FDIC Proposes Governance and Risk Management Guidelines for IDIs

The FDIC proposed governance and risk management guidelines that would apply to all insured state nonmember banks, state-licensed branches of foreign banks and insured state savings associations with assets of $10 billion.

The proposal would amend FDIC Rules 364.101 ("Standards for safety and soundness") and 308.302 ("Determination and notification of failure to meet a safety and soundness standard and request for compliance plan") to include corporate governance and risk management guidelines to:

• impose general obligations of the board of directors and individual directors of financial institutions;
• require that the Board establish a number of separate Committees to divide up work between Board members;
• require adoption of a code of ethics;
• require creation of a risk management system that is (i) proportionate to a financial institution’s "size, complexity, business model, and risk profile" and (ii) based on a "three-line-of defense" model consisting of business units at the front line, an independent risk management function led by a chief risk officer, and an internal audit unit; and
• ensure that policies are "effectively communicate[d]" by financial institutions to employees to promote (i) compliance, (ii) identification of policy breaches and (iii) establishment of consequences in the event of a breach.

Comments on the proposal are due 60 days after publication in the Federal Register.

Statements

FDIC Chair Martin J. Gruenberg said that the proposed guidelines "improve" larger insured depository institution’s corporate governance and risk management processes following the wave of bank failures in March 2023. He said that the proposal makes clear the FDIC’s expectations that corporate governance and risk management frameworks must evolve with a financial institution’s growth and complexity.

In dissent, FDIC Director Jonathan McKernan argued that the proposed guidelines "undermine accountability for risk ownership, conflate the roles of board and management, preempt state corporate law, and potentially conflict with regulatory expectations applicable to parent companies."

In dissent, FDIC Vice Chair Travis Hill doubted that the requirements would establish the necessary safety and soundness standards. He said that the proposed guidelines include requirements regarding demographic diversity, but say nothing regarding relevant professional experience or qualifications. (The guidelines state that "diversity of demographic representation . . . is key to a board composition . . . .")