Once significant activities have been identified, the types and quantities of risks to which these activities expose the institution should be determined. This allows identification of the high risk areas that should be emphasized in conducting examinations and inspections. The types of risk that may be encountered in banking activities individually or in various combinations include, but are not limited to, credit, market, liquidity, operational, legal and reputational risks4. For example, lending activities are a primary source of credit and liquidity risks. They may also, however, present considerable market risk if an institution is originating mortgage loans for later resale, interest rate risk if an institution is granting fixed-rate loans, or legal risk if loans are poorly documented. Similarly, the asset/liability management function has traditionally been associated with exposures to interest rate and liquidity risks. There are also, however, operational risks associated with many of the transactions undertaken by this function and other market risks associated with investments and hedging instruments commonly used by the function. The quantity of risks associated with a given activity may be indicated by the volume of assets and off-balance sheet items that the activity represents or the portion of revenue for which the activity accounts. Activities that are new to an institution or for which exposure is not readily quantified, however, may also represent high risks to an institution that should be evaluated at examinations and inspections.
A number of analytical techniques may be used to estimate the quantity of risk exposure depending on the activity or risk type being evaluated. For example, in order to assess the quantity of credit risk in loans and commitments, the level of past due loans, internally classified or watch list loans, nonperforming loans, and concentrations of credit exposure to particular industries or geographic regions should be considered. In addition, as part of the assessment of credit risk, the adequacy of the overall ALLL may be evaluated by considering trends in past due, special mention, and classified loans; historic chargeoff levels; and the coverage of nonperforming loans by the ALLL. Analytical techniques for gauging the exposure of a banking institution to interest rate risk as part of the evaluation of asset/liability management practices may include a review of the historic performance of net interest margins, as well as the results of internal projections of future earnings performance or net economic value under a variety of plausible interest rate scenarios. The measurement of the quantity of market risk arising from an institution's trading in cash and derivative instruments may take into account the historic volatility of trading revenues, the results of internal models calculating the level of capital and earnings at risk under various market scenarios, and the market value of contracts relative to their notional amounts.
Once the types and quantities of risk in each activity have been identified, a preliminary assessment of the process in place to identify, measure, monitor, and control these risks should be completed. This evaluation should be based on findings from previous examination activities conducted by the Reserve Bank or the other banking agencies, supplemented by the review of internal policies and procedures, management reports, and other documents that provide information on the extent and reliability of internal risk management systems. As described in SR 95-51, sound risk management processes vary from institution to institution, but generally include four basic elements both for each individual financial activity or function and for the organization in aggregate. These are: active board and senior management oversight; adequate policies, procedures, and limits; adequate risk measurement, monitoring, and management information systems; and comprehensive internal audits and controls.
The preliminary evaluation of the risk management process for each activity or function also assists in determining the extent of transaction testing that should be planned for each area. If the process appears appropriate and reliable, then a limited amount of transaction testing may well suffice. If, on the other hand, the risk management process appears inappropriate or inadequate to the types and quantities of risk in an activity or function, examiners should plan a much higher level of transaction testing. They should also, of course, plan to conduct the most testing in those areas that comprise the most significant portions of a banking organization's activities and, thus, typically represent high potential sources of risk.
Preparation of a Scope Memorandum
Once the examination planning and risk assessment processes are completed, a scope memorandum should be prepared. A scope memorandum provides a detailed summary of the supervisory strategy for an institution and assigns specific responsibilities to examination team members. A scope memorandum should be tailored to the size and complexity of the institution subject to review, should define the objectives of each examination or inspection, and generally should include:
- a summary of the results of the prior examination or inspection;
- a summary of the strategy and significant activities of the banking organization, including its new products and activities;
- a description of the institution's organization and management structure;
- a summary of performance since the prior examination or inspection;
- a statement of the objectives of the current examination or inspection;
- an overview of the activities and risks to be addressed by the examination or inspection; and
- a description of the procedures that are to be performed at the examination or inspection.
For large, complex organizations operating in a number of states, or internationally, the planning and risk assessment processes are necessarily more complicated. As a result, many Reserve Banks have broadened the traditional scope memorandum into a more extensive set of planning documents to reflect the unique requirements of these complex institutions. Examples of these planning documents include annual consolidated analyses, periodic risk assessments, and supervisory plans.
