OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches

SUPPLEMENTARY INFORMATION:

I. Background

Large-scale financial crises have demonstrated the destabilizing effect that severe stress can have on financial entities, capital markets, the Federal banking system, and the U.S. and global economies. This is particularly true when a crisis places severe stress on large, complex financial institutions due to the systemic and contagion risks that they pose. For example, during the 2008 crisis, the Office of the Comptroller of the Currency (OCC) observed that many financial institutions were not prepared to respond effectively to the financial effects of severe stress. The lack of or inadequate planning threatened the viability of some financial institutions, and many were forced to take significant actions without the benefit of a well-developed plan for recovery.

For the OCC, this experience highlighted the importance of large, complex banks having strong risk governance frameworks, including plans for how to respond quickly and effectively to, and recover from, the financial effects of severe stress. The agency recognized that this type of advance planning would reduce a bank's risk of failure and increase the likelihood that it would return to a position of financial strength and viability following severe stress.

On September 29, 2016, the OCC issued Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches (Guidelines). Under the Guidelines, an insured national bank, insured Federal savings association, or insured Federal branch (bank) subject to the standards (covered bank) should have a recovery plan that includes (1) quantitative or qualitative indicators of the risk or existence of severe stress that reflect its particular vulnerabilities; (2) a wide range of credible options that it could undertake in response to the stress to restore its financial strength and viability; and (3) an assessment and description of how these options would affect it. The Guidelines provide that a recovery plan should also address (1) the covered bank's overall organizational and legal entity structure and its interconnections and interdependencies; (2) procedures for escalating decision-making to senior management or the board of directors or an appropriate committee thereof (board); (3) management reports; (4) communication procedures; and (5) any other information the OCC communicates in writing. The Guidelines also set forth the responsibilities of management and the board with respect to the covered bank's recovery plan.

The 2016 Guidelines applied to banks with total consolidated assets of $50 billion or more. In 2018, the OCC amended the Guidelines to raise the threshold to $250 billion based on its view, at that time, that these larger, more complex, and potentially more interconnected banks presented greater systemic risk to the financial system and would benefit most from recovery planning.

In March 2023, several insured depository institutions (IDIs) with total consolidated assets of $100 billion or more experienced significant withdrawals of uninsured deposits in response to underlying weaknesses in their financial position and failed. These events highlighted the risk, complexity, and interconnectedness of banks with average total consolidated assets between $100 billion and $250 billion and underscored that it is important for banks in this size range (which are not covered by the current Guidelines) to develop and maintain recovery plans to respond to the financial effects of severe stress.

In addition, since the issuance of the Guidelines in 2016, the agency has examined covered banks' recovery planning processes and reviewed numerous recovery plans. Based on this experience, the OCC has identified areas where the current Guidelines should be strengthened.

To address these issues, on July 3, 2024, the OCC published a proposal to expand the Guidelines to apply to banks with average total consolidated assets of $100 billion or more; incorporate a testing standard; and clarify the role of non-financial (including operational and strategic) risk in recovery planning. The OCC received five comments on the proposal. Two comments were from banks, one was from an individual, one was from two trade associations, and one was from a non-profit organization. These comments are addressed in detail in the next section.

II. Description of the Proposal, Comments, and Final Guidelines

A. Covered Bank Threshold

Definition of covered bank. The current Guidelines generally apply to banks with average total consolidated assets of $250 billion or more. Based on the OCC's observations during the IDI failures in 2023, the agency proposed to expand the Guidelines to apply to banks with average total consolidated assets of $100 billion or more. To make this change, the OCC proposed to revise the definition of “covered bank” in paragraph I.E.3. of the current Guidelines.

The OCC received several comments on this proposed change. While one commenter supported the proposed $100 billion threshold, another commenter suggested a $150 billion threshold. Commenters also recommended that the OCC include metrics in addition to asset size in its definition of covered bank, periodically adjust the threshold for inflation, notify covered banks when they become subject to the Guidelines, and tailor the Guidelines based on covered banks' size and complexity.

