A little more than a year ago, I wrote in this space about the "Heightened Standards" issued in 2014 by the Office of the Comptroller of the Currency for certain banks with $50 billion and more in assets.
It is essential for counsel and human resources executives advising banks to become familiar with these in more than a passing way.
The "OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Savings Associations, and Insured Federal Branches"1 continue to consume the interest of most major U.S. and foreign banks doing business here, and they touch upon Human Resources in many significant ways.
Indeed, implementation of the Heightened Standards requires a review of key human resources and compensation-related policies and templates, including those concerning hiring (such as job descriptions); performance management (such as job performance appraisals and discipline); and compensation, including bonuses, and deferred and incentive compensation.
By the same token, the heightened emphasis on enforcement of laws relating to financial crimes, such as money laundering and bank fraud, requires Human Resources to help ensure that, in carrying out performance appraisals, banks do not unwittingly create non-privileged documents that may expose the bank to unnecessary risk.
Background on the Guidelines
The guidelines identify targeted institutions as any insured national bank, insured federal savings association, or insured federal branch of a foreign bank.
The OCC, an independent bureau of the U.S. Department of the Treasury, charters, regulates, and supervises all national banks and federal savings associations as well as federal branches and agencies of foreign banks. The OCC's mission is "[t]o ensure that national banks and federal savings associations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations."2
The guidelines apply to banks with average total consolidated assets equal to or greater than $50 billion. They were effective May 30, 2016, as to banks whose assets are between $50 and $100 billion. Coverage came into place in November 2015 for banks with assets of $100 billion or more.
The guidelines also apply to a bank with average total consolidated assets of under $50 billion, if that bank's parent company controls at least one covered bank, or if the OCC determines that the bank's operations "are highly complex or otherwise present a heightened risk as to warrant"3 the guidelines' application.
The guidelines' principal focus is on helping covered banks "establish and implement a risk governance framework to manage and control…risk-taking activities."4 Risk governance procedures apply to a number of risk categories—credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk.5
However, human resources-related practices are specifically identified in the guidelines' discussion of "talent management processes" and "compensation and performance management programs."6
Front Line Units
The guidelines do not specifically delegate enforcement of these particular provisions to a covered bank's human resources department. Instead, the guidelines require banks to establish "front line units" (FLUs) to address these provisions.7
FLUs are defined as organizational units or functions responsible for credit, interest rate, liquidity, price, operational, compliance, strategic, and reputation risk, and that (1) engage in activities designed to generate revenue or reduce expenses; (2) provide operational support or servicing for the delivery of products or services to customers; or (3) provide technology services.8
The office of the general counsel is explicitly excluded from "normally" being considered an FLU.9
Similarly, human resources departments are not FLUs. However, they are cited in the guidelines as an example of "an organizational unit [that] may have some accountability for one or more risks, but may not meet other provisions of the definition."10
Moreover, the OCC notes that "one of the primary responsibilities of Human Resources is to design and implement compensation programs, which, if not designed and implemented properly, could motivate inappropriate risk-taking behavior."11
The guidelines set out regulatory expectations of the roles played by various organizational units. They outline job responsibilities for certain positions and organizational units, which must be integrated into the job description. Job descriptions should clearly set forth the guidelines' various reporting lines. This requires that covered institutions review job descriptions of certain affected units and positions pursuant to those instructions.
For example, the CEO is to develop the bank's risk governance framework; develop a written strategic plan assessing risks facing the bank and the bank's mission and strategic objectives; develop the bank's risk appetite statement; help promote a safe and sound risk culture; oversee other personnel to ensure their compliance with requirements under the risk governance guidelines; resolve certain disagreements; and oversee day-to-day activities of the Chief Risk Executive (CRE) and in some cases the Chief Audit Executive (CAE).
The CRE leads an independent risk management unit and reports directly to the CEO. The CAE leads Internal Audit (IA) and also reports directly to the CEO. The CAE must have unrestricted access to the audit committee, and the audit committee, in turn, approves the appointment, removal and compensation of the CAE and reviews and approves IA's overall charter and audit plans.
The guidelines mandate independence of IA from Internal Risk Management (IRM) and FLUs. The board's audit committee reviews and approves IA's overall charter, risk assessments, and audit plans.
As with the CRE, the CEO does not oversee the CAE's day-to-day activities, but the CEO or the audit committee has primary oversight of the CAE's administrative activities, such as personnel matters, expense account management, and departmental supplies.