On-site Procedures
As discussed above, the amount of review and transaction testing necessary to evaluate particular functions or activities of a banking organization generally depend on the quality of the process used by the institution to identify, measure, monitor, and control the risks of the activity. When the risk management process is considered sound, then further procedures are limited to only a relatively small number of tests of the integrity of the management system. Once the integrity of the management system is verified through limited testing, conclusions on the extent of risks within the function or activity are drawn based on internal management assessments of those risks rather than on the results of more extensive transaction testing by examiners. On the other hand, if initial inquiries into the risk management system--or efforts to verify the integrity of the system--raise material doubts as to the system's effectiveness, then no significant reliance should be placed on the system and a more extensive series of tests should be undertaken to ensure that the banking organization's exposure to risk from a given function or activity can be accurately gauged and evaluated. More extensive transaction testing is also generally completed for activities that are very significant to an institution than for other areas, although the actual level of testing for these significant activities may be reduced commensurate with the quality of internal risk management processes.
For example, given the risk exposure associated with a bank's commercial lending activities, a relatively high number and dollar volume of C&I and commercial real estate loans has traditionally been reviewed.5 However, if credit administration practices are considered satisfactory, fewer loans need be reviewed to verify that this is the case than would be reviewed if deficiencies in credit administration practices were suspected. This review may be achieved through a valid statistical sampling technique, when appropriate. It should be noted, though, that if credit administration practices are considered sound, but loans reviewed to verify this raise doubts about the accuracy of internal assessments or the compliance with internal policies and procedures, then the number and volume of loans subject to review should generally be expanded to ensure that the level of risk is clearly understood, an accurate determination of the adequacy of the ALLL can be made, and the deficiencies in the credit risk management process can be comprehensively detailed.
Evaluation of Audit Function as Part of Assessment of Internal Control Structure
An institution's internal control structure is critical to the safe and sound functioning of the organization in general and to its risk management system in particular. When properly structured, internal controls promote effective operations and reliable financial and regulatory reporting, safeguard assets, and help to ensure compliance with laws, regulations, and internal policies and procedures. In many institutions, internal controls are tested by an independent internal auditor who reports directly to the board of directors or its audit committee. However, in some smaller institutions whose size and complexity of operations do not warrant an internal audit department, reviews of internal controls may be conducted by other institution personnel independent of the area subject to review.
Because the audit function is an integral part in the institution's own assessment of its internal control system, examiners must include a review of the institution's control assessment activities in every examination and inspection. Such reviews assist in the identification of significant risks and facilitate a comprehensive evaluation of an institution's internal control structure. These reviews also provide information for determining the procedures to be completed in assessing internal controls for particular functions and activities and for the institution overall. When conducting such a review, examiners should evaluate the independence and competence of the personnel conducting control assessments and the effectiveness of the assessment program in covering the institution's significant activities and risks. In addition, examiners should meet with the internal auditors or other personnel responsible for evaluating internal controls and review internal control risk assessments, work plans, reports, workpapers, and related communications with the audit committee or board of directors.
Depending on the size and complexity of the activities conducted by the institution, the examiner should also consider conducting a similar review of the work performed by the institution's external auditors. Such a review often provides added insight into key risk areas by detailing the nature and extent of the testing of those areas that have been conducted by auditors in the course of their work.
Evaluation of Overall Risk Management Process
In order to highlight the importance of an institution's risk management process, banks and bank holding companies are assigned a risk management rating on a five point scale as a significant part of the evaluation of the management components of the CAMEL and BOPEC rating systems (see SR 95-51). In addition, U.S. branches and agencies of foreign banking organizations are assigned a similar rating under the ROCA rating system6. These risk management ratings encompass evaluations of the quality of risk management processes for all significant activities and all types of risks. As such, they may largely reflect a summation of conclusions on the adequacy of risk management processes for each individual function or activity evaluated.