The OCC continues to believe that the $100 billion threshold is appropriate. As noted above, the agency has observed that banks at or above this size generally have a level of risk, complexity, and interconnectedness at which recovery planning is most beneficial. Narrowing the threshold to $150 billion would exclude some of these banks. With respect to additional metrics, the reservation of authority in paragraph I.C. of the Guidelines provides the OCC with sufficient flexibility to determine, based on factors other than asset size, that a bank is highly complex or otherwise presents a heightened risk and, thus, should be subject to the Guidelines.

Regarding an inflation adjustment, the OCC has determined that it does not need to include this provision in the Guidelines, as the agency can revisit and amend the threshold through the rulemaking process as appropriate. The OCC has also concluded that it is not necessary to notify a bank when it becomes a covered bank because this is determined based on a bank's own Consolidated Reports of Condition and Income (Call Report) data. Finally, the current Guidelines specifically state that each covered bank's recovery plan should be “appropriate for its individual size, risk profile, activities, and complexity,” and thus, they are inherently tailored.

Therefore, the OCC is adopting the changes to the definition of “covered bank” as proposed.

Calculation of the threshold. The current Guidelines define “average total consolidated assets” in paragraph I.E.1. as “the average total consolidated assets of the bank or the covered bank,” as reported on its Call Report for the four most recent consecutive quarters. The OCC proposed a clarifying change to this definition to refer to the average “of” total consolidated assets of the bank or covered bank. This change was intended to clarify that the calculation of “average total consolidated assets” for purposes of the Guidelines is based on the “total assets” line, not the “average total consolidated assets” line, of the Call Report. This change could have affected the quarter in which a bank became a covered bank and would have been consistent with the OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches. The OCC did not receive any comments on this proposed change and adopts it as proposed.

Reservation of authority. The reservation of authority in paragraph I.C.1. of the current Guidelines provides that the OCC has the discretion to apply the Guidelines, in whole or in part, to a bank with average total consolidated assets of less than $250 billion if it determines that the bank is highly complex or otherwise presents a heightened risk that warrants application of the Guidelines. Consistent with the proposed threshold change described above, the proposal would have allowed the agency to apply the Guidelines to a bank with average total consolidated assets of less than $100 billion in these circumstances.

The OCC received one comment on this proposed change, which stated that the reservation of authority should not be used for banks with under $100 billion in average total consolidated assets because recovery planning addresses issues similar to those already addressed in other contexts ( e.g., capital planning and stress testing). The OCC continues to believe that the agency should have the flexibility to apply the Guidelines to banks below the $100 billion threshold based on whether the bank is highly complex or otherwise presents a heightened risk. For this reason, the OCC is adopting this change as proposed.

B. Testing

Testing generally. As stated above, the OCC has many years of experience with administering the Guidelines, including reviewing covered banks' recovery plans. During this period, the agency has observed that covered banks would benefit from testing their recovery plans, which would allow them to proactively identify and address any weaknesses or deficiencies before they experience severe stress. This process would help a covered bank determine that its recovery plan is an effective tool that can realistically help restore the bank to financial strength and viability in response to severe stress. Not surprisingly, testing is already a key component of other regulatory frameworks addressing the stress continuum ( e.g., contingency funding planning and stress testing ).

For these reasons, the OCC proposed to add a testing provision as a new paragraph II.D. of the Guidelines, which stated that a covered bank should validate the effectiveness of its recovery plan. The preamble explained that a covered bank may do this by simulating severe financial and non-financial stress scenarios ( e.g., the scenarios used to develop the plan) to confirm that the plan is likely to work as intended. This testing should include, for example, ensuring that the plan's triggers appropriately reflect the covered bank's particular vulnerabilities and will, in practice, provide timely notice of increasingly severe stress, ranging from warnings of the likely occurrence of severe stress to its actual existence. Testing should also enable management and the board to verify that the covered bank has identified credible options that it is prepared to carry out during a period of severe stress. It should provide management and the board with similar assurances regarding other elements of the plan and, ultimately, the plan as a whole. The proposal did not specify a testing format or methodology but stated that testing should be risk-based and reflect the covered bank's size, risk profile, activities, and complexity.

