Chapter 10 Internal Controls and Risk Management for Banks
- Robert Effros
- Published Date: May 1998
10A. Supervision by Risk
JIMMY F. BARTON
It seems that everyone these days—bankers, regulators, Congress, journalists, consultants—is promoting the virtues of risk management, so much so that it is easy to get the impression that risk management is the latest fad in banking. However, the fact is that risk management has been around as long as the business of banking. Banks are—have always been and always will be—in the business of risk management.
For a number of reasons, however, risk management is more important than ever before. Banking markets today are constantly affected by innovations; the increased use of technology; and a virtual explosion in the types, volume, and velocity of financial transactions. Banks face unprecedented domestic and international competition not just from other banks but from a growing arena of financial institutions. Banks are surrounded by a legal environment of constant change. Due in part to some of these same factors, the risk-management systems available to banks have also improved. Advances in risk-management theory and in technology, taken together, allow banks to identify, measure, monitor, and control risk more effectively. Technology has also enabled faster communication and data transmission, allowing more timely risk measurement and thus enhanced risk management across a banking company’s global operations.
The bank regulators’ role is to ensure the safety and soundness of the banking system. Therefore, it is essential that bank regulators respond to the increased potential for risk. It is equally essential that bank regulators do this in the least intrusive and least costly way possible, in order to enable banks to thrive in today’s competitive environment. The key to meeting the challenge of ensuring the safety and soundness of the banking system, while balancing risk versus reward, is for bank regulators to focus on the risk-management systems of banks. The Office of the Comptroller of the Currency (OCC), which supervises national banks in the United States, is doing this through a program called “supervision by risk.”1 This chapter answers the following questions:
- What is supervision by risk?
- Is supervision by risk a change?
- What are the benefits of this philosophy for banks?
- What do bankers need to do in light of the OCC’s changes?
- What still needs to be done by the OCC?
What Is Supervision by Risk?
Supervision by risk is best described as an evolution, not a revolution, in the OCC’s supervisory practices. It can be characterized as a blending of a past philosophy—supervising based on risk—and a new structure to accomplish supervision. Supervision by risk requires both bankers and examiners to break the paradigm that evaluation of risks occurs only vertically. Rather, supervision by risk focuses the banker and the examiner on the identification and evaluation of risks across all product lines and activities. Supervision by risk is both a horizontal and a vertical assessment of risks. It can be broken down into several key categories or steps:
First, identifying risks using common definitions. The OCC has defined nine risk categories. This set of risk definitions forms the cornerstone for its supervision relative to each bank or banking company. These definitions will form a consistent, common language for examiners to follow and bankers to understand.
Second, measuring and evaluating risk based on common evaluation factors. Now that a common set of risks has been identified, the OCC has also developed an internal OCC process designed to assess risks, in a common evaluation format, again in an effort to improve consistency. This is the risk-assessment system.
Third, developing a supervisory strategy based on risk and performing examinations based on this strategy. The OCC’s supervisory strategy for each institution will be based on the conclusions from the risk-assessment system.
Finally, documenting conclusions and communicating findings to bank management and the board. Open, two-way communication is fundamental to the entire supervisory process.
Banking risk is defined generally as the potential that events, whether expected or unanticipated, may have an adverse impact on a bank’s capital or earnings.
Risk by itself is not a reason for concern. Risk is necessary for reward. When discussing risk, however, several questions often arise: How much risk is enough? How much is too much? How should risk be managed? What if events do not happen as planned? Generally, risks are warranted if they are understandable, measurable, controllable, and within the bank’s capacity to readily withstand adversity. In other words, risks are warranted if they are subject to effective risk-management systems.
As previously mentioned, the OCC has identified nine risks for bank supervision purposes: credit, liquidity, interest rate, price, foreign exchange, transaction, compliance, strategic, and reputation risk. Why these nine risks? The OCC reviewed the risk categories tracked by a number of large banks and financial institutions. It found that no consistent language or categories were used. The OCC has also learned from its examiners that greater precision is important in supervising risks because it provides more direct and specific communication and greater flexibility in tailoring supervision to each institution. The nine-risk framework provides the OCC with a comprehensive picture of the risks associated with banking as it exists today, while also looking at the issues facing the banking industry in the foreseeable future.
The OCC is often asked if all of these risks have equal impact on earnings and capital. Certainly not. The impact of each will vary by bank and may change within a bank or company over time. Furthermore, it is obvious that some of these risks are subsets of other, more commonly known risks. For instance, interest rate, price, and foreign exchange risks are often called “market” risk. The OCC broke these risks into nine categories to give flexibility and greater precision in its supervision.