In assigning these risk management ratings, however, it is also important to consider the quality of the risk management process for the institution overall, as well for each individual function. At smaller organizations engaged in traditional banking activities, relatively basic risk management processes established for each significant activity, such as lending or asset/liability management, may be adequate to allow senior management to manage effectively the overall risk profile of the organization. On the other hand, at larger institutions that are typically engaged in more complex and widely diversified activities, effective risk management systems must evaluate various functional management processes in combination so that aggregate risk exposures can be identified and monitored by senior management. This typically requires that management information reports be generated for the overall institution, as well as for individual functional areas, and typically necessitates some aggregate or specific institution-wide limits for the principal types of risks relevant to the company's activities.
Further, since a critical aspect of ensuring that risk management and control procedures remain adequate is ongoing testing of the strength and integrity of procedures and the extent to which they are understood and followed throughout an institution, examiners should also assess the adequacy of efforts to ensure that procedures are being followed when assigning a risk management rating. Such validation efforts must be conducted by individuals who have proper levels of organizational independence and expertise, such as internal or external auditors, internal risk management units, or managers or other professionals within the institution with no direct connection to activities for which procedures are being assessed.
Evaluation of Compliance with Laws and Regulations
Compliance with relevant laws and regulations should be assessed at every examination and inspection. The steps taken to complete these assessments, however, will vary depending on the circumstances of the institution subject to review. When an institution has a history of satisfactory compliance with relevant laws and regulations or an effective compliance function, only a relatively limited degree of transaction testing need be conducted to assess compliance. For example, in evaluating compliance with the appraisal requirements of Regulation H at an institution with a formal compliance function, compliance may be ascertained by reviewing the scope and findings of internal and external audit activities, evaluating internal appraisal ordering and review processes, and sampling a selection of appraisals for compliance as part of the supervisory loan review process. On the other hand, at institutions that have a less satisfactory compliance record or that lack a compliance function, more appraisals would naturally need to be tested to assess the overall compliance with the appraisal requirements of Regulation H.
Documentation of Supervisory Findings
Workpaper documentation of supervisory findings is necessary for Reserve Bank management to verify objectively the work performed during examinations and inspections. It also provides a source of information on the condition and prospects of an institution that is invaluable to the planning of future reviews. Most important, however, this documentation provides support for the conclusions and recommendations detailed in examination and inspection reports. Given the importance of adequate documentation, the Federal Reserve has for some time been working to refine its standards for workpapers, particularly with regard to the examination of state member banks. Additional enhancements in documentation standards are likely to be developed in coming months to balance the requirement for consistent and comprehensive documentation with the need for flexibility in supervisory procedures.
Communication of Supervisory Findings
Effective and open communication between supervisors and financial institutions is essential to ensuring that banking organizations understand fully the results of examinations and inspections, are aware of any identified deficiencies, and, when necessary, take appropriate corrective actions. The Federal Reserve has established a number of standards for the communication of supervisory findings to the management and directors of financial institutions.7
In order to ensure that supervisory findings are communicated to financial institutions in a concise and effective manner, the Federal Reserve has also consistently directed its examiners to focus supervisory report comments on the discussion of material deficiencies. During recent years, communication guidelines have been further refined through the adoption of a combined examination and inspection report for bank holding companies with lead state member banks and through revisions designed to streamline and better focus the bank holding company inspection report.8 In light of the increasing risk focus of examinations and inspections, the Federal Reserve is continuing to review its report formats in order to identify opportunities for further enhancements.
Other Enhancements to Examinations and Inspections
While the Federal Reserve's current supervisory processes are comprehensive and tested, further enhancements will likely be warranted to ensure that they remain adequate as innovation and technological change continue within the banking industry. As a result, the Federal Reserve has initiated several projects designed to identify its key supervisory challenges and to determine the additional steps that must be taken. As noted above, the Rx21 group was established by the System's Strategic Plan Steering Committee and charged with developing specific recommendations to help preserve the best aspects of the existing examination process, while identifying ways to improve its effectiveness and efficiency in light of the rapid pace of changes occurring in the financial services industry.