The OCC received three comments on its proposed testing provision. One commenter stated that testing should be a flexible, risk-based “capabilities assessment” ( i.e., an assessment of a covered bank's capability to implement its recovery plan in a timely manner). The commenter also expressed concern that validation was not defined or explained and could require a covered bank to prove its plan's effectiveness by, for example, actually executing a recovery plan option ( e.g., divesting a business line). The commenter also argued that the inclusion of scenario analysis would duplicate the process that a covered bank used to develop or update a recovery plan. Another commenter supported the addition of testing to the Guidelines but stated that the OCC should provide more specific directions.

The OCC disagrees with several of these comments. While a capabilities assessment is an important aspect of testing, it is insufficient on its own to achieve the purpose of testing. For example, a capabilities assessment would not necessarily help a covered bank identify gaps in its recovery plan ( e.g., missing triggers or options) or determine if the plan can realistically help to restore the bank to financial strength and viability during periods of severe stress. With respect to the concept of validation, the OCC is using the term to convey that testing should confirm, to the extent possible, that the plan can accomplish its intended goals. Naturally, validation does not necessarily mean that a covered bank should actually execute a recovery option as part of testing. With respect to scenario analysis, the proposal would not have directed covered banks to use a specified testing format or methodology. Therefore, one covered bank could determine that a scenario analysis is an informative component of testing, while another may decide that it would unnecessarily duplicate its process for developing and updating its recovery plan. Accordingly, the OCC makes no change in the final Guidelines in response to these comments.

However, the OCC agrees that testing should be risk-based. A risk-based standard will provide each covered bank with the flexibility to develop and implement a testing framework that is consistent with its individual characteristics. To reflect this, the OCC is amending the final Guidelines to state that testing “should be appropriate for the bank's individual size, risk profile, activities, and complexity, including the complexity of its organizational and legal entity structure” and declines to establish a more prescriptive testing standard.

Testing of elements. The proposal stated that testing should include validation of the effectiveness of each element of the plan. Two commenters questioned how a bank would validate the effectiveness of key aspects of recovery planning ( e.g., the “Overview of covered bank,” which describes a covered bank's overall organizational and legal entity structure and its interconnections and interdependencies). The OCC agrees that it may not be possible to validate the effectiveness of each plan element, particularly descriptive elements ( e.g., the covered bank's overview). The agency believes, however, that a covered bank should consider each element of its recovery plan as part of testing to validate the effectiveness of the overall plan. This consideration may include, for example, assessing the effectiveness, completeness, or accuracy of each element, as appropriate. To address any confusion, the OCC has revised the final Guidelines to state: “Testing should validate the effectiveness of the recovery plan, including by considering each element set forth in paragraph II.B. of this appendix.”

Frequency of testing. The proposed testing provision provided that a covered bank should test its recovery plan periodically but not less than annually. Two commenters generally agreed that annual testing is appropriate while another commenter suggested that testing should be conducted at intervals and along timelines that are appropriate for each bank. In addition, a commenter said that the testing should be conducted in connection with, or as part of, resolution planning or other business-as-usual testing to avoid unnecessary duplication and that a provision for specific testing in response to a material change is unnecessary if testing is risk-based.

The OCC continues to believe that annual testing is appropriate and has concluded that a covered bank should also test its recovery plan following any significant changes to the recovery plan made in response to a material event. This frequency will ensure that management and the board can consider the results of testing during their recovery plan reviews under paragraphs III.A. and B. of the Guidelines, respectively. Within this framework, the final Guidelines provide each bank with flexibility regarding when to test its plan, including whether to align this testing with other types of testing or to engage in continuous or regular testing throughout the testing cycle, provided that the bank meets the testing standard in the Guidelines. The OCC also reiterates that it does not expect a covered bank to consider every component of each element during each testing cycle ( e.g., considering the trigger element during a cycle does not necessarily mean considering every trigger during that cycle). Rather, as noted above, testing should be risk-based. Therefore, the final Guidelines provide that “Each covered bank should test its recovery plan periodically but not less than annually and following any significant changes to the recovery plan made in response to a material event.”