The OCC also had a lot of questions about the identification of strategic and reputation risk as separate risks. These risks are included in order to have a set of risk categories that represent the entire risk profile of a bank. The OCC does not actively supervise or examine for these two types of risk in the same manner as the other seven, but it needs to consider them in order to have a thorough risk assessment of each institution.
The risks in various categories are interrelated. Any bank product or service generally exposes the bank to a number of risks simultaneously, and these risks often influence one another. For instance, it is difficult to determine directly the exact level of credit risk versus interest rate risk in a loan. Supervision by risk emphasizes that it is not necessary or important to distinguish a precise amount of each risk in a particular product or service, but rather to be aware that various risks are present and assessed. Again, supervision by risk is a new paradigm that focuses on a global evaluation of the risks.
The Risk-Assessment System: General Information
Once the risks have been identified, the next stage to ensure effective supervision is to develop a common framework to document decisions about those risks. This common framework to guide and record an examiner’s analysis is known as the risk-assessment system. This system provides a concise method for communicating and documenting judgments for the nine risks. While the OCC has developed this overall philosophy for assessing and documenting risks, it is important to note that certain aspects of the risk-assessment system will vary, depending on whether or not the bank is a large or a community bank and/or whether strategic and reputation risk or one of the other more explicit risk categories is being addressed.
The Risk-Assessment System for Large Banks
In the risk-assessment system for large banks (those banks with total assets of $1 billion or more), examiners will make several decisions. These decisions relate to:
- the quantity of risk;
- the quality of risk management;
- the aggregate and composite risk; and
- the direction of risk.
Quantity of Risk
First, examiners must make judgments about the quantity of risk. Quantity is the level or volume of existing risk. The quantity of risk is labeled as high, moderate, or low. Quantity implies measurement. Banks are using and enhancing measurement tools, including models, on a more frequent basis. This enhances both the bank’s and the OCC’s ability to quantify these risks. The OCC also recognizes, however, that not all banks have or need sophisticated systems to quantify each risk. That sophistication and need for systems must be evaluated on a bank-by-bank basis. The OCC also recognizes that “measurement” does not always mean to quantify these risks in direct dollar terms or percentages. For example, quantification of transaction or compliance risk is not easily accomplished in terms of dollars and cents. The OCC does feel, however, that these two risks can be quantified in relative terms.
Quality of Risk Management
The next part of the decision process requires examiners to make conclusions about the quality of risk management. The quality of risk management is measured as weak, acceptable, or strong. Risk management is an internal bank process that does more than simply measure the quantity of risk. It is a process that is forward looking and proactive. An effective risk-management process must identify, measure, monitor, and control risks. The process should add value to the company by providing consistency, a proactive culture, effective communication, and coordination throughout the organization. It does not have to be an independent unit within the bank, such as an auditing unit. Regardless of how it is structured, risk management is a process that understands the culture, the risks, and the interrelationship of the risks within each company.
Aggregate and Composite Risk
The third stage in the risk-assessment system is for examiners to make a decision on aggregate risk. The aggregate risk reflects the level of supervisory concern, considering the quantity of risk in a particular area weighed against the quality of risk management. The OCC categorizes aggregate risk as low, moderate, or high.
At this stage of the decision process, the treatment of the remaining two risks—strategic and reputation risk—can be examined. The OCC does not require a separate quantity/quality decision for strategic and reputation risk. These risks are more implicit and cannot be readily quantified. The OCC does make a decision, however, on the level of supervisory concern for these two risks. This is called composite risk, and it is categorized as low, moderate, or high. Composite risk is similar to aggregate risk except that it is more one-dimensional.
Direction of Risk
The final decision that examiners make for large banks is to determine the direction of risk for all of the nine categories of risk. Direction of risk reflects the likely changes to the aggregate or composite risk profile over the next 12 months. Direction is described in terms of increasing, stable, or decreasing. Direction does not necessarily mean that the aggregate risk will move from one level to another in 12 months. Direction means that the aggregate risk is trending up or down, or remaining unchanged. Assessing the direction of risk helps the examiner to determine and refine the supervision activities for the bank.
