(a) Risk-management
and risk-committee requirements for foreign banking organizations
with combined U.S. assets of less than $50 billion.
(1) U.S.
risk committee certification. A foreign banking organization
with average combined U.S. assets of less than $50 billion must, on
an annual basis, certify to the Board that it maintains a committee
of its global board of directors (or equivalent thereof), on a standalone
basis or as part of its enterprise-wide risk committee (or equivalent
thereof) that:
(i)
Oversees the risk-management policies of the combined U.S. operations
of the foreign banking organization; and
(ii) Includes at least one member having
experience in identifying, assessing, and managing risk exposures
of large, complex firms.
(2) Timing of certification. The certification
required under paragraph (a) of this section must be filed on an annual
basis with the Board concurrently with the FR Y-7.
(b) Risk-management and risk-committee
requirements for foreign banking organizations with combined U.S.
assets of $50 billion or more but less than $100 billion.
(1) U.S.
risk committee.
(i) General. A foreign banking organization
subject to this this subpart and with average combined U.S. assets
of $50 billion or more must maintain a U.S. risk committee that approves
and periodically reviews the risk-management policies of the combined
U.S. operations of the foreign banking organization and oversees the
risk-management framework of such combined U.S. operations.
(ii) Risk-management
framework. The foreign banking organization’s risk-management
framework for its combined U.S. operations must be commensurate with
the structure, risk profile, complexity, activities, and size of its
combined U.S. operations and consistent with its enterprise-wide risk
management policies. The framework must include:
(A) Policies and procedures establishing
risk-management governance, risk-management procedures, and risk-control
infrastructure for the combined U.S. operations of the foreign banking
organization; and
(B) Processes and
systems for implementing and monitoring compliance with such policies
and procedures, including:
(1) Processes and systems for
identifying and reporting risks and risk-management deficiencies,
including regarding emerging risks, on a combined U.S. operations
basis and ensuring effective and timely implementation of actions
to address emerging risks and risk-management deficiencies;
(2) Processes and systems for establishing
managerial and employee responsibility for risk management of the
combined U.S. operations;
(3) Processes and systems for ensuring the independence of the risk-management
function of the combined U.S. operations; and
(4) Processes and systems to integrate
risk management and associated controls with management goals and
the compensation structure of the combined U.S. operations.
(iii) Placement of the U.S. risk committee.
(A) A foreign banking organization
that conducts its operations in the United States solely through a
U.S. intermediate holding company must maintain its U.S. risk committee
as a committee of the board of directors of its U.S. intermediate
holding company (or equivalent thereof).
(B) A foreign banking organization that conducts its operations through
U.S. branches or U.S. agencies (in addition to through its U.S. intermediate
holding company, if any) may maintain its U.S. risk committee either:
(1) As a committee of the global board of directors (or equivalent
thereof), on a standalone basis or as a joint committee with its enterprise-wide
risk committee (or equivalent thereof); or
(2) As a committee of the board of
directors of its U.S. intermediate holding company (or equivalent
thereof), on a standalone basis or as a joint committee with the risk
committee of its U.S. intermediate holding company required pursuant
to section 252.147(e)(3).
(iv) Corporate
governance requirements. The U.S. risk committee must meet at
least quarterly and otherwise as needed, and must fully document and
maintain records of its proceedings, including risk-management decisions.
(v) Minimum
member requirements. The U.S. risk committee must:
(A) Include at least one member having
experience in identifying, assessing, and managing risk exposures
of large, complex financial firms; and
(B) Have at least one member who:
(1)
Is not an officer or employee of the foreign banking organization
or its affiliates and has not been an officer or employee of the foreign
banking organization or its affiliates during the previous three years;
and
(2) Is not a member of
the immediate family, as defined in 12 CFR 225.41(b)(3), of a person
who is, or has been within the last three years, an executive officer,
as defined in 12 CFR 215.2(e)(1) of the foreign banking organization
or its affiliates.
(2) [Reserved]
(c) U.S. chief risk officer.
(1) General. A foreign banking organization with average combined U.S. assets
of $50 billion or more but less than $100 billion or its U.S. intermediate
holding company, if any, must appoint a U.S. chief risk officer with
experience in identifying, assessing, and managing risk exposures
of large, complex financial firms.
(2) Responsibilities.
(i) The U.S. chief risk officer
is responsible for overseeing:
(A) The measurement, aggregation, and monitoring
of risks undertaken by the combined U.S. operations;
(B) The implementation of and ongoing compliance
with the policies and procedures for the foreign banking organization’s
combined U.S. operations set forth in paragraph (b)(1)(ii)(A) of this
section and the development and implementation of processes and systems
set forth in paragraph (b)(1)(ii)(B) of this section; and
(C) The management of risks and risk controls
within the parameters of the risk-control framework for the combined
U.S. operations, and the monitoring and testing of such risk controls.
(ii) The U.S. chief
risk officer is responsible for reporting risks and risk-management
deficiencies of the combined U.S. operations, and resolving such risk-management
deficiencies in a timely manner.
(3) Corporate
governance and reporting. The U.S. chief risk officer must:
(i) Receive compensation
and other incentives consistent with providing an objective assessment
of the risks taken by the combined U.S. operations of the foreign
banking organization;
(ii) Be
employed by and located in the U.S. branch, U.S. agency, U.S. intermediate
holding company, if any, or another U.S. subsidiary;
(iii) Report directly to the U.S. risk
committee and the global chief risk officer or equivalent management
official (or officials) of the foreign banking organization who is
responsible for overseeing, on an enterprise-wide basis, the implementation
of and compliance with policies and procedures relating to risk-management
governance, practices, and risk controls of the foreign banking organization
unless the Board approves an alternative reporting structure based
on circumstances specific to the foreign banking organization;
(iv) Regularly provide information
to the U.S. risk committee, global chief risk officer, and the Board
regarding the nature of and changes to material risks undertaken by
the foreign banking organization’s combined U.S. operations,
including risk-management deficiencies and emerging risks, and how
such risks relate to the global operations of the foreign banking
organization; and
(v) Meet regularly
and as needed with the Board to assess compliance with the requirements
of this section.
(d) Responsibilities of the foreign banking organization. The foreign banking organization must take appropriate measures
to ensure that its combined U.S. operations implement the risk-management
policies overseen by the U.S. risk committee described in paragraph
(a) or (b) of this section, and its combined U.S. operations provide
sufficient information to the U.S. risk committee to enable the U.S.
risk committee to carry out the responsibilities of this subpart.
(e) Noncompliance with this section. If a foreign banking organization does not satisfy the requirements
of this section, the Board may impose requirements, conditions, or
restrictions relating to the activities or business operations of
the combined U.S. operations of the foreign banking organization.
The Board will coordinate with any relevant State or Federal regulator
in the implementation of such requirements, conditions, or restrictions.
If the Board determines to impose one or more requirements, conditions,
or restrictions under this paragraph, the Board will notify the organization
before it applies any requirement, condition, or restriction, and
describe the basis for imposing such requirement, condition, or restriction.
Within 14 calendar days of receipt of a notification under this paragraph,
the organization may request in writing that the Board reconsider
the requirement, condition, or restriction. The Board will respond
in writing to the organization’s request for reconsideration
prior to applying the requirement, condition, or restriction.