Plan updates following testing. Finally, the proposed testing provision provided that a covered bank should revise its recovery plan as appropriate following testing. One commenter stated that the OCC should not require a bank to both test and make changes to its recovery plan based on the result of the testing in the same testing cycle. The OCC believes that covered banks should take a risk-based approach to updating their recovery plans following testing. For example, if testing reveals a critical deficiency in the plan, the covered bank should update it as soon as feasible. However, for less significant deficiencies, it may be appropriate to delay updates until the next annual review cycle. Therefore, the OCC adopts this provision of the Guidelines as proposed.

C. Non-Financial Risk

In the OCC's experience with covered banks' implementation of the Guidelines, banks have generally been successful in considering and addressing financial risks in their recovery plans. For example, many covered banks' recovery plans address changes to the bank's financial position, such as profitability, funding sources, liquidity ratios, and capital ratios. The OCC has observed, however, that covered banks have been less consistent in considering or addressing non-financial risk, such as operational and strategic risks. By focusing a recovery plan exclusively on financial risks while neglecting non-financial risks, the covered bank may overlook the very real threats that non-financial risks can pose to its financial strength and viability.

Because the current Guidelines do not specifically reference non-financial risk, the proposal contained changes to ensure that covered banks appropriately address these risks in their recovery plans. Specifically, the OCC proposed to add language to paragraph II.A. stating that a covered bank “should appropriately consider both financial risk and non-financial risk (including operational and strategic risk).” The reference to financial risk was not because covered banks had not appropriately considered this type of risk but to highlight that both types of risk should be considered. The OCC also proposed conforming changes to the definitions of “recovery” and “trigger” in paragraphs I.E.4. and I.E.6., respectively, and to the recovery plan elements of “trigger” and “impact assessment” in paragraphs II.B.2. and II.B.4., respectively. Finally, to provide an additional example of an operational risk plan with which a covered bank should align its recovery plan, the OCC proposed adding a reference to “resilience program” in paragraph II.C.

The OCC received one comment on the proposed non-financial risk language, which agreed that this type of risk should be considered but also observed that financial risk and non-financial risk have distinct roles in recovery planning. In particular, the commenter noted that the role of, and a covered bank's response to, non-financial risk differs from its response to financial risk and that breaches of non-financial triggers should not automatically lead to activation of the recovery plan and execution of recovery options.

The OCC agrees that financial risk and non-financial risk differ. However, both are important aspects of recovery planning, and the Guidelines provide covered banks with sufficient flexibility to account for these differences. Each covered bank's recovery plan can and should address financial risk and non-financial risk in a manner appropriate for that bank, including by ensuring that its recovery plan reflects their differences. Moreover, while the breach of any trigger (whether financial or non-financial) should always be escalated for purposes of initiating a response, a covered bank should not view a specific trigger as necessitating the execution of a particular option. Rather, a covered bank should use its judgment to determine what options, if any, to undertake during a period of severe stress. Therefore, the OCC is adopting these changes as proposed.

D. Compliance

When the OCC issued the proposal, it understood that covered banks would need time to implement the proposed changes. To this end, the agency proposed to amend paragraph I.B. of the Guidelines, entitled “Compliance date,” to provide affected banks with sufficient time to comply.

Specifically, under the proposal, a bank that is a covered bank under the current Guidelines would have had 12 months from the effective date of the amendments to comply with the changes. A bank that has $100 billion or more but less than $250 billion in average total consolidated assets on the effective date of the amendments to the Guidelines would have had to comply with the Guidelines within 12 months of the effective date, except for the testing requirements with which the bank would have had to comply within 18 months. A bank or other financial institution that is not a covered bank on the effective date of the amended Guidelines but that subsequently becomes a covered bank would have had 12 months from the date on which it became a covered bank to comply with the Guidelines, except that it would have had 18 months to comply with the testing requirements.