The Risk-Assessment System for Community Banks
Similar to the composite risk decision made for strategic and reputation risk in large banks, examiners will make only one decision for community banks. The decision reflects the level of supervisory concern for each of the nine risk categories. The aggregate or composite decision does not directly require a decision on quantity and quality of risk management. The OCC does not ignore the quantity of risk and quality of risk-management factors; rather they are blended into a single decision process. The OCC categorizes this aggregate and composite risk for community banks as low, moderate, or high.
Examiners also will determine the direction of risk in community banks for all nine categories of risk. The same concepts discussed previously for large banks apply to the direction of risk for community banks.
The Risk-Based Strategy
The third step in the supervision-by-risk philosophy is that of a risk-based strategy. A key advantage of using the risk-assessment system for the OCC is that it helps the examiner plan examination activities. The decisions from the risk-assessment system form the foundation of its strategy for each bank. The OCC will focus its examination efforts on the areas of greatest risk in the institution and use only minimum procedures in areas of low risk.
For large banks, which are more complex and diverse, the OCC focuses more on risk management. The risk-management examinations will be supplemented with some transaction testing or validation, depending on the risk present.
For community banks, which are less complex and diverse and typically present traditional banking risks, OCC examiners start with performance-based testing. Performance-based testing confirms the use of sound fundamental principles in a bank. Performance-oriented testing is appropriate for low-risk areas commonly found in noncomplex community banks, provided that the risk areas are appropriately managed and controlled. The OCC’s Community Bank Procedures for Noncomplex Banks, introduced in June 1994,2 represent its first step in establishing minimum procedures. In areas of low risk, the OCC will continue to use only those procedures and place emphasis on performance. In areas of higher risk, the OCC will look much more closely at the risk-management process.
The last phase of the supervision process is that of communication. Although communication is listed as the last phase, effective communication is integral to the entire supervisory process. It can take the form of the report of examination, board meetings, entrance and exit meetings, or any other form of communication, such as phone calls, correspondence, or outreach meetings.
The OCC has outlined minimum standards for what examiners must communicate to bankers. Among other items, examiners should discuss the overall condition; the significant risks that the OCC, or the management team, have identified for the institution; the OCC’s examination plans or strategy for the next supervisory cycle; and the OCC’s preliminary and final conclusions from the risk-assessment system.
Communication is only effective if it is an open two-way process. Bank management and directors must be willing to share with examiners information and comments on the risk-assessment system and the examiner’s conclusions. Bankers should ask questions or provide comments on various aspects of the OCC’s evaluation of the bank’s risks.
To illustrate how all this information is tied together, the following is a brief synopsis of the supervisory cycle within the supervision-by-risk process. The OCC first develops an initial risk assessment for each bank or company using the risk-assessment system. Using this initial risk assessment, it will develop a supervisory strategy to outline its examination scope. The OCC will perform its examinations, which then provide additional information. This improves the accuracy of the risk-assessment profile. Using this risk-assessment profile, the OCC is better able to draw conclusions on the quantity of risk and the quality of risk-management systems. This will, in turn, allow it to make better decisions on capital adequacy, better classify the banks it supervises, and allocate its resources accordingly. The process of assessing risk and adjusting OCC supervision accordingly is a continual one. Communication with bank management occurs throughout each stage of the process and is critical to effective supervision.
Is Supervision by Risk a Change?
Is the supervision-by-risk program similar to what the OCC has been doing in national banks? Is it a change or not?
The theory of supervising banks based on risks, developing supervisory strategies in response to the identified risks, and emphasizing communication in its examinations are fundamental elements of good bank supervision that the OCC has long practiced. Supervision by risk, however, does make some important changes that the OCC feels will enhance its ability to effectively and efficiently continue to supervise national banks.
Specifically, supervision by risk
- adds a common language and a structured process for examiners to use in assessing risks;
- provides an analytical framework for the OCC to use in deciding where to focus resources—in individual banks as well as for the national banking industry as a whole; and
- lays the foundation for the communication between examiners and bankers to be based on risk management.
Just as important as describing what supervision by risk is or what changes the OCC is implementing based on this philosophy is the need to clarify a few misconceptions. First, supervision by risk does not try to eliminate all risks in the banking system. The OCC does not expect risk to be eliminated—some degree of risk is fundamental to any business. However, the OCC does expect risks to be managed.
