(1) General. A bank holding company subject to this subpart must maintain a risk
committee that approves and periodically reviews the risk-management
policies of the bank holding company’s global operations and oversees
the operation of the bank holding company’s global risk-management
framework. The risk committee’s responsibilities include liquidity
risk-management as set forth in section 252.34(b).
(2) Risk-management framework. The bank holding company’s global
risk-management framework must be commensurate with its structure, risk profile,
complexity, activities, and size and must include:
(i) Policies and procedures
establishing risk-management governance, risk-management procedures,
and risk-control infrastructure for its global operations; and
(ii) Processes and
systems for implementing and monitoring compliance with such policies
and procedures, including:
(A) Processes and systems for identifying
and reporting risks and risk-management deficiencies, including regarding
emerging risks, and ensuring effective and timely implementation of
actions to address emerging risks and risk-management deficiencies
for its global operations;
(B) Processes and systems for establishing managerial and employee
responsibility for risk management;
(C) Processes and systems for ensuring the
independence of the risk-management function; and
(D) Processes and systems to integrate risk
management and associated controls with management goals and its compensation
structure for its global operations.
(3) Corporate governance requirements. The
risk committee must:
(i) Have a formal, written charter that
is approved by the bank holding company’s board of directors;
(ii) Be an independent committee
of the board of directors that has, as its sole and exclusive function,
responsibility for the risk-management policies of the bank holding
company’s global operations and oversight of the operation of the
bank holding company’s global risk-management framework;
(iii) Report directly to
the bank holding company’s board of directors;
(iv) Receive and review regular reports
on not less than a quarterly basis from the bank holding company’s
chief risk officer provided pursuant to paragraph (b)(3)(ii) of this
section; and
(v) Meet at least quarterly, or more frequently as needed, and fully document
and maintain records of its proceedings, including risk-management
decisions.
(4) Minimum member requirements. The
risk committee must:
(i) Include at least one member having
experience in identifying, assessing, and managing risk exposures
of large, complex financial firms; and
(ii) Be chaired by a director who:
(A) Is not an officer or employee of the bank holding company and
has not been an officer or employee of the bank holding company during
the previous three years;
(B) Is not a member of the immediate family, as defined in section
225.41(b)(3) of the Board’s Regulation Y (12 CFR 225.41(b)(3)), of
a person who is, or has been within the last three years, an executive
officer of the bank holding company, as defined in section 215.2(e)(1)
of the Board’s Regulation O (12 CFR 215.2(e)(1)); and
(C) (1) Is an independent
director under Item 407 of the Securities and Exchange Commission’s
Regulation S-K (17 CFR 229.407(a)), if the bank holding company has
an outstanding class of securities traded on an exchange registered
with the U.S. Securities and Exchange Commission as a national securities
exchange under section 6 of the Securities Exchange Act of 1934 (15
U.S.C. 78f) (national securities exchange); or
(2) Would qualify as
an independent director under the listing standards of a national
securities exchange, as demonstrated to the satisfaction of the Board,
if the bank holding company does not have an outstanding class of
securities traded on a national securities exchange.
(1) General. A bank holding company subject to this subpart must appoint a chief
risk officer with experience in identifying, assessing, and managing
risk exposures of large, complex financial firms.
(2) Responsibilities.
(i) The chief risk officer is responsible
for overseeing:
(A) The establishment of risk limits on an
enterprise-wide basis and the monitoring of compliance with such limits;
(B) The implementation of
and ongoing compliance with the policies and procedures set forth
in paragraph (a)(2)(i) of this section and the development and implementation
of the processes and systems set forth in paragraph (a)(2)(ii) of
this section; and
(C) The management of risks and risk controls within the parameters of
the company’s risk control framework, and monitoring and testing of
the company’s risk controls.
(ii) The chief risk officer is responsible
for reporting risk-management deficiencies and emerging risks to the
risk committee and resolving risk-management deficiencies in a timely
manner.
(3) Corporate governance requirements.
(i) The bank holding company must ensure
that the compensation and other incentives provided to the chief risk
officer are consistent with providing an objective assessment of the
risks taken by the bank holding company; and
(ii) The chief risk officer must report
directly to both the risk committee and chief executive officer of
the company.