The OCC received several comments on this topic. Two commenters stated that newly covered banks should have more time to comply ( e.g., 24 months), while another suggested that the proposal provided newly covered banks with too much time because of synergies with resolution and contingency planning requirements. One commenter said that the final Guidelines should have (1) one compliance date for a covered bank to develop the testing framework and (2) another compliance date to conduct the testing and, if necessary, revise its recovery plan based on the testing results. Finally, one commenter suggested that the OCC's compliance dates should not overlap with the FDIC's resolution planning rule.

The OCC agrees with commenters that covered banks should have time to both develop a testing framework and conduct testing. In order to provide sufficient time for both, the OCC is revising the proposed compliance dates. Specifically, under the final Guidelines, banks that are currently covered banks will have 12 months to amend their recovery plans to address non-financial risk and an additional 6 months to comply with the new testing provision. Banks that are not covered by the current Guidelines but that become covered banks on the effective date of the final Guidelines will have 12 months to develop their recovery plan and an additional 12 months to comply with the testing provision. Banks or other financial institutions that become covered banks after the effective date of the final Guidelines will have 12 months to develop their recovery plan and an additional 12 months to comply with the testing provision. These compliance dates provide banks and other financial institutions that are or become covered banks under the final Guidelines with sufficient time and flexibility to both develop a testing framework and conduct testing, and based on our supervisory experience, they strike the appropriate balance between the time needed to satisfy the final Guidelines and the risks that recovery planning is designed to address. The agency believes this addresses the other comments about the proposed compliance dates discussed above.

In the proposal, the OCC also asked whether it should reserve authority to adjust an otherwise-applicable compliance date. In response, one commenter noted that if the OCC did so, it should reserve authority to both lengthen and shorten the applicable timeframes but should not specifically reference the context in which it might be appropriate to use this reservation of authority because the referenced examples could be interpreted as highly risky.

The OCC has determined that an additional reservation of authority for compliance date adjustments is unnecessary, as the agency already has sufficient tools to address this issue. For example, as a condition of approving a merger, the OCC can require that a bank comply with the Guidelines on a timeline other than the one specified in paragraph I.B. Therefore, the final Guidelines do not contain any changes in response to this question.

E. Other

In addition to the changes discussed above, the OCC has made technical and clarifying changes to the final Guidelines.

III. Regulatory Analysis

Paperwork Reduction Act of 1995

Under the Paperwork Reduction Act of 1995 (PRA), the OCC may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OMB previously approved the collection of information in the current Guidelines, which are found in 12 CFR part 30, appendix E, at paragraphs II.B., II.C., and III. Specifically, paragraph II.B. lists the elements of the recovery plan, which are an overview of the covered bank; triggers; options for recovery; impact assessments; escalation procedures; management reports; communication procedures; and other information. Paragraph II.C. addresses the relationship of the plan to other covered bank processes and coordination with other plans, including the processes and plans of its bank holding company. Paragraph III. outlines management's and the board's responsibilities.

The final Guidelines include changes to the information collection. Specifically, the threshold for applying the final Guidelines is reduced from $250 billion to $100 billion in average total consolidated assets. The final Guidelines also establish a testing standard, which provides that a covered bank should test its recovery plan. Additionally, the final Guidelines clarify the role of non-financial risk (including operational and strategic risk) in recovery planning.

The OCC has submitted the following revised information collection to the OMB for review.

Title: OCC Guidelines Establishing Standards for Recovery Planning by Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches.

OMB Control No.: 1557-0333.

Affected Public: Businesses or other for-profit organizations.

Estimated Burden:

Frequency of Response: On occasion.

Total Number of Respondents: 21.

Total Burden per Respondent: 32,017 hours.

Total Burden for Collection: 672,360 hours.

The OCC did not receive any PRA-related comments. The agency has a continuing interest in the public's opinions of information collections. Within 30 days of publication of this document, commenters may submit comments regarding the burden estimate, or any other aspect of this collection of information, including suggestions for reducing the burden, to the address listed in the ADDRESSES caption in the Notice of Proposed Rulemaking. All comments will become a matter of public record. Written comments and recommendations for the information collection should be sent within 30 days of publication of this document to www.reginfo.gov/public/do/PRAMain. Find this information collection by selecting “Currently under 30-day Review—Open for Public Comments” or using the search function.