Second, supervision by risk is not a substitute for CAMEL, which is the acronym for the five elements of the Uniform Financial Institutions Rating System: (i) capital, (ii) asset quality, (iii) management, (iv) earnings, and (v) liquidity. Supervision by risk and CAMEL ratings exist in tandem. CAMEL uses actual performance to derive a conclusion about a bank’s current condition, while supervision by risk focuses supervisory attention on the area or areas of current and emerging risk. In other words, the OCC will continue to assess the bank’s condition on performance, yet it will plan the areas of the bank to be examined and assign the resources needed to accomplish this task by identifying and measuring risk. There is also an interagency bank regulatory effort under way that is working on amending CAMEL to include risk management.3 The interrelationship of CAMEL and supervision by risk will be reevaluated once these changes are made.
Finally, supervision by risk does not mandate that every bank adopt one risk-management system or the OCC’s exact definitions. Risk management remains the responsibility of bank management and the board of directors. The bank’s risk-management system may differ from that described herein. A bank’s management and its directors should evaluate its risk-management system to ensure its effectiveness.
What Are the Benefits of Supervision by Risk for Banks?
What benefits does supervision by risk have for the banks? Does it just create more regulatory burden? The OCC does not think so. While supervision by risk is the linchpin for OCC’s supervision of the national banking industry, the OCC firmly believes that the concept of effective risk management, which is fundamental to the supervision-by-risk philosophy, is simply good business for banks.
The OCC also thinks that there are tangible benefits to banks from this approach. First, it focuses examiner attention on items of significance. In areas where a bank effectively manages risk, examination activities will be minimal. Second, communication between bank management, directors, and the OCC will be more focused because the parties will share a common language and concentrate attention on what concerns bank management and the OCC most. Third, risk management focuses on adding value to the organization. Risk management is a process that understands the culture, the risks, and the interrelationships of these risks within each individual company. It does not simply add another costly layer of management in the organization. It is a culture that emphasizes basic concepts and increases the financial institution’s strength. Finally, supervision by risk recognizes that the responsibility for managing risks rests with the bank. Supervision by risk does not require any particular organizational structure or particular systems to manage these risks. The OCC simply wants bank management to manage the risks effectively. As supervision by risk evolves at the OCC, it will provide national banks with enhanced peer analysis that focuses on risk and risk management.
What Must Bankers Do in Light of the OCC’s Changes?
There are two critical elements that deserve attention: first, the definitions of risk; and, second, the concept of risk management.
Definitions of Risk
First, understanding the definitions of risk and their interrelationship provides some context for the supervision-by-risk philosophy. To assist in this process, a few examples of bank activities or products and the risks present in those activities are described.
The first example illustrates the interrelationship of risks: a fixed-rate ten-year U.S. government investment security that is held in a bank’s held-to-maturity portfolio. It includes interest rate risk—if short-term rates increase, the bank’s interest margins could decrease because the cost of funds would rise in relation to the security’s yield. Liquidity risk is present because of the costs involved in liquidating the bond, should that become necessary. If interest rates have increased significantly since management purchased the bond, the bank may incur unacceptable losses in selling the bond. Transaction risk also comes into play through the paperwork and wire processing of funds to buy and sell the security. In addition, while the pieces are sliced equally in this representation of the risks, interest rate risk in a U.S. government bond may be larger than transaction risk. It is also important to note that one cannot always effectively evaluate risks on an individual bond or transaction basis. One bond itself may not appear to involve significant interest rate risk exposure, but when combined with the remainder of the bonds in the portfolio, interest rate risk may become significant. To properly assess risks, one must look at all assets and liabilities and their aggregate impact; risks from one product or activity may be mitigated by other products or activities.
To illustrate further the interrelationship of risks, a second example is a variable-rate term loan to a small business. Obviously, credit risk is involved, based on the possibility of default by the obligor. Even though the loan has a variable rate in this example, interest rate risk still exists. If interest rates fall sharply, for example, the borrower may decide it is feasible to refinance, thus leaving the bank with unexpected funds to reinvest in a lower-yield environment. Liquidity risk is again present because there would be a cost to the bank to sell this asset in a time of need. Compliance risk occurs based on whether or not the loan adheres to internal loan policies or possibly because of legal limitations. In addition, transaction risk can be substantial if the bank lacks adequate internal controls or systems to monitor the loan.