Consistent with the steps that have already been taken, the supervisory initiatives that are currently underway, and the dramatic changes continuing to take place in the banking industry, our efforts to make the supervisory/examination function more risk-focused, process-oriented, and burden sensitive will continue and, where appropriate, be accelerated. The supervision function's strategic planning exercise, as well as discussions within the Federal Reserve and with the other banking agencies, have identified the following general areas where further efforts and initiatives could yield potentially fruitful results in terms of sharpening the efficiency, effectiveness, and risk-orientation of the examination process:
- Pre-examination planning to better identify major risks and procedures to further tailor examinations to accommodate the size, risks and activities of banking organizations;
- Supervisory focus on how business lines, activities or functions that cut across legal entities affect the overall risk profiles of banking organizations and how these risks are managed and controlled for the overall organization;
- Frequency and quality of communications between supervisors and senior management and degree of use by supervisors of internal management information to monitor on a more timely and effective basis the condition and risk profiles of banking organizations;
- Potential for broader cooperation and coordination between supervisors and internal auditors and outside accountants;
- Further prospects for reducing the amount of examiner time spent on-site;
- Quality, effectiveness, and consistency (both within the System and with the other federal and state agencies) of the information technology used in support of the examination and supervision process;
- Degree of reliance on public disclosure and market discipline to support the supervisory process and encourage prudent management practices;
- Need for specialization among supervisory personnel and examiners and the quality and effectiveness of training in providing the skills and tools to conduct risk-focused examinations; and
- Level of coordination and cooperation among the banking agencies and other financial institution regulators, both domestically and internationally.
The Federal Reserve will work internally, as well as with the other federal and state banking and financial institution regulators, to achieve further improvements and enhancements in each of these areas.
The Federal Reserve has already undertaken major initiatives to improve and standardize the use of technology by its examiners. This includes the development of an Examiner Workstation that automates many functions of the supervisory loan review process and an automated workpaper system that facilitates more efficient planning and more effective documentation of examination activities. In addition, the Federal Reserve has undertaken a major reengineering of its trust examination process to sharpen its risk focus9. Moreover, to ensure that examiners remain adequately trained, the Federal Reserve is also augmenting its training programs for examiners to provide additional grounding in internal controls, greater expertise in the assessment of bank's use of information system technology, and further opportunities for the development of specialized skills and areas of expertise.
In addition, a number of initiatives are underway to increase coordination with other banking agencies. For example, for some time, the Federal Reserve has been working with the Conference of State Bank Supervisors, the Federal Deposit Insurance Corporation, and several state banking agencies to develop a seamless, risk-focused, and consistent supervisory program for state-chartered banks. These efforts recently came to fruition with the adoption of the State/Federal Supervisory Protocol. The Federal Reserve has also been working with these agencies to streamline current application procedures for state-chartered banks, adopt common information technologies and supervisory systems, and coordinate training efforts. Moreover, the federal banking agencies are currently developing implementation procedures for a unified examination approach mandated by section 305 of the Riegle Community Development and Regulatory Improvement Act of 1994. Effective coordination with the state banking departments and the other Federal banking agencies will remain a very high priority of the Federal Reserve's supervisory program.
Conclusion
In summary, the Federal Reserve has made considerable progress in adapting its supervisory approach to focus appropriately on the management of risks in new and significant banking activities. However, additional modifications clearly will be required to adjust further to changes occurring in the financial services industry. Supervisory policies and practices that were developed for less dynamic market environments and that may not fully be consistent with a risk-focused approach will need to be changed or revised. Further, additional steps may be needed to develop guidance on the procedural details of the risk-focused approach to ensure consistent application across the System. In refining its examination process, however, the Federal Reserve does not intend to eliminate transaction testing procedures, but rather will seek to achieve an optimal mix of transaction testing and risk management process reviews for facilitating the continuous safe and sound operation of state member banks, bank holding companies, and U.S. branches and agencies of foreign banking organizations.
Reserve Banks are asked to see that each examiner receives a copy of this SR letter. Should you have any questions regarding this letter, please contact Roger Cole, Deputy Associate Director, at (202) 452-2618, or Kevin Bertsch, Supervisory Financial Analyst, at (202) 452-5265.