Regulatory Flexibility Act

In general, the Regulatory Flexibility Act (RFA) requires an agency, in connection with a proposed and final rulemaking, to prepare a Regulatory Flexibility Analysis describing the impact of the rule on small entities, which are defined by the U.S. Small Business Administration for purposes of the RFA to include commercial banks and savings institutions with total assets of $850 million or less and trust companies with total assets of $47 million or less. However, a Regulatory Flexibility Analysis is not required if the agency certifies that the rulemaking would not have a significant economic impact on a substantial number of small entities and publishes its certification and a short explanatory statement in the Federal Register along with its rulemaking.

The OCC currently supervises approximately 942 IDIs, of which 636 are small entities. The final Guidelines do not impact any small entities because they only apply to banks with average total consolidated assets of $100 billion or more. Accordingly, the OCC certifies that the final Guidelines will not have a significant economic impact on a substantial number of small entities.

Unfunded Mandates Reform Act of 1995

Under section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA), the OCC prepares a budgetary impact statement before promulgating a rulemaking that includes any Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more (currently $183 million, as adjusted annually for inflation) in any one year. The OCC has determined that the expenditures associated with the final Guidelines' mandates will be approximately $86.7 million. Therefore, the OCC concludes that the final Guidelines will not result in an expenditure of $183 million or more annually by State, local, and Tribal governments, in the aggregate, or by the private sector. Accordingly, the OCC has not prepared the budgetary impact statement described above.

Congressional Review Act

For purposes of the Congressional Review Act, the OMB determines whether a final rule constitutes a major rule. If a rule is deemed a major rule by the OMB, the Congressional Review Act generally provides that the rule may not take effect until at least 60 days following its publication. The Congressional Review Act defines a “major rule” as any rule that the Administrator of the Office of Information and Regulatory Affairs of the OMB finds has resulted in or is likely to result in (1) an annual effect on the economy of $100 million or more; (2) a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies or geographic regions; or (3) significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreign-based enterprises in domestic and export markets. The OCC submitted the final Guidelines to the OMB for this major rule determination, and the OMB determined that the final Guidelines are not a major rule. As required by the Congressional Review Act, the OCC is submitting the appropriate report to Congress and the Government Accountability Office for review.

Administrative Procedure Act

The Administrative Procedure Act requires that publication of a substantive rule generally be made not less than 30 days before its effective date. Consistent with this requirement, the final Guidelines will be effective on January 1, 2025, which is more than 30 days after their publication in the Federal Register .

Riegle Community Development and Regulatory Improvement Act of 1994

Pursuant to section 302(a) of the Riegle Community Development and Regulatory Improvement Act of 1994, in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on IDIs, the OCC considers, consistent with the principles of safety and soundness and the public interest: (1) any administrative burdens that the rule will place on depository institutions, including small depository institutions and customers of depository institutions and (2) the benefits of a rulemaking. The OCC has considered the administrative burdens that the final Guidelines will place on IDIs, including small depository institutions and their customers, and the benefits of the final Guidelines. The agency believes that the effective date of January 1, 2025, is appropriate.

Authority and Issuance

For the reasons set forth in the preamble, and under the authority of 12 U.S.C. 93a and 12 U.S.C. 1831p-1, chapter I of title 12 of the Code of Federal Regulations is amended as follows:

1. The authority citation for part 30 continues to read as follows:

Authority: 12 U.S.C. 1, 93a, 371, 1462a, 1463, 1464, 1467a, 1818, 1828, 1831p-1, 1881-1884, 3102(b) and 5412(b)(2)(B); 15 U.S.C. 1681s, 1681w, 6801, and 6805(b)(1).

2. Amend appendix E by:

a. Revising and republishing paragraph I.B.

b. In paragraph I.C.1.a., removing the text “$250 billion” and adding the text “$100 billion” in its place; and

c. Revising and republishing paragraphs I.E. and II.

The revisions and republications read as follows:

[FR Doc. 2024-24402 Filed 10-21-24; 8:45 am]

BILLING CODE 4810-33-P