A final example involves mutual funds. Certainly a bank’s decision to offer mutual funds involves various risks. Strategic risk is encountered based on bank management and the board’s decisions to enter the business and what products they should offer. The decision makers should also consider initial capital outlays to establish the fund and to gain a break-even customer base. Reputation risk becomes apparent when the funds fare poorly, because customers may associate any monetary loss with the salesperson placing them in the product. Reputation risk increases when the fund is a proprietary mutual fund, because customers will have a tendency to associate the product with the institution. Also, compliance risk arises because of the various legal, ethical, and contractual obligations and the number of regulatory agencies potentially supervising this area: the OCC, the Federal Deposit Insurance Corporation, the Securities and Exchange Commission, and the National Association of Securities Dealers. Liquidity risk may also be present if the funds perform poorly or if the bank itself encounters publicized problems. Customers of the funds, including institutional investors, can disappear quickly, and the bank could find itself providing actual liquidity to the fund from the bank. Transaction risk also occurs with every transaction and is heightened when the bank serves as the administrator or custodian of its own mutual funds.
These few examples illustrate the global risk paradigm versus mere product or activity risk assessments. It is important to remember that products and activities have multiple risks, that these risks are interrelated, and that proper evaluation of risk requires a change from vertical product analysis to a horizontal assessment for the entire institution.
The OCC expects each national bank to establish or maintain an effective risk-management system. As previously noted, an effective risk-management system has four basic components: risk identification, risk measurement, risk control, and risk monitoring.
Because market conditions and company structures vary, there is no single risk-management system that works for everyone. However, each institution should have a system, whether formal or informal, that addresses each of these four areas. The level of sophistication of these systems should correspond to the size and level of complexity of the institution’s operations and its competitive environment.
Most institutions already have some elements that are the basis for an effective risk-management system. For example, they probably have policies, whether formal or informal, that define risk philosophy. A common example is a policy that communicates the loan-to-value limits for the bank’s lending staff. Each bank also has an internal process that allows management to analyze and monitor its balance sheet and income statement. Every bank also has personnel. They are constantly evaluated on whether or not they are performing as expected and whether or not they have the skills necessary to manage the bank’s risks. In addition, every bank has some control systems in place, whether these involve segregation of duties, audit, or possibly a loan review function. The implementation of an effective risk-management system is not the creation of a whole new process. Rather, it should build upon some sound fundamental principles of effective management that already exist and evolve the bank’s culture into one that views risks within the organization from a global perspective.
What Still Needs To Be Done by the OCC
At the OCC, supervision by risk will continue to evolve. The steps addressed above are simply the first steps to establish and fully implement supervision by risk. The OCC needed to develop a common language and consistent structure for assessing risks; these are critical to the evolution of its program. The OCC is committed to refocusing its examining culture to incorporate these concepts.
10B. Effective Tools for the Host Country Supervisor
STEPHEN M. HOFFMAN, JR.
This chapter first describes the supervision program used by U.S. bank supervisory agencies, including the Board of Governors of the Federal Reserve System, for supervising U.S. operations of foreign banking organizations. It focuses on how the program enables these bank supervisory agencies, as host country supervisors, to identify supervisory concerns for communication to the banks and their home country supervisors. This, in turn, leads to the prompt resolution of those concerns and ensures the continuance of strong overall risk-management and internal control processes in the U.S. banking system.
Second, the chapter examines what can happen when a bank does not have adequate risk-management and internal control processes in place throughout the organization. Daiwa Bank and Barings are both recent examples of the consequences of failure to observe relatively simple, “low-tech” elements of risk management and internal controls. The chapter describes some of the conditions present at Daiwa Bank that made it possible for the bank to incur significant trading losses resulting from unauthorized activities that had gone undetected by the management of the bank, by its internal and external auditors, and by home and host country supervisors for over eleven years.
It would appear, based on the experience of U.S. bank supervisors with Daiwa Bank and Barings, that as ways to prevent these types of situations from occurring in the future are considered, any proposed enhancements must include increased attention on a global basis to a bank’s risk management and internal controls. In order to evaluate fully a multinational bank’s efforts at measuring and controlling risk throughout its franchise, the bank’s home and host country supervisors must communicate regularly in coordinating their supervisory efforts. The Federal Reserve has a strong interest in coordinating its supervisory efforts with those of its bank supervision colleagues around the world in order to create an overall supervisory environment that more closely mirrors the business activities of the international banks that are collectively supervised.
The Foreign Banking Organizations Supervision Program
Foreign banks operate in the United States through various legal entities: branches and agencies, commercial banks, Edge and agreement corporations, commercial lending companies, representative offices, non-banking subsidiaries, and frequently through multiple banking and non-banking financial entities located in more than one state. In such situations, a number of state and federal banking supervisory agencies are charged with the responsibility of examining and supervising the particular entities comprising the foreign bank’s multistate U.S. operations.
