October 2023
An analysis of the formal Enforcement Actions issued by the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and some State Banking Regulators during 2023 reveals some common themes, some of which were also seen in prior years, e.g., BSA/AML/OFAC compliance issues, flood insurance violations and fair lending deficiencies. Some information security weaknesses and third-party risk management issues also led to these supervisory actions. However, during our detailed review of 10 enforcement actions, we noted instances of one or more of the following in many of them:
- Issues with Quality of Bank Management
- Insufficient Board Oversight and Reporting
- Inadequacies relating to Strategic Planning and Capital Planning
- Liquidity Risk Management challenges
- Credit risk issues concerning portfolio management and concentration.
The above issues underscore the increased risks impacting financial stability and the increased stress on banks to weather the current macroeconomic pressures caused by the rapid increase in interest rates, along with associated uncertainties at least in the near future.
Based on emerging regulatory focus, we have been issuing thought leadership materials on various risk management topics throughout the year. In the segments below, we review in more detail the action items pertaining to three of the issues mentioned above, as these appear to be a common theme in multiple enforcement actions.
Strategic and Capital Planning
Surprisingly, Strategic and Capital Planning weaknesses appeared to be the predominant cause of Enforcement Actions, and these were mentioned in 5 of the 10 enforcement actions (50%) that we reviewed. Therefore, we decided to examine more closely the regulatory requirements specified and noted that one of the most comprehensive actions on this topic involved a formal agreement entered into between the OCC and National Iron Bank, which serves as good guidance on regulatory expectations. We have summarized some of the key action items below, which should help banks enhance their Strategic Plans and Capital Plans, as necessary.
In general, the action reinforced that a strategic plan should outline a Bank’s overall risk profile and its objectives concerning earnings performance, growth, balance sheet mix, off-balance sheet activities, liability structure, and capital and liquidity adequacy, together with strategies to achieve those objectives. However, specific details of what is expected to be included in a strategic plan were also outlined and are summarized below.
- A mission statement that forms the framework for the strategic goals and objectives.
- Assessment of strengths, weaknesses, opportunities, and threats that can impact these.
- The goals and objectives should include details, including key financial indicators and risk tolerances.
- Financial projections for major balance sheet and income statement accounts and target financial ratios.
- An evaluation of operations, board and management information systems, policies, and procedures for their adequacy to accomplish the strategic goals and objectives.
- A management employment and succession plan for capable management continuity.
- A description of target market(s) and competitive factors that could impact the goals outlined in a strategic plan.
- Identification and assessment of current and planned product lines and systems and the risk management processes used to identify, measure, monitor, and control risks (including concentration risks) within the product lines and systems.
Details were also included concerning the capital planning process, which begins with information that outlines and illustrates the sufficiency of capital levels needed to accomplish the objectives and goals outlined in the strategic plan. Specific information concerning the management and monitoring of capital that was specified included:
- Details of the capital structure and needs that are derived from the assessment of key risks embedded in the strategic plan.
- A contingency or back-up capital plan for potential balance sheet and liquidity stresses.
- A process to periodically measure, monitor, and report material financial statement variances from the strategic plan together with explanations and potential impacts.
- Capital stress testing plans should be scheduled no less than annually. Scenarios should include cases where balance sheet growth exceeds business plan projections.
We suggest that, at a minimum, a thorough formal review of existing Strategic and Capital Plans should be done, covering the above points, and reported to the Board of Directors.
Credit and Concentration Risk
Setting aside flood insurance related matters, we noted that in 4 of the 10 enforcement actions (40%), Credit Risk Management issues were raised concerning credit quality and loan concentrations, with a focus on the processes and controls required to manage loan portfolios, including loan analysis and documentation and the monitoring of performance trends and loan concentrations. Below is a summary of the action items noted.
- Loan policies need to include sufficient details that address the type of documentation and information required to support credit quality determinations including collateral valuations, cash flows and ability to repay, etc. Further, policies should include a risk-based methodology and approach regarding the frequency and priorities related to performing credit reviews.
- Loan policies should specify policy exception limits and escalation processes whereby the appropriate Board level approvals are obtained to support waivers to policy guidelines.
- Processes should include controls that identify policy exceptions or outstanding documentation so that these items can be tracked and remediated effectively.
- Procedures and systems should adequately identify and track information that can impact credit risk such as collateral coverage.
- The loan portfolio performance monitoring process should provide for early identification of increasing credit risk and potential problem loans.
- An independent loan review should report directly to the Board of Directors.
- Systems and data analysis should identify credit concentrations across all loan types.
- Concentrations of credit should be reviewed to determine the inherent credit, liquidity, and interest rate risks and evaluate the potential impact on growth plans and capital planning.
- Concentration levels should be analyzed by meaningful measures such as loan type, borrower, and collateral type.
- Portfolio-level stress tests should quantify the potential impacts on earnings and capital.
We have also seen numerous instances where, even when policy and procedure documents are reviewed every year, the review is done more for compliance with the review process than as a meaningful exercise, resulting in gaps between the documents and actual practices or requirements. Given the increased credit risks and associated regulatory focus, a review of the MIS reports should be done to ensure that key risks, including loan performance and concentration risks, are reported, that an independent loan review process is in place, that stress tests are conducted periodically, and that all of these are appropriately reflected in the policy and procedure documents.
Liquidity
In many of the enforcement actions, liquidity issues were identified (some in relation to strategic and capital planning). However, in 3 of the 10 enforcement actions (30%), liquidity issues were specifically mentioned, and the following requirements were specified as part of the actions.
- Develop detailed policies and procedures addressing liquidity and funds management.
- Establish liquidity level parameters necessary to maintain adequate on-balance sheet liquidity levels to ensure sufficient liquidity sources are available in normal and stressed operating conditions.
- Implement a plan for contingency funding that outlines sources of funding, limitations on respective sources and criteria for using each of the funding sources.
- Ensure that the contingency funding plan maintains a cushion amount of highly liquid funds.
- Determine that sufficient controls and audit systems are in place.
- Where applicable, reduce reliance on wholesale funding sources, and develop a brokered deposit plan to manage the levels of such deposits.
Liquidity risk management needs a bit more focus currently. While at least an annual test of the liquidity contingency plan is expected in normal times, more frequent testing may be warranted, depending upon the liquidity status of the Bank, to give the Board and Senior Management comfort about the adequacy of the plans.
To summarize, apart from regulatory actions, the current environment has increased the need to constantly review concentration risks on both the asset and liability sides of the balance sheet, reevaluate strategic and capital plans, and ensure that updated policies are in place, supported by the required systems and processes at the Bank. This should also serve as a reminder to examine controls and risk management processes to ensure that they are designed and implemented to monitor the evolving stresses on credit quality, liquidity constraints and capital needs.
RGS Global Advisors is a leading cost-effective provider of Internal Audit, Risk Management, IT/IS/Cyber, BSA/AML/OFAC & Compliance Consultancy services to Financial Institutions.
For further guidance or assistance contact us at: info@RGSGlobalAdvisors.com