On October 3, 2023, the FDIC Board authorized the publication of a Notice of Proposed Rulemaking (NPR) to add a new Appendix C to the FDIC’s safety and soundness regulation, 12 CFR 364, to incorporate guidelines on corporate governance and risk management for FDIC-supervised insured depository institutions (IDIs) with consolidated assets of $10 billion or more. This NPR is being issued under the safety and soundness authority provided by Section 39 of the Federal Deposit Insurance Act.
The FDIC observed during the 2008 financial crisis, and more recent IDI failures in 2023, that IDIs with poor corporate governance and risk management practices were more likely to fail. Reports reviewing the 2023 IDI failures noted that poor corporate governance and risk management practices were contributing factors.[1] It is important to note that failures of IDIs impose costs on the Deposit Insurance Fund and negatively affect a wide variety of stakeholders including the IDI’s depositors and shareholders, employees, customers (including consumers and businesses that rely on the IDI’s services and the availability of credit), regulators, and the public as a whole.
Strong corporate governance is the foundation for an IDI’s safe and sound operations. An effective governance framework is necessary for an IDI to remain profitable, competitive, and resilient through changing economic and market conditions. The FDIC’s current safety and soundness standards for FDIC-supervised IDIs, as set forth in Appendix A of the Safety and Soundness regulation and supervisory guidance on corporate governance and risk management, provide baseline corporate governance and risk management expectations.
However, the FDIC believes that larger, more complex IDIs require more sophisticated and formal corporate governance and risk management structures and practices. The proposed guidelines would clarify the FDIC’s expectation that corporate governance and risk management frameworks need to evolve along with growth, complexity and changing business models and risk profiles of larger IDIs. The proposed guidelines describe the general obligations of a board of directors to ensure good corporate governance, including with respect to board composition, duties, and committee structure. Among other things, the duties of the board of directors include setting the tone at the top, developing a Code of Ethics, and providing active oversight of management.
In addition, the proposed guidelines would establish the FDIC’s expectations for board and management responsibilities regarding risk management and audit. An effective risk management program at larger, more complex IDIs covered by the proposal should include a three-line-of-defense model of risk management for monitoring and reporting risks, consisting of business units, an independent risk management function, and an internal audit unit. A covered institution’s risk management program should also include establishing and communicating a risk profile and risk appetite statement. Additionally, the proposed guidelines describe the FDIC’s expectations regarding the processes for identifying breaches of risk appetite or risk limits.
In conclusion, the experience of the three large IDI failures this spring should focus our attention on the need for meaningful action to improve the corporate governance and risk management processes of large IDIs under the Federal Deposit Insurance Act. The governance and risk management standards put forward in this NPR would be a significant step in that direction. I am pleased to support this Notice of Proposed Rulemaking, and look forward to reviewing the comments we receive.
[1] The FDIC report on the failure of Signature Bank in 2023 found that the root cause of the failure was poor management without adequate risk management practices and controls. The institution’s management did not prioritize good corporate governance practices (FDIC’s Supervision of Signature Bank, April 28, 2023, p. 2). The Board of Governors of the Federal Reserve System’s report on the failure of Silicon Valley Bank also identified governance and risk management deficiencies that led to the failure (Review of the Federal Reserve’s Supervision and Regulation of Silicon Valley Bank, April 2023, p. 1). Similar findings are contained in the Office of the Inspector General, Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau’s September 25, 2023 Material Loss Review of Silicon Valley Bank.