In 1995, the U.S. banking supervisors adopted a joint program for supervising the U.S. operations of foreign banking organizations (FBOs).1 This program, which is referred to as the FBO supervision program, was developed through a cooperative effort among the agencies in order to provide a more comprehensive framework for supervising foreign banks’ operations in the United States on a coordinated basis.
There is nothing radically new about this program. Most of the processes that comprise the FBO supervision program have been conducted by the different U.S. federal and state banking supervisory agencies for more than a decade. What is new is the level of coordination among the agencies. The program provides a highly defined framework within which the U.S. bank supervisors share information and coordinate both their supervisory assessment activities, including on-site examinations, and their evaluations of the results of these activities in order to develop shared supervisory conclusions and, where needed, remedial action measures. It is designed to enable U.S. supervisors to identify as early as possible any supervisory concerns relating to the U.S. operations of a foreign bank and to achieve their prompt resolution.
The FBO supervision program essentially seeks to develop and maintain an up-to-date supervisory view for the U.S. operations of each FBO, including a remedial action plan as necessary, that is based on all of the information available to the U.S. bank supervisors concerning the situation of the FBO itself as well as that of all of its operations in the United States.
Main Components of the FBO Program
The program has three main components. One component is the “strength-of-support assessment” (SOSA), which is an evaluation of the ability of the FBO to provide support, both financial and managerial, to its U.S. operations. This assessment process takes into account the financial condition of the FBO, the efficacy of its home country supervisory regime, and the home country’s record of support for troubled depository financial institutions. The SOSA also takes into account any known developments affecting the FBO that may portend concerns with its risk-management processes, operational controls, or compliance programs. Examples of such developments are megamergers or the identification of problems that indicate the existence of weaknesses in the risk-management processes of the foreign bank or the occurrence of significant breaches in its internal control environment.
The information developed through the SOSA contributes to the formulation of a supervisory strategy for the FBO’s U.S. operations. In cases where the ability of the FBO to support its U.S. operations is in question, the SOSA process would, at a minimum, lead to enhanced monitoring of the asset and liability structure of the U.S. operations, together with close scrutiny of liquidity levels and funding capabilities, and, in extreme cases, could result in supervisory action to “ring fence” the U.S. operations to ensure, insofar as possible, that the U.S. operations are able to honor fully their market obligations by means of their own resources. In situations where weaknesses in the risk-management processes of the foreign bank have been identified or where there have been significant breaches in the bank’s internal control environment, the result of the SOSA process would be an intensified examination of the FBO’s U.S. operations in those areas identified as particular risks for the organization.
Second, the centerpiece of the FBO supervision program is the development of an annual comprehensive examination plan for each FBO’s U.S. operations. This plan takes into account any issues identified through the SOSA process as well as any supervisory concerns raised in the previous round of examinations of the FBO’s U.S. operations, particularly any issues identified as systemic in nature. In developing the comprehensive examination plan, the emphasis is on focusing examination efforts on those aspects of the FBO’s U.S. operations that are seen as posing the greatest risk.
The third major component of the FBO supervision program is the development of an annual summary of the condition of the U.S. operations of each FBO. This evaluation is prepared following the completion of each round of examinations of the FBO’s various U.S. banking and nonbanking operations. The preparation of this assessment facilitates the identification of issues that raise a significant degree of supervisory concern with respect to the FBO’s U.S. operations viewed as a whole. This assessment is communicated directly to the FBO’s head office senior management. In addition, any significant supervisory concerns are discussed with the FBO’s home country supervisor.
It is important to emphasize that the various parts of the FBO supervision program should be viewed as a continuum. Each part is prepared in close conjunction with the others and is updated as developments warrant. Together, the various components give structure to the ongoing process of supervising foreign banks’ U.S. operations and facilitate the early identification and prompt resolution of problems in those operations.
Enhanced Examination: The ROCA Rating System
Another significant development in the supervision of U.S. operations of foreign banks that has been put into place as a key part of the FBO supervision program is the enhancement of the examination process for U.S. offices of foreign banks. This enhancement is embodied in the risk management, operational controls, compliance, and asset quality (ROCA) rating system, as well as in the related branch and agency examination manual, which provides detailed guidance to examiners on the application of the new rating. The ROCA system replaces the previous rating, which focused heavily on the condition at a point in time of the branch or agency’s portfolio of risk assets.