Richard Spillenkothen
Director
Attachment
Cross-References:
SR 85-28, "Examination Frequency and Communicating with Directors" SR 93-69, "Examining Risk Management and Internal Controls for Trading Activities of Banking Organizations" SR 94-13, "Loan Review Requirements for On-site Examinations" SR 94-32, "Revised Bank Surveillance Procedures" SR 94-46, "Combined Examination/Inspection Report for Bank Holding Companies with Lead State Member Banks" SR 95-12, "Revisions to Guidance for the Preparation of the Bank Holding Company Inspection and Bank Examination Reports and for the Preparation and Issuance of Director's Summaries of Examination/Inspection Findings" SR 95-13, "Recommendations to Increase the Portion of Examinations and Inspections Conducted in Reserve Bank Offices" SR 95-17, "Evaluating the Risk Management and Internal Controls of Securities and Derivative Contracts Used in Nontrading Activities" SR 95-19, "Revisions to Guidance on Meetings with Boards of Directors" SR 95-22, "Enhanced Framework for Supervising the U.S. Operations of Foreign Banking Organizations" SR 95-33, "Incorporation of an Investment Activities Screen into the Bank Surveillance Program" SR 95-43, "Revised Bank Holding Company Surveillance Procedures" SR 95-51, "Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies" SR 96-10, "Risk-Focused Fiduciary Examinations"
Commercial Bank Examination Manual
Bank Holding Company Supervision Manual
Examination Manual for U.S. Branches and Agencies of Foreign Banking
Organizations
Trading Activities Manual
Attachment
Definitions of Risk Types Evaluated at Examinations and Inspections
- Credit Risk arises from the potential that a borrower or counterparty will fail to perform on an obligation.
- Market Risk is the risk to a financial institution's condition resulting from adverse movements in market rates or prices, such as interest rates, foreign exchange rates, or equity prices.
- Liquidity Risk is the potential that an institution will be unable to meet its obligations as they come due because of an inability to liquidate assets or obtain adequate funding (referred to as "funding liquidity risk") or that it cannot easily unwind or offset specific exposures without significantly lowering market prices because of inadequate market depth or market disruptions ("market liquidity risk.")
- Operational Risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses.
- Legal Risk arises from the potential that unenforceable contracts, lawsuits, or adverse judgements can disrupt or otherwise negatively affect the operations or condition of a banking organization.
- Reputational Risk is the potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions.
Footnotes
1. Guidance to examiners on the evaluation of trading and derivatives activities is provided in SR 93-69, "Examining Risk Management and Internal Controls for Trading Activities of Banking Organizations;" SR 95-17, "Evaluating the Risk Management and Internal Controls of Securities and Derivative Contracts Used in Nontrading Activities;" and the Federal Reserve's Trading Activities Manual. The Federal Reserve's ratings for risk management are described in SR 95-22, "Enhanced Framework for Supervising the U.S. Operations of Foreign Banking Organizations," and SR 95-51, "Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies." SR 95-22 details the risk-oriented approach followed in supervising the U.S. operations of foreign banking organizations. Return to text
2. For purposes of this letter, transaction testing is defined to include not only the reconciliation of internal accounting records to financial reports (in order to evaluate the accuracy of account balances) and the comparison of day-to-day practices to the requirements of policies and procedures (in order to assess compliance with internal systems), but also all other supervisory testing procedures, such as the review of the quality of individual loans and investments. Return to text
3. See SR 94-32, "Revised Bank Surveillance Procedures;" SR 95-33, "Incorporation of an Investment Activities Screen into the Bank Surveillance Program;" and SR 95-43, "Revised Bank Holding Company Surveillance Procedures." Return to text
4. These primary risk types are defined in an attachment to this letter. Return to text
5. Current guidance on the selection of loans for review is provided in SR 94-13, "Loan Review Requirements for On-site Examinations." This guidance is now being reviewed by a committee of senior Board and Reserve Bank officials as part of the Federal Reserve's efforts to optimize the efficiency and effectiveness of its examination process. Return to text
6. U.S. branches and agencies of foreign banking organizations are also assigned a separate rating for operational controls under guidance included in SR 95-22. Return to text
7. See SR 85-28, "Examination Frequency and Communicating with Directors," SR 95-12, "Revisions to Guidance for the Preparation of the Bank Holding Company Inspection and Bank Examination Reports and for the Preparation and Issuance of Director's Summaries of Examination/Inspection Findings," and SR 95-19, "Revisions to Guidance on Meetings with Boards of Directors." Return to text
8. See SR 94-46, "Combined Examination/Inspection Report for Bank Holding Companies with Lead State Member Banks." Return to text
9. See SR 96-10, "Risk-focused Fiduciary Examinations." Return to text