Similarly, the FLUs have particular roles and responsibilities, as do IRM, IA, and others, and these should be clearly defined.
Again, human resources departments have been knee deep in developing compliant job descriptions to meet these various defined roles.
Sharpening hiring practices, and developing appropriate succession planning and compensation programs that take account of risk, are additional human resources functions that are essential to compliance with various provisions of the guidelines.
The guidelines' talent management provisions require covered banks to "establish and adhere to processes for talent development, recruitment, and succession planning to ensure that management and employees who are responsible for or influence material risk decisions have the knowledge, skills, and abilities to effectively identify, measure, monitor, and control relevant risks."12
The Board of Directors or an appropriate committee is charged with assuring that the CEO and CAE, and one or more CREs, have the requisite skills and abilities to do their jobs.
Thus, human resources departments are closely involved in assisting the board, as the guidelines require, to "review and approve a written talent management program that provides for development, recruitment, and succession planning regarding the [CEO, CAE and the CREs], their direct reports, and other potential successors."13
This program also requires the board (most likely with the assistance of Human Resources) to "[r]equire management to assign individuals specific responsibilities within the talent management program, and hold those individuals accountable for the program's effectiveness."14
The guidelines also require covered institutions to "establish and adhere to compensation and performance management programs that comply with any applicable statute or regulation."15 As a result, Human Resources must work with the board to develop and review incentive compensation programs that do not reward excessive risk-taking and that are otherwise consistent with the bank's risk governance framework.
Human resources departments in covered institutions should review internal discipline and performance management policies to be sure they allow the institution the flexibility to promptly address performance deficiencies that may put the bank at risk and that are inconsistent with the bank's risk governance framework. Thus, policies that condition imposition of discipline on multiple warnings of poor performance may unduly tie the bank's hands in addressing inappropriate conduct.
Performance appraisals, particularly in positions that may affect risk governance, should also be reviewed with care. Human Resources should consult with FLUs to assure that performance appraisals properly take account of an employee's behaviors that may have an impact on operational risk, compliance risk, strategic risk, or reputation risk.
On the other hand, Human Resources should be sure to work with the general counsel and Compliance to assure that a performance appraisal does not unnecessarily reach premature conclusions regarding potentially unlawful conduct. A performance appraisal that jumps to conclusions may become a key exhibit in a government prosecution or civil action seeking to remedy alleged wrongful conduct.
Three Lines of Defense
Human resources departments are expected to assist FLUs, IRM, and IA in fulfilling their essential roles as the bank's "three lines of defense" in meeting the risk governance framework.
In fact, the guidelines require FLUs to fulfill their responsibilities either alone or in conjunction with other organizational units, including Human Resources, whose purpose is to assist them.
Human Resources' role becomes all the more important when considering that IRM is required to inform the CEO and the board of instances where FLUs are not adhering to the risk governance framework.
IA, among other things, is responsible for inventory of all processes, product lines, services, and functions. It must ensure that policies and procedures reflect emerging risks and improvements in industry practices, and IA, IRM, the CEO and the board must do their best to benchmark the bank's risk management practices against its peers.
Human Resources should work together with these core functions to help ensure that the bank can effectively operate these three lines of defense.
The guidelines provide banks with an expected framework of human resources management in terms of hiring, performance management, compensation and talent management. With a developing understanding of the guidelines, human resources departments will not only assist banks to meet regulatory requirements, but can clear the path toward assisting banks to achieve strategic growth.
1. 12 C.F.R. Part 30, Appendix D.
2. http://www.occ.gov/about/what-we-do/mission/index-about.html (accessed July 5, 2015).
3. 12 C.F.R. Part 30, Appendix D, Section I.6.C.3.
4. Section I. 1.
5. Id. Section II. B.
6. Id. Section II. L-M.
7. Id. Section I.E.6.
8. Id. Section I.E.6 (a).
9. Id. Section I.E.6 (b).
10. OCC Guidelines, OCC-2014-001, at 27 (Sept. 2, 2014).
12. 12 C.F.R. Part 30, Appendix D, Section II. L.
13. Id. Section II. L. 2.
14. Id. Section II. L. 3.
15. Id. Section II. M.
Philip M. Berkowitz is a shareholder and U.S. co-chair of Littler Mendelson's international law practice. Nancy Zhang, a summer associate at the firm, assisted in preparing this column. This article is reprinted with permission from the July 14, 2016 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.