Risk management, the first component of the ROCA rating system, is the process of identifying, measuring, controlling, and reporting risk, and it is an important function at any financial institution. In a branch or agency, which is typically removed from its head office by location and time zone, an effective risk-management system is critical in managing the scope of its activities and in achieving comprehensive, ongoing oversight by local and head office management. In the examination process, examiners determine the extent to which risk-management techniques are adequate to control risk exposures that result from the branch or agency’s activities and to ensure adequate oversight by the local and head office management and thereby promote a safe and sound banking environment.
The primary components of a sound risk-management system are a comprehensive risk assessment approach; a detailed structure of limits, guidelines, and other parameters used to govern risk taking; and a strong management information system for monitoring and reporting risks.
The process of risk assessment includes the identification of all the risks associated with the branch or agency’s balance-sheet and off-balance-sheet activities, and the grouping of them into appropriate risk categories, such as those reviewed in Chapter 10A. All major risks should be measured explicitly and consistently by branch or agency management. For example, a branch or agency would be expected to have systems for early identification of problem assets and the development of appropriate resolution programs. Risks should also be evaluated on an ongoing basis—underlying risk assumptions relating to economic and market conditions vary, and offices’ activities change over time. Expansion into new products or business lines should not outpace proper risk management, including oversight by the head office. Where risks cannot be explicitly measured, the management should demonstrate knowledge of their potential impact and a sense of how to manage such risks.
Risk identification and measurement are followed by an evaluation of the trade-off between risks and returns to establish acceptable risk exposure levels, which are stated primarily in the branch or agency’s lending and trading policies that are subject to the approval of the head office management. These policies should give standards for evaluating and undertaking risk exposure in individual office activities as well as procedures for tracking and reporting risk exposure to monitor compliance with established policy limits or guidelines.
The head office management has a key role in developing and approving the branch or agency’s risk-management system as part of its responsibility to provide a comprehensive system of oversight for that office. Generally, the risk-management system, including risk identification, measurement, limits, guidelines, and monitoring should be modeled on that of the FBO as a whole to provide for a fully integrated, institution-wide risk-management system.
The second component of the ROCA rating system is operational controls. This component assesses the effectiveness of the branch or agency’s operational controls, including those relating to the safeguarding of assets, accounting, and reporting. The assessment is based on the expectation that each branch and agency should have in place a fully effective, coordinated process of internal controls, including audit coverage, that is consistent with the size of the office and the complexity of its operations. In this regard, internal control and audit procedures should ensure that operations are conducted in accordance with both management requirements and regulatory policies, and that all reports and analyses provided to the head office and local senior management are timely and accurate.
This aspect of supervision in the context of branches and agencies is intended to achieve two basic goals. One goal is to ensure that the participation of foreign bank branches and agencies in the U.S. banking system does not undermine the efficiency of, and confidence in, the system. The second goal is to ensure that the head office management, and by extension the bank’s home country supervisor, are able to supervise comprehensively the global operations of the FBO on a consolidated basis in accordance with the Basle supervisory principles.2
The third component of the ROCA rating system is compliance. In addition to maintaining an effective system of operational controls, branches and agencies should also demonstrate the existence of programs necessary to ensure compliance with all applicable state and federal laws and regulations, including regulatory reporting requirements.
The final component of the ROCA rating is asset quality. Generally, asset quality is evaluated to determine whether a financial entity has sufficient capital to absorb prospective losses and, ultimately, whether it can maintain its viability as an ongoing entity. The evaluation of asset quality in a branch or agency does not have the same result because these offices are not separately capitalized entities. Instead, a branch or agency relies on the financial and managerial support of the FBO as a whole.
Nonetheless, the evaluation of asset quality is important both in assessing the effectiveness of credit-risk management and also in the event of a possible liquidation of the branch or agency. However, as just mentioned, these offices are not strictly limited by their own internal and external funding sources in meeting solvency and liquidity needs. The ability of a branch or agency to honor its liabilities ultimately is based on the condition and level of support from the FBO.
If the condition of the FBO is satisfactory, it is presumed to be able to support the branch or agency with sufficient capital and reserves on a consolidated basis. As a result, the assessment of asset quality in such circumstances would not in and of itself be a predominant factor in the branch or agency’s overall assessment if existing risk-management techniques are satisfactory. If, however, the condition of the FBO is less than satisfactory and/or support from the FBO is questionable, the evaluation of asset quality is considered carefully in determining whether supervisory actions are needed to improve the branch or agency’s ability to meet its obligations on a stand-alone basis. In cases where a branch or agency is subject to asset maintenance, it is expected that asset quality issues will be addressed by disqualifying or discounting high-risk assets as eligible assets. The level of problem assets at a branch or agency may be an indication of problems in credit policies, loan-origination practices, loan workouts, or loss-identification procedures. Generally, problems in these areas are addressed in the risk-management component of the rating system.
The preceding text addressed the procedures that U.S. bank supervisors use to assess a bank’s ability to manage the risks associated with its business. Daiwa Bank is an example of what can happen when basic internal controls fail at a depository institution.
A breach of basic internal controls at the New York branch of Daiwa Bank caused the bank to incur $1.1 billion in trading losses resulting from unauthorized trading activities that were conducted over an 11-year period, from 1984 to 1995. A senior official at the branch was able to perpetrate this fraud because he had responsibilities for both custody and securities trading. Based on information available to U.S. bank supervisors at this time, it appears that he was able to hide his trading losses by selling securities that were held by the New York branch in custody for the bank and its customers. The official was able to conceal his trading activities by preparing false custodial account records and by never being absent from the bank for more than three consecutive business days over the 11-year period.
The information that U.S. bank supervisors obtained concerning both Daiwa Bank and Barings indicates a fundamental breakdown in relatively simple elements of risk management and internal controls. In recent years, there has been a tendency by both bank managements and supervisors to focus on “high-tech” aspects of risk management and internal control, that is, the identification, modeling, and loss-limit-control aspects of complex financial instruments. The events at both Barings and Daiwa Bank indicate that the failure to observe relatively simple aspects of risk management and internal control carries a heavy price. Unfortunately, depository financial institutions will always be vulnerable to the risk of hiring a “rogue” employee who has his or her own best interest at heart rather than the interests of the institution. Given the impact that these individuals can have on a bank’s income and capital, banks should be self-motivated (and most are) to control the activities of individuals who are in positions to create large losses. Banks have a financial incentive to ensure that they have comprehensive risk-management and internal controls systems in place that allow them to identify, measure, control, and report the nature and the amount of risk that they are willing to assume. However, supervisors also have a duty to ensure the integrity of their financial systems by identifying breaches in internal controls or gaps in bank managements’ policies and procedures at a point early enough to minimize damage.
With this goal in mind, U.S. bank supervisors have accelerated the implementation of the improved supervisory programs and risk assessment methodologies that have just been described in order to strengthen further their capability to oversee banks, both domestic and foreign, operating in the United States.
Worldwide Coordination of Supervisory Efforts
In the Barings and Daiwa Bank cases, both banks conducted significant activities outside of their home countries that were in large part managed locally. This type of operating structure is not uncommon for a multinational bank. In cases where such a structure exists, it behooves the home and host country supervisors to communicate on a regular basis in order to coordinate their supervisory efforts. While informal conversations foster improved relations with one’s fellow bank supervisors, this method of communication cannot continue to suffice as the best means of coordinating one’s supervisory efforts with those of a fellow bank supervisor. The Federal Reserve is exploring ways to ensure better coordination of supervisory activities, including timely communication of material information, with foreign supervisors. In this regard, a number of international bank supervisors recently have indicated an interest in clarifying further their cooperative supervisory arrangements with the Federal Reserve. These efforts will enable the Federal Reserve both to learn more about the international operations of U.S. banks, thereby improving its effectiveness as a home country supervisor, and to share information on the U.S. operations of foreign banks, thereby meeting its responsibilities as a host country supervisor to communicate significant information to the home country supervisors of foreign banks operating in the United States.
Finally, the Federal Reserve, working together with the Basle Supervisors’ Committee and other multinational supervisory groups as well as bilaterally with other international bank supervisors, will continue to devote even more of its attention to ensuring the adequacy of risk management and internal controls for internationally active banks. The objectives of this effort will be to determine with greater precision the bank supervisory policies and procedures relating to risk management and internal controls, including audit coverage, that are in place around the world; then to pursue the development of sound international practices, or possibly even minimum standards, for global risk management and internal controls by multinational banks.
Given the rapid advances in technology, the geographic expansion of bank activities, the globalization of financial markets, and the constant innovation in financial instruments, there is a greater likelihood that the problems of one internationally active bank will affect others. In an effort to counterbalance the increased risk of material loss for a large multinational bank, and more broadly for the international banking system, supervisors must vigorously coordinate their supervisory efforts when unsafe and unsound conditions exist. The supervisory methods that have just been described should be of benefit to all bank supervisors, as they seek to strengthen further the global network of comprehensive supervision of the operations of internationally active banks.